Академический Документы
Профессиональный Документы
Культура Документы
Chapter 1:
Introduction to the
Management of
Information Security
If this is the information
superhighway, its
going through a lot of bad, bad
neighborhoods.
--
Introduction
Information technology is critical to
business and society
Computer security is evolving into
information security
Information security is the responsibility
of every member of an organization, but
managers play a critical role
Management of Information Security
Introduction
Information security involves three
distinct communities of interest:
Information security managers and
professionals
Information technology managers and
professionals
Non-technical business managers and
professionals
Management of Information Security
Communities of Interest
InfoSec community: protect
information assets from threats
IT community: support business
objectives by supplying appropriate
information technology
Business community: policy and
resources
What Is Security?
The quality or state of being secure
to be free from danger
Security is achieved using several
strategies simultaneously
Information Security
InfoSec includes information security
management, computer security,
data security, and network security
Policy is central to all information
security efforts
FIGURE 1-1
CIA Triangle
The C.I.A. triangle is made up of:
Confidentiality
Integrity
Availability
10
Confidentiality
11
12
Availability
13
14
15
16
17
18
What Is Management?
19
Managerial Roles
Informational role: Collecting,
processing, and using information to
achieve the objective
Interpersonal role: Interacting with
superiors, subordinates, outside
stakeholders, and other
Decisional role: Selecting from
alternative approaches and resolving
conflicts, dilemmas, or challenges
Management of Information Security
20
Differences Between
Leadership and Management
The leader influences employees so that
they are willing to accomplish objectives
He or she is expected to lead by example
and demonstrate personal traits that instill
a desire in others to follow
Leadership provides purpose, direction,
and motivation to those that follow
21
22
Characteristics of a Leader
1.Bearing
2.Courage
3.Decisiveness
4.Dependability
5.Endurance
6.Enthusiasm
7.Initiative
8.Integrity
9.Judgment
10.Justice
11.Knowledge
12.Loyalty
13.Tact
14.Unselfishness
23
24
25
26
Characteristics of Management
Two well-known approaches to
management:
Traditional management theory using
principles of planning, organizing, staffing,
directing, and controlling (POSDC)
Popular management theory categorizes
principles of management into planning,
organizing, leading, and controlling (POLC)
Management of Information Security
27
Planning
Planning: process that develops,
creates, and implements strategies for
the accomplishment of objectives
Three levels of planning:
Strategic occurs at highest level of
organization
Tactical focuses on production planning and
integrates organizational resources
Operational focuses on day-to-day operations
of local resources
Management of Information Security
28
Planning (Continued)
In general, planning begins with the
strategic plan for the whole
organization
To do this successfully, organization
must thoroughly define its goals and
objectives
29
Organization
Organization: is a principle of management
dedicated to structuring of resources to support
the accomplishment of objectives
Organizing tasks requires determining:
What is to be done
In what order
By whom
By which methods
When
30
Leadership
Encourages the implementation of the
planning and organizing functions,
including supervising employee behavior,
performance, attendance, and attitude
Leadership generally addresses the
direction and motivation of the human
resource
Management of Information Security
31
Control
Control:
Monitoring progress toward completion
Making necessary adjustments to achieve the
desired objectives
32
Solving Problems
All managers face problems that must
be solved.
Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions
Step 4: Analyze and Compare the Possible
Solutions
Step 5: Select, Implement, and Evaluate a Solution
Management of Information Security
33
34
InfoSec Planning
Planning as part of InfoSec
management is an extension of the
basic planning model discussed earlier
in this chapter
Included in the InfoSec planning model
are activities necessary to support the
design, creation, and implementation of
information security strategies as they
exist within the IT planning environment
Management of Information Security
35
36
Policy
Policy: set of organizational guidelines
that dictates certain behavior within the
organization
In InfoSec, there are three general
categories of policy:
General program policy (Enterprise Security
Policy)
An issue-specific security policy (ISSP)
System-specific policies (SSSPs)
Management of Information Security
37
Programs
Programs: specific entities managed in
the information security domain
A security education training and
awareness (SETA) program is one such
entity
Other programs that may emerge
include a physical security program,
complete with fire, physical access,
gates, guards, and so on
Management of Information Security
38
Protection
Risk management activities, including risk
assessment and control, as well as
protection mechanisms, technologies, and
tools
Each of these mechanisms represents
some aspect of the management of
specific controls in the overall information
security plan
Management of Information Security
39
People
People are the most critical link in the
information security program
It is imperative that managers
continuously recognize the crucial role
that people play
Including information security personnel
and the security of personnel, as well as
aspects of the SETA program
Management of Information Security
40
Project Management
Project management discipline should
be present throughout all elements of
the information security program
Involves
Identifying and controlling the resources
applied to the project
Measuring progress and adjusting the
process as progress is made toward the
goal
Management of Information Security
41