Solved

security management structures

Posted on 2013-12-02
1
288 Views
Last Modified: 2013-12-17
At an organisational / structural level who typically owns security in your organisation, and how are security related responsibilities delegated down to lower levels of staff in your organisations? I am doing some research into the risks of lack of ownership and management structures for security (and other disciplines of IT) - so if you have any view on this, i.e. risks in poorly defined security ownership/delegation from the top down, I would be very interested in hearing these.
0
Comment
Question by:pma111
1 Comment
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 500 total points
ID: 39690446
Information Security Governance and Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.

Management tools such as information classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.

Managing risk involves the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

Evolution of Information Security
Information system security has evolved from the mainframe environment through the growth of distributed environments.

Even with the development of Internet-based networking, the key concept is that information security has incorporated industrial or physical security into its sphere of responsibility.

The main objective of information security is to preserve the availability, integrity, and confidentiality of information and knowledge of an organization.

The A-I-C triad is the cornerstone of information system security.

Availability is the ability to provide reliable and timely access to data and resources to authorized individuals. The objective is to prevent disruption of service and productivity.

Integrity involves assuring the accuracy and reliability of information and systems and preventing unauthorized modifications.

Confidentiality ensures the necessary level of secrecy at each junction of data processing, as well as the prevention of unauthorized disclosure of sensitive information and resources.

All security solutions should be designed and implemented to focus on two areas:

Functional requirements
Assurance requirements

Functional and Assurance Requirements
The assurance requirements address whether the functional requirements are actually working properly. No solution is complete unless it addresses both of these areas.

For example: a firewall controlling access by screening, blocking unauthorized traffic, monitoring and logging, etc. performs the functional requirements. Testing to evaluate how well it performs provides the assurance requirements.

When security solutions are designed and implemented, it is important to ensure that for each security requirement and function, there is a corresponding check or assurance that the function is working correctly.

This pic shows the various IT security requirements and the corresponding check or assurance.

Security Requirements
Security is an issue that must address the unique requirements of a business. It cannot be like a blanket, where one size fits all.

The following pic shows the typical requirements for an efficient and effective structure for information security.

Security Structure
Note the top-down model. These requirements will be defined in further detail, to promote the concept of security requirements and blueprints.

Let's examine how the security requirements are identified, developed, and designed.

A blueprint is one of the most commonly used methods. Security blueprints provide a method of organizing the requirements and the resulting components of a security architecture. They can be used to address the security requirements of a specific topic or across the enterprise. They can help ensure that security is considered from a holistic view.

The pic below represents one example of a security blueprint.

Security Blueprint
Blueprints are used to identify, develop, and design security requirements for particular business solutions, such as:

Portal
Enterprise Resource Planning (ERP)
Supply Chain
Customer Relationship Management (CRM)
Manufacturing

Not all aspects of a particular blueprint will apply, but all should be considered.

Best Practices and Standards

A security blueprint provides tailored security best practices that, in total, form a comprehensive security policy program and technical architecture. It is composed of several security domains that, at a minimum, are mapped from the ISO/IEC 17799 standard. The ISO 17799 Code of Practice for Security Information Management provides a broad base of security controls that offers a point of reference for completeness of the components within the blueprints. As shown, an infrastructure plan includes:

Tailored requirements meeting the organization's specific requirements
Requirements influenced by legal, regulatory, business and IT drivers

The standard does not provide all the guidance required for an effective, holistic security architecture.

Individual security blueprints reflect tailored requirements meeting the organization's specific needs. They are influenced by legal, regulatory, business, and IT drivers.

An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements and how the requirements map to the blueprints.

Connect the Dots
Security Responsibilities
For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. Organizations must assign security-related functions to designated employees.

Roles
Security must play a significant role in the organization's personnel management practices, including:

Hiring and termination procedures
Employment practices
Security awareness education and training
Security best practices
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question