Introduction Security

Management of Information Security
Chapter 1:
Introduction to the
Management of
Information Security
If this is the information
superhighway, its
going through a lot of bad, bad
neighborhoods.
--
DORIAN BERGER, 1997
Introduction
Information technology is critical to
business and society
Computer security is evolving into
information security
Information security is the responsibility
of every member of an organization, but
managers play a critical role
Introduction
Information security involves three
distinct communities of interest:
Information security managers and
professionals
Information technology managers and
professionals
Non-technical business managers and
professionals
Communities of Interest
InfoSec community: protect
information assets from threats
IT community: support business
objectives by supplying appropriate
information technology
Business community: policy and
resources
What Is Security?
The quality or state of being secure
to be free from danger
Security is achieved using several
strategies simultaneously
Specialized Areas of Security

Physical security
Personal security
Operations security
Communications security
Network security
Information Security (InfoSec)
Computer Security
Information Security
InfoSec includes information security
management, computer security,
data security, and network security
Policy is central to all information
security efforts
FIGURE 1-1
Components of Information Security
CIA Triangle
The C.I.A. triangle is made up of:
Confidentiality
Integrity
Availability
Over time the list of characteristics has

expanded, but these three remain central
Figure 1-2 NSTISSC Security

Model
10
Key Concepts of Information

Security
Confidentiality
Confidentiality of information ensures that

only those with sufficient privileges may
access certain information
To protect confidentiality of information, a
number of measures may be used including:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end
users
11

Security
Integrity
Integrity is the quality or state of being
whole, complete, and uncorrupted
The integrity of information is threatened
when it is exposed to corruption, damage,
destruction, or other disruption of its
authentic state
Corruption can occur while information is
being compiled, stored, or transmitted
12

Security
Availability
Availability is making information accessible

to user access without interference or
obstruction in the required format
A user in this definition may be either a
person or another computer system
Availability means availability to authorized
users
13

Security
Privacy
Information is to be used only for purposes
known to the data owner
This does not focus on freedom from
observation, but rather that information will
be used only in ways known to the owner
14

Security
Identification
Information systems possess the
characteristic of identification when they are
able to recognize individual users
Identification and authentication are
essential to establishing the level of access
or authorization that an individual is granted
15

Security
Authentication
Authentication occurs when a control
provides proof that a user possesses the
identity that he or she claims
16

Security
Authorization
After the identity of a user is authenticated,
a process called authorization provides
assurance that the user (whether a person
or a computer) has been specifically and
explicitly authorized by the proper
authority to access, update, or delete the
contents of an information asset
17

Security
Accountability
The characteristic of accountability
exists when a control provides
assurance that every activity
undertaken can be attributed to a
named person or automated process
18
What Is Management?
A process of achieving objectives using

a given set of resources
To manage the information security
process, first understand core principles
of management
A manager is someone who works with
and through other people by
coordinating their work activities in
order to accomplish organizational
goals
19
Managerial Roles
Informational role: Collecting,
processing, and using information to
achieve the objective
Interpersonal role: Interacting with
superiors, subordinates, outside
stakeholders, and other
Decisional role: Selecting from
alternative approaches and resolving
conflicts, dilemmas, or challenges
20
Differences Between
Leadership and Management
The leader influences employees so that
they are willing to accomplish objectives
He or she is expected to lead by example
and demonstrate personal traits that instill
a desire in others to follow
Leadership provides purpose, direction,
and motivation to those that follow
21
A Manager administer the resources

of the organization by
Creating budgets
Authorizes expenditures
Hires employees
A Manager can also be a leader.
22
Characteristics of a Leader
1.Bearing
2.Courage
3.Decisiveness
4.Dependability
5.Endurance
6.Enthusiasm
7.Initiative
8.Integrity
9.Judgment
10.Justice
11.Knowledge
12.Loyalty
13.Tact
14.Unselfishness
23
What Makes a Good Leader?

Action plan for improvement of
leadership abilities
1. Knows and seeks self-improvement
2. Be technically and tactically proficient
3. Seek responsibility and take
responsibility for your actions
4. Make sound and timely decisions
5. Set the example
6. Knows [subordinates] and looks out for
their well-being
24
What Makes a Good Leader?

