Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
CNIT 160:
Cybersecurity
Responsibilities
2. Information Security 

Governance

Part 1

Pages 16 - 55
Topics in Part 1
• Introduction to Information Security
Governance
• Reason for Security Governance
• Security Governance ...
Topics in Part 1 

(continued)
• Introduction to Information Security
Governance (continued)
• Monitoring Responsibilities...
Topics in Part 2
• Security Strategy Development
• Strategy Objectives
• Control Frameworks
• Risk Objectives
• Strategy R...
Governance
• A process whereby senior management
exerts strategic control over business
functions
• Through policies, obje...
Information Security
Governance
• Focuses on key processes
• Personnel management
• Sourcing
• Risk management
• Configurat...
Information Security
Governance
• Focuses on key processes (continued)
• Vulnerability management
• Incident management
• ...
Information Security
Governance
• Monitor processes with scorecard or
metrics
• Continuous improvement changes
processes t...
Reason for Security
Governance
• Organizations are dependent on
information systems
• Must understand priority of
• Confide...
Security Governance
Activities and Results
• Risk management
• Risk assessments and follow-up actions
to reduce risks
• Pr...
Security Governance
Activities and Results
• Improved compliance
• With laws, regulations, and standards
• Business contin...
Security Governance
Activities and Results
• Resource management
• Allocation of manpower, budget, and
resources
• Improve...
Business Alignment
• Security program must align with guiding
principles
• Mission
• Why the organization exists
• Goals a...
Organization's
Characteristics
• Culture
• Asset value
• Risk tolerance
• Legal obligations
• Market conditions
Dr. No
• Security that prevents necessary business
practices
• Leads to "Shadow IT"
• Departments setting up uncontrolled ...
Organization's
Characteristics
• Goals and objectives
• Risk appetite
• Risk-averse organizations have a formal
system of ...
Facebook
• https://www.wired.com/2016/11/buy-facebook-propaganda-posters/
Roles and Responsibilities
• Role describes expected activities
Ranks
• In order of increasing seniority
Responsibilities
• Specific
• General
RACI Charts
RACI Charts
Considerations
• When assigning roles in a RACI chart
• Skills
• Segregation of duties
• Conflict of interest
Ch 2a-1
Board of Directors
• Fiduciary duty
• Accountable to shareholders to act in the
best interests of the organization
• Selec...
Five Principles
• From National Association of Corporate
Directors
Executive Management
• Carries out directives from the board of
directors
• Ratifies corporate security policy
• Publicly supporting it
• Leads by example
• Has ultimate responsibility
Executive Ma...
Security Steering
Committee's Responsibilities
• Risk treatment deliberation and
recommendation
• Discussion and coordinat...
Business Process and
Business Asset Owners
• Usually nontechnical personnel
• Responsibilities:
• Access grants, revocatio...
Custodial Responsibilities
• IT staff acts as a proxy for asset owners
• Should implement decisions from the asset
owner
• ...
• https://www.nbcnews.com/business/consumer/former-equifax-ceo-blames-one-it-guy-massive-
hack-n807956
Chief Information Security
Officer (CISO)
• Highest-ranking security person
• Develops security strategies
• Similar titles...
Position of CISO
• Reports to Chief Operating Officer (COO) or
Chief Executive Officer (CEO)
• Sometimes to CIO or legal or so...
