Management of Information
Security, 4th Edition
Chapter 5
Developing the Security Program
Objectives
• Explain the organizational approaches to information
security
• List and describe the functional components of an
information security program
• Discuss how to plan and staff an organization’s
information security program based on its size
• Describe the internal and external factors that
influence the activities and organization of an
information security program
Management of Information Security, 4th Edition 2
© Cengage Learning 2014
Objectives (continued)
• List and describe the typical job titles and functions
performed in the information security program
• Discuss the components of a security education,
training, and awareness program and explain how
organizations create and manage these programs
Organizing for Security
• Variables that determine how an organization
chooses to structure its information security
(InfoSec) program are:
– Organizational culture, size, security personnel
budget, and security capital budget
• An organization’s size and available resources
directly affect the size and structure of its InfoSec program
– Large, complex organizations may have entire
divisions dedicated to InfoSec
– Smaller organizations may have a single security
administrator or assign responsibilities to staff
Organizing for Security (continued)
• Personnel budget for InfoSec is also a factor
– The size of the InfoSec budget typically corresponds
to the size of the organization
– Office politics, the economy, and budget forecasts
are some of the factors that cause upper management to
juggle staffing levels
• Another important variable is the portion of capital
and expense budget for physical resources that is
dedicated to InfoSec
– Includes allocation of offices, computer labs, and
testing facilities
Security in Large Organizations
• Organizations that have more than 1000 devices
and require security management
– Are likely to be staffed and funded at a level that
enables them to accomplish most InfoSec functions
• A recommended approach is to separate the
functions into four areas
– Functions performed by non-technology business
units outside IT
• Legal, training
– Functions performed by IT groups outside InfoSec
• Systems and network security administration
Security in Large Organizations
(continued)
• A recommended approach is to separate the
functions into four areas (cont’d)
– Functions performed within the InfoSec department
as a customer service to the organization:
• Risk assessment, systems testing, incident response
– Functions performed within the InfoSec department
as a compliance enforcement obligation
• Policy, compliance/audit, risk management
• It remains the CISO’s responsibility to see that
InfoSec functions are adequately performed within
the organization
Figure 5-1 Example of InfoSec staffing in a large organization
Figure 5-2 Example of InfoSec staffing in a very large organization
Security in Medium-Sized
Organizations
• Medium-sized organizations have between 100
and 1000 machines requiring security management
– May still be large enough to implement the multi-tiered
approach to security
– The central authentication function often gets
handed off to systems administration personnel
• Medium-sized organizations tend to ignore some of
the InfoSec functions
– When they cannot staff a certain function
– In these cases, the CISO must improve collaboration
among InfoSec and IT departments
Figure 5-3 Example of InfoSec staffing in a medium-sized organization
Security in Small Organizations
• Smaller organizations - fewer than 100 systems
– InfoSec often becomes the responsibility of a single
security administrator
– Not uncommon to have the systems or network
administrator play this role
• Smaller organizations typically have minimal formal
policy, planning, or security measures
– Usually outsource Web presence or e-commerce
• Security administrators may use freeware or open
source software to lower costs of security
• Threats from insiders are less likely
Figure 5-4 Example of InfoSec staffing in a smaller organization
Placing Information Security within an
Organization
• In large organizations:
– The InfoSec department may be located within an IT
division headed by the CISO, who reports to the CIO
• Operating an InfoSec program within an IT division
– May cause InfoSec goals and objectives to
contradict those of the IT division as a whole
• Goals and objectives of the CIO and CISO may
come in conflict
– There is a current movement to separate InfoSec
from the IT division
Placing Information Security within an
Organization (continued)
• The challenge is to design a reporting structure for
the InfoSec program that balances the competing
needs of the communities of interest
• Many of the best practices on InfoSec program
positioning from industry groups can be found on
pages 172-181 of the textbook
– Taken from a chapter of Charles Cresson Wood’s
book Information Security Roles and Responsibilities
Made Easy
Components of the Security Program
• Determining the level at which the InfoSec program
operates depends on the organization’s strategic
plan
– In particular, on the plan’s vision and mission
statements
• The CIO and CISO should use these two
documents to formulate the mission statement for
the InfoSec program
• An informative NIST publication:
– SP 800-12, An Introduction to Computer Security:
The NIST Handbook
Components of the Security Program
(continued)
• The “NIST Handbook” covers the following topics:
– Elements of computer security
– Roles and responsibilities
– Common threats
– Common InfoSec controls
– Risk management
– Security program management
– Contingency planning
Table 5-2 Elements of a security program
Primary element: Components
