CH.5 Developing the Security Program


technology product

Advanced technical training can be selected or developed based on job category, job function, or ____.

Help desk

- An important part of the information security team
- Enhances the security team's ability to identify potential problems
- When a user calls the help desk with a complaint, the user's problem may turn out to be related to a bigger problem, such as a hacker, denial-of-service attack, or a virus
- Because help desk technicians perform a specialized role in information security, they have a need for specialized training

Security Awareness (cont'd.)

- Awareness can take on different forms for particular audiences
- A security awareness program can use many methods to deliver its message
- Recognize that people tend to practice a tuning-out process (acclimation)
- Awareness techniques should be creative and frequently changed
- Many security awareness components are available at little or no cost; others can be very expensive

Purpose of SETA is to enhance security

- By building in-depth knowledge to design, implement, or operate security programs for organizations and systems
- By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
- By improving awareness of the need to protect system resources

Types of delivery methods

- One-on-one
- Formal class
- Computer-based training (CBT)
- Distance learning/web seminars
- User support group
- On-the-job training
- Self-study (non-computerized)

Security newsletter

- A cost-effective way to disseminate security information
- Newsletters can be in the form of hard copy, e-mail, or intranet
- Topics can include threats to the organization's information assets, schedules for upcoming security classes, and the addition of new security personnel

Security poster series

- A simple and inexpensive way to keep security on people's minds
- Professional posters can be quite expensive, so in-house development may be the best solution
- Keys to a good poster series:
  - Varying the content and keeping posters updated
  - Keeping them simple, but visually interesting
  - Making the message clear
  - Providing information on reporting violations

A knowledge map

- Can help potential students assess information security programs
- Identifies the skills and knowledge clusters obtained by the program's graduates
- Creating the map can be difficult because many academics are unaware of the numerous subdisciplines within the field of information security, each of which may have different knowledge requirements

Using the wrong method

Can hinder the transfer of knowledge, leading to unnecessary expense and frustrated, poorly trained employees

SETA program

- Designed to reduce accidental security breaches
- Consists of three elements: security education, security training, and security awareness

Security Awareness

- Effective training and awareness programs make employees accountable for their actions
- Dissemination and enforcement of policy become easier when training and awareness programs are in place
- Demonstrating due care and due diligence can help indemnify the institution against lawsuits
- Security awareness and security training are designed to modify any employee behavior that endangers the security of the organization's information
- Security training and awareness activities can be undermined if management does not set a good example

Best practices

- Focus on people
- Refrain from using technical jargon
- Use every available venue
- Define learning objectives, state them clearly, and provide sufficient detail and coverage
- Keep things light
- Don't overload the users
- Help users understand their roles in InfoSec
- Take advantage of in-house communications media
- Make the awareness program formal
- Plan and document all actions
- Provide good information early, rather than perfect information late

By functional background

- General user
- Managerial user
- Technical user

Large organizations

- Have 1,000 to 10,000 computers
- Security approach has often matured, integrating planning and policy into the organization's culture
- Do not always put large amounts of resources into security
- Considering the vast numbers of computers and users often involved, they tend to spend proportionally less on security

Small organizations

- Have between 10 and 100 computers
- Have a simple, centralized IT organizational model
- Spend disproportionately more on security
- Information security is often the responsibility of a single security administrator
- Have little in the way of formal policy, planning, or security measures
- Commonly outsource their Web presence or electronic commerce operations
- Security training and awareness is commonly conducted on a 1-on-1 basis
- Policies (when they exist) are often issue-specific
- Formal planning is often part of IT planning
- Threats from insiders are less likely: every employee knows every other employee

Medium-sized organizations

- Have between 100 and 1,000 computers
- Have a smaller total budget
- Have the same-sized security staff as the small organization, but a larger need
- Must rely on help from IT staff for plans and practices
- Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size
- May be large enough to implement a multi-tiered approach to security, with fewer dedicated groups and more functions assigned to each group
- Tend to ignore some security functions

Awareness, training, and education programs offer two major benefits

- Improving employee behavior
- Enabling the organization to hold employees accountable for their actions

Information Security Within An Organization

- In large organizations InfoSec is often located within the information technology department, headed by the CISO who reports directly to the top computing executive, or CIO
- An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole

Other best practices

Increased use of short, task-oriented modules, available during the normal work week

Depth of knowledge

- Indicated by a level of mastery using an established taxonomy of learning objectives or a simple scale such as "understanding → accomplishment → proficiency → mastery"
- Because many institutions have no frame of reference for which skills and knowledge are required for a particular job area, they may refer to the certifications offered in that field

