SlideShare a Scribd company logo
1 of 55
Download to read offline
CNIT 160:
Cybersecurity
Responsibilities
4. Information Security
Program Development

Part 1

Pages 190 - 202
Chapter Topics
• Information Security Programs
• Security Program Management
• Security Program Operations
• IT Service Management
• Controls
• Metrics and Monitoring
• Continuous Improvement
Information Security
Programs
Information Security
Programs
• Outcomes
• Charter
• Scope
• Information Security Management Frameworks
• Defining a Road Map
• Information Security Architecture
• The Open Group Architecture Framework
• The Zachman Framework
• Implementing a Security Architecture
Developing an Information
Security Program
• Four steps
• Developing a security strategy
• Gap analysis
• Developing a road map
• Developing a security program
Information Security
Programs
• The collection of activities to identify,
communicate, and address risks
• Consists of controls, processes, and
practices
• To increase resilience of computing
environment, and
• Ensure that risks are known and handled
effectively
Enabling Business
• Security program acts as a business enabler
• Allowing it to consider new business
ventures
• While being aware of risks that can be
mitigated
• Like the brakes on a race car
• Allowing it to move faster and stay on the
road
Outcomes
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Performance management
• Assurance process integration
Strategic Alignment
• Program must work in harmony with the rest
of the organization
• Being aware of new initiatives
• Developing risk tolerance criteria that
business leaders agree with
• Establishing mutual trust
• Use a security council or governance
committee
• With stakeholders across the business
Risk Management and
Value Delivery
• Risk Management
• Identifies risks
• Facilitates desired outcomes
• Through appropriate risk treatment
• Value Delivery
• Reducing risk in critical activities
• To an acceptable level
Resource Management
• Permanent and temporary staff, external
service providers, and tools
• Must be managed so they are effectively used
• To reduce risks in alignment with the risk
management program
• "Rightsizing" information security program
budget
• Assist with resource requests from security
manager
Performance Management
• Measure key activities
• To ensure the are operating as planned
• Security metrics
Assurance Process
Integration
• Information security program aligns with
other assurance programs and processes
• HR, finance, legal, audit, enterprise risk
management, IT, and operations
• Influences those activities to protect
them from harm
Charter
• Formal written definition of
• Objectives of the program
• Main timelines
• Sources of funding
• Names of principal leaders and managers
• Business executives who are sponsoring the
program
• Gives security manager authority, shows
support from leadership team
Security Manager Functions
• Develop and
• Enforce security policy
• Risk management process
• Security governance
• Controls across business unit boundaries
Security Manager Functions
• Develop and direct implementation of key
security processes
• Vulnerability management
• Incident management
• Third-party risk
• Security architecture
• Business continuity planning
• Security awareness training
Team Sport
• Security charter is ratified by executive
management
• Security manager can't dictate the program to
others
• Must lead and guide program through
collaboration and consensus by stakeholders
• Executive leaders and board of directors hold
the ultimate responsibility or ownership for
protecting information 

Scope
• Define departments, business units,
affiliates, and locations
• Included in information security program
• More relevant in larger organizations
Information Security
Management Frameworks
• Business process models
• Include essential processes and activities
• Needed by most organizations
• Risk-centric
Three Most Popular Security
Management Frameworks
• ISO/IEC 27001:2013
• COBIT 5
• NIST CSF
ISO/IEC 27001:2013
• International standard
• "Information technology - Security techniques -
Information security management systems -
Requirements"
• Processes used to
• Assess risk
• Develop controls
• Manage typical processes such as vulnerability
management and incident management
COBIT 5
• From ISACA
• Controls and governance framework
• For managing an IT organization
• COBIT 5 for Information Security
• Additional standard to extend COBIT 5
NIST CSF
• US National Institute of Standards and
Technology (NIST)
• Cyber Security Framework (CSF)
• Developed in 2014 to address rampant
security breaches and identity theft in the
US
Ch 4a-1
Defining a Road Map
• Required steps to achieve an objective
• In support of the business vision and
mission
• Consists of various tasks and projects
• Creating and implementing capabilities
• Reducing information risk
Enterprise Architecture
• Both a business function and a technical
model
• Business function
• Activities ensuring that important
business needs are met by IT systems
• Model
• Mapping business systems into IT
environment and systems
Information Security
Architecture
• A subset within Enterprise Architecture
• Concerned with two things
• Protective characteristics in components
in the enterprise architecture
• Specific components n the enterprise
architecture that provide preventive or
detective security functions
Enterprise Architecture
Ensures:
Two Layers of Information
Security Architecture
• Policy
• Necessary characteristics of overall
environment
• Ex: centralized authentication, 

