CNIT 160: Cybersecurity Responsibilities
4. Information Security Program Development
Part 1
Pages 190 - 202
Chapter Topics
• Information Security Programs
• Security Program Management
• Security Program Operations
• IT Service Management
• Controls
• Metrics and Monitoring
• Continuous Improvement
Information Security Programs
• Outcomes
• Charter
• Scope
• Information Security Management Frameworks
• Defining a Road Map
• Information Security Architecture
  • The Open Group Architecture Framework
  • The Zachman Framework
• Implementing a Security Architecture
Developing an Information Security Program
• Four steps
  • Developing a security strategy
  • Gap analysis
  • Developing a road map
  • Developing a security program
Information Security Programs
• The collection of activities to identify, communicate, and address risks
• Consists of controls, processes, and practices
  • To increase the resilience of the computing environment, and
  • Ensure that risks are known and handled effectively
Enabling Business
• Security program acts as a business enabler
  • Allowing it to consider new business ventures
  • While being aware of risks that can be mitigated
• Like the brakes on a race car
  • Allowing it to move faster and stay on the road
Outcomes
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Performance management
• Assurance process integration
Strategic Alignment
• Program must work in harmony with the rest of the organization
  • Being aware of new initiatives
  • Developing risk tolerance criteria that business leaders agree with
  • Establishing mutual trust
• Use a security council or governance committee
  • With stakeholders across the business
Risk Management and Value Delivery
• Risk Management
  • Identifies risks
  • Facilitates desired outcomes
  • Through appropriate risk treatment
• Value Delivery
  • Reducing risk in critical activities
  • To an acceptable level
Resource Management
• Permanent and temporary staff, external service providers, and tools
  • Must be managed so they are effectively used
  • To reduce risks in alignment with the risk management program
• "Rightsizing" the information security program budget
  • Assist with resource requests from the security manager
Performance Management
• Measure key activities
  • To ensure they are operating as planned
• Security metrics
Assurance Process Integration
• Information security program aligns with other assurance programs and processes
  • HR, finance, legal, audit, enterprise risk management, IT, and operations
  • Influences those activities to protect them from harm
Charter
• Formal written definition of
  • Objectives of the program
  • Main timelines
  • Sources of funding
  • Names of principal leaders and managers
  • Business executives who are sponsoring the program
• Gives security manager authority, shows support from leadership team
Security Manager Functions
• Develop and enforce
  • Security policy
  • Risk management process
  • Security governance
  • Controls across business unit boundaries
Security Manager Functions
• Develop and direct implementation of key security processes
  • Vulnerability management
  • Incident management
  • Third-party risk
  • Security architecture
  • Business continuity planning
  • Security awareness training
Team Sport
• Security charter is ratified by executive management
• Security manager can't dictate the program to others
  • Must lead and guide program through collaboration and consensus by stakeholders
• Executive leaders and board of directors hold the ultimate responsibility or ownership for protecting information
Scope
• Define departments, business units, affiliates, and locations
  • Included in information security program
• More relevant in larger organizations
Information Security Management Frameworks
• Business process models
  • Include essential processes and activities
  • Needed by most organizations
• Risk-centric
Three Most Popular Security Management Frameworks
• ISO/IEC 27001:2013
• COBIT 5
• NIST CSF
ISO/IEC 27001:2013
• International standard
  • "Information technology - Security techniques - Information security management systems - Requirements"
• Processes used to
  • Assess risk
  • Develop controls
  • Manage typical processes such as vulnerability management and incident management
COBIT 5
• From ISACA
• Controls and governance framework
  • For managing an IT organization
• COBIT 5 for Information Security
  • Additional standard to extend COBIT 5
NIST CSF
• US National Institute of Standards and Technology (NIST)
• Cyber Security Framework (CSF)
• Developed in 2014 to address rampant security breaches and identity theft in the US
Ch 4a-1
Defining a Road Map
• Required steps to achieve an objective
  • In support of the business vision and mission
• Consists of various tasks and projects
  • Creating and implementing capabilities
  • Reducing information risk
Enterprise Architecture
• Both a business function and a technical model
• Business function
  • Activities ensuring that important business needs are met by IT systems
• Model
