320 likes | 338 Views
Introduction to the Management of Information Security. Dan Hein, Dinesh Raveendran, Molly Coplen Feb 3, 2008. Organization. Overview of Information Security Defining Security Information Security Management The Six P’s of Information Security. Information Security.
E N D
Introduction to the Management of Information Security Dan Hein, Dinesh Raveendran, Molly Coplen Feb 3, 2008
Organization • Overview of Information Security • Defining Security • Information Security Management • The Six P’s of Information Security
Information Security • Risk Analysis is an essential central activity required to secure information assets • Information asset enumeration, • Threat enumeration, • Threat potential and impact and/or damage • Risk Analysis provides rationale (cost justification) for sound business decisions and cross-cuts several communities: • Information Security Community • Information Technology Community • General Business Community
What is Security • The quality or state of being secure – to be free from danger. • Example: National Security • Multiple types of security specialization: • Physical – Protection of people, physical assets, and workplace • Operations – Carrying of the operational activities without interruption or compromise • Communications- Protection of communication media, technology and content • Network – Protection of networking devices, connections and content
Information Security Network Security Policy Management of InfoSec Computer & Data Security Information Security • Information Security (InfoSec) encompasses • Management of information security • Computer & data security • Network Security
Confidentiality Policy Education Technology Integrity Availability Storage Processing Transmission NSTISSC* Security Model • NSTISSC* Security Model • A CNSS model known as McCumber Cube • Purpose: Identify gaps in information security program • Weakness: Addresses only InfoSec Community and leaves out business and broader IT community *-National SecurityTelecommunications and Information Systems Security Committee
Key Concepts of InfoSec • C.I.A Triangle – Basis for CNSS model for InfoSec • Three essential characteristics • Confidentiality, integrity and availability • Limited in scope • Difficult to encompass changing environment • Threats – Accidental or intentional damage, destruction, theft, unintended or unauthorized modification, other human misuses or other threats • Development of a robust model for current IS environment and rapidly changing IT industry with a comprehensive list of critical characteristics
Key Concepts continued… • Confidentiality • Only those with sufficient privileges and demonstrated need may access certain information • Measures to protect it - Information classification, Secure document storage, Application of general security policies, Education of information custodians and end users and Cryptography • Examples: Mailing confidential information outside the organization, Hacker breaking in to an internal database
Key Concepts continued… • Integrity • The quality or state of being whole, complete, and uncorrupted • Corruption can occur while information is being entered, stored, or transmitted • Viruses, worms and even faulty programming can corrupt data • Detection: check file’s state, or file’s hash value or checksum • Prevention: redundancy bits and check bits, file hashing
Key Concepts continued… • Availability • Characteristic of information that enables user access to information without interference in a useable format • Access to only authorized users • Analogy: Library Access • Privacy • Information that is collected, used and stored by an organization is intended only for the purposes stated to the data owner at the time it was collected • Collect, swap and sell personal information • Data used without original owner’s consent
Key Concepts continued… • Identification • Ability to recognize individual users for an IS • First step in gaining access to secured data • Foundation to authentication and authorization • Performed with username and/or password • Authentication • When a control provides proof that a user possesses the identity that he/she claims. • Examples: use of cryptographic certificates to establish SSL
Key Concepts continued… • Authorization • After authentication, this process provides the assurance that the user has been specifically and explicitly authorized by the proper authority • Example: activation and use of ACLs • Accountability • When a control provides assurance that every activity undertaken can be attributed to a person or a process • Example: Audit logs
What is Management? Management is the process of achieving objectives given a set of resources. A manager is a member of the organization assigned to marshal and administer resources, coordinate the completion of tasks, and handle the many roles necessary to meet the desired objectives. 13 1/2/2020
Management Theories 14 • Frederick Winslow Taylor (1900s) • Wandered around factories with a stopwatch and a clipboard to measure worker productivity. • Management’s job is to improve productivity by refining the processes workers perform. • Douglas McGregor - Theory X and Theory Y (1960) • Theory X: Classic command and control – “Carrot-and-the-stick” - workers are basically lazy. • Theory Y: People exercise self-direction and self control in the achievement of organizational objectives. Carrots induce people to stay. 1/2/2020
Management Theories 15 • W. Edwards Deming – Total Quality Management (1980s) • Stressed quality and customer focus in internal operations • Decision making, performance measurement, and compensation • Vertical integration • Business Process Re-engineering (1990s) • Reorganize the business around processes such as purchasing, marketing, and distribution instead of corporate silos based on products and geography. 1/2/2020
Leadership versus Management Leaders Influences employees so that they are willing to accomplish objectives. Leadership provides purpose, direction, and motivation to those who follow. Managers Administers resources of the organization: Create budgets Authorize expenditures Hire employees 16 1/2/2020