Trinket programs

Inexpensive on a per-unit basis, but they can be expensive to distribute

The ten commandments of information security awareness training

1. Information security is a people, rather than a technical, issue
2. If you want them to understand, speak their language
3. If they cannot see it, they will not learn it
4. Make your point so that you can identify it and so can they
5. Never lose your sense of humor
6. Make your point, support it, and conclude it
7. Always let the recipients know how the behavior that you request will affect them
8. Ride the tame horses
9. Formalize your training methodology
10. Always be timely, even if it means slipping schedules to include urgent information

Because the goals and objectives of the CIO and the CISO may come in conflict

- It is not difficult to understand the current movement to separate information security from the IT division
- The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest

Recent developments

Less use of centralized public courses and more on-site training

Very large organizations

- More than 10,000 computers
- Security budgets often grow faster than IT budgets
- Even with large budgets, the average amount spent on security per user is still smaller than in any other type of organization
- Do a better job in the policy and resource management areas
- Only 1/3 of organizations handled incidents according to an IR plan

Selection of the training delivery method

- Not always based on the best outcome for the trainee
- Often overridden by budget, scheduling, and needs of the organization

By skill level

- Novice
- Intermediate
- Advanced

Security in Large Organizations

One approach separates functions into four areas:
- Functions performed by non-technology business units outside of IT
- Functions performed by IT groups outside of the information security area
- Functions performed within the information security department as customer service
- Functions performed within the information security department as compliance

Those that administer

- Operate and administer the security tools and the security monitoring function
- Continuously improve the processes

Other options

- Option 6: Legal
- Option 7: Internal audit
- Option 8: Help desk
- Option 9: Accounting and finance through IT
- Option 10: Human resources
- Option 11: Facilities management
- Option 12: Operations

Components of the Security Program

- Organization's information security needs are unique to the culture, size, and budget of the organization
- Determining what level the information security program operates on depends on the organization's strategic plan, and also on the plan's vision and mission statements
- The CIO and CISO should use these two documents to formulate the mission statement for the information security program

Types of trinkets

- Pens and pencils, mouse pads
- Coffee mugs, plastic cups
- Hats, T-shirts

Those that define

- Provide the policies, guidelines, and standards
- Do the consulting and the risk assessment
- Develop the product and technical architectures
- Senior people with a lot of broad knowledge, but often not a lot of depth

CISO

Security managers commonly report to the ____.

The deployment of full-time security personnel depends on

- Sensitivity of the information to be protected
- Industry regulations
- General profitability

Security awareness programs

- Set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure
- Remind users of the procedures to be followed

The CISO has responsibility for information security functions

Should be adequately performed somewhere within the organization

Course design

- Should enable a student to obtain the required knowledge and skills upon completion of the program
- Identify the prerequisite knowledge for each class

Seven-step methodology generally applies:

- Step 1: Identify program scope, goals, and objectives
- Step 2: Identify training staff
- Step 3: Identify target audiences
- Step 4: Motivate management and employees
- Step 5: Administer the program
- Step 6: Maintain the program
- Step 7: Evaluate the program

Good training programs

Take advantage of the latest learning technologies and best practices

Security newsletter (cont'd.)

- The goal is to keep the idea of information security uppermost in users' minds and to stimulate them to care about security
- Newsletters might include:
  - Summaries of key policies
  - Summaries of key news articles
  - A calendar of security events, including training sessions, presentations, and other activities
  - Announcements relevant to information security
  - How-to's

The more money the company can dedicate to its personnel budget

The more likely it is to maintain a large information security staff

Those that build

The real "techies" who create and install security solutions

As organizations increase in size

Their security departments are not keeping up with increasingly complex organizational infrastructures

Information security departments tend to form internal groups

To meet long-term challenges and handle day-to-day security operations

Information Security Roles and Titles

Types of information security positions:
- Those that define
- Those that build
- Those that administer

Training methods

- Use a local training program
- Use a continuing education department
- Use another external training agency
- Hire a professional trainer, a consultant, or someone from an accredited institution to conduct on-site training
- Organize and conduct training in-house using the organization's own employees

Examples of security awareness components

- Videos
- Posters and banners
- Lectures and conferences
- Computer-based training
- Newsletters
- Brochures and flyers
- Trinkets (coffee cups, pens, pencils, T-shirts)
- Bulletin boards

Training is often for one or a few individuals

Waiting until there is a large-enough group for a class can cost companies lost productivity

The ____ may also be called the Manager of Security.

administration

Security managers

Are accountable for the day-to-day operation of the information security program.

information security program

Describes the structure and organization of the effort that contains risks to the information assets of the organization.

security administrator

The responsibilities of the ____ are a combination of the responsibilities of a security technician and a security manager.

Small organizations

spend more than $5,000 per user on security; very large organizations spend about 1/18th of that, roughly $300 per user