Rank Sets Tone and Gives
Power
Chief Privacy Officer
• For organization with large amounts of
customer Personally Identifiable
Information (PII)
• Regulati...
Software Development
• Systems architect
• Systems analyst
• Software engineer/developer
• Software tester
Data Management
• Data manager
• Database architect
• Big data architect
• Database administrator (DBA)
• Database analyst...
Network Management
• Network architect
• Network engineer
• Network administrator
• Telecom engineer
Systems Management
• Systems architect
• Systems analyst
• Storage engineer
• Systems administrator
Operations
• Operations manager
• Operations analyst
• Controls analyst
• Systems operator
• Data entry
• Media manager
Security Operations
• Security architect
• Security engineer
• Security analyst
• Examines logs
• Access administrator
Security Audit
• Security audit manager
• Security auditor
Service Desk
• Service desk manager
• Service desk analyst
• Technical support analyst
Quality Assurance & Other
Roles
• QA manager
• QC manager
• Vendor manager
• Project manager
General Staff Security
Responsibilities
Monitoring Responsibilities
• Confirming that the correct jobs are being
carried out in the correct way
• Controls and inte...
Information Security
Governance Metrics
• Technical metrics, counts of events from
• Firewall, IDS, Anti-malware, DLP, etc...
Return on Security
Investment
• Difficult to quantify
• Because breaches are rare
• Other ways to justify security
• Fiducia...
SMART Metrics
Good Considerations for
Metrics
Ch 2a-1
Risk Management
Performance Measurement
Convergence Metrics
• Large organizations with multiple business
units or locations
Value Delivery Metrics
Resource Management
Metrics
Security Balanced
Scorecard
Business Model for
Information Security
Business Model for
Information Security
BMIS Elements and
Dynamic Interconnections
• Elements
• Organization
• People
• Process
• Technology
BMIS Elements and
Dynamic Interconnections
• Dynamic Interconnections
• Culture
• Governing
• Architecture
• Emergence
• E...
Culture
• "a pattern of behaviors, beliefs,
assumptions, attitudes, and ways of doing
things"
• Critical to the success or...
Steps to Create Favorable
Security Culture
Governing
Architecture
Architecture
The Zachman Framework
• The dominant architecture architecture
standard
Data Flow Diagram
Emergence
• People learning to do things better
• Can lead to improvements, but also cause
inconsistent results
Enabling and Support
• Technology and business people don't
understand one another
• To fill this gap, create a requirement...
BMIS Enabling and Support
Life Cycle
Human Factors
• Also called Human-Computer Interaction
(HCI)
• Includes User Interface (UI)
• Consistency with other systems
• Typing and data entry methods
• Display and readability
• Error recovery
• Sound
• Voic...
Example 1:
Adverse Effects of a Policy Change
• New policy
regarding
personal
devices and
company email
• Affects
organizat...
• An outside security audit shows that
servers are months behind in security
patches
• The company uses a vulnerability sc...
• Possible causes:
• Technology --
scanner is
faulty
Example 2:
Causes for Process Weakness
• Possible causes:
• Architecture--
scanner can't
reach all
systems in
network
• Human
factors--
engineers not
using scann...
• Possible causes:
• Enabling &
Support--
Interview
engineers about
business
processes
• New networks
have been added
that...
Ch 2a-1
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
Upcoming SlideShare
Loading in …5
×

