
Security Organization

Chao-Hsien Chu, Ph.D.


College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu

IST 515

Objectives
This module will familiarize you with the following:
Security planning
Responsibilities of the chief information security
officer (CISO).
Security organizational structure - reporting
models.
What is the most effective security structure
within an organization?
Security organization best practices.
Personnel security
Security awareness, training and education.

Readings
Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the
CISSP CBK, Auerbach, 2007. Domain 1 (Required).
Benson, C., Security Planning. (Required)
http://technet.microsoft.com/en-us/library/cc723503.aspx
Johnson, M. E. and Goetz, E., Embedding Information
Security into the Organization, IEEE Security & Privacy,
May/June 2007, pp. 16-24.
ISO, Organization of Information Security,
http://www.iso27001security.com/ISO27k_Organization_of_information_security.rtf
PricewaterhouseCoopers, The Global State of Information
Security Survey, 2005.

Security Management (diagram redrawn as text)

Organizational:
Security Policy
Organizational Design
Asset Classification and Control
Compliance
Personnel Security
Awareness Education

Operational:
Access Control
System Development and Maintenance
Physical and Environmental Security
Communications & Operations Mgmt.
Business Continuity Management

Security Management Practice

Security Governance.
Security Policies, Procedures, Standards,
Guidelines, and Baselines.
Security Planning.
Security Organization.
Personnel Security.
Security Audit and Control.
Security Awareness, Training and Education.
Risk Assessment and Management.
Professional Ethics.

Principles of Organizational Design

Strategic alignment.
Organization structure - functional vs. matrix.
Span of control hierarchy.
Reporting relationships (governance).
Job descriptions.
Staffing and skill requirements (training).
Grading (reward structure).
Clarity about the boundaries with other organizational
groups.
Alsbridge, "Designing Your Organization for BPO and Shared Services."
http://www.sourcingmag.com/content/c070219a.asp


Information Security Planning


Planning reduces the likelihood that the
organization will be purely reactive to its
security needs.
Security planning involves developing security
policies and implementing controls to prevent
computer risks from becoming reality.
The risk assessment provides the baseline for
implementing security plans to protect assets
against the identified threats.

Hierarchy of Security Planning


Strategic Planning (3-5 years). Strategic plans are aligned
with the strategic business and IT goals. They provide the
vision for projects to achieve the business objectives. The
plans should be reviewed annually or whenever major
changes to the business occur.
Tactical Planning (6-18 months). Tactical plans provide
the broad initiatives to support and achieve the goals
specified in the strategic plans.
Operational and Project Planning. Specific plans with
milestones, dates and accountabilities provide the
communication and direction to ensure that the individual
projects are completed.

Types of Security Planning


Proactive Planning:
Develop security policies and controls.
Implement tools and techniques to aid in security.
- Secure access, secure data, and secure code.
- Techniques for network security firewall, VPN.
- Detection tools.
Implement technologies to keep the system running
in the event of a failure.
Reactive Planning:
Develop a contingency plan.

Examples of Security Plans

The Department of Housing and Urban Development,
SYSTEM SECURITY PLAN (SSP) TEMPLATE.
http://www.nls.gov/offices/cio/sdm/devlife/tempchecks/mastemplate.doc
California State University, Chico.
http://www.csuchico.edu/ires/security/documents/Information%20Security%20Plan%20052009%20v5_1.pdf
Sample Security Plan, Adventure Works.
Benson, C., Security Planning. (Required)
http://technet.microsoft.com/en-us/library/cc723503.aspx
Johnson, M. E. and Goetz, E., Embedding Information
Security into the Organization, IEEE Security & Privacy,
May/June 2007, pp. 16-24.

Security Related People


Security is the responsibility of everyone within
the organization. Related roles include:

Executive management.
Chief information security officer (CISO).
Information systems security professional.
Data /information / business owner.
Information systems auditor.
Information systems / IT professional.
Systems / network / security administrator.
Help desk administrator.
Administrative assistant / secretaries.
End users.

CISO Responsibilities

Communicate risks to executive management.
Budget for information security activities.
Ensure development of policies, procedures, baselines,
standards, and guidelines.
Develop and provide a security awareness program.
Understand business objectives.
Maintain awareness of emerging threats and
vulnerabilities.
Evaluate security incidents and the response to them.
Develop a security compliance program.
Establish security metrics.
Participate in management meetings.
Ensure compliance with governmental regulations.
Assist internal and external auditors.
Stay abreast of emerging technologies.

CISO Reporting Models


Reporting to the CEO.
Reporting to the information technology (IT)
department.
Reporting to corporate security.
Reporting to the administrative services department.
Reporting to the insurance and risk management
department.
Reporting to the internal audit department.
Reporting to the legal department.
What are the pros and cons of each reporting model?

To Whom the CISO Reports

Source: PwC Global State of Information Security Survey 2005 (chart).

Organization of Information Security
(diagram from http://www.iso27001security.com/, redrawn as text)

Committees:
Executive Committee, chaired by the Chief Executive Officer.
Audit Committee, chaired by the Head of Audit.
Security Committee, chaired by the Chief Security Officer (CSO).
Risk Committee, chaired by the Risk Manager.
Local Security Committees, one per location.

Information Security Manager, with functions for:
Security Administration.
Policy & Compliance.
Risk & Contingency Management.
Security Operations.

Other roles in the chart:
Information Asset Owners (IAOs).
Site Security Managers.
Security Guards.
Facilities Management.

