Developing the Security Program - PowerPoint PPT Presentation

Author: Santoro. Last modified by: Gerry Santoro. Created Date: 11/18/2001 7:15:55 PM. Document presentation format: On-screen Show (4:3). Slides: 74. Provided by: Santo166.

Transcript and Presenter's Notes

1
Developing the Security Program
2
Objectives
  • Upon completion of this material you should be
    able to
  • Explain the organizational approaches to
    information security
  • List and describe the functional components of an
    information security program
  • Determine how to plan and staff an organization's
    information security program based on its size

3
Objectives (contd.)
  • Upon completion of this material you should be
    able to (contd.)
  • Evaluate the internal and external factors that
    influence the activities and organization of an
    information security program
  • List and describe the typical job titles and
    functions performed in the information security
    program

http://www.flickr.com/photos/pstainthorp/5471415240/
4
Objectives (contd.)
  • Upon completion of this material you should be
    able to (contd.)
  • Describe the components of a security education,
    training, and awareness program and explain how
    organizations create and manage these programs

5
Introduction
  • Some organizations use the term "security program"
    to describe the entire set of personnel, plans,
    policies, and initiatives related to information
    security
  • The term "information security program" is used
    here to describe the structure and organization
    of the effort that contains risks to the
    information assets of the organization

6
Organizing for Security
  • Variables involved in structuring an information
    security program
  • Organizational culture
  • Size
  • Security personnel budget
  • Security capital budget
  • As organizations increase in size
  • Their security departments are not keeping up
    with increasingly complex organizational
    infrastructures

7
Organizing for Security (contd.)
  • Information security departments tend to form
    internal groups
  • To meet long-term challenges and handle
    day-to-day security operations
  • Functions are likely to be split into groups
  • Smaller organizations typically create fewer
    groups
  • Perhaps having only one general group of
    specialists

8
Organizing for Security (contd.)
  • Very large organizations
  • More than 10,000 computers
  • Security budgets often grow faster than IT
    budgets
  • Even with large budgets, the average amount spent
    on security per user is still smaller than in any
    other size of organization
  • Small organizations spend more than $5,000 per
    user on security; very large organizations spend
    about 1/18th of that, roughly $300 per user

9
Organizing for Security (contd.)
  • Very large organizations (contd.)
  • Do a better job in the policy and resource
    management areas
  • Only 1/3 of organizations handled incidents
    according to an IR plan
  • Large organizations
  • Have 1,000 to 10,000 computers
  • Security approach has often matured, integrating
    planning and policy into the organization's
    culture

10
Organizing for Security (contd.)
  • Large organizations (contd.)
  • Do not always put large amounts of resources into
    security
  • Considering the vast numbers of computers and
    users often involved
  • They tend to spend proportionally less on security

11
Security in Large Organizations
  • One approach separates functions into four areas
  • Functions performed by non-technology business
    units outside of IT
  • Functions performed by IT groups outside of
    information security area
  • Functions performed within information security
    department as customer service
  • Functions performed within the information
    security department as compliance

12
Security in Large Organizations (contd.)
  • The CISO is responsible for ensuring that the
    information security functions are adequately
    performed somewhere within the organization
  • The deployment of full-time security personnel
    depends on
  • Sensitivity of the information to be protected
  • Industry regulations
  • General profitability

13
Security in Large Organizations (contd.)
  • The more money the company can dedicate to its
    personnel budget
  • The more likely it is to maintain a large
    information security staff

14
Security in Large Organizations (contd.)
Figure 5-1: Example of information security
staffing in a large organization
Source: Course Technology/Cengage Learning
15
Security in Large Organizations (contd.)
Figure 5-2: Example of information security
staffing in a very large organization
Source: Course Technology/Cengage Learning
16
Security in Medium-Sized Organizations
  • Medium-sized organizations
  • Have between 100 and 1,000 computers
  • Have a smaller total budget
  • Have a security staff about the same size as a
    small organization's, but a larger need
  • Must rely on help from IT staff for plans and
    practices
  • Ability to set policy, handle incidents, and
    effectively allocate resources is worse than in
    organizations of any other size

17
Security in Medium-Sized Organizations (contd.)
  • Medium-sized organizations (contd.)
  • May be large enough to implement a multi-tiered
    approach to security
  • With fewer dedicated groups and more functions
    assigned to each group
  • Tend to ignore some security functions

18
Security in Medium-Sized Organizations (contd.)
Figure 5-3: Example of information security
staffing in a medium-sized organization
Source: Course Technology/Cengage Learning
19
Security in Small Organizations
  • Small organizations
  • Have between 10 and 100 computers
  • Have a simple, centralized IT organizational
    model
  • Spend disproportionately more on security
  • Information security is often the responsibility
    of a single security administrator
  • Have little in the way of formal policy,
    planning, or security measures

