SlideShare ist ein Scribd-Unternehmen logo

Introduction to the management of information security

S
Sammer Qader

Introduction to the Management of Information Security

Bildung
1 von 14
Downloaden Sie, um offline zu lesen
1 University of Technology Computer Science Department UCHAPTER 1 Introduction to the Management of Information Security U(1) UPrepared by SAMMER A.QADER 2017
2 If this is the information superhighway, it’s going through a lot of bad, bad, neighborhoods.-- DORIAN BERGER, 1997 UObjectives Upon completion of this material, you should be able to: Describe the importance of the manager’s role in securing an organization’s use of information technology, and understand who is responsible for protecting an organization’s information assets Enumerate and discuss the key characteristics of information security Know & understand the definition & key characteristics of leadership & management Recognize the characteristics that differentiate information security management from general management 1.1 UIntroduction: • Information technology is critical to business and society ... & always has been (what happens if it’s not available?) • Computer security is evolving into information security. • Information security is the responsibility of every member of an organization, but managers play a critical role. U1.2 Information security involves 3 distinct communities of interest: Organizations must realize that information security funding and planning decisions involve more than just technical managers, such as information security managers or members of the information security team. Altogether, they should involve three distinct groups of decision makers, or communities of interest: 1- Information security managers & professionals. 2- Information technology managers & professionals. 3- Non-technical business managers & professionals.
3 1.3U Communities of Interest : The communities of interest and the roles they fulfill include the following: Information security community: protect information assets from threats IT community: support business objectives by supplying appropriate information technology Business community: policy and resources 1.4 UWhat Is Security? In order to understand the varied aspects of information security, you must know the definitions of certain IT terms and concepts. This knowledge enables you to communicate effectively with the IT and information security communities. • The quality or state of being secure—to be free from danger. • Security is achieved using several strategies altogether. U1.4.1 Specialized Areas of Security : Physical security: Protecting people, physical assets, and the workplace from various threats, including fire, unauthorized access, and natural disasters . Operations security: Protecting the organization’s ability to carry out its operational activities without interruption or compromise . Communications security : Protecting the organization’s communications media, technology, and content, and its ability to use these tools to achieve the organization’s objectives Network security: Protecting the organization’s data networking devices, connections, and contents as well as protecting the ability to use that network to accomplish the organization’s data communication functions.
4 U1.4.2 Information Security : is the protection of information and its critical characteristics (confidentiality, integrity, and availability), including the systems and hardware that use, store, and transmit that information, through the application of policy, training and awareness programs, and technology. Figure 1-1 shows that InfoSec includes: InfoSec includes information security management, computer security, data security, and network security Policy is a central to all information security efforts figure (1.1) Components of Information Security Figure (1.1)
5 McCumber ( NSTISSC) Security Model Figure (1.2)
6 U1.4.3 CIA Triangle The C.I.A. triangle is made up of: – Confidentiality – Integrity – Availability Over time the list of characteristics has expanded, but these three remain central Figure (1.3)
7 U1.5 Characteristics Key Concepts of Information Security include : 1. Confidentiality: Ensures that only those with sufficient privileges may access certain information. • Information classification • Secure document storage • Application of general security policies • Education of information. 2. Integrity : is the quality or state of being whole, complete, and uncorrupted • The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state • Corruption can occur while information is being compiled, stored, or transmitted 3. Availability : Availability is making information accessible to user access without interference or obstruction in the required format • A user in this definition may be either a person or another computer system • Availability means availability to authorized users 4. Privacy : • Information is to be used only for purposes known to the data owner • This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner 5. Identification: • Information systems possess the characteristic of identification when they are able to recognize individual users • Identification and authentication are essential to establishing the level of access or authorization that an individual is granted 6. Authentication : • Authentication occurs when a control provides proof that a user possesses the identity that he or she claims
