Chao-Hsien Chu, Ph.D. - PowerPoint PPT Presentation

Security Organization Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 – PowerPoint PPT presentation



1
Security Organization
Chao-Hsien Chu, Ph.D., College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802, chu_at_ist.psu.edu
Learning by Doing
Theory → Practice
IST 515
2
Objectives
  • This module will familiarize you with the
    following:
    - Security planning.
    - Responsibilities of the chief information
      security officer (CISO).
    - Security organizational structure - reporting
      models.
    - What is the most effective security structure
      within an organization?
    - Security organization best practices.
    - Personnel security.
    - Security awareness, training and education.

3
Readings
  • Tipton, H. and Henry, K. (Eds.), Official (ISC)2
    Guide to the CISSP CBK, Auerbach, 2007. Domain 1
    (Required).
  • Benson, C., Security Planning. (Required)
    http://technet.microsoft.com/en-us/library/cc723503.aspx
  • Johnson, M. E. and Goetz, E., Embedding
    Information Security into the Organization, IEEE
    Security & Privacy, May/June 2007, pp. 16-24.
  • ISO, Organization of Information Security,
    http://www.iso27001security.com/ISO27k_Organization_of_information_security.rtf
  • PricewaterhouseCoopers, The Global State of
    Information Security Survey, 2005.

4
Security domains, arranged from organizational (top) to operational (bottom):
  • Security Policy
  • Organizational Design
  • Security Management
  • Asset Classification and Control
  • Access Control
  • Compliance
  • Personnel Security, Awareness and Education
  • Physical and Environmental Security
  • System Development and Maintenance
  • Communications and Operations Management
  • Business Continuity Management
5
Security Management Practice
  • Security Governance.
  • Security Policies, Procedures, Standards,
    Guidelines, and Baselines.
  • Security Planning.
  • Security Organization.
  • Personnel Security.
  • Security Audit and Control.
  • Security Awareness, Training and Education.
  • Risk Assessment and Management.
  • Professional Ethics.

6
Principles of Organizational Design
  • Strategic Alignment.
  • Organization structure - Functional vs. Matrix.
  • Span of control / hierarchy.
  • Reporting relationship (governance).
  • Job descriptions.
  • Staffing and skill requirements (training).
  • Grading (reward structure).
  • Clarity about the boundaries with other
    organizational groups.

Alsbridge, "Designing Your Organization for BPO
and Shared Services." http://www.sourcingmag.com/content/c070219a.asp
10
Information Security Planning
  • Planning reduces the likelihood that the
    organization will be reactive toward its
    security needs.
  • Security planning involves developing security
    policies and implementing controls to prevent
    computer risks from becoming reality.
  • The risk assessment provides a baseline for
    implementing security plans to protect assets
    against various threats.

11
Hierarchy of Security Planning
  • Strategic Planning (3-5 years). Strategic plans
    are aligned with the strategic business and IT
    goals. They provide the vision for projects to
    achieve the business objectives. The plans should
    be reviewed annually or whenever major changes to
    the business occur.
  • Tactical Planning (6-18 months). Tactical plans
    provide the broad initiatives to support and
    achieve the goals specified in the strategic
    plans.
  • Operational and Project Planning. Specific plans
    with milestones, dates and accountabilities
    provide the communication and direction to ensure
    that the individual projects are completed.

12
Type of Security Planning
  • Proactive Planning:
    - Develop security policies and controls.
    - Implement tools and techniques to aid in
      security: secure access, secure data, and
      secure code; techniques for network security
      (firewalls, VPN); detection tools.
    - Implement technologies to keep the system
      running in the event of a failure.
  • Reactive Planning:
    - Develop a contingency plan.

13
Examples of Security Plan
  • The Department of Housing and Urban Development,
    SYSTEM SECURITY PLAN (SSP) TEMPLATE.
    http://www.nls.gov/offices/cio/sdm/devlife/tempchecks/mastemplate.doc
  • California State University, Chico.
    http://www.csuchico.edu/ires/security/documents/Information%20Security%20Plan%2005%2009%20v5_1.pdf
  • Sample Security Plan: Adventure Works.

14
Benson, C., Security Planning. (Required)
http://technet.microsoft.com/en-us/library/cc723503.aspx
15
Johnson, M. E. and Goetz, E., Embedding
Information Security into the Organization, IEEE
Security & Privacy, May/June 2007, pp. 16-24.
16
Security Related People
Security is the responsibility of everyone within
the organization. Related people include:
  • Executive management.
  • Chief information security officer (CISO).
  • Information systems security professional.
  • Data /information / business owner.
  • Information systems auditor.
  • Information systems / IT professional.
  • Systems / network / security administrator.
  • Help desk administrator.
  • Administrative assistant / secretaries.
  • End users.

17
CISO Responsibilities
  • Communicate risks to executive management.
  • Budget for information security activities.
  • Ensure development of policies, procedures,
    baselines, standards, and guidelines.
  • Develop and provide security awareness program.
  • Understand business objectives.
  • Maintain awareness of emerging threats and
    vulnerabilities.
  • Evaluate security incidents and response.
  • Develop security compliance program.
  • Establish security metrics.
  • Participate in management meetings.
  • Ensure compliance with governmental regulations.
  • Assist internal and external auditors.
  • Stay abreast of emerging technologies.

18
CISO Reporting Models
  • Reporting to the CEO.
  • Reporting to the information technology (IT)
    department.
  • Reporting to corporate security.
  • Reporting to the administrative services department.
  • Reporting to the insurance and risk management
    department.
  • Reporting to the internal audit department.
  • Reporting to the legal department.

What are the pros and cons of each reporting
model?
19
To Whom Does the CISO Report?
(Chart: PwC Global State of Information Security
Survey, 2005)
20
Organization of Information security
(http://www.iso27001security.com/)
21
Information Security Organization
(Org chart, labels only.) Executive layer: CEO; CFO, CTO, COO, Legal/Chief, CIO, CPO, Corp Sec.
Director Information Security, with the functions: Policy compliance; Division SPOCs; Technology security operations; Risk management.
(Johnson and Goetz, 2007)
22
What are They?
  • CEO: Chief Executive Officer.
  • CFO: Chief Financial Officer.
  • CTO: Chief Technology Officer.
  • CIO: Chief Information Officer.
  • COO: Chief Operating Officer.
  • CISO: Chief Information Security Officer.
  • CSO: Chief Security Officer.
  • CPO: Chief Privacy Officer.

23
Information Security Organization
(Org chart, labels only.) Board; IA; CEO; Real Estate & Workplace Service; Security Office; Business IT; IT Infrastructure; Health & Safety.
CISO, with the functions: Global security, Workplace security, Supply chain security; Business information security manager; Strategy, architecture and consulting; Host & network security; Program / process manager; Incident management; Compliance management.
(Johnson and Goetz, 2007)
24
Information Security Organization
(Org chart, labels only.) Director of Security; Security Advisory Group; Administration Assistant.
Functions: Critical Infrastructure Protection Service; Continuity; Standards, Policies and Procedures; Security Infrastructure Technical Support; Information Security Training & Awareness; Incident Management; Risk Management.
25
Security Organization Best Practice
  • Job rotation. Job rotation reduces the risk of
    collusion between individuals.
  • Separation of duties. One individual should not
    have the capability to execute all of the steps
    of a particular process.
  • Least privilege (need to know). Grant users
    only the accesses that are required to perform
    their job functions.
  • Mandatory vacations. Require mandatory
    vacations of a specified consecutive-day period.
  • Job position sensitivity. The access and duties
    of an individual in a particular department
    should be assessed to determine the sensitivity of
    the position.

26
Separation of Duties
The same individual should not typically perform
the following functions:
  • Systems administration
  • Network management
  • Data entry
  • Computer operations
  • Security administration
  • Systems development and maintenance
  • Security auditing
  • Information systems management
  • Change management
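
Separation of duties is usually granted through roles, so a conflict can hide across two roles that each look harmless on their own. The following Python script is an added example, not part of the slides: it uses a hypothetical role catalogue and constructed sample assignments, expands each person's roles to the functions listed above, and reports any person who ends up holding two functions the slide says should be separated.

```python
from itertools import combinations

# Functions the slide says the same individual should not perform together.
SEPARATED_FUNCTIONS = {
    "systems administration", "network management", "data entry",
    "computer operations", "security administration",
    "systems development and maintenance", "security auditing",
    "information systems management", "change management",
}

# Constructed role catalogue (hypothetical, not from the slides): role -> functions.
ROLE_FUNCTIONS = {
    "linux-admin": {"systems administration"},
    "release-manager": {"change management"},
    "developer": {"systems development and maintenance"},
    "soc-analyst": {"security administration"},
    "internal-auditor": {"security auditing"},
    "helpdesk": set(),  # grants no separated function
}

def functions_of(person_roles):
    """Expand a person's roles into the separated functions they cover."""
    funcs = set()
    for role in person_roles:
        funcs |= ROLE_FUNCTIONS.get(role, set()) & SEPARATED_FUNCTIONS
    return funcs

def sod_conflicts(assignments):
    """Return {person: [(func_a, func_b), ...]} for every person holding two
    or more separated functions; people with no conflict are omitted."""
    report = {}
    for person, roles in assignments.items():
        funcs = sorted(functions_of(roles))
        pairs = list(combinations(funcs, 2))  # every conflicting pair
        if pairs:
            report[person] = pairs
    return report

# Constructed sample assignments (hypothetical): person -> roles held.
SAMPLE_ASSIGNMENTS = {
    "alice": ["developer", "release-manager"],    # development + change mgmt
    "bob": ["linux-admin", "helpdesk"],           # one separated function: fine
    "carol": ["soc-analyst", "internal-auditor"], # administration + auditing
}

if __name__ == "__main__":
    for person, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"SoD conflict: {person} holds both '{a}' and '{b}'")
```

The same expansion works against a real role catalogue exported from an identity system, which is where the transitive conflicts normally surface.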

27
Personnel Security Hiring Practices
Managing the people aspect of security, from
pre-employment to post-employment, is critical to
ensuring that trustworthy, competent resources are
employed to further the business objectives that
will protect company information.
  • Developing job descriptions.
  • Developing confidentiality agreements.
  • Contacting references / reference checks.
  • Screening / investigating background.
  • Ongoing supervision and periodic performance
    reviews.
  • Determining policies on vendor, contractor,
    consultant and temporary staff access.
  • Employee terminations need different levels of
    care.

28
Background Checks
  • Background checks can uncover the following
    problems:
    - Gaps in employment.
    - Misrepresentation of job titles.
    - Job duties.
    - Salary.
    - Reasons for leaving a job.
    - Validity and status of professional
      certification.
    - Education verification and degrees obtained.
    - Credit history.
    - Driving records.
    - Criminal history.
    - Personal references.
    - Social security number verification.

29
Special Types of Background Checks
  • Individuals involved in technology.
  • Individuals with access to confidential or
    sensitive information.
  • Employees with access to company proprietary or
    competitive data.
  • Positions working with accounts payable,
    receivables, or payroll.
  • Positions dealing directly with the public.
  • Employees working for healthcare industry-based
    organizations or organizations dealing with
    financial information.
  • Positions involving driving a motor vehicle.
  • Employees who will come in contact with children.

30
Elements of Professional Development
(Figure; NIST, SP 800-100)
31
The IT Security Learning Continuum
(Figure: roles and activities Manage, Acquire, Design, Develop, Implement, Operate, Review, Evaluate, Use; layers Security Basics and Literacy, and Security Awareness.)
(NIST, SP 800-100)
32
Security Awareness
  • Provide an understanding of the importance of
    security within an organization.
  • Inform employees about their roles, and the
    expectations surrounding their roles, in the
    observance of information security requirements.
  • Provide guidance on the performance of
    particular security or risk management functions,
    as well as information about the security or
    risk management functions in general.
  • Educate users in the fulfillment of the
    organization's security program objectives, which
    may also include audit objectives for
    organizations that are bound by regulatory
    compliance (e.g., HIPAA, the Sarbanes-Oxley Act).

33
Topics for Security Awareness
  • Corporate security policies.
  • The organization's security program.
  • Regulatory compliance requirements.
  • Social engineering.
  • Business continuity.
  • Disaster recovery.
  • Emergency management.
  • Security incident response.
  • Data classification.
  • Information labeling and handling.
  • Personnel security, safety and soundness.
  • Physical security.
  • Appropriate computing resource use.
  • Proper care and handling of security credentials.
  • Risk assessment.
  • Accidents, errors or omissions.

34
Awareness Activities and Methods
  • Formalized courses, face-to-face or online.
  • Use of posters to call attention to aspects of
    security.
  • Conduct business unit walk-throughs.
  • Use the intranet to post security reminders or
    host a security column.
  • Appointment of security awareness mentors.
  • Sponsor a security awareness day.
  • Sponsor an event with an external partner.
  • Provide trinkets for users that support security
    principles.
  • Provide security management videos, books, web
    sites, and collateral for reference.

35
Selected Professional Education
  • Certified Information Systems Security
    Professional (CISSP), (ISC)2. http://www.isc2.org/
  • Systems Security Certified Practitioner (SSCP),
    (ISC)2. http://www.isc2.org/
  • Certified Information Systems Auditor (CISA),
    ISACA. http://www.isaca.org/
  • Certified Information Security Manager (CISM),
    ISACA. http://www.isaca.org/
  • Global Information Assurance Certification
    (GIAC), SANS Institute. http://www.giac.org/

36
Potential Practical Projects
  • Develop an information security plan.
  • Review and propose a security organization
    redesign.
  • Develop a security hiring plan:
    - Write a job description for a security
      position.
    - Write an advertisement for a security job.
  • Develop a security background check program.
  • Develop a security awareness plan / program.
  • Develop a security training plan / program.