Foundations of Organizational Information Assurance Fall 2007 Dr. Barbara Endicott-Popovsky IMT551
Page 1

Foundations of Organizational Information Assurance

Fall 2007

Dr. Barbara Endicott-Popovsky, IMT551

Page 2

Implementing IA and Cybersecurity

Secure System

Page 4

Policies

• Policies drive security solutions

• Range from standards to guidelines; general to procedural

• Controls derive from policies

• Consequences tied to policies

Page 5

Role for Procedures: When We Trust Controls... Assumes:

• Design implements policies

• Sum total of controls implement all policies

• Implementation is correct

• Installation/administration are correct

Page 6

CISO Procedure Dashboard

• Employee termination checklist

• Employee provisioning checklist

• Data backup

• Emergency contacts

• Change management procedure

• Instant messaging procedures

• PCI data security standard

• PCI self-assessment checklist

• Credit card handling procedure

• Data breach response procedure

• Procedure for request/access to personnel files

• Procedure for outside request for information

• Data classification procedure

• Media disposal procedure

• Privacy procedure

Page 7

CISO Procedure Dashboard (cont’d.)

• Cyber incident response procedure

• Procedure on disposal of media/memory

• PKI management

• Appropriate use procedure

• Top 10 list

• Security manual

• Metrics

• ISO17799, ISO27001

• VPN procedure

• Outsourcing security requirements/contract terms

• Contractor security requirements /contract terms

Page 8

IMPLEMENTING IA AND CYBERSECURITY ISO17799 EVALUATION (Rev 1, 11 Sep 07)

Evaluation columns: ISO 17799 Section | Policy | Procedures & Practices | Mechanisms | Security Awareness Training | IA Audit Feedback

3.1 Information Security Policy

Objective: To provide management direction and support for information security. Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Information Security Policy

4.1 Information Security Infrastructure

Objective: To manage information security within the organization. A management framework should be established to initiate and control the implementation of information security within the organization. Suitable management forums with management leadership should be established to approve the information security policy, assign security roles

A management authorization process for new information processing facilities should be established.

A management forum to ensure that there is clear direction and visible management support for security initiatives should therefore be considered. Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators should be maintained to ensure that appropriate action can be quickly taken, and advice obtained, in the event of a security incident.

The information security policy document sets out the policy and responsibilities for information security. Its implementation should be reviewed independently to provide assurance that organizational practices properly reflect the policy, and that it is feasible and effective. Such a review may be carried out by the internal audit function, an independent manager or a third party organization specializing in such reviews, where these

Page 10

[Chart: Labor Force Composition. X axis: YEAR (1900, 1910, 1920, 1930, 1940, 1950, 1960, 1970, 1980, 1997). Y axis: percentage of labor force (0% to 70%). Series: % SERVICE, % WHITE COLLAR, % BLUE COLLAR, % FARMING.]

Source: K. Lauden & Lauden

Page 11

Attribute | Agricultural Age | Industrial Age | Information Age

Wealth | Land | Capital | Knowledge

Advancement | Conquest | Invention | Paradigm Shifts

Time | Sun/Seasons | Factory Whistle | Time Zones

Workplace | Farm | Capital equipment | Networks

Organization Structure | Family | Corporation | Collaborations

Tools | Plow | Machines | Computers

Problem-solving | Self | Delegation | Integration

Knowledge | Generalized | Specialized | Interdisciplinary

Learning | Self-taught | Classroom | Online

Page 12

[Diagram: Technology at the heart... IMPACTS on: Individual, Community, State, Economics, Politics & Law, Culture, Education.]

Page 13

Questions?