Lecture 30: Information Security (Cont’d)
Overview
• Organizational Structures
• Roles and Responsibilities
• Information Classification
• Risk Management
Organizational Structure
• Organization of and official responsibilities for security vary
– BoD, CEO, BoD Committee
– Director, Manager
• IT/IS Security
• Audit
Typical Org Chart
(Org chart; boxes listed top to bottom, reporting lines not preserved in the transcript)
Board of Directors/Trustees
President
CIO
Security Director
Project Security Architect
Enterprise Security Architect
Security Analyst
System Auditor
Security-Oriented Org Chart
(Org chart; boxes listed top to bottom, reporting lines not preserved in the transcript. Adds a separate IT Audit Manager so the System Auditor no longer sits inside the security function)
Board of Directors/Trustees
President
CIO
Security Director
Project Security Architect
Enterprise Security Architect
Security Analyst
IT Audit Manager
System Auditor
Further Separation
(Org chart; boxes listed top to bottom, reporting lines not preserved in the transcript. Adds an Audit Committee of the Board and an Internal Audit function outside the CIO line)
Audit Committee
Board of Directors/Trustees
President
CIO
Security Director
Project Security Architect
Enterprise Security Architect
Security Analyst
Internal Audit
IT Audit Manager
System Auditor
Organizational Structure
• Audit should be separate from implementation and operations
– So that the auditors’ independence is not compromised
• Responsibilities for security should be defined in job descriptions
• Senior management has ultimate responsibility for security
• Security officers/managers have functional responsibility
Roles and Responsibilities
• Best Practices:
– Least Privilege
– Mandatory Vacations
– Job Rotation
– Separation of Duties
Roles and Responsibilities
• Owners
– Determine security requirements
• Custodians
– Manage security based on the owners’ requirements
• Users
– Access information as allowed by the security requirements
Information Classification
• Not all information has the same value
• Need to evaluate value based on CIA (confidentiality, integrity, availability)
• Value determines protection level
• Protection levels determine handling procedures
• Labeling informs users on handling
Information Classification
• Government classifications:
– Top Secret
– Secret
– Confidential
– Sensitive but Unclassified
– Unclassified
Information Classification
• Private Sector classifications:
– Confidential
– Private
– Sensitive
– Public
Information Classification
• Criteria:
– Value
– Age
– Useful Life
– Personal Association
Risk Management
• Risk Management is identifying, evaluating, and mitigating risk to an organization
– It’s a cyclical, continuous process
– Need to know what you have
– Need to know what threats are likely
– Need to know how and how well it is protected
– Need to know where the gaps are
Identification
• Assets
• Threats
– Threat-sources: man-made, natural
• Vulnerabilities
– Weakness
• Controls
– Safeguard
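As an added example, not from the lecture, the following Python shows one pass of the identification step above tied to the classification slides: the owner’s classification sets a required protection baseline, the custodian’s applied controls are compared against it, and likely threats are matched against the vulnerabilities no control mitigates, which yields the gaps the cycle is meant to find. The classification levels are the lecture’s private-sector levels; the baseline control sets, the control-to-vulnerability mapping, and the asset and threat inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Private-sector classification levels from the lecture, lowest to highest."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Assumed protection baseline: the safeguards each level requires.
# Control names are illustrative; the lecture does not define them.
BASELINE = {
    Level.PUBLIC: frozenset(),
    Level.SENSITIVE: frozenset({"access-control"}),
    Level.PRIVATE: frozenset({"access-control", "encryption-at-rest"}),
    Level.CONFIDENTIAL: frozenset(
        {"access-control", "encryption-at-rest", "audit-logging", "offsite-backup"}
    ),
}

# Assumed: which weakness (vulnerability) each safeguard (control) removes.
MITIGATES = {
    "access-control": {"unrestricted-share"},
    "encryption-at-rest": {"unencrypted-disk"},
    "audit-logging": {"no-access-trail"},
    "offsite-backup": {"single-copy"},
}


@dataclass
class Asset:
    name: str
    owner: str            # sets the security requirements (classification)
    custodian: str        # implements the controls
    level: Level
    vulnerabilities: set  # weaknesses found during identification
    controls: set         # safeguards actually in place


@dataclass
class Threat:
    source: str    # "man-made" or "natural", as on the Identification slide
    name: str
    exploits: set  # vulnerabilities this threat-source can take advantage of
    likely: bool   # "need to know what threats are likely"


def baseline_gaps(asset: Asset) -> list:
    """Safeguards the classification requires but the custodian has not applied."""
    return sorted(BASELINE[asset.level] - asset.controls)


def open_vulnerabilities(asset: Asset) -> set:
    """Weaknesses not removed by any control the asset actually has."""
    mitigated = set().union(*(MITIGATES.get(c, set()) for c in asset.controls))
    return asset.vulnerabilities - mitigated


def exposure(asset: Asset, threats: list) -> list:
    """Likely threats that can exploit an open vulnerability of this asset."""
    open_vulns = open_vulnerabilities(asset)
    return sorted(t.name for t in threats if t.likely and t.exploits & open_vulns)


def risk_register(assets: list, threats: list) -> dict:
    """One pass of the cycle: where the gaps are, per asset."""
    return {
        a.name: {"baseline_gaps": baseline_gaps(a), "exposed_to": exposure(a, threats)}
        for a in assets
    }


# Constructed sample inventory (not from the lecture).
ASSETS = [
    Asset("payroll-db", "HR director", "DBA team", Level.CONFIDENTIAL,
          {"unencrypted-disk", "no-access-trail"}, {"access-control", "encryption-at-rest"}),
    Asset("customer-list", "Sales VP", "File-server admins", Level.PRIVATE,
          {"unrestricted-share", "unencrypted-disk"}, {"access-control"}),
    Asset("marketing-site", "Marketing director", "Web team", Level.PUBLIC,
          {"single-copy"}, set()),
]
THREATS = [
    Threat("man-made", "disgruntled insider", {"no-access-trail", "unrestricted-share"}, True),
    Threat("man-made", "laptop theft", {"unencrypted-disk"}, True),
    Threat("natural", "flood", {"single-copy"}, True),
    Threat("natural", "earthquake", {"single-copy"}, False),
]

if __name__ == "__main__":
    for name, findings in risk_register(ASSETS, THREATS).items():
        print(name, findings)
```

Two kinds of gap come out of one pass: `baseline_gaps` is the owner-versus-custodian check (the level demands a control nobody applied), and `exposed_to` is the threat-versus-vulnerability check (a weakness that a likely threat can use and no present control covers). The public marketing site has no baseline gap but is still exposed to flood because availability counts under CIA, which is why classification alone is not the whole risk picture.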