L06 Security organization
Learn by Doing
IST 515
Objectives
This module will familiarize you with the following:
Security planning.
Responsibilities of the chief information security officer (CISO).
Security organizational structure: reporting models.
What is the most effective security structure within an organization?
Security organization best practices.
Personnel security.
Security awareness, training and education.
Readings
Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the
CISSP CBK, Auerbach, 2007. Domain 1 (Required).
Benson, C., Security Planning. (Required)
http://technet.microsoft.com/en-us/library/cc723503.aspx
Johnson, M. E. and Goetz, E., Embedding Information
Security into the Organization, IEEE Security & Privacy,
May/June 2007, pp. 16-24.
ISO, Organization of Information Security,
http://www.iso27001security.com/ISO27k_Organization_of_information_security.rtf
PricewaterhouseCoopers, The Global State of Information Security Survey, 2005.
[Figure: Security Management domains, grouped as Organizational and Operational]
Organizational: Security Policy; Organizational Design; Asset Classification and Control; Compliance; Personnel Security; Awareness Education.
Operational: Access Control; System Development and Maintenance; Physical and Environmental Security; Communications & Operations Mgmt.; Business Continuity Management.
Security Governance.
Security Policies, Procedures, Standards,
Guidelines, and Baselines.
Security Planning.
Security Organization.
Personnel Security.
Security Audit and Control.
Security Awareness, Training and Education.
Risk Assessment and Management.
Professional Ethics.
Executive management.
Chief information security officer (CISO).
Information systems security professional.
Data / information / business owner.
Information systems auditor.
Information systems / IT professional.
Systems / network / security administrator.
Help desk administrator.
Administrative assistant / secretaries.
End users.
CISO Responsibilities
[Figure: Organization of Information Security (http://www.iso27001security.com/)]
Executive Committee, chaired by the Chief Executive Officer.
Audit Committee, chaired by the Head of Audit.
Security Committee, chaired by the Chief Security Officer (CSO).
Risk Committee, chaired by the Risk Manager.
Local Security Committees, one per location.
Information Security Manager, with the following functions reporting in: Security Administration; Policy & Compliance; Information Asset Owners (IAOs); Risk & Contingency Management; Security Operations; Site Security Managers.
[Figures: example security organizational structures (reporting models); the reporting lines are not recoverable from the extracted text]
Units and roles shown: Security Guards; Facilities Management; CFO; COO; CIO; Legal/Chief; CPO; Corp Sec Director; Information Security Division SPOCS (policy compliance, technology security operations, risk management); CTO; Real Estate Workplace Service; Security Office; LB; Business IT; IT Infrastructure; CISO; Business information security manager; Strategy, architecture and consulting; Incident management; Compliance management; Information Security Training & Awareness; Director of Security; Risk Management; Critical Infrastructure Protection & Service Continuity; Security Infrastructure & Technical Support; Standards, Policies and Procedures.
Separation of Duties
The same individual should not typically perform
the following functions:
Systems administration
Network management
Data entry
Computer operations
Security administration
Systems development and maintenance
Security auditing
Information systems management
Change management
Background Checks
Background checks can uncover the following problems:
Gaps in employment.
Misrepresentation of job titles, job duties, salary, or reasons for leaving a job.
Validity and status of professional certification.
Education verification and degrees obtained.
Credit history.
Driving records.
Criminal history.
Personal references.
Social security number verification.
(NIST, SP 800-100)
Security Awareness
(NIST, SP 800-100)