MgmtOfInfoSec_6e-Ch05_pr

Course Overview and Learning Objectives

  • Course Title: Management of Information Security, 6th ed. - Whitman & Mattord

  • Learning Objectives:

    • List and describe the functional components of an information security program.

    • Discuss how to plan and staff an organization’s information security program based on its size.

    • Explain the internal and external factors influencing an information security program.

    • Describe typical job titles and functions in an information security program.

    • Discuss components of a security education, training, and awareness program.

    • Explain the role of project management in information security.

Organizing for Security

  • Definition: An information security program encompasses personnel, plans, policies, and initiatives related to information security.

  • Key Variables in Structuring InfoSec Programs:

    • Organizational culture

    • Size of the organization

    • Security personnel budget

    • Security capital budget

Functions Needed to Implement the InfoSec Program

  • Risk Assessment

  • Risk Management

  • Systems Testing

  • Compliance

  • Centralized Authentication

  • Incident Response

Security in Organizations

  • Large Organizations:

    • Complex structures with specialized groups for InfoSec functions.

    • Functions split into distinct groups.

  • Medium-Sized Organizations:

    • May implement a multi-tiered approach, often with fewer dedicated teams.

    • May have limited full-time security staff.

  • Small Organizations:

    • Typically one security administrator; general IT staff may also be assigned security roles.

    • Generally less susceptible to insider threats due to small size.

Security Education, Training, and Awareness (SETA) Programs

  • Goals of SETA:

    • Reduce accidental security breaches.

    • Improve employee behavior and awareness regarding security policies.

  • Program Components:

    • Training tailored to user categories (general, managerial, technical).

    • Use various delivery methods (one-on-one, online training, seminars).

Project Management in InfoSec

  • Information security is a series of continuous projects.

  • Benefits of Project Management:

    • Ensures no steps are missed in project execution.

    • Enhances productivity and provides clear project direction.

    • Measures performance to maintain quality and budget expectations.

Information Security Professional Credentials

  • Certifications:

    • Various organizations, such as (ISC)2 and ISACA, offer certifications to validate expertise.

    • Some key certifications include:

      • CISSP (Certified Information Systems Security Professional)

      • CISM (Certified Information Security Manager)

      • CISA (Certified Information Systems Auditor)

Summary of Key Points

  • InfoSec program structures vary with organizational size and culture.

  • Professional certifications play an essential role in establishing credibility in the field.

  • Effective training and awareness initiatives can significantly mitigate risks associated with information security.