The document discusses various topics related to role management in IT security, including:
- IT security roles such as the chief security officer, security engineer, and information security analyst.
- Where the IT security department should be located within an organization, including options of being within the IT department, outside of IT, or a hybrid solution.
- The importance of top management support for IT security, as well as developing relationships with other departments such as HR, legal, and audit.
- Outsourcing some IT security functions to managed security service providers or other firms to leverage external expertise, though not all controls should be outsourced.
2. What to expect?
Understanding organization
IT Roles
Where to locate IT security?
Top Management Support
Relationships with other departments
Outsourcing IT security
3. Understanding Organization
Comprehensive security is not possible without proper security staff
Their placement
Relationships with other organizational units
Requires proper planning and allocation
4. IT Roles
Chief Security Officer
The title usually used for the head of the security department
Application security engineer
Application security engineers maintain computer applications and software.
They spend almost all their time in an office environment, with most of their
work involving writing and testing software.
Security engineer
Security engineers are responsible for creating and implementing solutions that
ensure an organization’s products and systems are secure.
5. IT Roles
Network security engineer
Network security engineers play an essential part in the deployment,
configuration, and administration of network- and security-related hardware
and software. This includes firewalls, routers, network monitoring tools, and
VPNs (virtual private networks). They are also tasked with performing network
security risk assessments, and might be asked to help design network
infrastructure.
Information security analyst
Information security analysts are responsible for examining security problems
and finding solutions. Their duties include researching the industry, finding
security threats, and developing strategies to ensure their organization remains
secure.
6. IT Roles
Security Manager
The title given to the body of the organization responsible for managing security
IT security specialist
IT security specialists analyze an organization’s cybersecurity posture and its
past breaches to understand how incidents occur and what needs to be done
to prevent them. Given that IT and cybersecurity are such broad topics,
organizations will usually have many IT security specialists, each one focusing
on a specific area.
8. Within IT Department
Placing the IT security department within the information technology
department is attractive because security and IT share much of the same
technological skill set.
Reports directly to the person responsible for IT in the organization, for
instance the Chief Information Officer (CIO).
The CIO will be accountable for security breaches
The CIO will support the security department in creating a safe IT infrastructure
Easier to implement security changes.
Dependent on the IT department
9. Outside of IT Department
Easier to deal with other departments
Can enforce security policies on the IT department as well
The most commonly advised option
Conflict with the IT department
10. Hybrid Solution
Role segregation
Operational aspects are divided
IT maintains devices such as firewalls and other equipment
Planning, policy making and auditing belong to security
12. Top Management Support
Top management support is crucial to the success of any security program.
IT security is unlikely to succeed unless top management gives strong and
consistent support.
Support of top management will help in the following:
Budget
Support in conflict
Setting personal examples
14. Special Relationships
To be successful, the IT security department must develop productive
relationships with other departments.
Some departments in an organization are of special importance to the IT
security department
15. HR Department
The relationship between HR and IT security should be rich.
HR is responsible for security training programs.
Controls the process of recruitment and termination of employees.
IT security should be involved in the recruitment and termination process
to ensure security issues are taken into account.
HR is involved in penalties when employees break security rules.
16. The legal Department
The legal department deals with all issues related to a country's laws and
regulations.
It is important to have a good relationship with the legal department
The legal department should ensure that security policies are legally sound
The legal department should be involved if a security incident happens
17. Audit Department
Most big companies, such as banks, have an internal audit department.
This department examines organizational units for efficiency, effectiveness
and adequate controls.
The IT audit department examines the efficiency, effectiveness and controls
of processes involving information technology.
IT security audit is usually placed under one of the audit departments, not
the IT security department
This makes the IT security audit independent of the IT security department
18. All other departments
The security department should have good relationships with all the
departments in the organization
The security department is not only about developing and distributing policies
to other departments
Other departments do not trust the security department because security
makes life harder
It is important to have good relationships with other departments to have a
conflict-free and successful security program
20. Outsourcing
It is not common to fully outsource IT security
However, it is an option
Most companies outsource some of the IT security
This allows companies to retain control of their security
21. Email Outsourcing
The most common IT security outsourcing is for email
Email connections to and from the Internet are routed through the
outsourcer
The outsourcer provides inbound and outbound filtering
This blocks spam, malware in attachments and scripts in email bodies
Outsourcing email filtering is effective because filtering is becoming a
highly specialized field
Email filtering relies on rapid response to new threats
Lists of dangerous email sources are updated hourly or even more rapidly
22. Managed Security Service Provider
This is an outsourcing alternative that delegates even more controls to an
outside firm
Such a firm is generally known as a Managed Security Service Provider (MSSP)
The MSSP places a central logging server on your network.
The server uploads the firm's event log data to the MSSP site.
Security experts and security scanning programs check the logs and raise an
alert in case of an incident
23. Why use MSSP?
In-house security experts are expected to sit idle most of the time because
incidents do not happen regularly
Internal security experts might not be as capable as the MSSP security
experts due to the volume of security events an MSSP handles every day.
An MSSP is independent and will not make exceptions to the company's
policy for any top management staff
An MSSP can also observe the IT staff of the company
24. Continued
Not all controls should be given to the MSSP
Policy development and planning are very important for the organization
to handle itself
The contract should be specific, even in simple matters
The MSSP should be checked on regularly
A poor job by the MSSP can cause great damage to the company
26. What is ITAM?
IT Asset Management (ITAM) is defined as the set of business practices
that join financial, contractual and inventory functions to support lifecycle
management and strategic decision making for the IT environment in
support of the organization’s overall business objectives.
27. Why do ITAM?
Manage IT assets so that maximum value is gained from the use of the assets
across the lifecycle and beyond
Value is:
• Financial accountability
• Risk reduction such as through proper disposition of waste
• Efficiency, performance
• Customer satisfaction
• Control, long-term manageability
28. Key Process Areas
Acquisition Management
Asset Identification
Compliance Management
Communication and Education Management
Disposal Management
Documentation Management
Financial Management
Legislation Management
Policy Management
Program Management
Project Management
Vendor Management
29. To Manage or Not to Manage?
Cost of asset
Volume in the environment
Life expectancy
Risk factors if not managed
Security risks
Loss of productivity
Sarbanes Oxley & other legislation
Redeployment
Leased
Mobility of asset
Cost of building the IT asset management processes
30. Commonly Managed Assets
Software – Licensing compliance risk – high cost and audits
Mainframes – high cost
Laptops – mobility, cost, risk factors
Desktops – redeployment candidate, often leased
BYOD devices – risk factors
Telecom – division of ownership
Servers – cost, risk to business continuity
Should we Manage?
Printers
Monitors
Hub, routers, firewalls
31. IT Asset Management Policies
Policies govern behaviors within the organization.
The purpose of asset management policies is to have assets that are:
Trackable
Maintainable
Cost effective
Used for the good of the organization
Topics are many times buried in policies with other names such as
Security, Acceptable Use, Disaster Recovery, Expenses, etc.
32. Policy Topics for Asset Management
Privacy – no expectation of privacy
Prohibited use – limitations on use of equipment and or software
Personal use – rules for non-business use
Use of non-corporate assets on the network – BYOD devices and software
allowed? Dialing in from home?
Physical security of the equipment – loss and theft prevention, usually in
the Security policy
Commitment to energy conservation – Energy Star program, monitor sleep
settings
Environmental Self Audit – policy for disclosure, escalation methods