8 7. Authorization • After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset 8. Accountability • The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process U1.6 What Is Management? A process of achieving objectives using a given set of resources To manage the information security process, first understand core principles of management A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals” U1.6.1 Managerial Roles Informational role: Collecting, processing, and using information to achieve the objective Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges U1.6.2 Differences Between Leadership and Management The leader influences employees so that they are willing to accomplish objectives He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow Leadership provides purpose, direction, and motivation to those that follow
9 A Manager administer the resources of the organization by – Creating budgets – Authorizes expenditures – Hires employees A Manager can also be a leader. U1.6.3 Characteristics of a Leader 1. Patience 2. Courage 3. Decisiveness 4. Dependability 5. Endurance 6. Initiative 7. Integrity 8. Justice 9. Knowledge 10. Tact U1.6.4 What Makes a Good Leader? Action plan for improvement of leadership abilities 1. Knows and seeks self-improvement 2. Be technically and tactically proficient 3. Seek responsibility and take responsibility for your actions 4. Make sound and timely decisions and Set the example U1.6.5 Behavioral Types of Leaders Three basic behavioral types of leaders: – Autocratic- action-oriented, “Do as I say” – Democratic – action-oriented and likely to be less efficient – Laissez-faire – laid-back.
10 U1.7 Characteristics of Management Two well-known approaches to management: – Traditional management theory using principles of planning, organizing, staffing, directing, and controlling (POSDC) – Popular management theory categorizes principles of management into planning, organizing, leading, and controlling (POLC) UPlanning Planning: process that develops, creates, and implements strategies for the accomplishment of objectives Three levels of planning: – Strategic – occurs at highest level of organization – Tactical – focuses on production planning and integrates organizational resources – Operational – focuses on day-to-day operations of local resources In general, planning begins with the strategic plan for the whole organization – To do this successfully, organization must thoroughly define its goals and objectives UOrganization Organization: is a principle of management dedicated to structuring of resources to support the accomplishment of objectives Organizing tasks requires determining: – What is to be done – In what order – By whom – By which methods – When
11 ULeadership Encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, and attitude Leadership generally addresses the direction and motivation of the human resource UControl Control: – Monitoring progress toward completion – Making necessary adjustments to achieve the desired objectives Controlling function determines what must be monitored as well using specific control tools to gather and evaluate information USolving Problems All managers face problems that must be solved. Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare the Possible Solutions Step 5: Select, Implement, and Evaluate a Solution U1.7.1 Principles Of Information Security Management Information security management is part of the organizational management team. The extended characteristics of information security are known as the six Ps: • Planning • Policy • Programs • Protection • People • Project Management
12 U1.7.2 Information Security Planning Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment U1.7.3 Information Security Planning Types Several types of InfoSec plans exist: • Incident response • Business continuity • Disaster recovery • Policy • Personnel • Technology rollout • Risk management and Security program including education, training and awareness UPolicyU: Policy: set of organizational guidelines that dictates certain behavior within the organization In InfoSec, there are three general categories of policy: • General program policy (Enterprise Security Policy) • An issue-specific security policy (ISSP) • System-specific policies (SSSPs) UPrograms Programs: specific entities managed in the information security domain , a security education training and awareness (SETA) program is one such entity Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on UProtection Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools. UPeople
13 People are the most critical link in the information security program. It is imperative that managers continuously recognize the crucial role that people play Including information security personnel and the security of personnel, as well as aspects of the SETA program U1.8 Project Management The final component of a security manager’s skill set is the use of a project management Approach. Whether the task is to roll out a new security training program or to select and Implement a new firewall; it is important that the process be managed as a project Project management discipline should be present throughout all elements of the information security program. UInvolves • Identifying and controlling the resources applied to the project • Measuring progress and adjusting the process as progress is made toward the goal
14 UReferences Michael E. Whitman, Herbert J. Mattord-Management of Information Security- Cengage Learning (2013) .