  • Mapping business systems into IT environment and systems
Information Security Architecture
• A subset within Enterprise Architecture
• Concerned with two things
  • Protective characteristics in components in the enterprise architecture
  • Specific components in the enterprise architecture that provide preventive or detective security functions
Enterprise Architecture Ensures:
Two Layers of Information Security Architecture
• Policy
  • Necessary characteristics of overall environment
  • Ex: centralized authentication, endpoint-based web filtering
• Standards
  • Vendor standards
  • Protocol standards
  • Configuration or hardening standards
Centralized Functions
• Operate more effectively than isolated, local instances
• Amplify workforce
  • So a small staff can manage hundreds or thousands of devices
• Authentication
  • Microsoft Active Directory (AD)
  • Lightweight Directory Access Protocol (LDAP)
• Monitoring
  • SIEMs like Splunk
• Device Management
  • Consistency for servers, workstations, mobile devices, and network devices
Centralized Functions
Two Enterprise Architecture Frameworks
• The Open Group Architecture Framework (TOGAF)
• Zachman Framework
• These are Enterprise Architecture models, not Enterprise Security Architecture models
The Open Group Architecture Framework (TOGAF)
• Life-cycle enterprise architecture framework
  • For designing, planning, implementing, and governing
  • An enterprise technology architecture
• A high-level approach
Phases in TOGAF
TOGAF Components
Zachman Framework
• Established in the 1980s
• Still dominant today
• Likens IT enterprise architecture to construction and maintenance of an office building
Zachman Framework
Implementing a Security Architecture
• Both a big-picture and a detailed plan
• At enterprise level
  • Policy and governance
  • Decisions about major aspects
    • Such as brands of servers, workstations, and network devices
• At detail level
  • Configuration and change management on devices or groups of devices
  • Ex: Upgrade to DNS infrastructure
    • Might increase number of name servers
    • Requiring updates to most or all devices
Implementing a Security Architecture
Changes to Architecture Models
• Software-Defined Networking (SDN)
• Virtualization
• Microservices
  • Small, independent services that communicate over networks
  • Often in containers
Security Program Management
Security Program Management Topics
• Security Governance (in this lecture)
  • Activities and Results
• For later lectures:
  • Risk Management
    • The Risk Management Program
    • The Risk Management Process
    • Identifying and Grouping Assets
    • Risk Analysis
    • Risk Treatment
Security Program Management Topics (continued)
• For later lectures
  • Audits and Reviews
  • Control Self-Assessment
  • Security Reviews
  • Policy Development
  • Third-Party Risk Management
  • Administrative Activities
Security Governance
• Assemblage of management activities that
  • Identify, analyze and treat risks to key assets
  • Establish key roles and responsibilities
  • Measure key security processes
• Board of Directors
  • Establishes tone for risk appetite and risk management
• Information Steering Committee
• Chief Information Security Officer (CISO)
• Audit
• Chief Information Officer (CIO)
• Management
• All employees
Security Governance Personnel
Information Steering Committee
• Establishes operational strategy
  • For security and risk management
• Sets strategic and operational roles and responsibilities
• Security strategy should align with strategy for IT and the business overall
Chief Information Security Officer (CISO)
• Responsible for
  • Developing security policy
  • Conducting risk assessments
  • Developing processes for
    • Vulnerability management
    • Incident management
    • Identity and access management
    • Security awareness and training
    • Compliance management
Audit
• Responsible for examining selected business processes and information systems
  • To verify that they are designed and operating properly
Chief Information Officer (CIO)
• Responsible for overall management of the IT organization, including
  • IT strategy
  • Development
  • Operations
  • Service desk
Management
• Every manager should be at least partially responsible for the conduct of their employees
• This establishes a chain of accountability
All Employees
• Required to comply with
  • Security policy
  • Security requirements and processes
  • All other policies
• Compliance with policy is a condition of employment
Reasons for Security Governance
• Organizations are completely dependent on their information systems
• Ineffective security governance can lead to negligence and breaches
Security Governance Activities and Results
• Risk management
• Process improvement
• Incident response
• Improved compliance
• Business continuity and disaster recovery planning
• Effectiveness measurement
• Resource management
• Improved IT governance
Results of Security Governance
• Increased trust
  • From customers, suppliers, and partners
• Improved reputation
Ch 4a-2