endpoint-based web filtering
• Standards
• Vendor standards
• Protocol standards
• Configuration or hardening standards
Centralized Functions
• Operate more effectively than isolated,
local instances
• Amplify workforce
• So a small staff can manage hundreds or
thousands of devices
• Authentication
• Microsoft Active Directory (AD)
• Lightweight Directory Access Protocol
(LDAP)
• Monitoring
• SIEMs like Splunk
• Device Management
• Consistency for servers, workstations,
mobile devices, and network devices
Centralized Functions
Two Enterprise Architecture
Frameworks
• The Open Group Architecture Framework
(TOGAF)
• Zachman Framework
• These are Enterprise Architecture models,
not Enterprise Security Architecture
models
The Open Group Architecture
Framework (TOGAF)
• Life-cycle enterprise architecture
framework
• For designing, planning, implementing,
and governing
• An enterprise technology architecture
• A high-level approach
Phases in TOGAF
TOGAF
Components
Zachman Framework
• Established in the 1980s
• Still dominant today
• Likens IT enterprise architecture to
construction and maintenance of an office
building
Zachman Framework
Implementing a Security
Architecture
• Both a big-picture and a detailed plan
• At enterprise level
• Policy and governance
• Decisions about major aspects
• Such as brands of servers, workstations,
and network devices
• At detail level
• Configuration and change management
on devices or groups of devices
• Ex: Upgrade to DNS infrastructure
• Might increase number of name servers
• Requiring updates to most or all
devices
Implementing a Security
Architecture
Changes to Architecture
Models
• Software-Defined Networking (SDN)
• Virtualization
• Microservices
• Small, independent services that
communicate over networks
• Often in containers
Security Program
Management
Security Program
Management Topics
• Security Governance (in this lecture)
• Activities and Results
• For later lectures:
• Risk Management
• The Risk Management Program
• The Risk Management Process
• Identifying and Grouping Assets
• Risk Analysis
• Risk Treatment
Security Program Management
Topics (continued)
• For later lectures
• Audits and Reviews
• Control Self-Assessment
• Security Reviews
• Policy Development
• Third-Party Risk Management
• Administrative Activities
Security Governance
• Assemblage of management activities that
• Identify, analyze and treat risks to key
assets
• Establish key roles and responsibilities
• Measure key security processes
• Board of Directors
• Establishes tone for risk appetite and risk
management
• Information Steering Committee
• Chief Information Security Officer (CISO)
• Audit
• Chief Information Officer (CIO)
• Management
• All employees
Security Governance
Personnel
Information Steering
Committee
• Establishes operational strategy
• For security and risk management
• Sets strategic and operational roles and
responsibilities
• Security strategy should align with strategy
for IT and the business overall
Chief Information Security
Officer (CISO)
• Responsible for
• Developing security policy
• Conducting risk assessments
• Developing processes for
• Vulnerability management
• Incident management
• Identity and access management
• Security awareness and training
• Compliance management
Audit
• Responsible for examining selected
business processes and information
systems
• To verify that they are designed and
operating properly
Chief Information Officer
(CIO)
• Responsible for overall management of the
IT organization, including
• IT strategy
• Development
• Operations
• Service desk
Management
• Every manager should be at least partially
responsible for the conduct of their
employees
• This establishes a chain of accountability
All Employees
• Required to comply with
• Security policy
• Security requirements and processes
• All other policies
• Compliance with policy is a condition of
employment
Reasons for Security
Governance
• Organizations are completely dependent
on their information systems
• Ineffective security governance can lead to
negligence, and breaches
Security Governance
Activities and Results
• Risk management
• Process improvement
• incident response
• Improved compliance
• Business continuity and disaster recovery
planning
• Effectiveness measurement
• Resource management
• Improved IT governance
Results of Security
Governance
• Increased trust
• From customers, suppliers, and partners
• Improved reputation
Ch 4a-2

