Information Systems Security Officer CS 996: Information Security Management Pavel Margolin 4/20/05.


Page 1: Information Systems Security Officer CS 996: Information Security Management Pavel Margolin 4/20/05.

Information Systems Security Officer

CS 996: Information Security Management

Pavel Margolin

4/20/05

Page 2

Overview

Who is an ISSO?
Duties and Responsibilities
Planning
Establishing the CIAPP
InfoSec Functions
InfoSec in the Government

Page 3

Who is an ISSO?

ISSO – Information Systems Security Officer
Reports to the Chief Information Officer (CIO), who reports to the CEO.
Leader of the Information Security (InfoSec) organization.

Qualifications
Manage and organize people
Communicate to upper management without much technical detail
Have enough technical expertise to understand systems and make decisions

Page 4

Duties and Responsibilities

Establishing and enforcing the Corporate Information Assets Protection Program (CIAPP)
Managing people
Managing the business of the CIAPP
Managing CIAPP processes
Hiring InfoSec staff
Reporting to upper management

Page 5

Planning

Strategic Plan (ISSSP)
  Compatible with the Strategic Business Plan
  Long-term direction, goals, and objectives

Tactical Plan (ITP)
  Short-range plan
  Supports CIAPP and InfoSec functional goals and objectives

Annual Plan (IAP)
  Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP
  Plan of projects for the year

Page 6

Establishing the CIAPP

Reasons for the CIAPP
Corporate vision, mission, and quality statements
Corporate strategic, tactical, and annual business plans
InfoSec vision, mission, and quality statements
InfoSec strategic, tactical, and annual business plans
Information and systems legal, ethical, and best business practices
Overall information assets protection plans, policies, and procedures
Current CIAPP-related and InfoSec policies
Current CIAPP-related and InfoSec procedures
Other topics as deemed appropriate by the ISSO

Page 7

CIAPP Process (diagram; the labels below are recovered from the slide)

Costs, Profits, Sales, Public Relations, Stockholders’ value

Business Decisions

Laws, Regulations, Business Practices, Ethics

CIAPP
• Risk Assessments
• Vulnerability assessments
• Threat Assessments
• Limited Risk assessments
• Risk analyses
• Best InfoSec Practices

InfoSec Policies

InfoSec Procedures

InfoSec Processes

Page 8

Example CIAPP Requirements and Policy Directive

1. Introduction Section
2. Purpose Section
3. Scope Section
4. Responsibilities
5. Requirements Section
   A. Identifying the value of the information
   B. Access to information systems
   C. Access to specific applications and files
   D. Audit trails and their review
   E. Reporting and response in the event of a violation
   F. Minimum protection requirements for the hardware, firmware and software
   G. Requirements for InfoSec procedures at other departments and lower levels of the corporation
6. Physical Security
   Optional if Physical Security is handled by the Director of Security

Page 9

InfoSec Functions

Processes
Valuing Information
Awareness
Access Control
Evaluation of all hardware, firmware and software
Risk Management
Security Tests and Evaluations program
Noncompliance Inquiries
Contingency and emergency planning and disaster recovery program (CEP-DR)

Page 10

Function Drivers (diagram; the labels below are recovered from the slide)

Requirements-Drivers
• Customers
• Contracts
• InfoSec Custodians
• Users
• Management
• Audits
• Tests & Evaluations
• Other employees
• Laws
• Regulations
• Non-compliance Inquiries
• Investigations
• Trade articles
• Technical Bulletins
• Business Plans
• ISSO’s plans
• Best business practices
• Best InfoSec practices

ISSO’s CIAPP organizational requirements

CIAPP

Responsibilities

Charter

ISSO Organizational Functions
• Identification of InfoSec requirements
• Access control
• Non-compliance Inquiries (NCI)
• Disaster Recovery/Emergency Planning
• Tests and Evaluations
• Intranet Security
• Internet and Web Site Security
• Security Applications Protection
• Security Software Development
• Software Interface InfoSec Evaluations
• Access Control Violations Analysis
• Systems’ Approvals
• CIAPP Awareness and Training
• Contractual Compliance Inspections
• InfoSec Risk Management

Page 11

InfoSec in the Government

National Security Classified Information

Confidential – loss of this information can cause damage to national security

Secret – loss of this information can cause serious damage to national security

Top Secret – loss of this information can cause grave damage to national security

Black/Compartmented – Granted on a need to know (NTK) basis. Ex: Sensitive Compartmented Information (SCI).

Unclassified
  For Official Use Only
  Unclassified but Sensitive Information
  Unclassified
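The slide lists the levels and notes that compartmented information is granted on a need-to-know basis, but does not spell out how a system decides whether a given clearance may read a given object. The following is an added example, not taken from the slides or from Kovacich's book: it models a label as a level plus a compartment set and applies the standard lattice dominance rule (level at least as high, and every compartment of the object held by the reader), which generalizes what the slide states. The compartment names are constructed placeholders.

```python
"""Classification-label dominance check (added example, not from the slides).

Levels are ordered as on the slide: Unclassified < Confidential < Secret
< Top Secret. Compartments (e.g. SCI) model the need-to-know (NTK) axis.
A clearance may read an object only if it dominates the object's label
on both axes. The compartment names used below are constructed samples.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered from least to most sensitive; the index is the comparison key.
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A classification level plus zero or more compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as sensitive as `other`:
        higher-or-equal level AND a superset of its compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, obj: Label) -> bool:
    """Read access requires the subject's clearance to dominate the object."""
    return clearance.dominates(obj)


def explain(clearance: Label, obj: Label) -> str:
    """Human-readable reason suitable for an access-decision audit record."""
    if RANK[clearance.level] < RANK[obj.level]:
        return f"denied: level {clearance.level} below {obj.level}"
    missing = obj.compartments - clearance.compartments
    if missing:
        return "denied: no need-to-know for " + ", ".join(sorted(missing))
    return "granted"


if __name__ == "__main__":
    # Constructed sample subjects and objects (placeholder compartment names).
    analyst = Label("Top Secret", frozenset({"COMPARTMENT-A"}))
    report = Label("Secret", frozenset({"COMPARTMENT-A", "COMPARTMENT-B"}))
    memo = Label("Confidential")
    for name, obj in (("report", report), ("memo", memo)):
        print(f"{analyst.level} reader -> {name}: {explain(analyst, obj)}")
```

A level comparison alone is not enough: a Top Secret clearance without the object's compartment is still denied, which is exactly the need-to-know restriction the slide attaches to compartmented information. The `explain` string is the kind of reason an audit-trail entry (slide 8, item D) should carry so that periodic review can see why access was granted or refused.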

Page 12

InfoSec Requirements in the Government

InfoSec policy – laws, rules, practices that regulate how organizations handle national security data.

Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information

Assurance – guarantees that the InfoSec policy is implemented correctly and the InfoSec elements accurately mediate and enforce the policy

Documentation – records how a system is structured, its functions and how the system was designed

Page 13

InfoSec Objectives in the Government

Protect and defend all information used by an AIS (automated information system)

Prevent unauthorized access, modification, damage, destruction, or DoS

Provide assurances of:
  Compliance with government and contractual obligations and agreements
  Confidentiality of all classified information
  Integrity of information and related processes
  Availability of information
  Use of the information and the AIS by authorized personnel only
  Identification and elimination of fraud, waste, and abuse

Page 14

ISSO at Gov’t Agencies

Maintain a plan for site security improvement
Ensure IS systems are operated, used, maintained, and disposed of properly
Ensure IS systems are certified and accredited
Ensure users and personnel have the required security clearances, authorization, and NTK, and are familiar with internal security practices
Enforce security policies and safeguards on personnel having access to an IS
Ensure audit trails are reviewed periodically
Initiate protective and corrective measures
Report security incidents in accordance with agency-specific policy
Report the security status of the IS
Evaluate known vulnerabilities to determine if additional security is needed

Page 15

Levels of Performance

Entry Level
Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.

Intermediate Level
For a new system architecture, investigate and document system security technology, policies, and training requirements to assure system operation at a specified level of assurance.

Advanced Level
For an accreditation action, analyze and evaluate system security technology, policy, and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process.

Page 16

Duties of Gov’t ISSO

Develop Certification and Accreditation Posture
  Plan for Certification and Accreditation
  Create CIA Policy
  Control Systems Policy
  Culture and Ethics
  Incident Response

Implement Site Security Policy
  Provide CIA
  Ensure Facility is approved
  Manage Operations of Information Systems
  Regulate General Principles (Access Control, Training, Awareness, Legal aspects, CC, etc.)
  Security Management
  Access Controls
  Human Access
  Key Management
  Incident Response

Page 17

Duties (continued)

Enforce and verify system security policy
  CIA and Accountability
  Security Management
  Access Controls
  Automated Security Tools
  Handling Media
  Incident Response

Report on site security status
  Security Continuity Reporting
  Report Security Incidents
  Law
  Report Security Status of IS as required by upper management
  Report to Inspector General (IG)

Page 18

Duties (continued)

Support Certification and Accreditation
  Certification Functions
  Accreditation Functions
Respond to upper management requests

Page 19

References

Kovacich, Dr. Gerald L., “The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program”

“Information Assurance Training Standard for Information Systems Security Officers” http://www.cnss.gov/instructions.html