Scribd Logo
Upload

Welcome to Scribd!

  • 24 views

    Information Security (Cont'd)

    Uploaded by

    UMAR faROOQ

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Information Security (Cont'd)

    Uploaded by

    UMAR faROOQ
    24 views15 pages

    Original Title

    n.ppt

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    24 views15 pages

    Information Security (Cont'd)

    Uploaded by

    UMAR faROOQ

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    of 15

    Lecture 30

    Information Security (Cont’d)


    Overview
    • Organizational Structures

    • Roles and Responsibilities

    • Information Classification

    • Risk Management

    2
    Organizational Structure
    • Organization of and official responsibilities
    for security vary
    – BoD, CEO, BoD Committee
    – Director, Manager
    • IT/IS Security
    • Audit

    3
    Typical Org Chart
    Board of Directors/Trustees President

    CIO

    Security Director

    Project Enterprise
    Security Analyst System Auditor
    Security Architect Security Architect

    4
    Security-Oriented Org Chart
    Board of Directors/Trustees President

    CIO

    IT Audit Manager Security Director

    Enterprise Project
    System Auditor Security Analyst
    Security Architect Security Architect

    5
    Further Separation
    Board of Directors/Trustees President

    Audit Committee Internal Audit CIO

    IT Audit Manager Security Director

    Enterprise Project
    System Auditor Security Analyst
    Security Architect Security Architect

    6
    Organizational Structure
    • Audit should be separate from
    implementation and operations
    – Independence is not compromised
    • Responsibilities for security should be defined
    in job descriptions
    • Senior management has ultimate
    responsibility for security
    • Security officers/managers have functional
    responsibility
    7
    Roles and Responsibilities
    • Best Practices:
    – Least Privilege
    – Mandatory Vacations
    – Job Rotation
    – Separation of Duties

    8
    Roles and Responsibilities
    • Owners
    – Determine security requirements
    • Custodians (defender)
    – Manage security based on requirements
    • Users
    – Access as allowed by security requirements

    9
    Information Classification
    • Not all information has the
    same value
    • Need to evaluate value based on CIA
    • Value determines protection level
    • Protection levels determine procedures
    • Labeling informs users on handling

    10
    Information Classification
    • Government classifications:
    – Top Secret
    – Secret
    – Confidential
    – Sensitive but Unclassified
    – Unclassified

    11
    Information Classification
    • Private Sector classifications:
    – Confidential
    – Private
    – Sensitive
    – Public

    12
    Information Classification
    • Criteria:
    – Value
    – Age
    – Useful Life
    – Personal Association

    13
    Risk Management
    • Risk Management is identifying, evaluating,
    and mitigating risk to an organization
    – It’s a cyclical, continuous process
    – Need to know what you have
    – Need to know what threats are likely
    – Need to know how and how well it is protected
    – Need to know where the gaps are

    14
    Identification
    • Assets
    • Threats
    – Threat-sources: man-made, natural
    • Vulnerabilities
    – Weakness
    • Controls
    – Safeguard

    15

    You might also like