20
Security in Small Organizations (contd.)
  • Small organizations (contd.)
  • Commonly outsource their Web presence or
    electronic commerce operations
  • Security training and awareness is commonly
    conducted on a 1-on-1 basis
  • Policies (when they exist) are often
    issue-specific
  • Formal planning is often part of IT planning
  • Threats from insiders are less likely
  • Every employee knows every other employee

21
Security in Small Organizations (contd.)
Figure 5-4: Example of information security
staffing in a smaller organization
Source: Course Technology/Cengage Learning
22
Placing Information Security Within An
Organization
  • In large organizations
  • InfoSec is often located within the information
    technology department
  • Headed by the CISO, who reports directly to the
    top computing executive (the CIO)
  • An InfoSec program is sometimes at odds with the
    goals and objectives of the IT department as a
    whole

23
Placing Information Security Within An
Organization (contd.)
  • Because the goals and objectives of the CIO and
    the CISO may come in conflict
  • It is not difficult to understand the current
    movement to separate information security from
    the IT division
  • The challenge is to design a reporting structure
    for the InfoSec program that balances the needs
    of each of the communities of interest

24
Placing Information Security Within an
Organization (contd.)
Figure 5-5: Wood's Option 1: Information security
reports to information technology department
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
25
Placing Information Security Within an
Organization (contd.)
Figure 5-6: Wood's Option 2: Information security
reports to broadly defined security department
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
26
Placing Information Security Within an
Organization (contd.)
Figure 5-7: Wood's Option 3: Information security
reports to administrative services department
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
27
Placing Information Security Within an
Organization (contd.)
Figure 5-8: Wood's Option 4: Information security
reports to insurance and risk management
department
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
28
Placing Information Security Within an
Organization (contd.)
Figure 5-9: Wood's Option 5: Information security
reports to strategy and planning department
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
29
Placing Information Security Within an
Organization (contd.)
  • Other options
  • Option 6: Legal
  • Option 7: Internal audit
  • Option 8: Help desk
  • Option 9: Accounting and finance through IT
  • Option 10: Human resources
  • Option 11: Facilities management
  • Option 12: Operations

30
Components of the Security Program
  • An organization's information security needs are
    unique to the culture, size, and budget of the
    organization
  • Determining what level the information security
    program operates on depends on the organization's
    strategic plan
  • Also on the plan's vision and mission statements
  • The CIO and CISO should use these two documents
    to formulate the mission statement for the
    information security program

31
Information Security Roles and Titles
  • Types of information security positions
  • Those that define
  • Provide the policies, guidelines, and standards
  • Do the consulting and the risk assessment
  • Develop the product and technical architectures
  • Senior people with a lot of broad knowledge, but
    often not a lot of depth
  • Those that build
  • The real techies who create and install
    security solutions

32
Information Security Roles and Titles (contd.)
  • Types of information security positions (contd.)
  • Those that administer
  • Operate and administer the security tools and the
    security monitoring function
  • Continuously improve the processes
  • A typical organization has a number of
    individuals with information security
    responsibilities

33
Information Security Roles and Titles (contd.)
  • While the titles used may be different, most of
    the job functions fit into one of the following
  • Chief Information Security Officer (CISO) or
    Chief Security Officer (CSO)
  • Security managers
  • Security administrators and analysts
  • Security technicians
  • Security staff

34
Information Security Roles and Titles (contd.)
Figure 5-10: Information security roles
Source: Course Technology/Cengage Learning
35
Help Desk Personnel
  • Help desk
  • An important part of the information security
    team
  • Enhances the security teams ability to identify
    potential problems
  • When a user calls the help desk with a complaint,
    the user's problem may turn out to be related
    to a bigger problem, such as an intruder, a
    denial-of-service attack, or a virus

36
Help Desk Personnel (contd.)
  • Help desk (contd.)
  • Because help desk technicians perform a
    specialized role in information security, they
    have a need for specialized training

37
Implementing Security Education, Training, and
Awareness Programs
  • SETA program
  • Designed to reduce accidental security breaches
  • Consists of three elements: security education,
    security training, and security awareness
  • Awareness, training, and education programs offer
    two major benefits
  • Improving employee behavior
  • Enabling the organization to hold employees
    accountable for their actions

38
Implementing SETA Programs (contd.)
  • Purpose of SETA is to enhance security
  • By building in-depth knowledge, as needed, to
    design, implement, or operate security programs
    for organizations and systems
  • By developing skills and knowledge so that
    computer users can perform their jobs while using
    IT systems more securely
  • By improving awareness of the need to protect
    system resources