More Related Content

What's hot

What's hot (20)

CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3  - System security architectureCISSP - Chapter 3  - System security architecture
CISSP - Chapter 3 - System security architecture
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
 

Similar to CNIT 160 Ch 4a: Information Security Programs

Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
a3virani
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
Scott Baron
 
Resume-Amit 1.0
Resume-Amit 1.0Resume-Amit 1.0
Resume-Amit 1.0
Amit Verma
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
Rochester Security Summit
 

Similar to CNIT 160 Ch 4a: Information Security Programs (20)

ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Chapter 1 Security Framework
Chapter 1   Security FrameworkChapter 1   Security Framework
Chapter 1 Security Framework
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 
project managmnet
project managmnetproject managmnet
project managmnet
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Resume-Amit 1.0
Resume-Amit 1.0Resume-Amit 1.0
Resume-Amit 1.0
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Cyber security series administrative control breaches
Cyber security series   administrative control breaches Cyber security series   administrative control breaches
Cyber security series administrative control breaches
 
UMASS-NISTCSF-October-2016-Presentation-rev2.pptx
UMASS-NISTCSF-October-2016-Presentation-rev2.pptxUMASS-NISTCSF-October-2016-Presentation-rev2.pptx
UMASS-NISTCSF-October-2016-Presentation-rev2.pptx
 

More from Sam Bowne

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
EADTU
 
SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project research
CaitlinCummins3
 
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MysoreMuleSoftMeetup
 

Recently uploaded (20)

Mattingly "AI & Prompt Design: Named Entity Recognition"
Mattingly "AI & Prompt Design: Named Entity Recognition"Mattingly "AI & Prompt Design: Named Entity Recognition"
Mattingly "AI & Prompt Design: Named Entity Recognition"
 
How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17
 
Improved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio AppImproved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio App
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDF
 
VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA!                    .VAMOS CUIDAR DO NOSSO PLANETA!                    .
VAMOS CUIDAR DO NOSSO PLANETA! .
 
Mattingly "AI and Prompt Design: LLMs with NER"
Mattingly "AI and Prompt Design: LLMs with NER"Mattingly "AI and Prompt Design: LLMs with NER"
Mattingly "AI and Prompt Design: LLMs with NER"
 
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
 
An overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismAn overview of the various scriptures in Hinduism
An overview of the various scriptures in Hinduism
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
Rich Dad Poor Dad ( PDFDrive.com )--.pdf
Rich Dad Poor Dad ( PDFDrive.com )--.pdfRich Dad Poor Dad ( PDFDrive.com )--.pdf
Rich Dad Poor Dad ( PDFDrive.com )--.pdf
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 
SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project research
 
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
 
Supporting Newcomer Multilingual Learners
Supporting Newcomer  Multilingual LearnersSupporting Newcomer  Multilingual Learners
Supporting Newcomer Multilingual Learners
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
 
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
 
How to Manage Website in Odoo 17 Studio App.pptx
How to Manage Website in Odoo 17 Studio App.pptxHow to Manage Website in Odoo 17 Studio App.pptx
How to Manage Website in Odoo 17 Studio App.pptx
 
e-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopale-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopal
 
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of TransportBasic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
 

