CHAPTER 5: DEVELOPING THE SECURITY PROGRAM - Coggle Diagram
ORGANIZING FOR SECURITY
DEFINITION:
Used to describe the structure and organization of the effort to manage risks to an organization’s information assets
Functions needed to implement InfoSec Program
Compliance
Centralized authentication
Systems security administration
Training
Network security administration
Vulnerability assessment
Risk assessment
Risk management
Systems testing
Policy
Legal assessment
Incident response
Planning
Measurement
PLACING INFORMATION SECURITY WITHIN AN ORGANIZATION
Reporting structure for the InfoSec program that balances the competing needs of each of the communities of interest
Wood's Option 1: InfoSec reporting to IT department
Wood's Option 2: InfoSec reporting to broadly defined security
Wood's Option 3: InfoSec reporting to administrative services department
Wood's Option 4: InfoSec reporting to insurance and risk management department
Wood's Option 5: InfoSec reporting to strategy and planning
Option 6: Legal Department
Option 7: Internal Audit Department
Option 8: Help Desk
Option 9: Accounting and Finance Department via IT
Option 10: Human Resources Department
Option 11: Facilities Management Department
Option 12: Operations Approach
STAFFING THE SECURITY FUNCTION
Selecting an effective mix of InfoSec personnel for an organization requires that you consider a number of criteria, including the supply and demand of various skills and experience levels
Defining the Qualifications and Requirements
In most cases, organizations look for a technically qualified InfoSec generalist with a solid understanding of how organizations operate
Information Security Positions: those that define, those that build, and those that administer
INFORMATION SECURITY PROFESSIONAL CREDENTIALS
Recognizable professional certifications to ascertain the level of knowledge and experience possessed by any given candidate
IMPLEMENTING SECURITY EDUCATION, TRAINING, AND AWARENESS (SETA) PROGRAMS
The SETA program is designed to reduce accidental security breaches by members of the organization
SETA programs offer three major benefits:
They enable the organization to hold employees accountable for their actions
They can inform members of the organization about where to report violations of policy
They can improve employee behavior
The purpose of SETA is to enhance security:
By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
By improving awareness of the need to protect system resources
PROJECT MANAGEMENT IN INFOSEC
Organizations that make project management skills a priority benefit in the following ways:
Implementing a methodology ensures that no steps are missed
Creating a detailed blueprint of project activities provides a common reference tool and makes all project team members more productive by shortening the learning curve when getting projects underway
Identifying specific responsibilities for all the involved personnel reduces ambiguity and confusion
Clearly defining project constraints and minimum quality requirements increases the likelihood that the project will stay within them
Establishing performance measures and creating project milestones simplifies project monitoring
Identifying deviations in quality, time, or budget early on enables early correction of the problems