39
Implementing SETA Programs (contd.)
Table 5-3: Framework of security education,
training and awareness
Source: National Institute of Standards and
Technology. An Introduction to Computer Security:
The NIST Handbook. SP 800-12.
http://csrc.nist.gov/publications/nistpubs/800-12/
40
Security Education
  • Employees within information security may be
    encouraged to seek a formal education
  • If not prepared by their background or experience
  • A number of institutions of higher learning,
    including colleges and universities, provide
    formal coursework in information security

41
Security Education (contd.)
  • A knowledge map
  • Can help potential students assess information
    security programs
  • Identifies the skills and knowledge clusters
    obtained by the program's graduates
  • Creating the map can be difficult because many
    academics are unaware of the numerous
    subdisciplines within the field of information
    security
  • Each of which may have different knowledge
    requirements

42
Security Education (contd.)
Figure 5-11: Information security knowledge map
Source: Course Technology/Cengage Learning
43
Security Education (contd.)
  • Depth of knowledge
  • Indicated by a level of mastery using an
    established taxonomy of learning objectives or a
    simple scale such as understanding →
    accomplishment → proficiency → mastery
  • Because many institutions have no frame of
    reference for which skills and knowledge are
    required for a particular job area
  • They may refer to the certifications offered in
    that field

44
Security Education (contd.)
  • Once the knowledge areas are identified, common
    knowledge areas are aggregated into teaching
    domains
  • From which individual courses can be created
  • Course design
  • Should enable a student to obtain the required
    knowledge and skills upon completion of the
    program
  • Identify the prerequisite knowledge for each class

45
Security Education (contd.)
Figure 5-12: Technical course progression
Source: Course Technology/Cengage Learning
46
Security Training
  • Involves providing detailed information and
    hands-on instruction
  • To develop user skills to perform their duties
    securely
  • Management can either develop customized training
    or outsource

47
Security Training (contd.)
  • Customizing training for users
  • By functional background
  • General user
  • Managerial user
  • Technical user
  • By skill level
  • Novice
  • Intermediate
  • Advanced

48
Training Techniques
  • Using the wrong method
  • Can hinder the transfer of knowledge
  • Leading to unnecessary expense and frustrated,
    poorly trained employees
  • Good training programs
  • Take advantage of the latest learning
    technologies and best practices

49
Training Techniques (contd.)
  • Recent developments
  • Less use of centralized public courses and more
    on-site training
  • Training is often for one or a few individuals
  • Waiting until there is a large-enough group for a
    class can cost companies lost productivity
  • Other best practices
  • Increased use of short, task-oriented modules
  • Available during the normal work week

50
Training Techniques (contd.)
  • Selection of the training delivery method
  • Not always based on the best outcome for the
    trainee
  • Often overridden by budget, scheduling, and the
    needs of the organization
  • Types of delivery methods
  • One-on-one
  • Formal class
  • Computer-based training (CBT)

51
Training Techniques (contd.)
  • Types of delivery methods (contd.)
  • Distance learning/web seminars
  • User support group
  • On-the-job training
  • Self-study (non-computerized)

52
Training Techniques (contd.)
  • Training methods
  • Use a local training program
  • Use a continuing education department
  • Use another external training agency
  • Hire a professional trainer, a consultant, or
    someone from an accredited institution to conduct
    on-site training
  • Organize and conduct training in-house using the
    organization's own employees

53
Implementing Training
  • A seven-step methodology generally applies
  • Step 1: Identify program scope, goals, and
    objectives
  • Step 2: Identify training staff
  • Step 3: Identify target audiences
  • Step 4: Motivate management and employees
  • Step 5: Administer the program
  • Step 6: Maintain the program
  • Step 7: Evaluate the program

54
Security Awareness
  • One of the least frequently implemented, but most
    effective security methods is the security
    awareness program
  • Security awareness programs
  • Set the stage for training by changing
    organizational attitudes to realize the
    importance of security and the adverse
    consequences of its failure
  • Remind users of the procedures to be followed

55
Security Awareness (contd.)
  • Best practices
  • Focus on people
  • Refrain from using technical jargon
  • Use every available venue
  • Define learning objectives, state them clearly,
    and provide sufficient detail and coverage
  • Keep things light
  • Don't overload the users
  • Help users understand their roles in InfoSec

56
Security Awareness (contd.)
  • Best practices (contd.)
  • Take advantage of in-house communications media
  • Make the awareness program formal
  • Plan and document all actions
  • Provide good information early, rather than
    perfect information late

