Security Management - PowerPoint PPT Presentation

Slides: 15
Provided by: dalh6

Transcript and Presenter's Notes


1
Security Management
  • Session 2
  • Organization and Infrastructure

2
Organizational Considerations
  • Security Supports Mission
  • Many Stakeholders involved in Mission
      • Program Manager
      • User community
      • Approver
      • Certifier
      • Development team
  • Security must be part of project organization
    (dedicated or matrixed)
  • Security Role detailed in Security Plan

3
Security Plan
  • Like any Plan, the Security Plan will define how
    the organization will do security business in the
    system life cycle
  • Plan defines (among other things) the
    organization to support the mission project
  • The organization plan defines
      • The members of the organization
      • The structure (reporting chain)
      • The responsibilities

4
Security Organization (Cont.)
  • Reporting Chain
      • Security should not report to Program Manager or
        Development Team management
      • Likely reporting chain should be to CIO or
        equivalent point
      • Must carefully guard against conflict of interest
        (really responsible to executive management)
      • Development community's interest in achieving
        budget and schedule

5
Candidate Organizational Structure

6
Security Organization
  • Total organization should involve two levels
      • The executive committee for security
      • The Security team
  • These two levels really have different
    perspectives
  • The Executive Committee
      • Constitutes the representative of the
        organizational or corporate level management
      • Has the business objectives and goals in mind
      • Thus, this committee consists of positions such
        as

7
Security Organization (cont.)
  • Executive committee (cont.)
  • Typical Membership
      • CFO
      • CIO
      • COO
      • Security Officer
  • I.e., the corporate decision makers
  • The people that understand corporate goals and
    objectives

8
Additional Organizational Chart

9
Security Organization (cont.)
  • Executive Committee Responsible for
      • Defining the organizational business model
      • Which resources are critical to the organization
      • How those resources need to be protected
      • By whom and how those resources need to be shared
      • What functionality is important in the business
        strategy

10
Security Organization (cont.)
  • Typical Responsibilities of the Executive
    Security Committee Members
      • Aligning IT strategy with Business Strategy - CIO
      • IT Architecture, Infrastructure, Operations, Investments
        - CIO
      • Partnerships and Relationships - CIO
      • Training and Security Awareness - CIO

11
Security Organization (cont.)
  • Typical Responsibilities (cont.)
      • Accuracy and Reliability of Accounting functions
        - CFO
      • Internal Controls on Financial relevant resources
        and processes - CFO
      • Risk assessment related to the enterprise - CFO

12
Security Organization (cont.)
  • Typical Responsibilities (cont.)
      • Liaison between the Executive Committee and the
        Security Team - SSO
      • Lead the Security Team - SSO

13
Security Officer Role in the Organization
Executive Mgmt
Security Officer
Project 1 Security Team
Project 2 Security Team
Project 3 Security Team
Project 4 Security Team
ETC.

14
DoD Candidate structure