CNIT 160 Ch 4a: Information Security Programs

  • 1. CNIT 160: Cybersecurity Responsibilities 4. Information Security Program Development Part 1 Pages 190 - 202
  • 2. Chapter Topics • Information Security Programs • Security Program Management • Security Program Operations • IT Service Management • Controls • Metrics and Monitoring • Continuous Improvement
  • 4. Information Security Programs • Outcomes • Charter • Scope • Information Security Management Frameworks • Defining a Road Map • Information Security Architecture • The Open Group Architecture Framework • The Zachman Framework • Implementing a Security Architecture
  • 5. Developing an Information Security Program • Four steps • Developing a security strategy • Gap analysis • Developing a road map • Developing a security program
  • 6. Information Security Programs • The collection of activities to identify, communicate, and address risks • Consists of controls, processes, and practices • To increase resilience of computing environment, and • Ensure that risks are known and handled effectively
  • 7. Enabling Business • Security program acts as a business enabler • Allowing it to consider new business ventures • While being aware of risks that can be mitigated • Like the brakes on a race car • Allowing it to move faster and stay on the road
  • 8. Outcomes • Strategic alignment • Risk management • Value delivery • Resource management • Performance management • Assurance process integration
  • 9. Strategic Alignment • Program must work in harmony with the rest of the organization • Being aware of new initiatives • Developing risk tolerance criteria that business leaders agree with • Establishing mutual trust • Use a security council or governance committee • With stakeholders across the business
  • 10. Risk Management and Value Delivery • Risk Management • Identifies risks • Facilitates desired outcomes • Through appropriate risk treatment • Value Delivery • Reducing risk in critical activities • To an acceptable level
  • 11. Resource Management • Permanent and temporary staff, external service providers, and tools • Must be managed so they are effectively used • To reduce risks in alignment with the risk management program • "Rightsizing" information security program budget • Assist with resource requests from security manager
  • 12. Performance Management • Measure key activities • To ensure the are operating as planned • Security metrics
  • 13. Assurance Process Integration • Information security program aligns with other assurance programs and processes • HR, finance, legal, audit, enterprise risk management, IT, and operations • Influences those activities to protect them from harm
  • 14. Charter • Formal written definition of • Objectives of the program • Main timelines • Sources of funding • Names of principal leaders and managers • Business executives who are sponsoring the program • Gives security manager authority, shows support from leadership team
  • 15. Security Manager Functions • Develop and • Enforce security policy • Risk management process • Security governance • Controls across business unit boundaries
  • 16. Security Manager Functions • Develop and direct implementation of key security processes • Vulnerability management • Incident management • Third-party risk • Security architecture • Business continuity planning • Security awareness training
  • 17. Team Sport • Security charter is ratified by executive management • Security manager can't dictate the program to others • Must lead and guide program through collaboration and consensus by stakeholders • Executive leaders and board of directors hold the ultimate responsibility or ownership for protecting information 

