Principles of Information Security 7E Module 3
MODULE 3
Information Security Management
Upon completion of this material, you should be able to:
1 Describe the different management functions with respect to information security
2 Define information security governance and list the expectations of the organization’s senior management with respect to it
3 Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
4 List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization
5 Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program

“Begin with the end in mind.”
— Stephen Covey, Author of Seven Habits of Highly Effective People
Opening Scenario
Charlie had a problem. Well, to be precise, Janet Kinneck had a problem, and now Charlie had to deal with it.
Janet, the vice president of social media market development in the SLS Marketing unit, had appeared on the monthly
abuse report. Charlie had started having the security operations team prepare this report, based on the network activity for
the prior month. All SLS employees consented to this monitoring whenever they used the company’s network.
SLS had a pretty liberal policy in place that described how and when employees could use company computers and
networks for their own personal reasons. Charlie had convinced CEO Fred Chin and the other senior executives that employees
had lives that filtered over into the workplace and that the minor costs of the company network’s incidental use for personal
matters, within certain boundaries, were well worth the improved productivity that resulted. It was those “certain boundaries”
that they were dealing with now.
Charlie looked at the report and the data it contained once more and picked up his phone to call Gladys Williams, the CIO.
He had considered whether this meeting should involve Fred, but he decided it fit better with Gladys’ role. She could always
decide to bring Fred in if she determined that his presence was needed.
Gladys picked up, saying, “Hi, Charlie, what’s up?”
He replied, “Hey, Gladys, we have an issue with that new monthly abuse report we are implementing.” Gladys knew the
report, as she had helped in its creation. She knew what was coming next because she was to be informed when employees
above a specific rank were involved.
Charlie continued, “Well, anyway, it looks like we have an issue with Janet Kinneck in Marketing. Near as I can tell without
a forensic examination of her computer, she’s running a commercial sports gaming league out of her office on the sixth floor.”
Gladys thought for a second and replied, “That doesn’t sound like an acceptable use to me.”
Introduction To The Management Of Information Security
An organization’s information security effort succeeds only when it operates in conjunction with the organization’s
information security policy. An information security program begins with policy, standards, and practices, which are
the foundation for the information security program and its blueprint. The creation and maintenance of these elements
require coordinated planning. The role of planning in modern organizations is hard to overemphasize. All but the smallest
organizations engage in some planning, from strategic planning to manage the future direction of the organization
to the operational day-to-day planning to control the use and allocation of resources.
As part of the organization’s management team, the InfoSec management team operates like all other management
units. However, the InfoSec management team’s goals and objectives differ from those of the IT and general management
communities in that the InfoSec management team is focused on the secure operation of the organization. In fact, some
of the InfoSec management team’s goals and objectives may be contrary to or require resolution with the goals of the
IT management team, as the primary focus of the IT group is to ensure the effective and efficient processing of information,
whereas the primary focus of the InfoSec group is to ensure the confidentiality, integrity, and availability of information.
Security, by its very nature, will slow down the information flow into, through, and out of an organization as
information is validated, verified, and assessed against security criteria. Because the chief information security officer
(CISO) in charge of the security management team typically reports directly to the chief information officer (CIO), who
is responsible for the IT function, issues and prioritization conflicts can arise unless upper management intervenes.
Because InfoSec management oversees a specialized program, certain aspects of its managerial responsibility are
unique. These unique functions, which are known as “the six Ps” (planning, policy, programs, protection, people, and
project management), are discussed throughout this book and briefly described in the following sections.
Planning
Planning in InfoSec management is an extension of the basic planning mentioned later in this module. Included in the
InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec
strategies within the planning environments of all organizational units, including IT. Because the InfoSec strategic plans
must support not only the IT department’s use and protection of information assets but those of the entire
organization, it is imperative that the CISO work closely with all senior managers in developing InfoSec strategy. The business
strategy is translated into the IT strategy. The strategies of other business units and the IT strategy are then used to
develop the InfoSec strategy. Just as the CIO uses the IT objectives gleaned from the business unit plans to create the
organization’s IT strategy, the CISO develops InfoSec objectives from the IT and other business units to create the
organization’s InfoSec strategy.
The IT strategy and that of the other business units provide critical information used for InfoSec planning as the
CISO gets involved with the CIO and other executives to develop the strategy for the next level down. The CISO then
works with the appropriate security managers to develop operational security plans. These security managers
consult with security technicians to develop tactical security plans. Each of these plans is usually coordinated across the
business and IT functions of the enterprise and placed into a master schedule for implementation. The overall goal is
to create plans that support long-term achievement of the overall organizational strategy. If all goes as expected, the
entire collection of tactical plans accomplishes the operational goals and the entire collection of operational goals
accomplishes the subordinate strategic goals; this helps to meet the strategic goals and objectives of the organization
as a whole.
Several types of InfoSec plans and planning functions exist to support routine operations as well as activities and
responses that are not part of the normal operating environment. Routine planning includes that for policy, personnel
issues, technology rollouts, risk management, and security programs. Plans and functions that go beyond the routine
include planning for incident response, business continuity, disaster recovery, and crisis management. Each of these
plans has unique goals and objectives, yet each can benefit from the same methodical approach. These planning areas
are discussed in detail in Module 4.
Another basic planning consideration unique to InfoSec is the location of the InfoSec department within the
organization structure. This topic is discussed in Module 7.
Policy
In InfoSec, there are three general policy categories, which are discussed in greater detail later in this module:
• Enterprise information security policy (EISP)—Developed within the context of the strategic IT plan, this sets
the tone for the InfoSec department and the InfoSec climate across the organization. The CISO typically drafts
the program policy, which is usually supported and signed by the CIO or the CEO.
• Issue-specific security policies (ISSPs)—These are sets of rules that define acceptable behavior within a specific
organizational resource, such as e-mail or Internet usage.
• Systems-specific policies (SysSPs)—A merger of technical and managerial intent, SysSPs include both the
managerial guidance for the implementation of a technology as well as the technical specifications for its
configuration.
Programs
InfoSec operations that are specifically managed as separate entities are called “programs.” An example would be a
security education, training, and awareness (SETA) program or a risk management program. SETA programs provide
critical information to employees to maintain or improve their current levels of security knowledge. Risk management
programs include the identification, assessment, and control of risks to information assets. Other programs that may
emerge include a physical security program, complete with fire protection, physical access, gates, and guards. Some
organizations with specific regulations may have additional programs dedicated to client/customer privacy, awareness,
and the like. Each organization will typically have several security programs that must be managed.
Protection
The protection function is executed via a set of risk management activities, as well as protection mechanisms,
technologies, and tools. Each of these mechanisms or safeguards represents some aspect of the management of specific
controls in the overall InfoSec plan.
People
People are the most critical link in the InfoSec program. This area encompasses security personnel (the professional
information security employees), the security of personnel (the protection of employees and their information), and
aspects of the SETA program mentioned earlier.
Projects
Whether an InfoSec manager is asked to roll out a new security training program or select and implement a new firewall,
it is important that the process be managed as a project. The final element for thoroughgoing InfoSec management
is the application of a project management discipline to all elements of the InfoSec program. Project management
involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting
the process as progress is made toward the goal.