of

CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 1 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 2 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 3 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 4 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 5 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 6 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 7 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 8 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 9 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 10 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 11 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 12 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 13 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 14 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 15 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 16 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 17 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 18 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 19 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 20 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 21 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 22 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 23 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 24 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 25 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 26 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 27 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 28 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 29 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 30 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 31 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 32 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 33 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 34 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 35 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 36 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 37 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 38 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 39 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 40 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 41 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 42 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 43 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 44 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 45 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 46 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 47 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 48 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 49 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 50 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 51 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 52 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 53 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 54 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 55 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 56 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 57 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 58 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 59 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 60 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 61 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 62 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 63 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 64 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 65 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 66 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 67 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 68 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 69 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 70 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 71 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 72 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 73 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 74 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 75 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 76 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 77 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 78 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 79 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 80 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 81 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 82 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 83 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 84 CNIT 160: Ch 2a: Introduction to Information Security Governance Slide 85
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

0 Likes

Share

Download to read offline

CNIT 160: Ch 2a: Introduction to Information Security Governance

Download to read offline

Slides for a college class by Sam Bowne. More information at
https://samsclass.info/160/160_F19.shtml

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

CNIT 160: Ch 2a: Introduction to Information Security Governance

  1. 1. CNIT 160: Cybersecurity Responsibilities 2. Information Security 
 Governance Part 1 Pages 16 - 55
  2. 2. Topics in Part 1 • Introduction to Information Security Governance • Reason for Security Governance • Security Governance Activities and Results • Business Alignment • Roles and Responsibilities
  3. 3. Topics in Part 1 
 (continued) • Introduction to Information Security Governance (continued) • Monitoring Responsibilities • Information Security Governance Metrics • The Security Balanced Scorecard • Business Model for Information Security
  4. 4. Topics in Part 2 • Security Strategy Development • Strategy Objectives • Control Frameworks • Risk Objectives • Strategy Resources • Strategy Development • Strategy Constraints
  5. 5. Governance • A process whereby senior management exerts strategic control over business functions • Through policies, objectives, delegation of authority, and monitoring • Ensures that business processes effectively meet vision and objectives
  6. 6. Information Security Governance • Focuses on key processes • Personnel management • Sourcing • Risk management • Configuration management • Change management • Access management
  7. 7. Information Security Governance • Focuses on key processes (continued) • Vulnerability management • Incident management • Business continuity planning • Establishment of an effective organization structure and clear statements of roles and responsibilities
  8. 8. Information Security Governance • Monitor processes with scorecard or metrics • Continuous improvement changes processes to keep them effective and support ongoing business needs
  9. 9. Reason for Security Governance • Organizations are dependent on information systems • Must understand priority of • Confidentiality • Integrity • Availability
  10. 10. Security Governance Activities and Results • Risk management • Risk assessments and follow-up actions to reduce risks • Process improvement • Event identification • Security events and incidents • Incident response
  11. 11. Security Governance Activities and Results • Improved compliance • With laws, regulations, and standards • Business continuity and disaster recovery planning • Metrics management • Measure key security events, such as incidents, policy changes, violations, audits, and training
  12. 12. Security Governance Activities and Results • Resource management • Allocation of manpower, budget, and resources • Improved IT governance • Increased trust • From customers, suppliers and partners • Improved reputation
  13. 13. Business Alignment • Security program must align with guiding principles • Mission • Why the organization exists • Goals and objectives • What achievements it wants to accomplish • Strategy • Activities needed to fulfill goals and objectives