  • 18. Scope • Define departments, business units, affiliates, and locations • Included in information security program • More relevant in larger organizations
  • 19. Information Security Management Frameworks • Business process models • Include essential processes and activities • Needed by most organizations • Risk-centric
  • 20. Three Most Popular Security Management Frameworks • ISO/IEC 27001:2013 • COBIT 5 • NIST CSF
  • 21. ISO/IEC 27001:2013 • International standard • "Information technology - Security techniques - Information security management systems - Requirements" • Processes used to • Assess risk • Develop controls • Manage typical processes such as vulnerability management and incident management
  • 22. COBIT 5 • From ISACA • Controls and governance framework • For managing an IT organization • COBIT 5 for Information Security • Additional standard to extend COBIT 5
  • 23. NIST CSF • US National Institute of Standards and Technology (NIST) • Cyber Security Framework (CSF) • Developed in 2014 to address rampant security breaches and identity theft in the US
  • 25. Defining a Road Map • Required steps to achieve an objective • In support of the business vision and mission • Consists of various tasks and projects • Creating and implementing capabilities • Reducing information risk
  • 26. Enterprise Architecture • Both a business function and a technical model • Business function • Activities ensuring that important business needs are met by IT systems • Model • Mapping business systems into IT environment and systems
  • 27. Information Security Architecture • A subset within Enterprise Architecture • Concerned with two things • Protective characteristics in components in the enterprise architecture • Specific components n the enterprise architecture that provide preventive or detective security functions
  • 29. Two Layers of Information Security Architecture • Policy • Necessary characteristics of overall environment • Ex: centralized authentication, 
 endpoint-based web filtering • Standards • Vendor standards • Protocol standards • Configuration or hardening standards
  • 30. Centralized Functions • Operate more effectively than isolated, local instances • Amplify workforce • So a small staff can manage hundreds or thousands of devices
  • 31. • Authentication • Microsoft Active Directory (AD) • Lightweight Directory Access Protocol (LDAP) • Monitoring • SIEMs like Splunk • Device Management • Consistency for servers, workstations, mobile devices, and network devices Centralized Functions
  • 32. Two Enterprise Architecture Frameworks • The Open Group Architecture Framework (TOGAF) • Zachman Framework • These are Enterprise Architecture models, not Enterprise Security Architecture models
  • 33. The Open Group Architecture Framework (TOGAF) • Life-cycle enterprise architecture framework • For designing, planning, implementing, and governing • An enterprise technology architecture • A high-level approach
  • 36. Zachman Framework • Established in the 1980s • Still dominant today • Likens IT enterprise architecture to construction and maintenance of an office building
  • 38. Implementing a Security Architecture • Both a big-picture and a detailed plan • At enterprise level • Policy and governance • Decisions about major aspects • Such as brands of servers, workstations, and network devices
  • 39. • At detail level • Configuration and change management on devices or groups of devices • Ex: Upgrade to DNS infrastructure • Might increase number of name servers • Requiring updates to most or all devices Implementing a Security Architecture
  • 40. Changes to Architecture Models • Software-Defined Networking (SDN) • Virtualization • Microservices • Small, independent services that communicate over networks • Often in containers
  • 42. Security Program Management Topics • Security Governance (in this lecture) • Activities and Results • For later lectures: • Risk Management • The Risk Management Program • The Risk Management Process • Identifying and Grouping Assets • Risk Analysis • Risk Treatment
  • 43. Security Program Management Topics (continued) • For later lectures • Audits and Reviews • Control Self-Assessment • Security Reviews • Policy Development • Third-Party Risk Management • Administrative Activities
  • 44. Security Governance • Assemblage of management activities that • Identify, analyze and treat risks to key assets • Establish key roles and responsibilities • Measure key security processes
  • 45. • Board of Directors • Establishes tone for risk appetite and risk management • Information Steering Committee • Chief Information Security Officer (CISO) • Audit • Chief Information Officer (CIO) • Management • All employees Security Governance Personnel
  • 46. Information Steering Committee • Establishes operational strategy • For security and risk management • Sets strategic and operational roles and responsibilities • Security strategy should align with strategy for IT and the business overall
  • 47. Chief Information Security Officer (CISO) • Responsible for • Developing security policy • Conducting risk assessments • Developing processes for • Vulnerability management • Incident management • Identity and access management • Security awareness and training • Compliance management
  • 48. Audit • Responsible for examining selected business processes and information systems • To verify that they are designed and operating properly
  • 49. Chief Information Officer (CIO) • Responsible for overall management of the IT organization, including • IT strategy • Development • Operations • Service desk
  • 50. Management • Every manager should be at least partially responsible for the conduct of their employees • This establishes a chain of accountability
  • 51. All Employees • Required to comply with • Security policy • Security requirements and processes • All other policies • Compliance with policy is a condition of employment
  • 52. Reasons for Security Governance • Organizations are completely dependent on their information systems • Ineffective security governance can lead to negligence, and breaches
  • 53. Security Governance Activities and Results • Risk management • Process improvement • incident response • Improved compliance • Business continuity and disaster recovery planning • Effectiveness measurement • Resource management • Improved IT governance
  • 54. Results of Security Governance • Increased trust • From customers, suppliers, and partners • Improved reputation