Key Characteristic of a Leader 17 A key characteristic of a leader is concern for subordinates as well as strong motivation for accomplishing organizational objectives. Exhibit principles of be..know..and do. As a leader you must be a person of strong and honorable character, be committed to professional ethics, be an example of individual values, and be able to resolve complex ethical dilemmas. You must know the details of your situation, the standards to which you work, yourself, human nature, and your team. You must do by providing purpose, direction, and motivation to your teams. 1/2/2020
Characteristics of a LeaderUS Military Model 18 Bearing Courage Decisiveness Dependability Endurance Enthusiasm Initiative Integrity Judgment Justice Knowledge Loyalty Tact Unselfishness 1/2/2020
Improvement of Leadership Abilities 19 Know yourself and seek self improvement Be technically and tactically proficient See responsibility and take responsibility for your actions Make sound and timely decisions Set the example Know your subordinates and look out for their well-being Keep your subordinates informed Develop a sense of responsibility in your subordinates Ensure the task is understood, supervised, and accomplished Build the team Employ your team in accordance with its capabilities 1/2/2020
Behavioral Types of Leaders Autocratic Reserves all decision-making responsibility for themselves, and are more “do as I say” types of managers. Issues an order to accomplish a task and does not seek or accept alternative viewpoints. Democratic Seeks input from all interested parties, requesting ideas and suggestions, and then formulating a position that can be supported by a majority. Laissez-faire Allows the process to develop as it goes, only making minimal decisions to avoid bringing the process to a complete halt. 20 1/2/2020
The Planning-Controlling Link Planning Goals, Objectives, Strategies, Plans Controlling Standards, Measurements, Comparisons, Action Organizing Structure, Human Resource Management Leading Motivation, Leadership, Communication, Behavior 21 1/2/2020
Planning Strategic Highest level of the organization – Board of Directors, Executive Management Time horizon – five or more years Tactical Mid-level managers – implementation of the strategic plan Time horizon – one to five years Operational Supervisors - Day-to-day operations of local resources Time horizon - immediate 22 1/2/2020
Organizing 23 “The principle of management dedicated to the structuring of resources to support the accomplishments of objectives.” • Organizing tasks: • What is to be done and in what order • Who is doing the work • How is the work being accomplished • When - timeline 1/2/2020
Leadership and Motivation 24 • Peter Drucker • A responsible manager has authority. • Workers are led, not managed. • The workplace is participatory, but not “free-wheeling.” • Workers are not motivated through money alone. • Each worker is motivated differently, according to the individual and the situation. • Management recognizes that workers could leave the organization. 1/2/2020
What Motivates Workers 25 Work with people who treat me with respect Interesting work Recognition Opportunity to develop skills Work for people who will listen to you Ability to think for self, not just carry out instructions Seeing the end results of my work Work for efficient managers Job security High pay Good benefits 1/2/2020
Controlling 26 • This function determines what is monitored, the tools to gather and evaluate information, and the corrective action. • Four categories of control tools: • Information – flow of information in the organization • Financial – guide the expenditure of monetary resources. • Operational – evaluate the efficiency and effectiveness of business process flows. • Behavioral – evaluate the efficiency and effectiveness of human resources. 1/2/2020
Control Process Standard Attained? Yes Continue Process Compare Actual vs Standard No Variance Accepted? Yes Continue Process Actual Performance Performance Standard No Yes Standard Acceptable? Identify cause of variation No Revise Standard Correct Performance 27 1/2/2020
Solving Problems • Step 1: Recognize and Define the Problem • How do I know that I have a problem ? • What is the real cause of the problem ? • Step 2: Gather Facts and Make Assumptions • Interview, collect data, review documentation • Step 3: Develop Possible Solutions • Brian storm, interview experts, review research • Step 4: Analyze and Compare Possible Solution • Financial impact, cost-benefit analysis, operation impact • Unintended consequences ?? • Step 5: Select, Implement, and Evaluate a Solution • Monitor the solution – intended impact? 28 1/2/2020
Six Principles of Information Security • Planning - Draw upon larger business / IT plans to develop InfoSec plans that support business goals and objectives. • Policy – Organizational document(s) specifying acceptable and unacceptable use, actions constituting abuse, and punishments for violators [Panko03] . • Programs – Ongoing operational activities to support goals of information security: Education, Training, Drills, and onsite physical access.
Six Principles continued… • Protection – Ongoing risk management identifies information assets, enumerates threats, and performs risk reduction or transference. • People – Training people within an organization is critical for maintaining proper information security; some of the simplest attacks are social-engineering attacks. • Project Management – Continuously monitoring and measuring progress towards InfoSec goals/objectives and making corrective action when needed.
Bibliography 32 • Anonymous, “The Way We Were,” Management Today, London: June 1998, pp 111-112. • Anonymous, “TGM-A Cornerstone of Quality”, Quality Progress. Milwaukee: November 2006, Vol. 39, Iss. 11; pp 32-33. • William A. Cohen, A Class with Drucker, New York: AMACOM, 2008 • W.E. Deming, Out of the Crisis, MIT Press, 1982 • Richard J. Hackman and Ruth Wageman, “Total Quality Management: Empirical, Conceptual, and Practical Issues,” Administrative Science Quarterly, Ithaca: June 1995, Vol. 40, Iss 2; pp 309-342. • Raymond R. Panko, Corporate Computer and Network Security. New Jersey: Prentice Hall, 2003. pp. 324-330. • Michael E. Whitman and Herbert J. Mattord, Management of Information Security, Thompson Course Technology, 2008. pp 1-20. • “Survey: The X and Y Factors,” The Economist, London: January 21, 2006. Vol. 378, Iss. 8461, pg 19. 1/2/2020