Developing the Security Program

IS4231 INFORMATION SECURITY MANAGEMENT

05 Developing the Security Program

Objectives

Upon completion of this material you should be able to:
– Explain the organizational approaches to information security
– List and describe the functional components of an information security program
– Determine how to plan and staff an organization’s information security program based on its size

IS4231 – 05 Developing the Security Program

Objectives (cont’d.)

Upon completion of this material you should be able to: (cont’d.)
– Evaluate the internal and external factors that influence the activities and organization of an information security program
– List and describe the typical job titles and functions performed in the information security program


Objectives (cont’d.)

Upon completion of this material you should be able to: (cont’d.)
– Describe the components of a security education, training, and awareness program and explain how organizations create and manage these programs


Introduction

• Some organizations use “security program” to describe the entire set of personnel, plans, policies, and initiatives related to information security
  – The term “information security program” is used here to describe the structure and organization of the effort that contains risks to the information assets of the organization


Organizing for Security

• Variables involved in structuring an information security program
  – Organizational culture
  – Size
  – Security personnel budget
  – Security capital budget
• As organizations increase in size:
  – Their security departments are not keeping up with increasingly complex organizational infrastructures



Organizing for Security (cont’d.)

• Information security departments tend to form internal groups
  – To meet long-term challenges and handle day-to-day security operations
• Functions are likely to be split into groups
• Smaller organizations typically create fewer groups
  – Perhaps having only one general group of specialists


Organizing for Security (cont’d.)

• Very large organizations
  – More than 10,000 computers
  – Security budgets often grow faster than IT budgets
  – Even with large budgets, the average amount spent on security per user is still smaller than in any other type of organization
    • Small organizations spend more than $5,000 per user on security; very large organizations spend about 1/18th of that, roughly $300 per user


Organizing for Security (cont’d.)

• Very large organizations (cont’d.)
  – Do a better job in the policy and resource management areas
  – Only 1/3 of organizations handled incidents according to an IR plan
• Large organizations
  – Have 1,000 to 10,000 computers
  – Security approach has often matured, integrating planning and policy into the organization’s culture


Organizing for Security (cont’d.)

• Large organizations (cont’d.)
  – Do not always put large amounts of resources into security
    • Considering the vast numbers of computers and users often involved
  – They tend to spend proportionally less on security


Security in Large Organizations

• One approach separates functions into four areas:
  – Functions performed by non-technology business units outside of IT
  – Functions performed by IT groups outside of information security area
  – Functions performed within information...