• Policy: Program policy, issue-specific policy, system-specific policy
• Program management: Central security program, system-level program
• Risk management: Risk assessment, risk mitigation, uncertainty analysis
• Life cycle planning: Security plan, initiation phase, development/acquisition phase, implementation phase, operation/maintenance phase
• Personnel/user issues: Staffing, user administration
• Preparing for contingencies and disasters: Business plan, identify resources, develop scenarios, develop strategies, test
• Computer security incident handling: Incident detection, reaction, recovery, and follow-up
• Awareness and training: SETA plans, awareness projects, and policy and procedure training
• Security considerations in computer support and operations: Help desk integration, defending against social engineering, and improving system administration
• Physical and environmental security: Guards, gates, locks and keys, and alarms
• Identification and authentication: Identification, authentication, passwords, advanced authentication
• Logical access control: Access criteria, access control mechanisms
• Audit trails: System logs, log review processes, and log consolidation and management
• Cryptography: PKI, VPN, key management, and key recovery
Information Security Roles and Titles
Part 1
• InfoSec positions can be classified into three types:
– Those that define
– Those that build
– Those that administer
• A typical organization has a number of individuals
with InfoSec responsibilities
• Most of the job functions fit into one of several
categories:
– The categories will be discussed over the next few
slides
Information Security Roles and Titles
Part 2
• Chief Information Security Officer (CISO)
– Primarily responsible for the assessment,
management, and implementation of the program
that secures the organization’s information
– May also be called chief security officer (CSO)
– The senior executive responsible for security may
also be called:
• Director of security
• Senior security manager
• Or some similar title
Figure 5-10 InfoSec roles
Information Security Roles and Titles
Part 3
• Security Managers - accountable for the day-to-day
operations of the InfoSec program
– Accomplish objectives set by the CISO
– Resolve issues identified by technicians,
administrators, analysts, or staffers
• Security Administrators and Analysts
– Security administrators are a hybrid of a security
technician and a security manager
– Security analysts are a specialized security
administrator
• Analyze and design solutions within a specific domain
Information Security Roles and Titles
Part 4
• Security Technicians - configure firewalls and
IDPSs, implement security software, diagnose and
troubleshoot problems, and coordinate with
systems and network administrators to ensure
security technology is properly implemented
• Security Staffers and Watchstanders
– Security staffer - individuals who perform routine
administrative activities
– Watchstanders - watch intrusion controls, monitor e-mail
accounts, and perform routine security roles
• Often an entry-level position
Information Security Roles and Titles
Part 5
• Security Consultants - typically an independent
expert in some aspect of InfoSec
– Brought in as an outsourced resource
• Security Officers and Investigators
– These roles are often closely related to law
enforcement and/or criminal justice
• Help Desk Personnel
– The help desk enhances the security team’s ability to
identify potential problems
– Must be prepared to identify and diagnose traditional
and technical problems and threats to InfoSec
Implementing Security Education,
Training, and Awareness Programs
• The security education, training, and awareness
(SETA) program is the responsibility of the CISO
– Is designed to reduce the incidence of accidental
security breaches by members of the organization
• SETA programs offer three benefits:
– Can improve employee behavior
– Can inform members of the organization about
where to report violations of policy
– Enable the organization to hold employees
accountable for their actions
Implementing Security Education,
Training, and Awareness Programs
(continued)
• SETA programs enhance general education and
training programs by focusing on InfoSec
• A SETA program consists of three elements:
security education, security training, and security
awareness
• SETA enhances security by:
– Building in-depth knowledge to design, implement, or
operate security programs
– Developing skills and knowledge
– Improving awareness of the need to protect systems
Table 5-3 Framework of security education, training, and awareness
• Attribute
– Awareness: Seeks to teach members of the organization what security is and what the employee should do in some situations.
– Training: Seeks to train members of the organization how they should react and respond when threats are encountered in specified situations.
– Education: Seeks to educate members of the organization as to why the organization has prepared in the way that it has and why the organization reacts in the ways that it does.
• Level
– Awareness: Offers basic information about threats and responses.
– Training: Offers more detailed knowledge about detecting threats and teaches skills needed for effective reaction.
– Education: Offers the background and depth of knowledge to gain insight into how processes are developed and enables ongoing improvement.
• Objective
– Awareness: Members of the organization can recognize threats and formulate simple responses.
– Training: Members of the organization can mount effective responses using learned skills.
– Education: Members of the organization can engage in active defense and use understanding of the organization’s objectives to make continuous improvement.
