Management of Information Security, Third Edition
Chapter 1
Introduction to the Management of Information Security
If this is the information superhighway, it’s going through a lot of bad, bad neighborhoods. – Dorian Berger
Objectives
• Upon completion of this material, you should be able to:
– Describe the importance of the manager’s role in
securing an organization’s use of information
technology, and understand who is responsible for
protecting an organization’s information assets
– Enumerate and discuss the key characteristics of
information security
Management of Information Security, 3rd Edition
Objectives (cont’d.)
– Enumerate and define the key characteristics of
leadership and management
– Differentiate information security management from
general management
Introduction
• Information technology
– The vehicle that stores and transports information
from one business unit to another
– The vehicle can break down
• The concept of computer security has been replaced by the concept of information security
– Covers a broad range of issues
• From protection of data to protection of human resources
Introduction (cont’d.)
• Information security is no longer the sole
responsibility of a discrete group of people in the
company
– It is the responsibility of every employee, especially
managers
Introduction (cont’d.)
• Groups of decision makers
1. Information security managers and professionals
2. Information technology managers and professionals
3. Non-technical business managers and professionals
1. InfoSec Community
• Protects the organization’s information assets
from the threats they face.
2. IT Community
• Supports the business objectives of the
organization by supplying and supporting
information technology appropriate to the
business needs
3. Non-Technical Community
• Articulates and communicates organizational
policy and objectives and allocates resources to
the other groups
What Is Security?
• The quality or state of being free from danger
• Specialized areas of security
– Physical security
– Operations security
– Communications security
– Network security
Information Security
• The protection of information and its critical elements:
– Confidentiality
– Integrity
– Availability
• Achieved through a combination of:
– Policy
– Training and awareness programs
– Technology
CNSS Security Model
Figure 1-1 Components of information security
Source: Course Technology/Cengage Learning
CNSS Security Model (cont’d.)
• C.I.A. triangle
– Confidentiality, integrity, and availability
– Has expanded into a more comprehensive list of
critical characteristics of information
• NSTISSC (CNSS) Security Model
– Also known as the McCumber Cube
– Provides a more detailed perspective on security
– Covers the three dimensions of information security
CNSS Security Model (cont’d.)
Figure 1-2 CNSS security model
Source: Course Technology/Cengage Learning
(adapted from NSTISSI No. 4011)
Confidentiality
• The characteristic of information whereby only
those with sufficient privileges may access certain
information
• Measures used to protect confidentiality
– Information classification
– Secure document storage
– Application of general security policies
– Education of information custodians and end users
Integrity
• The quality or state of being whole, complete, and
uncorrupted
• Information integrity is threatened
– If exposed to corruption, damage, destruction, or other
disruption of its authentic state
• Corruption can occur while information is being
compiled, stored, or transmitted
Availability
• The characteristic of information that enables user
access to information in a required format,
without interference or obstruction
– A user in this definition may be either a person or
another computer system
– Availability does not imply that the information is
accessible to any user
• Implies availability to authorized users
Privacy
• Information collected, used, and stored by an
organization is to be used only for the purposes
stated to the data owner at the time it was
collected
• Privacy as a characteristic of information does not
signify freedom from observation
– Means that information will be used only in ways
known to the person providing it
Identification & Authentication
• An information system possesses the
characteristic of identification when it is able to
recognize individual users.
• Authentication occurs when a control proves that
a user possesses the identity that he or she claims
• Identification and authentication are essential to
establishing the level of access or authorization
that an individual is granted
Accountability
• Accountability exists when a control provides
assurance that every activity undertaken can be
attributed to a named person or automated process
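The distinctions drawn on the last two slides (identification recognises a claimed user, authentication proves the claim, and accountability attributes every activity to a named principal) in a small working model. This is an added example, not code from the textbook; the users, secrets, roles and actions are constructed for illustration.

```python
"""Added example (not from the textbook): identification, authentication
and accountability as separate controls. The audit record binds each
activity to the authenticated identity, never to an unproven claim.
All users, secrets and actions below are constructed for illustration."""
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the registry never stores the secret itself
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class InfoSystem:
    def __init__(self) -> None:
        self.registry: dict[str, tuple[bytes, bytes, str]] = {}  # user -> (salt, hash, role)
        self.audit_log: list[dict] = []  # accountability: one record per activity

    def enroll(self, user: str, secret: str, role: str) -> None:
        salt = os.urandom(16)
        self.registry[user] = (salt, _hash_secret(secret, salt), role)

    def identify(self, claimed: str) -> bool:
        # Identification: the system recognises the individual user
        return claimed in self.registry

    def authenticate(self, claimed: str, secret: str) -> bool:
        # Authentication: the control proves the user holds the claimed identity
        if not self.identify(claimed):
            return False
        salt, stored, _ = self.registry[claimed]
        return hmac.compare_digest(stored, _hash_secret(secret, salt))

    def perform(self, claimed: str, secret: str, action: str) -> str:
        # Authorization follows from the authenticated identity's role;
        # every attempt, allowed or denied, is attributed in the audit log
        authenticated = self.authenticate(claimed, secret)
        role = self.registry[claimed][2] if authenticated else None
        allowed = authenticated and (role == "admin" or action == "read")
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "principal": claimed if authenticated else "<unauthenticated>",
            "action": action,
            "outcome": "allowed" if allowed else "denied",
        })
        return "allowed" if allowed else "denied"
```

Note that a failed authentication is still logged, but under a placeholder principal: the log must never record a claimed identity as if it had been proven.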
Leaders & Managers
• Leaders
– Influence employees to accomplish objectives
– Lead by example, demonstrating personal traits that
instill a desire in others to follow
– Provide purpose, direction, and motivation to those
that follow
• Managers
– Administer the resources of the organization
– Create budgets, authorize expenditures, and hire
employees
Roles
• Informational role
– Collecting, processing, and using information that can
affect the completion of the objective
• Interpersonal role
– Interacting with superiors, subordinates, outside
stakeholders, and other parties that influence or are
influenced by the completion of the task
• Decisional role
– Selecting from among alternative approaches, and
resolving conflicts, dilemmas, or challenges
Solving Problems
• Step 1: Recognize and define the problem
• Step 2: Gather facts and make assumptions
• Step 3: Develop possible solutions
• Step 4: Analyze and compare possible solutions
• Step 5: Select, implement, and evaluate a solution
Six P’s
• The extended characteristics of information
security are known as the six P’s
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
1. Planning
• Planning as part of InfoSec management
– An extension of the basic planning model discussed
earlier in this chapter
• Included in the InfoSec planning model
– Activities necessary to support the design, creation,
and implementation of information security strategies
Planning (cont’d.)
• Types of InfoSec plans
– Incident response planning
– Business continuity planning
– Disaster recovery planning
– Policy planning
– Personnel planning
– Technology rollout planning
– Risk management planning
– Security program planning
• Includes education, training, and awareness
2. Policy
• Policy
– The set of organizational guidelines that dictates
certain behavior within the organization
• Three general categories of policy
– Enterprise information security policy (EISP)
– Issue-specific security policy (ISSP)
– System-specific policies (SysSPs)
3. Programs
• Programs
– InfoSec operations that are specifically managed as
separate entities
– Example: a security education training and awareness
(SETA) program
• Other types of programs
– Physical security program
• Complete with fire protection, physical access controls, gates, guards, etc.
4. Protection
• Executed through risk management activities
– Including risk assessment and control, protection
mechanisms, technologies, and tools
– Each of these mechanisms represents some aspect of
the management of specific controls in the overall
information security plan
5. People
• People
– The most critical link in the information security
program
– Managers must recognize the crucial role that people
play in the information security program
– This area of InfoSec includes security personnel and
the security of personnel, as well as aspects of a SETA
program
6. Project Management
• Project management
– Identifying and controlling the resources applied to the
project
– Measuring progress
– Adjusting the process as progress is made
Project Management (cont’d.)
• Information security is a process, not a project
– Each element of an information security program must
be managed as a project
– A continuous series, or chain, of projects
• Some aspects of information security are not
project based
– They are managed processes (operations)
Project Management (cont’d.)
Figure 1-4 The information security program chain
Source: Course Technology/Cengage Learning
Summary
• What is security?
• What is leadership & management?
• Six P’s
1. Planning
2. Policy
3. Programs
4. Protection
5. People
6. Project management
• Applying project management to security