Empfohlen

Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introductionyuliana_mar
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
CompTIA Security+.pptx
CompTIA Security+.pptxCompTIA Security+.pptx
CompTIA Security+.pptxKiranKumar24546
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 

Empfohlen

Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introductionyuliana_mar
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
CompTIA Security+.pptx
CompTIA Security+.pptxCompTIA Security+.pptx
CompTIA Security+.pptxKiranKumar24546
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityjayashri kolekar
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Network Security
Network SecurityNetwork Security
Network SecurityManoj Singh
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101April Mardock CISSP
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
SECURITY SERVICES
SECURITY SERVICESSECURITY SERVICES
SECURITY SERVICESSHUBHA CHATURVEDI
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxChandanChandu928137
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber securityAnimesh Roy
 
Introduction to Information Security
Introduction to Information Security Introduction to Information Security
Introduction to Information Security Shreedevi Tharanidharan
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementMaganathin Veeraragaloo
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceCharles Lim
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingJim Geovedi
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical SecurityJorge Sebastiao
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Introduction to Information Management.pptx
Introduction to Information Management.pptxIntroduction to Information Management.pptx
Introduction to Information Management.pptxRodolfoIII2
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityjayashri kolekar
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Network Security
Network SecurityNetwork Security
Network SecurityManoj Singh
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber securityAnimesh Roy
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceCharles Lim
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingJim Geovedi
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical SecurityJorge Sebastiao
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 

Was ist angesagt? (20)

Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurance
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Network Security
Network SecurityNetwork Security
Network Security
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
SECURITY SERVICES
SECURITY SERVICESSECURITY SERVICES
SECURITY SERVICES
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
Introduction to Information Security
Introduction to Information Security Introduction to Information Security
Introduction to Information Security
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security Governance
 
Information security
Information securityInformation security
Information security
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud Computing
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical Security
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 

Ähnlich wie Introduction to the management of information security

chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Introduction to Information Management.pptx
Introduction to Information Management.pptxIntroduction to Information Management.pptx
Introduction to Information Management.pptxRodolfoIII2
 
Information security
Information security Information security
Information security razendar79
 
Keamanan informasi
Keamanan informasiKeamanan informasi
Keamanan informasiNova Novelia
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptxcejobelle
 
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERINGIT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERINGThumilvannanSambanda
 
Information security
Information securityInformation security
Information securityPraveen Minz
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKATHEESKUMAR S
 
Instructor Manual Principles of Information Security, 7th Edition by Michael ...
Instructor Manual Principles of Information Security, 7th Edition by Michael ...Instructor Manual Principles of Information Security, 7th Edition by Michael ...
Instructor Manual Principles of Information Security, 7th Edition by Michael ...marcuskenyatta275
 
Human Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxHuman Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxShreeveni
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information SecuritySARJERAO Sarju
 
Introduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfIntroduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfssuserf98dd4
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROLshinydey
 
information security management
information security managementinformation security management
information security managementGurpreetkaur838
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKumawat Dharmpal
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.pptit160320737038
 

Ähnlich wie Introduction to the management of information security (20)

chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Introduction to Information Management.pptx
Introduction to Information Management.pptxIntroduction to Information Management.pptx
Introduction to Information Management.pptx
 
Information security
Information security Information security
Information security
 
Keamanan informasi
Keamanan informasiKeamanan informasi
Keamanan informasi
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
 
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERINGIT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
 
Information security
Information securityInformation security
Information security
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Instructor Manual Principles of Information Security, 7th Edition by Michael ...
Instructor Manual Principles of Information Security, 7th Edition by Michael ...Instructor Manual Principles of Information Security, 7th Edition by Michael ...
Instructor Manual Principles of Information Security, 7th Edition by Michael ...
 
Human Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxHuman Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptx
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
 
Introduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfIntroduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdf
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROL
 
information security management
information security managementinformation security management
information security management
 
internet security and cyber lawUnit1
internet security and cyber lawUnit1internet security and cyber lawUnit1
internet security and cyber lawUnit1
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf
 

Mehr von Sammer Qader

Project integration management ch 4
Project integration management ch 4Project integration management ch 4
Project integration management ch 4Sammer Qader
 
Regression analysis algorithm
Regression analysis algorithm Regression analysis algorithm
Regression analysis algorithm Sammer Qader
 
Information & Data Architecture
Information & Data ArchitectureInformation & Data Architecture
Information & Data ArchitectureSammer Qader
 
Chapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information SystemsChapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information SystemsSammer Qader
 
Project integration management ch 4
Project integration management ch 4Project integration management ch 4
Project integration management ch 4Sammer Qader
 
Data classification sammer
Data classification sammer Data classification sammer
Data classification sammer Sammer Qader
 

Mehr von Sammer Qader (10)

Tam & toe
Tam & toeTam & toe
Tam & toe
 
Project integration management ch 4
Project integration management ch 4Project integration management ch 4
Project integration management ch 4
 