Information Security Organization
(Johnson and Goetz, 2007; chart redrawn as text)

Executives: CEO, CTO, CFO, COO, CIO, Legal/Chief Privacy Officer (CPO), Corporate Security.
Director, Information Security, with Division SPOCS, responsible for:
Policy compliance.
Technology security operations.
Risk management.

What are They?


CEO: Chief Executive Officer.
CFO: Chief Financial Officer.
CTO: Chief Technology Officer.
CIO: Chief Information Officer
COO: Chief Operating Officer.
CISO: Chief Information Security Officer.
CSO: Chief Security Officer.
CPO: Chief Privacy Officer.

Information Security Organization
(Johnson and Goetz, 2007; charts redrawn as text)

Top level: Board, IA, CEO, CFO, CTO, CIO.
Real Estate / Workplace Service: Security Office; Health & Safety;
Global security; Workplace security; Supply chain security.
CIO: LB; LB; Business IT; IT Infrastructure.

CISO, with functions for:
Business information security manager.
Strategy, architecture and consulting.
Host network security.
Program process manager.
Incident management.
Compliance management.
Information Security Training & Awareness.

Director of Security, with functions for:
Risk Management.
Critical Infrastructure Protection & Service Continuity.
Security Infrastructure & Technical Support.
Standards, Policies and Procedures.
Incident Management.
Security Advisory Group.
Administration Assistant.

Security Organization Best Practices

Job rotation. Job rotation reduces the risk of collusion
between individuals.
Separation of duties. One individual should not have the
capability to execute all of the steps of a particular process.
Least privilege (need to know). Grant users only the
access required to perform their job functions.
Mandatory vacations. Require vacations of a specified
number of consecutive days, so that another person performs
the duties in the meantime.
Job position sensitivity. The access and duties of an individual
in a particular department should be assessed to determine the
sensitivity of the position.

Separation of Duties
The same individual should not typically perform
the following functions:

Systems administration
Network management
Data entry
Computer operations
Security administration
Systems development and maintenance
Security auditing
Information systems management
Change management

Personnel Security: Hiring Practices

Managing the people aspect of security, from pre-employment
to post-employment, is critical to ensure that trustworthy,
competent people are employed to further the business
objectives and protect the company's information.

Developing job descriptions.
Developing confidentiality agreements.
Contacting references / reference checks.
Screening and investigating background.
Ongoing supervision and periodic performance reviews.
Determining policies on vendor, contractor, consultant and
temporary staff access.
Employee terminations, which need different levels of care
depending on the circumstances.

Background Checks
Background checks can verify, or uncover problems with, the following:
Gaps in employment.
Misrepresentation of job titles, job duties, salary, or
reasons for leaving a job.
Validity and status of professional certifications.
Education verification and degrees obtained.
Credit history.
Driving records.
Criminal history.
Personal references.
Social security number verification.

Special Types of Background Checks


Individuals involved in technology.
Individuals with access to confidential or sensitive
information.
Employees with access to company proprietary or
competitive data.
Positions working with accounts payable, receivables, or
payroll.
Positions dealing directly with the public.
Employees working for healthcare industry-based
organizations or organizations dealing with financial
information.
Positions involving driving a motor vehicle.
Employees who will come in contact with children.

Elements of Professional Development
(NIST, SP 800-100)

The IT Security Learning Continuum (NIST, SP 800-100; figure redrawn as text):
Role-based training for the functions Manage; Acquire; Design & Develop;
Implement & Operate; Review & Evaluate; Use.
Security Basics & Literacy.
Security Awareness.

Security Awareness

Provide an understanding of the importance of security
within the organization.
Inform employees about their roles, and the expectations
surrounding their roles, in the observance of information
security requirements.
Provide guidance on the performance of particular
security or risk management functions, as well as
information about the security and risk management
functions in general.
Educate users in the fulfillment of the organization's security
program objectives, which may also include audit objectives for
organizations that are bound by regulatory compliance
(e.g., HIPAA, the Sarbanes-Oxley Act).

Topics for Security Awareness

Corporate security policies.
The organization's security program.
Regulatory compliance requirements.
Social engineering.
Business continuity.
Disaster recovery.
Emergency management.
Security incident response.
Data classification.
Information labeling and handling.
Personnel security, safety and soundness.
Physical security.
Appropriate use of computing resources.
Proper care and handling of security credentials.
Risk assessment.
Accidents, errors or omissions.

Awareness Activities and Methods

Formalized courses, face-to-face or online.
Use of posters to call attention to aspects of security.
Conduct business unit walk-throughs.
Use the intranet to post security reminders or host a security
column.
Appointment of security awareness mentors.
Sponsor a security awareness day.
Sponsor an event with an external partner.
Provide trinkets for users that reinforce security principles.
Provide security management videos, books, web sites,
and collateral for reference.

Selected Professional Education

Certified Information Systems Security Professional
(CISSP), (ISC)2. http://www.isc2.org/
Systems Security Certified Practitioner (SSCP),
(ISC)2. http://www.isc2.org/
Certified Information Systems Auditor (CISA),
ISACA. http://www.isaca.org/
Certified Information Security Manager (CISM),
ISACA. http://www.isaca.org/
Global Information Assurance Certification (GIAC),
SANS Institute. http://www.giac.org/

Potential Practical Projects


Develop an information security plan.
Review and propose a security organization
redesign.
Develop a security hiring plan.
- Write a job description for a security position.
- Write an advertisement for a security job.
Develop a security background check program.
Develop a security awareness plan / program.
Develop a security training plan / program.
