Brian Mennecke
An Important Question
Who in an organization is responsible for security?
These concepts are a summary of Dutta and McCrohan, Management's Role in Information Security in a Cyber Economy, California Management Review, October 2002
Root cause!
Why won't senior management engage in security?
It is difficult to connect security-related expenditures to profitability. Increases in security will often increase costs and reduce efficiency.
Threats
Where do threats come from?
Disgruntled current or former employees; hackers; virus writers; criminal groups; those engaged in corporate espionage; terrorists; foreign intelligence services; information warfare by foreign militaries; and various other actors.
Barriers to Security
The worldwide diffusion of the Internet opens up new business opportunities (e.g., the 3-R Framework). It also increases an organization's vulnerability, since so many more individuals of unknown origin and intent now have access to its systems.
Clue IT In!
Organizations commonly look for technical certification when hiring IT staff, but how often is any effort made to educate new security workers on the organization's strategic focus or to communicate to them the criticality levels of their information assets?
Three Cornerstones
Senior managers need to remember that security depends on the strength of three cornerstones: critical infrastructures, organization, and technology.
Critical Infrastructures
Critical infrastructure protection; government-industry collaboration.
Management's role in critical infrastructure protection: to recognize that critical infrastructure protection is an essential component of corporate governance as well as organizational security.
Organization
Structure determines the locus of ownership of data and processes.
Business environment: threats depend on the value of the firm's intellectual property, the degree of change the firm is facing, its accessibility, and its industry position.
Technology
Firewalls and intrusion detection; password layering; public key infrastructure; secure servers; VPNs.
Management Actions
Corporate boards should ensure that senior managers buy into the process of risk assessment. Senior managers also need to ensure that technical and operational staff understand each other's requirements and are cooperatively engaged in the process. Establish an ongoing process of monitoring risk.
Security Concepts
Authentication: The process by which one entity verifies that another entity is who it claims to be.
Authorization: The process that ensures that a person has the right to access certain resources.
Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes.
Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner.
Nonrepudiation: The ability to prevent parties from refuting that a legitimate transaction took place, usually by means of a signature.
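The integrity and nonrepudiation definitions above are easy to conflate. The following is an added example, not code from the slides or from Dutta and McCrohan: it shows that a shared-key MAC detects tampering (integrity) but cannot give nonrepudiation, because the receiver holds the same key and can produce a valid tag for any message, whereas a signature made with a private key can be checked by anyone holding the public key but produced only by its owner. The RSA parameters (TOY_P, TOY_Q, TOY_E), the shared key, and the order messages are constructed toy values; the textbook RSA here has no padding and tiny primes and is for illustration only.

```python
"""Added example: integrity vs. nonrepudiation with an HMAC and a toy RSA signature.

Keys and messages below are constructed for illustration (tiny textbook RSA,
no padding); never use them for real data.
"""
import hashlib
import hmac

# Constructed toy RSA parameters: two small primes and the usual public exponent.
TOY_P, TOY_Q, TOY_E = 1000003, 1000033, 65537


def toy_rsa_keypair():
    """Return ((n, e), (n, d)) from the toy primes above (insecure, for illustration)."""
    n = TOY_P * TOY_Q
    phi = (TOY_P - 1) * (TOY_Q - 1)
    d = pow(TOY_E, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, TOY_E), (n, d)


def _digest_int(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus (textbook RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    """Signature = H(m)^d mod n; only the holder of d can compute this."""
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone with the public key checks sig^e mod n == H(m)."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag: an integrity check for the parties sharing `key`."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_valid(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so verification does not leak the tag byte by byte."""
    return hmac.compare_digest(mac(key, msg), tag)


def demo() -> dict:
    """Walk through integrity and nonrepudiation with a constructed order message."""
    order = b"transfer 100 to account 42"      # constructed sample message
    tampered = b"transfer 1000 to account 42"  # one digit changed in transit
    shared_key = b"constructed-shared-key"     # held by BOTH sender and receiver

    pub, priv = toy_rsa_keypair()
    sig = sign(priv, order)
    tag = mac(shared_key, order)

    # Integrity: both mechanisms detect the altered amount.
    results = {
        "signature_valid": verify(pub, order, sig),
        "tampered_signature_valid": verify(pub, tampered, sig),
        "mac_valid": mac_valid(shared_key, order, tag),
        "tampered_mac_valid": mac_valid(shared_key, tampered, tag),
    }

    # Nonrepudiation: the receiver also holds shared_key, so a tag it makes for a
    # message the sender never sent is indistinguishable from a genuine one.
    fake = b"transfer 5000 to account 42"
    results["receiver_can_forge_mac"] = mac_valid(shared_key, fake, mac(shared_key, fake))

    # With only the public key, the receiver cannot sign: using e in place of the
    # private exponent d does not yield a value that verifies.
    n, e = pub
    forged_sig = pow(_digest_int(fake, n), e, n)
    results["receiver_can_forge_signature"] = verify(pub, fake, forged_sig)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the five checks; the two "forge" results are the point: a shared-key MAC lets either party manufacture evidence, so a third party cannot attribute a tagged message to the sender, which is exactly what the signature-based nonrepudiation in the definition provides.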
What is at risk?
Market share; customer privacy; ongoing, uninterrupted operations; morale of organizational members.
How do we effectively manage the residual risk when protection and prevention actions are not taken?
An operational IS plan is a precise set of shorter-term goals and associated projects that will be executed by the IS department and by business managers in support of the strategic IS plan.