ISIT437/ISIT937 Information Technology Security and Risk Management
Lecturer: Dr. Fenghui Ren
Week 2: Information Security Management
Autumn 2017
Textbook: Management of Information Security, 3rd Edition

Lecture schedule (Week: Lecture topic; Readings)
- Week 1: Introduction and overview of the subject; Chapter 1 / No Tutorials
- Week 2: Information security management; Chapter 1
- Week 3: Planning for security; Chapter 2
- Week 4: Planning for contingencies; Chapter 3
- Week 5: Information security policy; Chapter 4
- Week 6: Developing the security program; Chapter 5
- Week 7: Security management models; Chapter 6
- Week 8: Security management practices; Chapter 7
- Week 9: Risk management: identifying and assessing risk; Chapter 8
- Week 10: Risk management: controlling risk; Chapter 9
- Week 11: Protection mechanisms; Chapter 10
- Week 12: Personnel and security; Chapter 11
- Week 13: Revision; No Reading

Consultation, Tutorial, Assignment
- Consultation hours
  - Monday 9:30 ~ 11:30
  - Wednesday 13:30 ~ 15:30
- Tutorial on Wednesday was closed.
- Assignment 1
  - 10 topics (depending on the last digit in your student number)
  - Due midnight Sunday March 26th, 2017
  - A special topic is OK but needs approval
  - Your individual presentation (Assignment 2) must use the same topic

What Is Management?
- The process of achieving objectives using a given set of resources
- Manager: someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals
What Is Management? (contd.)
- Managerial roles
  - Informational role: collecting, processing, and using information that can affect the completion of the objective
  - Interpersonal role: interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task
  - Decisional role: selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges

Management Characteristics
- Two basic approaches to management
  - Traditional management theory: uses the core principles of planning, organizing, staffing, directing, and controlling (POSDC)
  - Popular management theory: categorizes the principles of management into planning, organizing, leading, and controlling (POLC)

Management Characteristics (contd.)
- Figure 1-3 The planning-controlling link (figure not reproduced)

Management Characteristics (contd.)
- Planning
  - The process that develops, creates, and implements strategies for the accomplishment of objectives
  - Three levels of planning: strategic, tactical, and operational
  - The planning process begins with the creation of strategic plans for the entire organization
Management Characteristics (contd.)
- An organization must thoroughly define its goals and objectives
  - Goals are the end results of the planning process
  - Objectives are intermediate points that allow you to measure progress toward the goal

Management Characteristics (contd.)
- Organizing
  - The management function dedicated to the structuring of resources to support the accomplishment of objectives
  - Requires determining what is to be done, in what order, by whom, by which methods, and according to what timeline

Management Characteristics (contd.)
- Leading
  - Leadership encourages the implementation of the planning and organizing functions
  - Includes supervising employee behavior, performance, attendance, and attitude
  - Leadership generally addresses the direction and motivation of the human resource

Management Characteristics (contd.)
- Controlling
  - Monitoring progress toward completion
  - Making necessary adjustments to achieve the desired objectives
  - The control function serves to assure the organization of the validity of the plan
  - Determines what must be monitored as well as applies specific control tools to gather and evaluate information
Management Characteristics (contd.)
- Figure 1-4 The control process (figure not reproduced; Source: Course Technology/Cengage Learning)

Solving Problems
- Step 1: Recognize and define the problem
- Step 2: Gather facts and make assumptions
- Step 3: Develop possible solutions
- Step 4: Analyze and compare possible solutions
- Step 5: Select, implement, and evaluate a solution

Principles of Information Security Management
- The extended characteristics of information security are known as the six Ps
  - Planning
  - Policy
  - Programs
  - Protection
  - People
  - Project Management

Planning
- Planning as part of InfoSec management
  - An extension of the basic planning model discussed earlier in this chapter
- Included in the InfoSec planning model
  - Activities necessary to support the design, creation, and implementation of information security strategies
Planning (contd.)
- Types of InfoSec plans
  - Incident response planning
  - Business continuity planning
  - Disaster recovery planning
  - Policy planning
  - Personnel planning
  - Technology rollout planning
  - Risk management planning
  - Security program planning (includes education, training and awareness)

Policy
- Policy: the set of organizational guidelines that dictates certain behavior within the organization
- Three general categories of policy
  - Enterprise information security policy (EISP): sets the tone for the InfoSec department across the organization
  - Issue-specific security policy (ISSP): sets of rules of acceptable behavior within a specific technology
  - System-specific policies (SysSPs): technical in nature and control the equipment or technology

Programs
- Programs: InfoSec operations that are specifically managed as separate entities
  - Example: a security education, training and awareness (SETA) program
- Other types of programs
  - Physical security program, complete with fire, physical access, gates, guards, etc.

Protection
- Executed through risk management activities, including risk assessment and control, protection mechanisms, technologies, and tools
- Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan
People
- People: the most critical link in the information security program
- Managers must recognize the crucial role that people play in the information security program
- This area of InfoSec includes security personnel and the security of personnel, as well as aspects of a SETA program

Project Management
- Project management
  - Identifying and controlling the resources applied to the project
  - Measuring progress
  - Adjusting the process as progress is made

Project Management (contd.)
- Information security is a process, not a project
  - Each element of an information security program must be managed as a project
  - A continuous series, or chain, of projects
- Some aspects of information security are not project based
  - They are managed processes (operations): monitoring internal/external environments, ongoing risk assessments, continuous vulnerability assessment

Project Management (contd.)
- (Figure not reproduced; Source: Course Technology/Cengage Learning)


Project Management (contd.)
- Project management: the application of knowledge, skills, tools, and techniques to project activities to meet project requirements
  - Accomplished through the use of processes, such as initiating, planning, executing, controlling, and closing
  - Involves the temporary assemblage of resources to complete a project
  - Some projects are iterative, occurring regularly

Applying Project Management to Security
- First identify an established project management methodology
  - PMBoK (Project Management Body of Knowledge) is considered the industry best practice
  - Other project management practices exist

PMBoK Knowledge Areas
- Table 1-1 Project management knowledge areas (table not reproduced; Source: Course Technology/Cengage Learning)

PMBoK Knowledge Areas
- Project integration management
  - Includes the processes required to coordinate what occurs between the components of a project
- Elements of a project management effort that require integration
  - The development of the initial project plan
  - Monitoring of progress during plan execution
  - Control of plan revisions
  - Control of the changes made to resource allocations as measured performance causes adjustments to the project plan


PMBoK Knowledge Areas (contd.)
- Project plan development
  - The process of integrating all of the project elements into a cohesive plan
  - Goal is to complete the project within the allotted work time using no more than the allotted project resources
- Core components of a project plan
  - Work time, resources, and project deliverables
  - Changing one element affects the other two, and likely requires revision of the plan

PMBoK Knowledge Areas (contd.)
- Figure 1-7 Project plan inputs (figure not reproduced; Source: Course Technology/Cengage Learning)

PMBoK Knowledge Areas (contd.)
- When integrating the disparate elements of a complex information security project, complications are likely to arise
  - Conflicts among communities of interest
  - Far-reaching impact
  - Resistance to new technology

PMBoK Knowledge Areas (contd.)
- Project scope management
  - Ensures that the project plan includes only those activities necessary to complete it
  - Scope creep: the quantity or quality of project deliverables is expanded from the original project plan
  - Major processes: scope planning, definition, verification and change control
PMBoK Knowledge Areas (contd.)
- Project time management
  - Ensures that the project is finished by the identified completion date while meeting objectives
  - Failure to meet project deadlines is among the most frequently cited failures in project management
  - Many missed deadlines are caused by poor planning

PMBoK Knowledge Areas (contd.)
- Project time management includes the following processes
  - Activity definition
  - Activity sequencing
  - Activity duration estimating
  - Schedule development
  - Schedule control

PMBoK Knowledge Areas (contd.)
- Project cost management
  - Ensures that a project is completed within the resource constraints
  - Some projects are planned using only a financial budget, from which all resources must be procured
  - Includes resource planning, cost estimating, cost budgeting, and cost control

PMBoK Knowledge Areas (contd.)
- Project quality management
  - Ensures the project meets project specifications
  - Quality objective met when deliverables meet the requirements specified in the project plan
  - A good plan defines project deliverables in unambiguous terms, for easy comparison against actual results
  - Includes quality planning, quality assurance and quality control
PMBoK Knowledge Areas (contd.)
- Project human resource management
  - Ensures personnel assigned to the project are effectively employed
  - Staffing a project requires careful estimates of the effort required
  - Unique complexities: extended clearances; deploying technology new to the organization
  - Includes organizational planning, staff acquisition and team development

PMBoK Knowledge Areas (contd.)
- Project communications management
  - Conveys details of project activities to all involved
  - Includes the creation, distribution, classification, storage, and destruction of documents, messages, and other associated project information
  - Includes communications planning, information distribution, performance reporting and administrative closure

PMBoK Knowledge Areas (contd.)
- Project risk management
  - Assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project
  - Information security projects have unique (higher than normal) risks
  - Includes risk identification, risk quantification, risk response development and risk response control

PMBoK Knowledge Areas (contd.)
- Project procurement
  - Acquiring needed project resources
  - Project managers may simply requisition resources from the organization, or may have to purchase them
  - Includes procurement planning, solicitation planning, solicitation, source selection, contract administration and contract closeout
Project Management Tools
- Many tools exist
  - Most project managers combine software tools that implement one or more of the dominant modeling approaches
- Project management certification
  - The Project Management Institute (PMI): leading global professional association
  - Sponsors two certificate programs: the Project Management Professional (PMP) and Certified Associate in Project Management (CAPM)

Project Management Tools (contd.)
- Projectitis
  - Occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work
- Precursor to projectitis
  - Developing an overly elegant, microscopically detailed plan before gaining consensus for the work required

Work Breakdown Structure
- Work breakdown structure (WBS)
  - Simple planning tool for creating a project plan
  - The project plan is first broken down into a few major tasks
  - Each task is placed on the WBS task list

Work Breakdown Structure (contd.)
- Determine minimum attributes for each task
  - The work to be accomplished (activities and deliverables)
  - Estimated amount of effort required for completion, in hours or workdays
  - The common or specialty skills needed to perform the task
  - Task interdependencies
Work Breakdown Structure (contd.)
- As the project plan develops, additional attributes can be added
  - Estimated capital and noncapital expenses for the task
  - Task assignment according to specific skills
  - Start and end dates

Work Breakdown Structure (contd.)
- Work breakdown structure table (table not reproduced; Source: Course Technology/Cengage Learning); columns: work to be accomplished, amount of effort, task dependencies, start and ending dates

Task-Sequencing Approaches
- Many possibilities for task assignment and scheduling, for modest and large size projects
- A number of approaches can assist the project manager in this sequencing effort
- Network scheduling
  - Refers to the web of possible pathways to project completion

Work Breakdown Structure (contd.)
- Table 1-3 Later draft work breakdown structure (table not reproduced)
Task Sequencing Approaches (contd.)
- Figure 1-8 Simple network dependency (figure not reproduced)

Task Sequencing Approaches (contd.)
- Program Evaluation and Review Technique (PERT)
  - Most popular technique
  - Originally developed in the late 1950s for government-driven engineering projects

Task Sequencing Approaches (contd.)
- Three key questions
  - How long will this activity take?
  - What activity must occur immediately before this activity can take place?
  - What activity occurs immediately after this activity?
- Determine the critical path
  - By identifying the slowest path through the various activities
Task Sequencing Approaches (contd.)
- Slack time
  - How much time is available for starting a noncritical task without delaying the project as a whole
  - Tasks which have slack time are logical candidates for accepting a delay

Task Sequencing Approaches (contd.)
- Figure 1-10 PERT example (figure not reproduced)
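The critical path and slack time ideas from the two PERT slides above can be computed directly from a WBS task list. The following is an added example (not from the slides or the textbook) that runs a forward and backward pass over a constructed WBS for a SETA rollout; the task names, durations and dependencies are made up for illustration.

```python
"""Critical path and slack for a small WBS task network (PERT-style)."""

# Constructed WBS for a SETA rollout: task -> (effort in workdays, predecessors)
SETA_TASKS = {
    "A_policy_review":   (3, []),
    "B_audience_survey": (2, []),
    "C_content_design":  (5, ["A_policy_review", "B_audience_survey"]),
    "D_lms_setup":       (4, ["A_policy_review"]),
    "E_pilot_session":   (2, ["C_content_design", "D_lms_setup"]),
    "F_rollout":         (3, ["E_pilot_session"]),
}


def topo_order(tasks):
    """Order tasks so every predecessor comes before its successors (Kahn's algorithm)."""
    remaining = {t: set(p) for t, (_, p) in tasks.items()}
    order = []
    while remaining:
        ready = sorted(t for t, preds in remaining.items() if not preds)
        if not ready:  # every remaining task still waits on another: a cycle
            raise ValueError("dependency cycle in task list")
        for t in ready:
            order.append(t)
            del remaining[t]
        for preds in remaining.values():
            preds.difference_update(ready)
    return order


def schedule(tasks):
    """Return {task: (ES, EF, LS, LF, slack)} in workdays from project start."""
    order = topo_order(tasks)
    es, ef = {}, {}
    for t in order:  # forward pass: earliest start = latest EF of predecessors
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    project_end = max(ef.values())
    successors = {t: [s for s, (_, p) in tasks.items() if t in p] for t in tasks}
    ls, lf = {}, {}
    for t in reversed(order):  # backward pass: latest finish = earliest LS of successors
        lf[t] = min((ls[s] for s in successors[t]), default=project_end)
        ls[t] = lf[t] - tasks[t][0]
    return {t: (es[t], ef[t], ls[t], lf[t], ls[t] - es[t]) for t in order}


def critical_path(tasks):
    """Tasks with zero slack, in schedule order: any delay here delays the project."""
    return [t for t, attrs in schedule(tasks).items() if attrs[4] == 0]


def project_duration(tasks):
    """Length of the slowest path through the network, in workdays."""
    return max(attrs[1] for attrs in schedule(tasks).values())
```

Tasks with positive slack (here B and D) are the ones the slides call logical candidates for accepting a delay.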

Task Sequencing Approaches (contd.)
- PERT advantages
  - Makes planning large projects easier, by facilitating the identification of pre- and post-activities
  - Determines the probability of meeting requirements
  - Anticipates the impact of system changes
  - Presents information in a straightforward format understood by managers
  - Requires no formal training

Task Sequencing Approaches (contd.)
- PERT disadvantages
  - Diagrams can be awkward and cumbersome, especially in very large projects
  - Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes
  - Difficulty in estimating task durations: inaccurate estimates invalidate any close critical path calculations
Task Sequencing Approaches (contd.)
- Gantt chart
  - Easy to read and understand; easy to present to management
  - Easier to design and implement than PERT diagrams, yielding much of the same information
  - Lists activities on the vertical axis of a bar chart, and provides a simple time line on the horizontal axis

Automated Project Tools
- Microsoft Project
  - A widely used project management tool
- Keep in mind:
  - A software program is no substitute for a skilled and experienced project manager
  - The manager must understand how to define tasks, allocate scarce resources, and manage assigned resources
  - A software tool can get in the way of the work
  - Choose a tool that you can use effectively