1. 5/28/2021
Prepared & Facilitated by: Baguma Innocent, CISA, CRISC, CISM, CSX, PhD. Email: baginno2001@yahoo.co.uk
1.1
PLANNING FOR INFORMATION SECURITY
Presented by: Baguma Innocent, CISA, CRISC, CISM, CSX, PhD
1.2
Introduction
• Information technology is critical to business and society
• Computer security is evolving into information security
• Information security is the responsibility of every member of an organization, but managers play a critical role
1.3
Introduction
• Information security involves three distinct communities of interest:
  • Information security managers and professionals
  • Information technology managers and professionals
  • Non-technical business managers and professionals
1.4
Communities of Interest
• InfoSec community: protect information assets from threats
• IT community: support business objectives by supplying appropriate information technology
• Business community: policy and resources
1.5
What Is Security?
• “The quality or state of being secure - to be free from danger”
• Security is achieved using several strategies simultaneously
1.6
Security and Control
Examples:
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
Controls:
• Physical controls
• Technical controls
• Administrative controls
• Prevention, Detection, Recovery
• Deterrence, Corrective
1.7
InfoSec Components
1.8
CIA Triangle
• The C.I.A. triangle is made up of:
  • Confidentiality
  • Integrity
  • Availability
• Over time the list of characteristics has expanded, but these three remain central
• The CNSS model is based on the CIA triangle
1.9
Committee on National Security Systems (CNSS) model
1.10
Committee on National Security Systems (CNSS) model
• Each of the 27 cells in the cube represents an area that must be addressed to secure an information system. For example, the intersection between technology, integrity and storage implies the need to use technology to protect the integrity of information while it is in storage.
• Solution: a host intrusion detection system that alerts the security administrator when a critical file is modified
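As an added Python example (not from the slides), the technology/integrity/storage cell above: a minimal host-based file integrity check that baselines SHA-256 digests of critical files and raises an alert when one is modified or removed. The file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the trusted digest of every critical file (the 'known good' state)."""
    return {str(p): file_digest(p) for p in paths}

def check_integrity(baseline):
    """Re-hash each baselined file and return (kind, path) alerts for any
    file that was modified or removed since the baseline was taken."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append(("missing", path))
        elif file_digest(path) != expected:
            alerts.append(("modified", path))
    return alerts

def demo():
    """Constructed scenario in a temporary directory: two 'critical' files
    are baselined, then one is altered and one is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = Path(tmp) / "passwd"
        hosts = Path(tmp) / "hosts"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        hosts.write_text("127.0.0.1 localhost\n")
        baseline = build_baseline([passwd, hosts])
        clean = check_integrity(baseline)                      # nothing changed yet
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")  # simulated tampering
        hosts.unlink()                                          # simulated deletion
        tampered = [(kind, Path(p).name) for kind, p in check_integrity(baseline)]
        return clean, tampered

if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)  # []
    print("after tampering: ", after)   # [('modified', 'passwd'), ('missing', 'hosts')]
```

A production agent would store the baseline somewhere the monitored host cannot silently rewrite it and would re-check on a schedule or on file-change events.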
1.11
Key Concepts: Confidentiality
• Confidentiality: only those with sufficient privileges may access certain information
• Confidentiality model:
  • Bell-LaPadula: no write down & no read up
  • TCSEC/TNI (Orange Book, Red Book)
• Some threats:
  • Hackers
  • Masqueraders
  • Unauthorized users
  • Unprotected download of files
  • LANs
  • Trojan horses
1.12
Key Concepts: Integrity
• Integrity is the quality or state of being whole, complete, and uncorrupted
• Integrity models:
  • Biba / low water mark: no write up & no read down
  • Clark-Wilson: separation of duty
  • Lipner
• Other issues:
  • Origin integrity
  • Data integrity
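The two models named on this slide and the previous one (Bell-LaPadula for confidentiality, Biba for integrity) as an added Python example, not from the slides: one access decision function per model, plus the low-water-mark variant of Biba. The four-level lattice and the read/write operations are assumptions made for the demonstration.

```python
from enum import IntEnum

class Level(IntEnum):
    """Ordered labels; the same lattice is reused for clearance (BLP) and for
    integrity (Biba). Higher value = more sensitive / more trusted."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3

def blp_allows(subject_clearance, object_class, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject_clearance >= object_class   # simple security property
    if op == "write":
        return subject_clearance <= object_class   # *-property: write at or above own level
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject_integrity, object_integrity, op):
    """Biba (integrity): no read down, no write up. The dual of BLP."""
    if op == "read":
        return subject_integrity <= object_integrity  # simple integrity property
    if op == "write":
        return subject_integrity >= object_integrity  # integrity *-property
    raise ValueError(f"unknown operation {op!r}")

def biba_low_water_mark_read(subject_integrity, object_integrity):
    """Low-water-mark variant: a read is always permitted, but the subject's
    integrity label drops to the lower of the two, so anything it writes later
    can be trusted no more than its least trusted input."""
    return min(subject_integrity, object_integrity)

if __name__ == "__main__":
    # CONFIDENTIAL-cleared user reading a SECRET file: read up, denied.
    print(blp_allows(Level.CONFIDENTIAL, Level.SECRET, "read"))   # False
    # SECRET-cleared user writing into an INTERNAL file: write down, denied.
    print(blp_allows(Level.SECRET, Level.INTERNAL, "write"))      # False
    # High-integrity service reading a PUBLIC (untrusted) file: read down, denied.
    print(biba_allows(Level.SECRET, Level.PUBLIC, "read"))        # False
    # Under low-water-mark the read succeeds but the service is demoted.
    print(biba_low_water_mark_read(Level.SECRET, Level.PUBLIC).name)  # PUBLIC
```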
1.13
Key Concepts: Availability
• Availability: making information accessible to users without interference or obstruction
• Survivability: ensuring availability in the presence of attacks
1.14
Key Concepts: Privacy
• Privacy: information is to be used only for purposes known to the data owner
• This does not focus on freedom from observation, but rather on the information being used only in ways known to the owner
1.15
Key Concepts: Identification
• Identification: information systems possess the characteristic of identification when they are able to recognize individual users
• Identification and authentication are essential to establishing the level of access or authorization that an individual is granted
1.16
Key Concepts: Authentication & Authorization
• Authentication: occurs when a control provides proof that a user possesses the identity that he or she claims
• Authorization: provides assurance that the user has been specifically and explicitly authorized by the proper authority to access the contents of an information asset
1.17
Key Concepts: Accountability; Assurance
• Accountability: the characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
• Assurance: assurance that all security objectives are met
1.18
What Is Management?
• A process of achieving objectives using a given set of resources
• To manage the information security process, first understand the core principles of management
• A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”
1.19
Managerial Roles
• Informational role: collecting, processing, and using information to achieve the objective
• Interpersonal role: interacting with superiors, subordinates, outside stakeholders, and others
• Decisional role: selecting from alternative approaches and resolving conflicts, dilemmas, or challenges
1.20
Differences Between Leadership and Management
• The leader influences employees so that they are willing to accomplish objectives
• He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow
• Leadership provides purpose, direction, and motivation to those that follow
• A manager administers the resources of the organization, budgets, and authorizes expenditure
1.21
PLANNING
1.22
Introduction
• Successful organizations utilize planning
• Planning involves:
• Employees
• Management
• Stockholders
• Other outside stakeholders
• Physical environment
• Political and legal environment
• Competitive environment
• Technological environment
1.23
Introduction cont’d
• Planning:
  • Is creating action steps toward goals, and then controlling them
  • Provides direction for the organization’s future
• Top-down method:
  • Organization’s leaders choose the direction
  • Planning begins with the general and ends with the specific
1.24
Introduction cont’d
• Strategic planning includes:
  • Vision statement
  • Mission statement
  • Strategy
  • Coordinated plans for sub-units
• Knowing how the general organizational planning process works helps in the information security planning process
1.25
Information Security Planning
[Figure: Part 1 / Part 2]
1.26
Components of Planning: Mission Statement
• Mission statement:
  • Declares the business of the organization and its intended areas of operations
  • Explains what the organization does and for whom
• Example: Random Widget Works, Inc. designs and manufactures quality widgets, associated equipment and supplies for use in modern business environments
1.27
Components of Planning: Vision Statement
• Vision statement:
  • Expresses what the organization wants to become
  • Should be ambitious
• Example: Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use
1.28
Components of Planning: Values
• By establishing organizational principles in a values statement, an organization makes its conduct standards clear
• Example: RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments.
• The mission, vision, and values statements together provide the foundation for planning
1.29
Components of Planning: Strategy
• Strategy is the basis for long-term direction
• Strategic planning:
  • Guides organizational efforts
  • Focuses resources on clearly defined goals
“…strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”
1.30
Top-Down Strategic Planning for Information Security
1.31
Strategic Planning
• Organization:
  • Develops a general strategy
  • Creates specific strategic plans for major divisions
• Each level of division translates those objectives into more specific objectives for the level below
• In order to execute this broad strategy, executives must define individual managerial responsibilities
1.32
Planning for the Organization
1.33
Planning for Information Security
• CIO: translates the strategic plan into departmental and InfoSec objectives
• CISO: translates InfoSec objectives into tactical and operational objectives
• Implementation can now begin
• Implementation of information security can be accomplished in two ways:
  • Bottom-up
  • Top-down
1.34
Bottom-Up Approach
• Grass-roots effort
• Individual administrators try to improve security
• No coordinated planning from upper management
• No coordination between departments
• Unpredictable funding
1.35
Top-Down Approach
• Strong upper management support
• A dedicated champion
• Assured funding
• Clear planning and implementation process
• Ability to influence organizational culture
1.36
Approaches to Security Implementation
1.37
Principles of Information Security Management
• The extended characteristics of information security are known as the six Ps:
  • Planning
  • Policy
  • Programs
  • Protection
  • People
  • Project Management
1.38
InfoSec Planning
• Planning as part of InfoSec management is an extension of the basic planning model discussed earlier (see SecSDLC)
• Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment
1.39
InfoSec Planning Types
Several types of InfoSec plans exist:
• Creates a strategic information security plan with a vision for the future of information security
• Understands the fundamental business activities performed by the company
• Suggests appropriate information security solutions that uniquely protect these activities
• Improves the status of information security by developing:
  • action plans
  • schedules
  • budgets
  • status reports
  • top management communications
1.40
Policy
• Policy: a set of organizational guidelines that dictates certain behavior within the organization
• In InfoSec, there are three general categories of policy:
  • General program policy (Enterprise Security Policy)
  • Issue-specific security policy (ISSP), e.g., email, Internet use
  • System-specific security policies (SSSPs), e.g., access control lists (ACLs) for a device
1.41
Programs
• Programs are operations managed as specific entities in the information security domain
• Example: a security education, training and awareness (SETA) program is one such entity
• Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on
1.42
Protection
• Risk management activities, including risk assessment and control
• Protection mechanisms, technologies and tools
• Each of these mechanisms represents some aspect of the management of specific controls in the overall security plan
1.43
People
• People are the most critical link in the information security program (the “human firewall”)
• It is imperative that managers continuously recognize the crucial role that people play; this includes information security personnel and the security of personnel, as well as aspects of the SETA program
1.44
Project Management
• Project management discipline should be present throughout all elements of the information security program
• Involves:
  • Identifying and controlling the resources applied to the project
  • Measuring progress and adjusting the process as progress is made toward the goal