security management structures

Posted on 2013-12-02
Last Modified: 2013-12-17
At an organisational / structural level, who typically owns security in your organisation, and how are security-related responsibilities delegated down to lower levels of staff in your organisations? I am doing some research into the risks of lack of ownership and management structures for security (and other disciplines of IT), so if you have any view on this, i.e. risks in poorly defined security ownership/delegation from the top down, I would be very interested in hearing these.
Question by:pma111
1 Comment
Accepted Solution

by: Giovanni Heward (earned 2000 total points)
ID: 39690446
Information Security Governance and Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.

Management tools such as information classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.

Managing risk involves the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

Evolution of Information Security
Information system security has evolved from the mainframe environment through the growth of distributed environments.

Even with the development of Internet-based networking, the key concept is that information security has incorporated industrial or physical security into its sphere of responsibility.

The main objective of information security is to preserve the availability, integrity, and confidentiality of information and knowledge of an organization.

The A-I-C triad is the cornerstone of information system security.

Availability is the ability to provide reliable and timely access to data and resources to authorized individuals. The objective is to prevent disruption of service and productivity.

Integrity involves assuring the accuracy and reliability of information and systems and preventing unauthorized modifications.

Confidentiality ensures the necessary level of secrecy at each junction of data processing, as well as the prevention of unauthorized disclosure of sensitive information and resources.

All security solutions should be designed and implemented to focus on two areas:

Functional requirements
Assurance requirements

Functional and Assurance Requirements
The assurance requirements address whether the functional requirements are actually working properly. No solution is complete unless it addresses both of these areas.

For example: a firewall controlling access by screening, blocking unauthorized traffic, monitoring and logging, etc. performs the functional requirements. Testing to evaluate how well it performs provides the assurance requirements.

When security solutions are designed and implemented, it is important to ensure that for each security requirement and function, there is a corresponding check or assurance that the function is working correctly.

This pic shows the various IT security requirements and the corresponding check or assurance.

Security Requirements
Security is an issue that must address the unique requirements of a business. It cannot be like a blanket, where one size fits all.

The following pic shows the typical requirements for an efficient and effective structure for information security.

Security Structure
Note the top-down model. These requirements will be defined in further detail, to promote the concept of security requirements and blueprints.

Let's examine how the security requirements are identified, developed, and designed.

A blueprint is one of the most commonly used methods. Security blueprints provide a method of organizing the requirements and the resulting components of a security architecture. They can be used to address the security requirements of a specific topic or across the enterprise. They can help ensure that security is considered from a holistic view.

The pic below represents one example of a security blueprint.

Security Blueprint
Blueprints are used to identify, develop, and design security requirements for particular business solutions, such as:

Portal
Enterprise Resource Planning (ERP)
Supply Chain
Customer Relationship Management (CRM)
Manufacturing

Not all aspects of a particular blueprint will apply, but all should be considered.

Best Practices and Standards

A security blueprint provides tailored security best practices that, in total, form a comprehensive security policy program and technical architecture. It is composed of several security domains that, at a minimum, are mapped from the ISO/IEC 17799 standard. The ISO 17799 Code of Practice for Security Information Management provides a broad base of security controls that offers a point of reference for completeness of the components within the blueprints. As shown, an infrastructure plan includes:

Tailored requirements meeting the organization's specific requirements
Requirements influenced by legal, regulatory, business and IT drivers

The standard does not provide all the guidance required for an effective, holistic security architecture.

Individual security blueprints reflect tailored requirements meeting the organization's specific needs. They are influenced by legal, regulatory, business, and IT drivers.

An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements and how the requirements map to the blueprints.

Connect the Dots
Security Responsibilities
For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. Organizations must assign security-related functions to designated employees.

Roles
Security must play a significant role in the organization's personnel management practices, including:

Hiring and termination procedures
Employment practices
Security awareness education and training
Security best practices