Text compression
Text compressionText compression
Text compression
 
Regression analysis algorithm
Regression analysis algorithm Regression analysis algorithm
Regression analysis algorithm
 
Transport laye
Transport laye Transport laye
Transport laye
 
Information & Data Architecture
Information & Data ArchitectureInformation & Data Architecture
Information & Data Architecture
 
Chapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information SystemsChapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information Systems
 
Project integration management ch 4
Project integration management ch 4Project integration management ch 4
Project integration management ch 4
 
Data classification sammer
Data classification sammer Data classification sammer
Data classification sammer
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 

Kürzlich hochgeladen

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 

Kürzlich hochgeladen (20)

Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 

Introduction to the management of information security

  • 1. 1 University of Technology Computer Science Department UCHAPTER 1 Introduction to the Management of Information Security U(1) UPrepared by SAMMER A.QADER 2017
  • 2. 2 If this is the information superhighway, it’s going through a lot of bad, bad, neighborhoods.-- DORIAN BERGER, 1997 UObjectives Upon completion of this material, you should be able to: Describe the importance of the manager’s role in securing an organization’s use of information technology, and understand who is responsible for protecting an organization’s information assets Enumerate and discuss the key characteristics of information security Know & understand the definition & key characteristics of leadership & management Recognize the characteristics that differentiate information security management from general management 1.1 UIntroduction: • Information technology is critical to business and society ... & always has been (what happens if it’s not available?) • Computer security is evolving into information security. • Information security is the responsibility of every member of an organization, but managers play a critical role. U1.2 Information security involves 3 distinct communities of interest: Organizations must realize that information security funding and planning decisions involve more than just technical managers, such as information security managers or members of the information security team. Altogether, they should involve three distinct groups of decision makers, or communities of interest: 1- Information security managers & professionals. 2- Information technology managers & professionals. 3- Non-technical business managers & professionals.
  • 3. 3 1.3U Communities of Interest : The communities of interest and the roles they fulfill include the following: Information security community: protect information assets from threats IT community: support business objectives by supplying appropriate information technology Business community: policy and resources 1.4 UWhat Is Security? In order to understand the varied aspects of information security, you must know the definitions of certain IT terms and concepts. This knowledge enables you to communicate effectively with the IT and information security communities. • The quality or state of being secure—to be free from danger. • Security is achieved using several strategies altogether. U1.4.1 Specialized Areas of Security : Physical security: Protecting people, physical assets, and the workplace from various threats, including fire, unauthorized access, and natural disasters . Operations security: Protecting the organization’s ability to carry out its operational activities without interruption or compromise . Communications security : Protecting the organization’s communications media, technology, and content, and its ability to use these tools to achieve the organization’s objectives Network security: Protecting the organization’s data networking devices, connections, and contents as well as protecting the ability to use that network to accomplish the organization’s data communication functions.
  • 4. 4 U1.4.2 Information Security : is the protection of information and its critical characteristics (confidentiality, integrity, and availability), including the systems and hardware that use, store, and transmit that information, through the application of policy, training and awareness programs, and technology. Figure 1-1 shows that InfoSec includes: InfoSec includes information security management, computer security, data security, and network security Policy is a central to all information security efforts figure (1.1) Components of Information Security Figure (1.1)
  • 5. 5 McCumber ( NSTISSC) Security Model Figure (1.2)
  • 6. 6 U1.4.3 CIA Triangle The C.I.A. triangle is made up of: – Confidentiality – Integrity – Availability Over time the list of characteristics has expanded, but these three remain central Figure (1.3)
  • 7. 7 U1.5 Characteristics Key Concepts of Information Security include : 1. Confidentiality: Ensures that only those with sufficient privileges may access certain information. • Information classification • Secure document storage • Application of general security policies • Education of information. 2. Integrity : is the quality or state of being whole, complete, and uncorrupted • The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state • Corruption can occur while information is being compiled, stored, or transmitted 3. Availability : Availability is making information accessible to user access without interference or obstruction in the required format • A user in this definition may be either a person or another computer system • Availability means availability to authorized users 4. Privacy : • Information is to be used only for purposes known to the data owner • This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner 5. Identification: • Information systems possess the characteristic of identification when they are able to recognize individual users • Identification and authentication are essential to establishing the level of access or authorization that an individual is granted 6. Authentication : • Authentication occurs when a control provides proof that a user possesses the identity that he or she claims
