Principles of Information Security, Fourth Edition
Chapter 10: Implementing Information Security

Introduction
- The SecSDLC implementation phase is accomplished by changing the configuration and operation of the organization's information systems.
- Implementation includes changes to:
  - Procedures (through policy)
  - People (through training)
  - Hardware (through firewalls)
  - Software (through encryption)
  - Data (through classification)
- The organization translates its blueprint for information security into a concrete project plan.

Information Security Project Management
- Once the organization's vision and objectives are understood, the process for creating the project plan can be defined.
- Major steps in executing the project plan:
  - Planning the project
  - Supervising tasks and action steps
  - Wrapping up
- Each organization must determine its own project management methodology for IT and information security projects.

Developing the Project Plan
- The project plan can be created using a work breakdown structure (WBS).
- For each major task, the WBS records:
  - Work to be accomplished
  - Assignees
  - Start and end dates
  - Amount of effort required
  - Estimated capital and noncapital expenses
  - Dependencies between/among tasks
- Each major WBS task is further divided into smaller tasks or specific action steps.
- Table 10-1: Example Project Plan Work Breakdown Structure (Early Draft)

Project Planning Considerations
- As the project plan is developed, adding detail is not always straightforward.
- Special considerations include financial, priority, time and schedule, staffing, procurement, organizational feasibility, and training.

Project Planning Considerations (contd.)
Financial considerations
- No matter what information security needs exist, the amount of effort that can be expended depends on the funds available.
- The cost-benefit analysis must be verified prior to development of the project plan.
- Both public and private organizations have budgetary constraints, though of a different nature.
- To justify the amount budgeted for a security project at either a public or a for-profit organization, it may be useful to benchmark the expenses of similar organizations.

Priority considerations
- In general, the most important information security controls should be scheduled first.
- Implementation of controls is guided by the prioritization of threats and the value of the threatened information assets.

Time and scheduling considerations
- Time affects dozens of points in the development of a project plan, including:
  - Time to order, receive, install, and configure a security control
  - Time to train the users
  - Time to realize the return on investment of the control

Project Planning Considerations (contd.)
Staffing considerations
- A lack of enough qualified, trained, and available personnel constrains the project plan.
- Experienced staff are often needed to implement available technologies and to develop and implement policies and training programs.

Procurement considerations
- IT and information security planners must consider the acquisition of goods and services.
- Most organizations place many constraints on the selection process for equipment and services, specifically in the selection of service vendors or of products from manufacturers/suppliers.
- These constraints may eliminate a technology from the realm of possibilities.

Organizational feasibility considerations
- Policies require time to develop; new technologies require time to be installed, configured, and tested.
- Employees need training on new policies and technology, and on how the new information security program affects their working lives.
- Changes should be transparent to system users unless the new technology is intended to change procedures (e.g., requiring additional authentication or verification).

Training and indoctrination considerations
- The size of the organization and the normal conduct of business may preclude a single large training program on new security procedures/technologies.
- Thus, the organization should use a phased-in or pilot approach to implementation.

Scope Considerations
- Project scope concerns the boundaries of time and effort-hours needed to deliver the planned features and the quality level of the project deliverables.
- In the case of information security, project plans should not attempt to implement the entire security system at one time.

The Need for Project Management
- Project management requires a unique set of skills and a thorough understanding of a broad body of specialized knowledge.
- Most information security projects require a trained project manager: either the CISO or a skilled IT manager versed in project management techniques.

The Need for Project Management (contd.)
Supervised implementation
- Some organizations designate a champion from the general management community of interest to supervise implementation of the information security project plan.
- An alternative is to designate a senior IT manager or the CIO to lead the implementation.
- The optimal solution is to designate a suitable person from the information security community of interest.
- It is up to each organization to find the most suitable leadership for a successful project implementation.

Executing the plan
- Negative feedback ensures that project progress is measured periodically: measured results are compared against expected results, and when a significant deviation occurs, corrective action is taken.
- Often the project manager can adjust one of three parameters for the task being corrected:
  - Effort and money allocated
  - Scheduling impact
  - Quality or quantity of the deliverable
- Figure 10-1: Negative Feedback Loop

The Need for Project Management (contd.)
Project wrap-up
- Project wrap-up is usually handled as a procedural task and assigned to a mid-level IT or information security manager.
- Collect documentation, finalize status reports, and deliver the final report and presentation at a wrap-up meeting.
- The goal of wrap-up is to resolve any pending issues, critique the overall project effort, and draw conclusions about how to improve the process.