57
Security Awareness (contd.)
  • The ten commandments of information security
    awareness training
  • Information security is a people, rather than a
    technical, issue
  • If you want them to understand, speak their
    language
  • If they cannot see it, they will not learn it
  • Make your point so that you can identify it and
    so can they
  • Never lose your sense of humor

58
Security Awareness (contd.)
  • The ten commandments of information security
    awareness training (contd.)
  • Make your point, support it, and conclude it
  • Always let the recipients know how the behavior
    that you request will affect them
  • Ride the tame horses
  • Formalize your training methodology
  • Always be timely, even if it means slipping
    schedules to include urgent information

59
Security Awareness (contd.)
  • Security awareness and security training are
    designed to modify any employee behavior that
    endangers the security of the organization's
    information
  • Security training and awareness activities can be
    undermined if management does not set a good
    example

60
Security Awareness (contd.)
  • Effective training and awareness programs make
    employees accountable for their actions
  • Dissemination and enforcement of policy become
    easier when training and awareness programs are
    in place
  • Being able to demonstrate due care and due
    diligence can help the institution defend itself
    against lawsuits

61
Security Awareness (contd.)
  • Awareness can take on different forms for
    particular audiences
  • A security awareness program can use many methods
    to deliver its message
  • Recognize that people tend to practice a tuning
    out process (acclimation)
  • Awareness techniques should be creative and
    frequently changed

62
Security Awareness (contd.)
  • Many security awareness components are available
    at little or no cost
  • Others can be very expensive
  • Examples of security awareness components
  • Videos
  • Posters and banners
  • Lectures and conferences
  • Computer-based training

63
Security Awareness (contd.)
  • Examples of security awareness components
    (contd.)
  • Newsletters
  • Brochures and flyers
  • Trinkets (coffee cups, pens, pencils, T-shirts)
  • Bulletin boards

64
Security Awareness (contd.)
  • Security newsletter
  • A cost-effective way to disseminate security
    information
  • Newsletters can be in the form of hard copy,
    e-mail, or intranet
  • Topics can include threats to the organization's
    information assets, schedules for upcoming
    security classes, and the addition of new
    security personnel

65
Security Awareness (contd.)
  • Security newsletter (contd.)
  • The goal is to keep the idea of information
    security uppermost in users' minds and to
    stimulate them to care about security
  • Newsletters might include
  • Summaries of key policies
  • Summaries of key news articles
  • A calendar of security events, including training
    sessions, presentations, and other activities
  • Announcements relevant to information security
  • How-tos

66
Security Awareness (contd.)
Figure 5-13: SETA awareness components: Newsletters
Source: Course Technology/Cengage Learning
67
Security Awareness (contd.)
  • Security poster series
  • A simple and inexpensive way to keep security on
    people's minds
  • Professional posters can be quite expensive, so
    in-house development may be the best solution
  • Keys to a good poster series
  • Varying the content and keeping posters updated
  • Keeping them simple, but visually interesting
  • Making the message clear
  • Providing information on reporting violations

http://www.flickr.com/photos/salfordpgrs/4710790787/
68
Security Awareness (contd.)
Figure 5-14: SETA awareness components: Posters
Source: Course Technology/Cengage Learning
69
Security Awareness (contd.)
  • Trinket programs
  • Inexpensive on a per-unit basis
  • They can be expensive to distribute
  • Types of trinkets
  • Pens and pencils, mouse pads
  • Coffee mugs, plastic cups
  • Hats, T-shirts
  • The messages trinket programs impart will be lost
    unless reinforced by other means

http://www.flickr.com/photos/bagels/115395404/sizes/m/in/photostream/
70
Security Awareness (contd.)
Figure 5-15: SETA awareness components: Trinkets
Source: Course Technology/Cengage Learning
71
Security Awareness (contd.)
  • Organizations can establish Web pages or sites
    dedicated to promoting information security
    awareness
  • The challenge lies in updating the messages
    frequently enough to keep them fresh
  • Tips on creating and maintaining an educational
    Web site
  • See what's already out there
  • Plan ahead

72
Security Awareness (contd.)
  • Tips on creating and maintaining an educational
    Web site (contd.)
  • Keep page loading time to a minimum
  • Seek feedback
  • Assume nothing and check everything
  • Spend time promoting your site

73
Security Awareness (contd.)
  • Security awareness conference
  • Have a guest speaker or even a mini-conference
    dedicated to the topic
  • Perhaps in association with the semi-annual
    National Computer Security Days (October 31 and
    April 4)

http://www.openclipart.org/detail/140461/hal9000-by-marauder