Solved

security management structures

Posted on 2013-12-02
1
291 Views
Last Modified: 2013-12-17
At an organisational / structural level who typically owns security in your organisation, and how are security related responsibilities delegated down to lower levels of staff in your organisations? I am doing some research into the risks of lack of ownership and management structures for security (and other disciplines of IT) - so if you have any view on this, i.e. risks in poorly defined security ownership/delegation from the top down, I would be very interested in hearing these.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 500 total points
ID: 39690446
Information Security Governance and Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.

Management tools such as information classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.

Managing risk involves the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

Evolution of Information Security
Information system security has evolved from the mainframe environment through the growth of distributed environments.

Even with the development of Internet-based networking, the key concept is that information security has incorporated industrial or physical security into its sphere of responsibility.

The main objective of information security is to preserve the availability, integrity, and confidentiality of information and knowledge of an organization.

The A-I-C triad is the cornerstone of information system security.

Availability is the ability to provide reliable and timely access to data and resources to authorized individuals. The objective is to prevent disruption of service and productivity.

Integrity involves assuring the accuracy and reliability of information and systems and preventing unauthorized modifications.

Confidentiality ensures the necessary level of secrecy at each junction of data processing, as well as the prevention of unauthorized disclosure of sensitive information and resources.

All security solutions should be designed and implemented to focus on two areas:

Functional requirements
Assurance requirements

Functional and Assurance Requirements
The assurance requirements address whether the functional requirements are actually working properly. No solution is complete unless it addresses both of these areas.

For example: a firewall controlling access by screening, blocking unauthorized traffic, monitoring and logging, etc. performs the functional requirements. Testing to evaluate how well it performs provides the assurance requirements.

When security solutions are designed and implemented, it is important to ensure that for each security requirement and function, there is a corresponding check or assurance that the function is working correctly.

This pic shows the various IT security requirements and the corresponding check or assurance.

Security Requirements
Security is an issue that must address the unique requirements of a business. It cannot be like a blanket, where one size fits all.

The following pic shows the typical requirements for an efficient and effective structure for information security.

Security Structure
Note the top-down model. These requirements will be defined in further detail, to promote the concept of security requirements and blueprints.

Let's examine how the security requirements are identified, developed, and designed.

A blueprint is one of the most commonly used methods. Security blueprints provide a method of organizing the requirements and the resulting components of a security architecture. They can be used to address the security requirements of a specific topic or across the enterprise. They can help ensure that security is considered from a holistic view.

The pic below represents one example of a security blueprint.

Security Blueprint
Blueprints are used to identify, develop, and design security requirements for particular business solutions, such as:

Portal
Enterprise Resource Planning (ERP)
Supply Chain
Customer Relationship Management (CRM)
Manufacturing

Not all aspects of a particular blueprint will apply, but all should be considered.

Best Practices and Standards

A security blueprint provides tailored security best practices that, in total, form a comprehensive security policy program and technical architecture. It is composed of several security domains that, at a minimum, are mapped from the ISO/IEC 17799 standard. The ISO 17799 Code of Practice for Security Information Management provides a broad base of security controls that offers a point of reference for completeness of the components within the blueprints. As shown, an infrastructure plan includes:

Tailored requirements meeting the organization's specific requirements
Requirements influenced by legal, regulatory, business and IT drivers

The standard does not provide all the guidance required for an effective, holistic security architecture.

Individual security blueprints reflect tailored requirements meeting the organization's specific needs. They are influenced by legal, regulatory, business, and IT drivers.

An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements and how the requirements map to the blueprints.

Connect the Dots
Security Responsibilities
For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. Organizations must assign security-related functions to designated employees.

Roles
Security must play a significant role in the organization's personnel management practices, including:

Hiring and termination procedures
Employment practices
Security awareness education and training
Security best practices
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question