• Teaching methods
– Awareness: Media videos, newsletters, posters, informal training
– Training: Formal training, workshops, hands-on practice
– Education: Theoretical instruction, discussions/seminars, background reading
• Assessment
– Awareness: True/False or Multiple Choice (identify learning)
– Training: Problem solving (apply learning)
– Education: Essay (interpret learning)
• Impact timeframe
– Awareness: Short-term
– Training: Intermediate
– Education: Long-term
Security Education
• InfoSec training programs must address the
following issues:
– The InfoSec educational components required of all
InfoSec professionals
– The general educational requirements that all IT
professionals must have
• A number of colleges and universities provide
formal coursework in InfoSec
• Students planning careers in InfoSec should review
the number of courses offered as well as the
content of those courses
Developing Information Security
Curricula
• Hybrid IT/InfoSec programs have started emerging
• A report entitled “The Role of Community Colleges
in Cybersecurity Education”
– Serves as a starting point for community colleges
developing curricula in the field
– A similar effort is underway for four-year colleges
• Creating a knowledge map can be difficult
– Many academics are unaware of the numerous
subdisciplines within the field of InfoSec
• Mapping InfoSec positions to the roles they
perform can be complex
Figure 5-11 InfoSec knowledge map
Security Training Part 1
• Security training - providing members of the
organization with detailed information and hands-on
instruction
– To enable them to perform their duties securely
• Training may be custom in-house training
developed by InfoSec management
– Or all or part of the training program may be outsourced
• A resource to help organizations put together SETA
programs:
– The Computer Security Resource Center at NIST
Security Training Part 2
• The Computer Security Act of 1987 requires federal
agencies to provide mandatory periodic training in
computer security awareness and accepted
computer practices
• Two methods for customizing training for users:
– By functional background
• General user, managerial user, and technical user
– By skill level
• Novice, intermediate, and advanced
Security Training Part 3
• Training for Technical Users - more detailed than
that for general or managerial users
• Three methods for developing advanced technical
training:
– By job category
• Technical users versus managers
– By job function
• Accounting versus marketing
– By technology product
• E-mail client, database
Security Training Part 4
• Training for General Users - a method of ensuring
policies are read and understood by general users is
to provide training on those policies
– Allows the organization to collect the required letters
of compliance
– Employee orientation is a good time to conduct it
• Training for Managerial Users - managers typically
expect a more personal form of training
– With smaller groups and more interaction
– Support at executive level can convince managers to
attend training events
Training Techniques
• Delivery Methods - selection of the delivery
method is not always based on the best outcome
for the trainee
– Budget, scheduling, and needs of organization can
come first
• Selecting the Training Staff - An organization can
use:
– A local training program, a continuing education
department, or an external training agency
– Can also organize and conduct in-house training
using its own employees
Table 5-4 Training delivery methods
• One-on-one: A dedicated trainer works with each trainee on the areas specified.
– Advantages: Informal; personal; customized to the needs of the trainee; can be scheduled to fit the needs of the trainee
– Disadvantages: Resource intensive, to the point of being inefficient
• Formal class: A single trainer works with multiple trainees in a formal setting.
– Advantages: Formal training plan, efficient; trainees able to learn from each other; interaction possible with trainer; usually considered cost-effective
– Disadvantages: Relatively inflexible; may not be sufficiently responsive to the needs of all trainees; difficult to schedule, especially if more than one session is needed
• Computer-based training (CBT): Prepackaged software that provides training at the trainee’s workstation.
– Advantages: Flexible, no special scheduling requirements; self-paced, can go as fast or as slow as the trainee needs; can be very cost-effective
– Disadvantages: Software can be very expensive; content may not be customized to the needs of the organization
• Distance learning/Web seminars: Trainees receive a seminar presentation at their computers. Some models allow teleconferencing for voice feedback; others have text questions and feedback.
– Advantages: Can be live or can be archived and viewed at the trainee’s convenience; can be low or no-cost
– Disadvantages: If archived, can be very inflexible, with no mechanism for trainee feedback
• User support group: Support from a community of users is commonly facilitated by a particular vendor as a mechanism to augment the support for products or software.
– Advantages: Allows users to learn from each other; usually conducted in an informal social setting
– Disadvantages: Does not use a formal training model; centered on a specific topic or product
• On-the-job training: Trainees learn the specifics of their jobs while working, using the software, hardware, and procedures they will continue to use.
– Advantages: Very applied to the task at hand; inexpensive
– Disadvantages: A sink-or-swim approach; can result in substandard work performance until the trainee gets up to speed
• Self-study (noncomputerized): Trainees study materials on their own, usually when not actively performing their jobs.
