CS 996: Information Security Management
Pavel Margolin
4/20/05

Outline
• Who is an ISSO?
• Duties and Responsibilities
• Planning
• Establishing the CIAPP
• InfoSec Functions
• InfoSec in the Government

Who is an ISSO?
• ISSO - Information Systems Security Officer
• Reports to the Chief Information Officer (CIO), who reports to the CEO.
• Leader of the Information Security (InfoSec) organization.
• Qualifications
  - Manage and organize people
  - Communicate with upper management without much technical detail
  - Have enough technical expertise to understand systems and make decisions

Duties and Responsibilities
• Establishing and enforcing the Corporate Information Assets Protection Program (CIAPP)
• Managing people
• Managing the business of the CIAPP
• Managing CIAPP processes
• Hiring InfoSec staff
• Reporting to upper management

Planning
• Strategic Plan (ISSSP)
  - Compatible with the Strategic Business Plan
  - Long-term direction, goals, and objectives
• Tactical Plan (ITP)
  - Short-range plan
  - Supports CIAPP and InfoSec functional goals and objectives
• Annual Plan (IAP)
  - Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP
  - Plan of projects for the year

Establishing the CIAPP
• Reasons for the CIAPP
  - Corporate vision, mission, and quality statements
  - Corporate strategic, tactical, and annual business plans
  - InfoSec vision, mission, and quality statements
  - InfoSec strategic, tactical, and annual business plans
  - Information and systems legal, ethical, and best business practices
  - Overall information assets protection plans, policies, and procedures
  - Current CIAPP-related and InfoSec policies
  - Current CIAPP-related and InfoSec procedures
  - Other topics as deemed appropriate by the ISSO

Establishing the CIAPP (cont.)
[Diagram: the CIAPP and the factors surrounding it]
• Business factors: costs, profits, business decisions, sales, public relations, stockholders' value
• External factors: laws, regulations, business practices, ethics
• InfoSec policies, procedures, and processes
• Risk assessments, vulnerability assessments, threat assessments, limited risk assessments, risk analyses, best InfoSec practices

Establishing the CIAPP (cont.)
1. Introduction Section
2. Purpose Section
3. Scope Section
4. Responsibilities
5. Requirements Section
   A. Identifying the value of the information
   B. Access to information systems
   C. Access to specific applications and files
   D. Audit trails and their review
   E. Reporting and response in the event of a violation
   F. Minimum protection requirements for the hardware, firmware, and software
   G. Requirements for InfoSec procedures at other departments and lower levels of the corporation
6. Physical Security
   - Optional if Physical Security is handled by the Director of Security

InfoSec Functions
• Processes
  - Valuing Information
  - Awareness
  - Access Control
  - Evaluation of all hardware, firmware, and software
  - Risk Management
  - Security Tests and Evaluations program
  - Noncompliance Inquiries
  - Contingency and emergency planning and disaster recovery program (CEP-DR)

InfoSec Functions (cont.)
[Diagram: inputs to the ISSO's CIAPP organizational requirements, responsibilities, and charter, and the InfoSec functions that result]
• Inputs: customers, contracts, InfoSec custodians, users, management, audits, tests & evaluations, other employees, laws, regulations, non-compliance inquiries, investigations, trade articles, technical bulletins, business plans, ISSO's plans, best business practices, best InfoSec practices
• Center: ISSO's CIAPP organizational requirements, responsibilities, and charter
• InfoSec functions: identification of InfoSec requirements; access control; non-compliance inquiries (NCI); disaster recovery/emergency planning; tests and evaluations; intranet security; Internet and web site security; security applications protection; security software development; software interface InfoSec evaluations; access control violations analysis; systems' approvals; CIAPP awareness and training; contractual compliance inspections; InfoSec risk management

InfoSec in the Government
• National Security Classified Information
  - Confidential - loss of this information can cause damage to national security
  - Secret - loss of this information can cause serious damage to national security
  - Top Secret - loss of this information can cause grave damage to national security
• Black/Compartmented - granted on a need-to-know (NTK) basis. Example: Sensitive Compartmented Information (SCI).
• Unclassified
  - For Official Use Only
  - Unclassified but Sensitive Information
  - Unclassified

InfoSec in the Government (cont.)
• InfoSec policy - laws, rules, and practices that regulate how organizations handle national security data
• Accountability - assigning responsibility and accountability to individuals or groups who deal with national security information
• Assurance - guarantees that the InfoSec policy is implemented correctly and that the InfoSec elements accurately mediate and enforce the policy
• Documentation - records how a system is structured, its functions, and how the system was designed

InfoSec in the Government (cont.)
• Protect and defend all information used by an AIS (automated information system)
• Prevent unauthorized access, modification, damage, destruction, or denial of service (DoS)
• Provide assurances of:
  - Compliance with government and contractual obligations and agreements
  - Confidentiality of all classified information
  - Integrity of information and related processes
  - Availability of information
  - Usage of the information and AIS by authorized personnel only
  - Identification and elimination of fraud, waste, and abuse

InfoSec in the Government (cont.)
• Maintain a plan for site security improvement
• Ensure information systems (IS) are operated, used, maintained, and disposed of properly
• Ensure IS are certified and accredited
• Ensure users and personnel have the required security clearances, authorization, and NTK, and are familiar with internal security practices
• Enforce security policies and safeguards on personnel having access to an IS
• Ensure audit trails are reviewed periodically
• Initiate protective and corrective measures
• Report security incidents in accordance with agency-specific policy
• Report the security status of the IS
• Evaluate known vulnerabilities to determine if additional security is needed

InfoSec in the Government (cont.)
• Entry Level
  - Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.
• Intermediate Level
  - For a new system architecture, investigate and document system security technology, policy, and training requirements to assure system operation at a specified level of assurance.
• Advanced Level
  - For an accreditation action, analyze and evaluate system security technology, policy, and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process.

InfoSec in the Government (cont.)
• Develop Certification and Accreditation Posture
  - Plan for Certification and Accreditation
  - Create CIA Policy
  - Control Systems Policy
  - Culture and Ethics
  - Incident Response
• Implement Site Security Policy
• Provide CIA
  - Ensure Facility is approved
  - Manage Operations of Information Systems
  - Regulate General Principles
    - Access Control, Training, Awareness, Legal aspects, CC, etc.
• Security Management
  - Access Controls
  - Human Access
  - Key Management
  - Incident Response

InfoSec in the Government (cont.)
• Enforce and verify system security policy
  - CIA and Accountability
  - Security Management
  - Access Controls
  - Automated Security Tools
  - Handling Media
  - Incident Response
• Report on site security status
  - Security Continuity Reporting
  - Report Security Incidents
  - Law
  - Report Security Status of IS as required by upper management
  - Report to Inspector General (IG)

InfoSec in the Government (cont.)
• Support Certification and Accreditation
  - Certification Functions
  - Accreditation Functions
• Respond to upper management requests

References
• Kovacich, Dr. Gerald L., "The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program"
• "Information Assurance Training Standard for Information Systems Security Officers", http://www.cnss.gov/instructions.html