
The Structure of Information Security


Thursday, March 15, 12

Program's Goal

To have the same performance at every level of the organization.


Security Program

Uniform across the whole enterprise. Everyone knows it and abides by it. An organization structure must be set up to support it.


Organization Structure should involve:

Information security management, who provide direction, advice and a focal point.
Internal Audit, who report to the Audit Committee, directors and other senior managers.
Steering Committee, composed of all heads of business units.



Organization Structure should involve:

Security Coordinator in each business unit.
Security Administration in each business unit.
Security Working Team in implementing security programs.


Business Unit Responsibility

Creation & Implementation of Policies and Standards.


Each business unit must have the opportunity to approve the policies.
Each business unit must have the opportunity to review and comment on the policies.


Business Unit Responsibilities

Policy review matrix (policies as rows, reviewers as columns):
Policies: System Access, System Development, Asset Classification, Network Management, Security Organization, Compliance, Personnel, Information Security, Physical, BCP.
Reviewers: CEO; SVP, Marketing; SVP, Dev. & Tech; VP, Finance; General Auditor; GM, HR; GM, Risk Mgmt; Senior Consultant.

Business units have the responsibility for writing information security standards for their area of responsibility.
Business units must provide someone who can review information security standards for their impact on their business unit.
Business units have the responsibility to assist in the implementation of approved policies and standards.


Business Unit Responsibility

Creation & Implementation of Policies and Standards.
Standards & Compliance of Policies and Standards.


Enforcement of Compliance

Responsibility to ensure constant compliance with policies & standards.


Information Security Awareness Program

Purpose: demonstrating the Who, What, Why of the Policies & Standards.
Perpetual program of reinforcement and information.


Obstacle to the Program

Budget. Solution: demonstrate the financial effect (ROI, contribution to profit, etc.).
Subject: access control, e-mail practice, virus management.


Success Factors

Frequency
Media


Frequency

Frequency of the message delivered to staff.
Equal to ads, with an educational message.


Message focus on:

Information security policies
Information ownership
Information classification
Good information security practices

Additional Messages:

Information security standards
Information security monitoring
Information security performance measurement
More information security good practices



Media

Composition of the media used.
Mix of media (video, posters, presentations, booklets, brochures, newsletters, and giveaway items).


Information Security Program Infrastructure


Mechanism within the organization that
supports good information security practices


Information Security Steering Committee

Comprised of Senior Managers (VP/Director level).
Internal Audit, Legal, Human Resources, Organized Labor.
Meets frequently.

Assignment of Information Security Responsibilities

Senior Management
Information Security Management
Business Unit Managers
First Line Supervisors
Employees
Third Parties

Info. Security Program Infrastructure

Senior Management
Have the ultimate responsibility for deciding how the organization will handle risk. Responsible for:
Making sure that audit recommendations are addressed in a timely and adequate manner
Participating in the activities of the ISSC
Providing adequate resources
Educating the organization's staff
Reviewing and approving policies and strategies
Providing resolution for information security issues

Info. Security Program Infrastructure

Information Security Management
Responsible for the information security practices of the information security unit. For other units, providing services and advice. Must be able to:
Drive the effort to create, publish, and implement information security policies and standards
Coordinate the creation and testing of business continuity plans
Manage the information security effort within the information security unit
Administer information security software tools on behalf of the organization
Provide enough education and awareness programs to the organization

Info. Security Program Infrastructure

Business Unit Managers
Support the information security program by:
Participating in the process of reviewing policies
Creating input for information security standards
Measuring information security within the unit
Enforcing compliance with policies and standards
Supporting information security education and awareness
Making sure resources are available to draft, test, and maintain the BCP


Info. Security Program Infrastructure

First Line Supervisors
Carry out duties delegated by the business unit managers, and are a key piece of the communication chain that allows an organization to monitor its information security program:
Monitor employees' activities in light of the organization's information security policies and standards
Communicate security issues to Information Security, senior management, and the ISSC
Comment on individual employees' performance with respect to information security
Reinforce the messages contained in the education and awareness elements of the program


Info. Security Program Infrastructure

Employees
Information security programs only work well when all employees participate, and employees participate most willingly when they feel they have a real role to play. Employee participation includes:
Complying with information security policies and standards
Reporting security breaches


Info. Security Program Infrastructure

Third Parties
Such as contractors, vendors, etc.
Responsible for complying with the information security policies and standards of the organization with which they are contracted or to which they provide goods or services.
Where contractors operate on the organization's site, they are subject to the same rules and methods of enforcement as full-time employees.
Where contractors operate on their own site, the organization has the right to audit the contractors' information security programs.