Technical Aspects of Implementation
- Some parts of the implementation process are technical in nature, dealing with the application of technology.
- Others are not, dealing instead with the human interface to technical systems.

Conversion Strategies
- As the components of the new security system are planned, provisions must be made for the changeover from the previous method of performing a task to the new method.
- Four basic approaches:
  - Direct changeover
  - Phased implementation
  - Pilot implementation
  - Parallel operations

The Bull's-Eye Model
- A proven method for prioritizing a program of complex change.
- Issues are addressed from the general to the specific; the focus is on systematic solutions rather than individual problems.
- Relies on evaluating project plans in progression through four layers:
  - Policies
  - Networks
  - Systems
  - Applications
- Figure 10-2: The Bull's-Eye Model

To Outsource or Not
- Just as some organizations outsource IT operations, organizations can outsource part or all of their information security programs.
- Due to the complex nature of outsourcing, it is advisable to hire the best outsourcing specialists and retain the best attorneys possible to negotiate and verify the legal and technical intricacies.

Technology Governance and Change Control
- Technology governance: the complex process an organization uses to manage the impact and costs of technology implementation, innovation, and obsolescence.
- By managing the process of change (change control), the organization can improve communication, enhance coordination, reduce unintended consequences, improve quality of service, and ensure that groups are complying with policies.

Nontechnical Aspects of Implementation
- Other parts of the implementation process are not technical in nature, dealing with the human interface to technical systems.
- These include creating a culture of change management as well as considerations for organizations facing change.

The Culture of Change Management
- The prospect of change can cause employees to build up resistance to change.
- The stress of change can increase the probability of mistakes or create vulnerabilities.
- Resistance to change can be lowered by building resilience for change.
- Lewin change model:
  - Unfreezing
  - Moving
  - Refreezing

Considerations for Organizational Change
- Steps can be taken to make the organization more amenable to change:
  - Reduce resistance to change from the beginning of the planning process
  - Develop a culture that supports change

Considerations for Organizational Change (contd.)
Reducing resistance to change from the start
- The more ingrained the previous methods and behaviors, the more difficult the change.
- It is best to improve interaction between the affected members of the organization and the project planners in the early project phases.
- Three-step process for project managers: communicate, educate, and involve.
- Joint application development (JAD)

Developing a culture that supports change
- The ideal organization fosters resilience to change.
- Resilience: the organization has come to expect change as a necessary part of organizational culture, and embracing change is more productive than fighting it.
- To develop such a culture, the organization must successfully accomplish many projects that require change.

Information Systems Security Certification and Accreditation
- It may seem that only systems handling secret government data require security certification and accreditation.
- In order to comply with the myriad of federal regulations protecting personal privacy, organizations need to have some formal mechanism for verification and validation.

Certification versus accreditation
- Accreditation: authorizes an IT system to process, store, or transmit information; assures that systems are of adequate quality.
- Certification: the evaluation of the technical and nontechnical security controls of an IT system, establishing the extent to which the design and implementation meet the security requirements.

NIST SP 800-37
- SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems (it superseded the original SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems).
- Provides guidance for the security authorization (certification and accreditation) of federal information systems.
- Information processed by the federal government is grouped into one of three categories:
  - National security information (NSI)
  - Non-NSI
  - Intelligence community (IC)
- Figure 10-4: Risk Management Framework

- Figure 10-3: Tiered Risk Management Framework
- Figure 10-5: NIST SP 800-37, Rev. 1: Security Control Allocation

Information Systems Security Certification and Accreditation (contd.)
- NSTISSI No. 1000: National Information Assurance Certification and Accreditation Process (NIACAP)
- The NIACAP is composed of four phases:
  - Phase 1: Definition
  - Phase 2: Verification
  - Phase 3: Validation
  - Phase 4: Post-accreditation
- Figure 10-6: Overview of the NIACAP process

ISO 27001/27002 Systems Certification and Accreditation
- Widely applied by entities outside the United States.
- The standards were originally created (as BS 7799) to provide a foundation for British certification of information security management systems (ISMS).
- Organizations wishing to demonstrate that their systems have met this international standard must follow the certification process.
- Figure 10-11: Japanese ISMS Certification and Accreditation

Summary
- Moving from the security blueprint to the project plan
- Organizational considerations addressed by the project plan
- The project manager's role in the success of an information security project
- Technical strategies and models for implementing the project plan
- Nontechnical problems that organizations face in times of rapid change
