security management structures

Posted on 2013-12-02
Last Modified: 2013-12-17
At an organisational / structural level, who typically owns security in your organisation, and how are security-related responsibilities delegated down to lower levels of staff in your organisation? I am doing some research into the risks of a lack of ownership and management structures for security (and other disciplines of IT), so if you have any view on this, i.e. risks in poorly defined security ownership/delegation from the top down, I would be very interested in hearing these.
Question by: pma111

Accepted Solution

Giovanni Heward earned 500 total points
ID: 39690446
Information Security Governance and Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.

Management tools such as information classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.

Managing risk involves the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

Evolution of Information Security
Information system security has evolved from the mainframe environment through the growth of distributed environments.

Even with the development of Internet-based networking, the key concept is that information security has incorporated industrial or physical security into its sphere of responsibility.

The main objective of information security is to preserve the availability, integrity, and confidentiality of information and knowledge of an organization.

The A-I-C triad is the cornerstone of information system security.

Availability is the ability to provide reliable and timely access to data and resources to authorized individuals. The objective is to prevent disruption of service and productivity.

Integrity involves assuring the accuracy and reliability of information and systems and preventing unauthorized modifications.

Confidentiality ensures the necessary level of secrecy at each junction of data processing, as well as the prevention of unauthorized disclosure of sensitive information and resources.

All security solutions should be designed and implemented to focus on two areas:

  • Functional requirements
  • Assurance requirements

Functional and Assurance Requirements
The assurance requirements address whether the functional requirements are actually working properly. No solution is complete unless it addresses both of these areas.

For example: a firewall controlling access by screening, blocking unauthorized traffic, monitoring and logging, etc. performs the functional requirements. Testing to evaluate how well it performs provides the assurance requirements.

When security solutions are designed and implemented, it is important to ensure that for each security requirement and function, there is a corresponding check or assurance that the function is working correctly.

The picture below shows the various IT security requirements and the corresponding check or assurance.

[Image: Security Requirements]
Security is an issue that must address the unique requirements of a business. It cannot be like a blanket, where one size fits all.

The following picture shows the typical requirements for an efficient and effective structure for information security.

[Image: Security Structure]
Note the top-down model. These requirements will be defined in further detail, to promote the concept of security requirements and blueprints.

Let's examine how the security requirements are identified, developed, and designed.

A blueprint is one of the most commonly used methods. Security blueprints provide a method of organizing the requirements and the resulting components of a security architecture. They can be used to address the security requirements of a specific topic or across the enterprise. They can help ensure that security is considered from a holistic view.

The picture below represents one example of a security blueprint.

[Image: Security Blueprint]
Blueprints are used to identify, develop, and design security requirements for particular business solutions, such as:

  • Enterprise Resource Planning (ERP)
  • Supply Chain
  • Customer Relationship Management (CRM)

Not all aspects of a particular blueprint will apply, but all should be considered.

Best Practices and Standards

A security blueprint provides tailored security best practices that, in total, form a comprehensive security policy program and technical architecture. It is composed of several security domains that, at a minimum, are mapped from the ISO/IEC 17799 standard. The ISO 17799 Code of Practice for Security Information Management provides a broad base of security controls that offers a point of reference for completeness of the components within the blueprints. As shown, an infrastructure plan includes:

  • Tailored requirements meeting the organization's specific requirements
  • Requirements influenced by legal, regulatory, business and IT drivers

The standard does not provide all the guidance required for an effective, holistic security architecture.

Individual security blueprints reflect tailored requirements meeting the organization's specific needs. They are influenced by legal, regulatory, business, and IT drivers.

An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements and how the requirements map to the blueprints.

[Image: Connect the Dots]

Security Responsibilities
For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. Organizations must assign security-related functions to designated employees.

Security must play a significant role in the organization's personnel management practices, including:

  • Hiring and termination procedures
  • Employment practices
  • Security awareness education and training
  • Security best practices
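The answer's "functional requirement vs. assurance requirement" point (a firewall that screens traffic is the function; testing that it really does so is the assurance) can be made concrete. The following is an added example written for this page, not code from the answer above or from any firewall product: a toy first-match packet filter whose rule list is the functional control, paired with an assurance check that replays business-level policy statements against the rules. All rule names, addresses, ports and policy statements are constructed for illustration.

```python
# Added example (not from the original answer): a toy first-match firewall whose
# rule list is the "functional requirement", paired with an "assurance" check that
# replays the policy statements management signed off on against the live rules.
# All names, addresses, ports and rules below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR, e.g. "10.0.0.0/8"
    dst_port: Optional[int]  # None means "any destination port"

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_src = ip_address(src_ip) in ip_network(self.src, strict=False)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return in_src and port_ok


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """Functional requirement: first matching rule wins, implicit deny otherwise."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "deny"


# Policy statements in business terms. The assurance check is derived from these,
# not from the rule list, so a rule-writing mistake is caught rather than "tested in".
# Each entry: (statement, sample source IP, destination port, expected decision)
POLICY: List[Tuple[str, str, int, str]] = [
    ("internal hosts may reach the web tier",      "10.0.1.25",    443,  "allow"),
    ("internal hosts may reach the database",      "10.0.1.25",    5432, "allow"),
    ("the internet may reach the public web only", "203.0.113.9",  443,  "allow"),
    ("the internet must not reach SSH",            "203.0.113.9",  22,   "deny"),
    ("guest wifi must not reach the database",     "192.168.50.7", 5432, "deny"),
]


def assurance_check(rules: List[Rule], policy=POLICY) -> List[Tuple[str, str, int, str, str]]:
    """Assurance requirement: return every policy statement the ruleset violates.

    An empty list means the functional control does what the policy says it should.
    """
    failures = []
    for statement, src_ip, dst_port, expected in policy:
        actual = evaluate(rules, src_ip, dst_port)
        if actual != expected:
            failures.append((statement, src_ip, dst_port, expected, actual))
    return failures


# A ruleset that implements the policy correctly.
GOOD_RULES = [
    Rule("internal-any", "allow", "10.0.0.0/8", None),
    Rule("public-web",   "allow", "0.0.0.0/0",  443),
    Rule("default-deny", "deny",  "0.0.0.0/0",  None),
]

# The same intent with one slip: the public-web rule lost its port restriction, so it
# now allows anything from anywhere. Reading the rules it still looks reasonable;
# only the assurance check against the policy exposes it.
BROKEN_RULES = [
    Rule("internal-any", "allow", "10.0.0.0/8", None),
    Rule("public-web",   "allow", "0.0.0.0/0",  None),
    Rule("default-deny", "deny",  "0.0.0.0/0",  None),
]


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("broken", BROKEN_RULES)):
        failures = assurance_check(rules)
        print(f"{label}: {'PASS' if not failures else 'FAIL'}")
        for statement, src_ip, dst_port, expected, actual in failures:
            print(f"  {statement}: {src_ip}->{dst_port} expected {expected}, got {actual}")
```

The design point is that the assurance check is written from the policy (what the business decided), not from the rule list; that is what lets it catch the broken ruleset, where the function "exists" but does not do what was required. The same pattern applies to any control: a logging requirement gets a check that the expected events actually appear, an access-control requirement gets a check that the forbidden path is really refused.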