  14. 14. Organization's Characteristics • Culture • Asset value • Risk tolerance • Legal obligations • Market conditions
  15. 15. Dr. No • Security that prevents necessary business practices • Leads to "Shadow IT" • Departments setting up uncontrolled IT assets
  16. 16. Organization's Characteristics • Goals and objectives • Risk appetite • Risk-averse organizations have a formal system of accountability for risk decisions
  17. 17. Facebook • https://www.wired.com/2016/11/buy-facebook-propaganda-posters/
  18. 18. Roles and Responsibilities • Role describes expected activities
  19. 19. Ranks • In order of increasing seniority
  20. 20. Responsibilities • Specific • General
  21. 21. RACI Charts
  22. 22. RACI Charts
  23. 23. Considerations • When assigning roles in a RACI chart • Skills • Segregation of duties • Conflict of interest
  24. 24. Ch 2a-1
  25. 25. Board of Directors • Fiduciary duty • Accountable to shareholders to act in the best interests of the organization • Selected for • Investor representation • Business experience • Access to resources • Appoints the CEO
  26. 26. Five Principles • From National Association of Corporate Directors
  27. 27. Executive Management • Carries out directives from the board of directors
  28. 28. • Ratifies corporate security policy • Publicly supporting it • Leads by example • Has ultimate responsibility Executive Management
  29. 29. Security Steering Committee's Responsibilities • Risk treatment deliberation and recommendation • Discussion and coordination of IT and security projects • Review of recent risk assessments • Discussion of new laws, regulations, and requirements • Review of recent security incidents
  30. 30. Business Process and Business Asset Owners • Usually nontechnical personnel • Responsibilities: • Access grants, revocation, and reviews • Configuration • Function definition • Process definition • Physical location
  31. 31. Custodial Responsibilities • IT staff acts as a proxy for asset owners • Should implement decisions from the asset owner • But often the asset owner is uninvolved and uninformed, instead of periodically reviewing these decisions
  32. 32. • https://www.nbcnews.com/business/consumer/former-equifax-ceo-blames-one-it-guy-massive- hack-n807956
  33. 33. Chief Information Security Officer (CISO) • Highest-ranking security person • Develops security strategies • Similar titles • Chief Security Officer (CSO) • Chief Information Risk Officer (CIRO) • Chief Risk Officer (CRO)
  34. 34. Position of CISO • Reports to Chief Operating Officer (COO) or Chief Executive Officer (CEO) • Sometimes to CIO or legal or someone else • Many organizations lack a CISO but have a manager of information security lower on the org chart, weakening security posture • Small to medium-sized orgs may contract with a virtual CISO for strategy and planning
  35. 35. Rank Sets Tone and Gives Power
  36. 36. Chief Privacy Officer • For organization with large amounts of customer Personally Identifiable Information (PII) • Regulations like • Health Insurance Portability and Accountability Act (HIPAA) • Fair Credit Reporting Act (FRCA) • The Gramm-Leach-Bliley Act (GLBA)
  37. 37. Software Development • Systems architect • Systems analyst • Software engineer/developer • Software tester
  38. 38. Data Management • Data manager • Database architect • Big data architect • Database administrator (DBA) • Database analyst • Data scientist
  39. 39. Network Management • Network architect • Network engineer • Network administrator • Telecom engineer
  40. 40. Systems Management • Systems architect • Systems analyst • Storage engineer • Systems administrator
  41. 41. Operations • Operations manager • Operations analyst • Controls analyst • Systems operator • Data entry • Media manager
  42. 42. Security Operations • Security architect • Security engineer • Security analyst • Examines logs • Access administrator
  43. 43. Security Audit • Security audit manager • Security auditor
  44. 44. Service Desk • Service desk manager • Service desk analyst • Technical support analyst
  45. 45. Quality Assurance & Other Roles • QA manager • QC manager • Vendor manager • Project manager
  46. 46. General Staff Security Responsibilities
  47. 47. Monitoring Responsibilities • Confirming that the correct jobs are being carried out in the correct way • Controls and internal audit • Metrics and reporting • Work measurement • Performance evaluation • 360 feedback -- from peers, subordinates, and management • Position benchmarking -- comparing job titles with other organizations
  48. 48. Information Security Governance Metrics • Technical metrics, counts of events from • Firewall, IDS, Anti-malware, DLP, etc. • Business-related metrics • Key Risk Indicators (KRIs) • Key Goal Indicators (KGIs) • Key Performance Indicators (KPIs)
  49. 49. Return on Security Investment • Difficult to quantify • Because breaches are rare • Other ways to justify security • Fiduciary responsibility • Regulation • Competitive differentiation
  50. 50. SMART Metrics
  51. 51. Good Considerations for Metrics
  52. 52. Ch 2a-1
  53. 53. Risk Management
  54. 54. Performance Measurement
  55. 55. Convergence Metrics • Large organizations with multiple business units or locations
  56. 56. Value Delivery Metrics
  57. 57. Resource Management Metrics
  58. 58. Security Balanced Scorecard
  59. 59. Business Model for Information Security
  60. 60. Business Model for Information Security
  61. 61. BMIS Elements and Dynamic Interconnections • Elements • Organization • People • Process • Technology
  62. 62. BMIS Elements and Dynamic Interconnections • Dynamic Interconnections • Culture • Governing • Architecture • Emergence • Enabling and Support • Human Factors
  63. 63. Culture • "a pattern of behaviors, beliefs, assumptions, attitudes, and ways of doing things" • Critical to the success or failure of an information security program • Cannot be legislated or controlled directly
  64. 64. Steps to Create Favorable Security Culture
  65. 65. Governing
  66. 66. Architecture
  67. 67. Architecture
  68. 68. The Zachman Framework • The dominant architecture architecture standard
  69. 69. Data Flow Diagram
  70. 70. Emergence • People learning to do things better • Can lead to improvements, but also cause inconsistent results
  71. 71. Enabling and Support • Technology and business people don't understand one another • To fill this gap, create a requirements document • Charts listing required and desired functionality for new technologies
  72. 72. BMIS Enabling and Support Life Cycle
  73. 73. Human Factors • Also called Human-Computer Interaction (HCI) • Includes User Interface (UI)
  74. 74. • Consistency with other systems • Typing and data entry methods • Display and readability • Error recovery • Sound • Voice and biometric recognition • Ergonomics • Environment Human Factors
  75. 75. Example 1: Adverse Effects of a Policy Change • New policy regarding personal devices and company email • Affects organization and processes • Changed processes affect people and technology
  76. 76. • An outside security audit shows that servers are months behind in security patches • The company uses a vulnerability scanner to keep up-to date, for compliance • Why is it failing? Example 2: Causes for Process Weakness
  77. 77. • Possible causes: • Technology -- scanner is faulty Example 2: Causes for Process Weakness
  78. 78. • Possible causes: • Architecture-- scanner can't reach all systems in network • Human factors-- engineers not using scanner properly Example 2: Causes for Process Weakness
  79. 79. • Possible causes: • Enabling & Support-- Interview engineers about business processes • New networks have been added that are not included in scanner's configuration Example 2: Causes for Process Weakness
  80. 80. Ch 2a-1

Slides for a college class by Sam Bowne. More information at https://samsclass.info/160/160_F19.shtml

Views

Total views

243

On Slideshare

0

From embeds

0

Number of embeds

0

Actions

Downloads

15

Shares

0

Comments

0

Likes

0

×