CS 996: Information Security Management
Pavel Margolin
4/20/05
Who is an ISSO?
Duties and Responsibilities
Planning
Establishing the CIAPP
InfoSec Functions
InfoSec in the Government
Who is an ISSO?
ISSO – Information Systems Security Officer
Reports to the Chief Information Officer (CIO), who reports to the CEO.
Leader of the Information Security (InfoSec) organization.
Qualifications
Manage and organize people
Communicate to upper management without much technical detail
Have enough technical expertise to understand systems and make decisions
Duties and Responsibilities
Establishing and enforcing the Corporate Information Assets Protection Program (CIAPP)
Managing people
Managing the business of the CIAPP
Managing CIAPP processes
Hiring InfoSec staff
Reporting to upper management
Planning
Strategic Plan (ISSSP)
Compatible with the Strategic Business Plan
Long-term direction, goals, and objectives
Tactical Plan (ITP)
Short-range plan
Supports CIAPP and InfoSec functional goals and objectives
Annual Plan (IAP)
Identifies and implements projects to accomplish the goals and objectives in the ISSSP and ITP
Plan of projects for the year
Establishing the CIAPP
Reasons for the CIAPP
Corporate vision, mission, and quality statements
Corporate strategic, tactical, and annual business plans
InfoSec vision, mission, and quality statements
InfoSec strategic, tactical, and annual business plans
Information and systems legal, ethical, and best business practices
Overall information assets protection plans, policies, and procedures
Current CIAPP-related and InfoSec policies
Current CIAPP-related and InfoSec procedures
Other topics as deemed appropriate by the ISSO
[Diagram: business drivers, InfoSec policies/procedures/processes, and risk inputs around the CIAPP]
Business drivers: Costs, Profits, Sales, Public Relations, Stockholders' value, Laws, Regulations, Business Practices, Ethics
Business Decisions feed the InfoSec Policies, InfoSec Procedures, and InfoSec Processes
Risk inputs to the CIAPP: Risk Assessments, Vulnerability assessments, Threat Assessments, Limited Risk assessments, Risk analyses, Best InfoSec Practices
1. Introduction Section
2. Purpose Section
3. Scope Section
4. Responsibilities
5. Requirements Section
A. Identifying the value of the information
B. Access to information systems
C. Access to specific applications and files
D. Audit trails and their review
E. Reporting and response in the event of a violation
F. Minimum protection requirements for the hardware, firmware, and software
G. Requirements for InfoSec procedures at other departments and lower levels of the corporation
6. Physical Security
Optional if Physical Security is handled by the Director of Security
InfoSec Functions
Processes
Valuing Information
Awareness
Access Control
Evaluation of all hardware, firmware, and software
Risk Management
Security Tests and Evaluations program
Noncompliance Inquiries
Contingency and emergency planning and disaster recovery program (CEP-DR)
[Diagram: ISSO organization, its inputs, and its InfoSec functions]
Inputs: Customers, Contracts, InfoSec Custodians, Users, Management, Audits, Tests & Evaluations, Other employees, Laws, Regulations, Non-compliance Inquiries, Investigations, Trade articles, Technical Bulletins, Business Plans, ISSO's plans, Best business practices, Best InfoSec practices
Center: CIAPP; ISSO's CIAPP organizational requirements, responsibilities, and charter
InfoSec functions: Identification of InfoSec requirements, Access control, Non-compliance Inquiries (NCI), Disaster Recovery/Emergency Planning, Tests and Evaluations, Intranet Security, Internet and Web Site Security, Applications Protection, Security Software Development, Software Interface InfoSec Evaluations, Access Control Violations Analysis, Systems' Approvals, CIAPP Awareness and Training, Contractual Compliance, Inspections, Risk Management
InfoSec in the Government
National Security Classified Information
Confidential – loss of this information can cause damage to national security
Secret – loss of this information can cause serious damage to national security
Top Secret – loss of this information can cause grave damage to national security
Black/Compartmented – granted on a need-to-know (NTK) basis. Ex: Sensitive Compartmented Information (SCI).
Unclassified
For Official Use Only
Unclassified but Sensitive Information
Unclassified
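The levels and need-to-know compartments on this slide map onto a simple label dominance check. The following Python is an added example, not from the original slides: the compartment names ALPHA/BRAVO and the sample requests are constructed, and the write rule goes beyond the slide by applying the Bell-LaPadula "no write down" constraint alongside "no read up".

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Hierarchical levels from the slide, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    """A level plus the compartments (need-to-know caveats) it carries."""
    level: Level
    compartments: frozenset = frozenset()

def parse_label(text: str) -> Label:
    """Parse 'SECRET' or 'TOP SECRET//ALPHA/BRAVO' (compartment names are constructed)."""
    level_part, _, comp_part = text.partition("//")
    level = Level[level_part.strip().upper().replace(" ", "_")]
    comps = frozenset(c.strip().upper() for c in comp_part.split("/") if c.strip())
    return Label(level, comps)

def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least b's and it holds every compartment of b."""
    return a.level >= b.level and b.compartments <= a.compartments

def can_read(clearance: Label, data: Label) -> bool:
    return dominates(clearance, data)  # no read up; need-to-know for every compartment

def can_write(clearance: Label, data: Label) -> bool:
    return dominates(data, clearance)  # no write down: the data label must dominate the subject

def audit_requests(requests):
    """Decide each (user, clearance, action, data label) request; return audit-trail records."""
    trail = []
    for user, clearance, action, data in requests:
        c, d = parse_label(clearance), parse_label(data)
        allowed = can_read(c, d) if action == "read" else can_write(c, d)
        trail.append((user, action, data, "ALLOW" if allowed else "DENY"))
    return trail

# Constructed sample requests; compartments ALPHA and BRAVO are invented names
SAMPLE_REQUESTS = [
    ("alice", "TOP SECRET//ALPHA", "read", "SECRET//ALPHA"),
    ("alice", "TOP SECRET//ALPHA", "read", "SECRET//BRAVO"),  # lacks need-to-know
    ("bob", "SECRET", "read", "TOP SECRET"),                   # read up
    ("bob", "SECRET", "write", "CONFIDENTIAL"),                # write down
]
```

The records returned by audit_requests are the kind of audit trail the CIAPP requirements section asks to be reviewed; the DENY entries are the ones a periodic review should examine.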
InfoSec policy – laws, rules, and practices that regulate how organizations handle national security data.
Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information
Assurance – guarantees that the InfoSec policy is implemented correctly and that the InfoSec elements accurately mediate and enforce the policy
Documentation – records how a system is structured, its functions, and how the system was designed
Protect and defend all information used by an AIS (automated information system)
Prevent unauthorized access, modification, damage, destruction, or DoS
Provide assurances of:
Compliance with government and contractual obligations and agreements
Confidentiality of all classified information
Integrity of information and related processes
Availability of information
Usage of the information and AIS by authorized personnel only
Identification and elimination of fraud, waste, and abuse
Maintain a site security improvement plan
Ensure IS systems are operated, used, maintained, and disposed of properly
Ensure IS systems are certified and accredited
Ensure users and personnel have the required security clearances, authorization, and NTK, and are familiar with internal security practices
Enforce security policies and safeguards on personnel having access to an IS
Ensure audit trails are reviewed periodically
Initiate protective and corrective measures
Report security incidents in accordance with agency-specific policy
Report the security status of the IS
Evaluate known vulnerabilities to determine if additional security is needed
Entry Level
Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.
Intermediate Level
For a new system architecture, investigate and document system security technology, policies, and training requirements to assure system operation at a specified level of assurance
Advanced Level
For an accreditation action, analyze and evaluate system security technology, policy, and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process
Develop Certification and Accreditation Posture
Plan for Certification and Accreditation
Create CIA Policy
Control Systems Policy
Culture and Ethics
Incident Response