InfoSec Program
Structure for managing risks to information assets.
Essential Functions
Basic InfoSec functions performed organization-wide.
Policy
Includes program, issue-specific, and system-specific policies.
Program Management
Central and system-level security program oversight.
Risk Management
Involves assessment, mitigation, and uncertainty analysis.
Life-cycle Planning
Security plan phases: initiation to maintenance.
Personnel/User Issues
Staffing and user administration responsibilities.
Contingency Planning
Business plan and resource identification strategies.
Incident Handling
Includes detection, reaction, recovery, and follow-up.
Awareness and Training
SETA plans and policy/procedure training.
Physical Security
Involves guards, locks, and alarms.
Organizational Culture
Positive view enhances InfoSec program support.
Organizational Size
Large firms have dedicated InfoSec divisions.
Reporting Structure
InfoSec can report to various departments.
CIO vs CISO
CIO focuses on efficiency; CISO on security.
CISO
Oversees InfoSec program and strategic planning.
Security Managers
Responsible for daily operations and objectives.
Security Technicians
Configure systems and troubleshoot security issues.
SETA Purpose
Reduce breaches by promoting secure behavior.
SETA Elements
Education, training, and awareness for security.
Work Breakdown Structure
Breaks projects into manageable tasks.
Gantt Chart
Displays project activities and timelines visually.
Certifications
Professional credentials for InfoSec roles.
CISSP
Certification for security managers and CISOs.
CISM
For experienced InfoSec managers and consultants.
CISA
Certification for auditors and security professionals.
GIAC
Series of InfoSec certifications across domains.
Career Paths
Includes law enforcement, military, and IT.