Slides: 15
Lecture 30 Information Security (Cont’d)

Overview
• Organizational Structures
• Roles and Responsibilities
• Information Classification
• Risk Management

Organizational Structure
• Organization of and official responsibilities for security vary
  – BoD, CEO, BoD Committee
  – Director, Manager
• IT/IS Security
• Audit

Typical Org Chart
• Board of Directors/Trustees
• President
• CIO
• Security Director
• Project Security Architect
• Enterprise Security Architect
• Security Analyst
• System Auditor

Security-Oriented Org Chart
• Board of Directors/Trustees
• President
• CIO
• IT Audit Manager
• System Auditor
• Security Director
• Enterprise Security Architect
• Security Analyst
• Project Security Architect

Further Separation
• Board of Directors/Trustees
• Audit Committee
• President
• Internal Audit
• IT Audit Manager
• System Auditor
• CIO
• Security Director
• Enterprise Security Architect
• Security Analyst
• Project Security Architect

Organizational Structure
• Audit should be separate from implementation and operations
  – Independence is not compromised
• Responsibilities for security should be defined in job descriptions
• Senior management has ultimate responsibility for security
• Security officers/managers have functional responsibility

Roles and Responsibilities
• Best Practices:
  – Least Privilege
  – Mandatory Vacations
  – Job Rotation
  – Separation of Duties

Roles and Responsibilities
• Owners
  – Determine security requirements
• Custodians
  – Manage security based on requirements
• Users
  – Access as allowed by security requirements

Information Classification
• Not all information has the same value
• Need to evaluate value based on CIA
• Value determines protection level
• Protection levels determine procedures
• Labeling informs users on handling

Information Classification
• Government classifications:
  – Top Secret
  – Confidential
  – Sensitive but Unclassified
  – Unclassified

Information Classification
• Private Sector classifications:
  – Confidential
  – Private
  – Sensitive
  – Public

Information Classification
• Criteria:
  – Value
  – Age
  – Useful Life
  – Personal Association

Risk Management
• Risk Management is identifying, evaluating, and mitigating risk to an organization
  – It’s a cyclical, continuous process
  – Need to know what you have
  – Need to know what threats are likely
  – Need to know how and how well it is protected
  – Need to know where the gaps are

Identification
• Assets
• Threats
  – Threat-sources: man-made, natural
• Vulnerabilities
  – Weakness
• Controls
  – Safeguard