Solved

security management structures

Posted on 2013-12-02
Last Modified: 2013-12-17
At an organisational / structural level who typically owns security in your organisation, and how are security related responsibilities delegated down to lower levels of staff in your organisations? I am doing some research into the risks of lack of ownership and management structures for security (and other disciplines of IT) - so if you have any view on this, i.e. risks in poorly defined security ownership/delegation from the top down, I would be very interested in hearing these.
Question by:pma111
Accepted Solution by: Giovanni Heward (earned 500 total points)
ID: 39690446
Information Security Governance and Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.

Management tools such as information classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.

Managing risk involves the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

Evolution of Information Security
Information system security has evolved from the mainframe environment through the growth of distributed environments.

Even with the development of Internet-based networking, the key concept is that information security has incorporated industrial or physical security into its sphere of responsibility.

The main objective of information security is to preserve the availability, integrity, and confidentiality of information and knowledge of an organization.

The A-I-C triad is the cornerstone of information system security.

Availability is the ability to provide reliable and timely access to data and resources to authorized individuals. The objective is to prevent disruption of service and productivity.

Integrity involves assuring the accuracy and reliability of information and systems and preventing unauthorized modifications.

Confidentiality ensures the necessary level of secrecy at each junction of data processing, as well as the prevention of unauthorized disclosure of sensitive information and resources.

All security solutions should be designed and implemented to focus on two areas:

Functional requirements
Assurance requirements

Functional and Assurance Requirements
The assurance requirements address whether the functional requirements are actually working properly. No solution is complete unless it addresses both of these areas.

For example: a firewall controlling access by screening, blocking unauthorized traffic, monitoring and logging, etc. performs the functional requirements. Testing to evaluate how well it performs provides the assurance requirements.

When security solutions are designed and implemented, it is important to ensure that for each security requirement and function, there is a corresponding check or assurance that the function is working correctly.

This pic shows the various IT security requirements and the corresponding check or assurance.

[Image: Security Requirements]
Security is an issue that must address the unique requirements of a business. It cannot be like a blanket, where one size fits all.

The following pic shows the typical requirements for an efficient and effective structure for information security.

[Image: Security Structure]
Note the top-down model. These requirements will be defined in further detail, to promote the concept of security requirements and blueprints.

Let's examine how the security requirements are identified, developed, and designed.

A blueprint is one of the most commonly used methods. Security blueprints provide a method of organizing the requirements and the resulting components of a security architecture. They can be used to address the security requirements of a specific topic or across the enterprise. They can help ensure that security is considered from a holistic view.

The pic below represents one example of a security blueprint.

[Image: Security Blueprint]
Blueprints are used to identify, develop, and design security requirements for particular business solutions, such as:

Portal
Enterprise Resource Planning (ERP)
Supply Chain
Customer Relationship Management (CRM)
Manufacturing

Not all aspects of a particular blueprint will apply, but all should be considered.

Best Practices and Standards

A security blueprint provides tailored security best practices that, in total, form a comprehensive security policy program and technical architecture. It is composed of several security domains that, at a minimum, are mapped from the ISO/IEC 17799 standard. The ISO 17799 Code of Practice for Security Information Management provides a broad base of security controls that offers a point of reference for completeness of the components within the blueprints. As shown, an infrastructure plan includes:

Tailored requirements meeting the organization's specific requirements
Requirements influenced by legal, regulatory, business and IT drivers

The standard does not provide all the guidance required for an effective, holistic security architecture.

Individual security blueprints reflect tailored requirements meeting the organization's specific needs. They are influenced by legal, regulatory, business, and IT drivers.

An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements and how the requirements map to the blueprints.

[Image: Connect the Dots]

Security Responsibilities
For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. Organizations must assign security-related functions to designated employees.

Roles
Security must play a significant role in the organization's personnel management practices, including:

Hiring and termination procedures
Employment practices
Security awareness education and training
Security best practices