(Continued)
Action plan for improvement of
leadership abilities
7. Keeps subordinates informed
8. Develops a sense of responsibility in
subordinates
9. Ensures the task is understood, supervised,
and accomplished
10.Builds the team
11.Employs a team in accordance with its
capabilities
25
Behavioral Types of Leaders

Three basic behavioral types of leaders:
Autocratic- action-oriented, Do as I say
Democratic action-oriented and likely to be
less efficient
Laissez-faire laid-back.
26
Characteristics of Management
Two well-known approaches to
management:
Traditional management theory using
principles of planning, organizing, staffing,
directing, and controlling (POSDC)
Popular management theory categorizes
principles of management into planning,
organizing, leading, and controlling (POLC)
27
Planning
Planning: process that develops,
creates, and implements strategies for
the accomplishment of objectives
Three levels of planning:
Strategic occurs at highest level of
organization
Tactical focuses on production planning and
integrates organizational resources
Operational focuses on day-to-day operations
of local resources
28
Planning (Continued)
In general, planning begins with the
strategic plan for the whole
organization
To do this successfully, organization
must thoroughly define its goals and
objectives
29
Organization
Organization: is a principle of management
dedicated to structuring of resources to support
the accomplishment of objectives
Organizing tasks requires determining:
What is to be done
In what order
By whom
By which methods
When
30
Leadership
Encourages the implementation of the
planning and organizing functions,
including supervising employee behavior,
performance, attendance, and attitude
Leadership generally addresses the
direction and motivation of the human
resource
31
Control
Control:
Monitoring progress toward completion
Making necessary adjustments to achieve the
desired objectives
Controlling function determines what must

be monitored as well using specific control
tools to gather and evaluate information
32
Solving Problems
All managers face problems that must
be solved.
Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions
Step 4: Analyze and Compare the Possible
Solutions
Step 5: Select, Implement, and Evaluate a Solution
33
Principles Of Information Security

Management
Information security management is part of the
organizational management team.
The extended characteristics of information security are
known as the six Ps:
Planning
Policy
Programs
Protection
People
Project Management
34
InfoSec Planning
Planning as part of InfoSec
management is an extension of the
basic planning model discussed earlier
in this chapter
Included in the InfoSec planning model
are activities necessary to support the
design, creation, and implementation of
information security strategies as they
exist within the IT planning environment
35
InfoSec Planning Types

Several types of InfoSec plans exist:
Incident response
Business continuity
Disaster recovery
Policy
Personnel
Technology rollout
Risk management and
Security program including education,
training and awareness
36
Policy
Policy: set of organizational guidelines
that dictates certain behavior within the
organization
In InfoSec, there are three general
categories of policy:
General program policy (Enterprise Security
Policy)
An issue-specific security policy (ISSP)
System-specific policies (SSSPs)
37
Programs
Programs: specific entities managed in
the information security domain
A security education training and
awareness (SETA) program is one such
entity
Other programs that may emerge
include a physical security program,
complete with fire, physical access,
gates, guards, and so on
38
Protection
Risk management activities, including risk
assessment and control, as well as
protection mechanisms, technologies, and
tools
Each of these mechanisms represents
some aspect of the management of
specific controls in the overall information
security plan
39
People
People are the most critical link in the
information security program
It is imperative that managers
continuously recognize the crucial role
that people play
Including information security personnel
and the security of personnel, as well as
aspects of the SETA program
40
Project Management
Project management discipline should
be present throughout all elements of
the information security program
Involves
Identifying and controlling the resources
applied to the project
Measuring progress and adjusting the
process as progress is made toward the
goal
41

Introduction Security

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Introduction Security

Загружено:

Авторское право:

Доступные форматы

Management of Information Security

DORIAN BERGER, 1997

Management of Information Security

Management of Information Security

Specialized Areas of Security

Management of Information Security

Components of Information Security

Management of Information Security

Over time the list of characteristics has

Figure 1-2 NSTISSC Security

Management of Information Security

Key Concepts of Information

Confidentiality of information ensures that

Key Concepts of Information

Key Concepts of Information

Availability is making information accessible

Key Concepts of Information

Key Concepts of Information

Key Concepts of Information

Management of Information Security

Key Concepts of Information

Key Concepts of Information

Management of Information Security

A process of achieving objectives using

Management of Information Security

A Manager administer the resources

A Manager can also be a leader.

Management of Information Security

Management of Information Security

What Makes a Good Leader?

What Makes a Good Leader?

Behavioral Types of Leaders

Management of Information Security

Management of Information Security

Management of Information Security

Controlling function determines what must

Principles Of Information Security

InfoSec Planning Types

Вам также может понравиться