  • 8. 8 7. Authorization • After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset 8. Accountability • The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process U1.6 What Is Management? A process of achieving objectives using a given set of resources To manage the information security process, first understand core principles of management A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals” U1.6.1 Managerial Roles Informational role: Collecting, processing, and using information to achieve the objective Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges U1.6.2 Differences Between Leadership and Management The leader influences employees so that they are willing to accomplish objectives He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow Leadership provides purpose, direction, and motivation to those that follow
  • 9. 9 A Manager administer the resources of the organization by – Creating budgets – Authorizes expenditures – Hires employees A Manager can also be a leader. U1.6.3 Characteristics of a Leader 1. Patience 2. Courage 3. Decisiveness 4. Dependability 5. Endurance 6. Initiative 7. Integrity 8. Justice 9. Knowledge 10. Tact U1.6.4 What Makes a Good Leader? Action plan for improvement of leadership abilities 1. Knows and seeks self-improvement 2. Be technically and tactically proficient 3. Seek responsibility and take responsibility for your actions 4. Make sound and timely decisions and Set the example U1.6.5 Behavioral Types of Leaders Three basic behavioral types of leaders: – Autocratic- action-oriented, “Do as I say” – Democratic – action-oriented and likely to be less efficient – Laissez-faire – laid-back.
  • 10. 10 U1.7 Characteristics of Management Two well-known approaches to management: – Traditional management theory using principles of planning, organizing, staffing, directing, and controlling (POSDC) – Popular management theory categorizes principles of management into planning, organizing, leading, and controlling (POLC) UPlanning Planning: process that develops, creates, and implements strategies for the accomplishment of objectives Three levels of planning: – Strategic – occurs at highest level of organization – Tactical – focuses on production planning and integrates organizational resources – Operational – focuses on day-to-day operations of local resources In general, planning begins with the strategic plan for the whole organization – To do this successfully, organization must thoroughly define its goals and objectives UOrganization Organization: is a principle of management dedicated to structuring of resources to support the accomplishment of objectives Organizing tasks requires determining: – What is to be done – In what order – By whom – By which methods – When
  • 11. 11 ULeadership Encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, and attitude Leadership generally addresses the direction and motivation of the human resource UControl Control: – Monitoring progress toward completion – Making necessary adjustments to achieve the desired objectives Controlling function determines what must be monitored as well using specific control tools to gather and evaluate information USolving Problems All managers face problems that must be solved. Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare the Possible Solutions Step 5: Select, Implement, and Evaluate a Solution U1.7.1 Principles Of Information Security Management Information security management is part of the organizational management team. The extended characteristics of information security are known as the six Ps: • Planning • Policy • Programs • Protection • People • Project Management
  • 12. 12 U1.7.2 Information Security Planning Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment U1.7.3 Information Security Planning Types Several types of InfoSec plans exist: • Incident response • Business continuity • Disaster recovery • Policy • Personnel • Technology rollout • Risk management and Security program including education, training and awareness UPolicyU: Policy: set of organizational guidelines that dictates certain behavior within the organization In InfoSec, there are three general categories of policy: • General program policy (Enterprise Security Policy) • An issue-specific security policy (ISSP) • System-specific policies (SSSPs) UPrograms Programs: specific entities managed in the information security domain , a security education training and awareness (SETA) program is one such entity Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on UProtection Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools. UPeople
  • 13. 13 People are the most critical link in the information security program. It is imperative that managers continuously recognize the crucial role that people play Including information security personnel and the security of personnel, as well as aspects of the SETA program U1.8 Project Management The final component of a security manager’s skill set is the use of a project management Approach. Whether the task is to roll out a new security training program or to select and Implement a new firewall; it is important that the process be managed as a project Project management discipline should be present throughout all elements of the information security program. UInvolves • Identifying and controlling the resources applied to the project • Measuring progress and adjusting the process as progress is made toward the goal
  • 14. 14 UReferences Michael E. Whitman, Herbert J. Mattord-Management of Information Security- Cengage Learning (2013) .