– Advantages: Lowest cost to the organization; places materials in the hands of the trainee; trainees can select the material they need to focus on the most; self-paced
– Disadvantages: Shifts responsibility for training onto the trainee, with little formal support
Training Techniques (continued)
• Implementing Training - Each organization
develops its own strategy, but the following seven-step
methodology can apply:
– Identify program, scope, goals, and objectives
– Identify training staff
– Identify target audiences
– Motivate management and employees
– Administer the program
– Maintain the program
– Evaluate the program
Security Awareness
• A security awareness program serves to instill a
sense of responsibility and purpose in employees
who handle and manage information
• When developing an awareness program:
– Focus on people both as part of the problem and
part of the solution
– Refrain from using technical jargon
– Use every available venue to access all users
– Define at least one key learning objective, state it
clearly, and provide sufficient detail and coverage to
reinforce the learning of it
Security Awareness (continued)
• When developing an awareness program (cont’d):
– Keep things light; refrain from “preaching”
– Do not overload users with too much detail
– Help users understand their roles in InfoSec and
how a breach in security can affect their jobs
– Take advantage of in-house communications media
to deliver messages
– Make the awareness program formal
– Provide good information early, rather than perfect
information late
Advice for Information Security
Awareness Training Programs
• Observations about SETA training practices:
– Information security is about people and only
incidentally related to technology
– If you want others to understand, learn how to speak
a language they can understand
– If they don’t understand, they will not be able to learn
– Make your points so that you can identify them
clearly and so can they
– Keep a sense of humor at all times
– Tell students what you plan to tell them, tell it to
them, and remind them what you told them
Advice for Information Security
Awareness Training Programs
(continued)
• Observations about SETA training practices
(cont’d):
– Unambiguously tell students how the behavior you
request will affect them as well as how failure to
conform to that behavior will affect them
– Continue to train with information about problems
and solutions for those issues that have already
been resolved, to keep them fresh in people’s minds
– Formalize your training methodology until it is a
repeatable process
– Always be timely
Employee Behavior and Awareness
• By teaching employees how to properly handle
information, use applications, and operate within
the organization
– The risk of accidental compromise, damage, or
destruction of information is minimized
• Penalties for policy violations are effective only
when:
– Employees fear the penalty, employees believe they
may be caught, and employees believe that, if
caught, they will be penalized
Employee Accountability
• The legal principle ignorantia legis neminem
excusat (ignorance of the law excuses no one)
applies in a courtroom
• But ignorance DOES excuse employees who are
fighting policy violation penalties in labor disputes,
administrative law hearings, or civil court cases
• Warning employees that misconduct, abuse, and
misuse of information resources will not be
tolerated
– Can help indemnify the institution against lawsuits
Developing Security Awareness
Components Part 1
• Security awareness components include:
– Videos
– Posters and banners
– Lectures and conferences
– Computer-based training
– Newsletters
– Brochures and flyers
– Trinkets (coffee cups, pens, pencils, T-shirts)
– Bulletin boards
Developing Security Awareness
Components Part 2
• Security Newsletter - most cost-effective method
of disseminating security information and news to
employees
– Via hard copy, e-mail, or intranet
• A few things it might include:
– Summaries of key policies
– Summaries of key news articles
– Calendar of security events
– Announcements relevant to InfoSec
– How-to articles
Figure 5-13 SETA awareness components: newsletters
Developing Security Awareness
Components Part 3
• Security Poster - a simple and inexpensive way to
keep security on people’s minds
• Several keys to a good poster:
– Varying the content and keeping posters updated
– Keeping them simple but visually interesting
– Making the message clear
– Providing information on reporting violations
Figure 5-14 SETA awareness components: posters
Developing Security Awareness
Components Part 4
• Information Security Awareness Web Site - Web
pages or sites dedicated to promoting InfoSec
awareness
– When new information is posted, employees can be
informed via e-mail
– May contain the latest and archived newsletters,
press releases, awards, and recognitions
– Recommended to place your Web site on the
intranet
• Can include phone numbers and information not
generally released to the public
Developing Security Awareness
Components Part 5
• Security Awareness Conference/Presentations -
a means of renewing the InfoSec message by
having a guest speaker or a mini-conference
dedicated to the topic
• Drawbacks:
– Speakers seldom speak for free
– Few organizations are willing to suspend work for
such an event
Summary
• The term “InfoSec program” is used to describe the
structure and organization of the effort that contains
risks to the information assets of an organization
• In large organizations, specific InfoSec functions are
likely to be performed by specialized groups
– In smaller organizations, these functions may be carried
out by all members of the department
• InfoSec positions can be classified into one of three
areas: those that define, those that build, and those that
administer
• The SETA program is the responsibility of the CISO
Summary (continued)
• SETA programs improve employee behavior and
enable organizations to hold employees accountable
• Training is most effective when it is designed for a
specific category of users
• There are two methods for customizing training for
users: by functional background and by level of skill
• A security awareness program can deliver its
message via videotapes, newsletters, posters, bulletin
boards, flyers, demonstrations, briefings, short
reminder notices at log-on, or lectures