Role Of Transgenic Animal In Target Validation-1.pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 

CNIT 160 Ch 4a: Information Security Programs

1. CNIT 160: Cybersecurity Responsibilities
4. Information Security Program Development
Part 1
Pages 190 - 202

2. Chapter Topics
• Information Security Programs
• Security Program Management
• Security Program Operations
• IT Service Management
• Controls
• Metrics and Monitoring
• Continuous Improvement

4. Information Security Programs
• Outcomes
• Charter
• Scope
• Information Security Management Frameworks
• Defining a Road Map
• Information Security Architecture
• The Open Group Architecture Framework
• The Zachman Framework
• Implementing a Security Architecture

5. Developing an Information Security Program
• Four steps
• Developing a security strategy
• Gap analysis
• Developing a road map
• Developing a security program

6. Information Security Programs
• The collection of activities to identify, communicate, and address risks
• Consists of controls, processes, and practices
• To increase resilience of computing environment, and
• Ensure that risks are known and handled effectively

7. Enabling Business
• Security program acts as a business enabler
• Allowing it to consider new business ventures
• While being aware of risks that can be mitigated
• Like the brakes on a race car
• Allowing it to move faster and stay on the road

8. Outcomes
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Performance management
• Assurance process integration

9. Strategic Alignment
• Program must work in harmony with the rest of the organization
• Being aware of new initiatives
• Developing risk tolerance criteria that business leaders agree with
• Establishing mutual trust
• Use a security council or governance committee
• With stakeholders across the business

10. Risk Management and Value Delivery
• Risk Management
• Identifies risks
• Facilitates desired outcomes
• Through appropriate risk treatment
• Value Delivery
• Reducing risk in critical activities
• To an acceptable level
11. Resource Management
• Permanent and temporary staff, external service providers, and tools
• Must be managed so they are effectively used
• To reduce risks in alignment with the risk management program
• "Rightsizing" information security program budget
• Assist with resource requests from security manager

12. Performance Management
• Measure key activities
• To ensure they are operating as planned
• Security metrics

13. Assurance Process Integration
• Information security program aligns with other assurance programs and processes
• HR, finance, legal, audit, enterprise risk management, IT, and operations
• Influences those activities to protect them from harm

14. Charter
• Formal written definition of
• Objectives of the program
• Main timelines
• Sources of funding
• Names of principal leaders and managers
• Business executives who are sponsoring the program
• Gives security manager authority, shows support from leadership team

15. Security Manager Functions
• Develop and enforce
• Security policy
• Risk management process
• Security governance
• Controls across business unit boundaries

16. Security Manager Functions
• Develop and direct implementation of key security processes
• Vulnerability management
• Incident management
• Third-party risk
• Security architecture
• Business continuity planning
• Security awareness training

17. Team Sport
• Security charter is ratified by executive management
• Security manager can't dictate the program to others
• Must lead and guide program through collaboration and consensus by stakeholders
• Executive leaders and board of directors hold the ultimate responsibility or ownership for protecting information

18. Scope
• Define departments, business units, affiliates, and locations
• Included in information security program
• More relevant in larger organizations

19. Information Security Management Frameworks
• Business process models
• Include essential processes and activities
• Needed by most organizations
• Risk-centric

20. Three Most Popular Security Management Frameworks
• ISO/IEC 27001:2013
• COBIT 5
• NIST CSF

21. ISO/IEC 27001:2013
• International standard
• "Information technology - Security techniques - Information security management systems - Requirements"
• Processes used to
• Assess risk
• Develop controls
• Manage typical processes such as vulnerability management and incident management

22. COBIT 5
• From ISACA
• Controls and governance framework
• For managing an IT organization
• COBIT 5 for Information Security
• Additional standard to extend COBIT 5

23. NIST CSF
• US National Institute of Standards and Technology (NIST)
• Cyber Security Framework (CSF)
• Developed in 2014 to address rampant security breaches and identity theft in the US

25. Defining a Road Map
• Required steps to achieve an objective
• In support of the business vision and mission
• Consists of various tasks and projects
• Creating and implementing capabilities
• Reducing information risk

26. Enterprise Architecture
• Both a business function and a technical model
• Business function
• Activities ensuring that important business needs are met by IT systems
• Model
• Mapping business systems into IT environment and systems

27. Information Security Architecture
• A subset within Enterprise Architecture
• Concerned with two things
• Protective characteristics in components in the enterprise architecture
• Specific components in the enterprise architecture that provide preventive or detective security functions
29. Two Layers of Information Security Architecture
• Policy
• Necessary characteristics of overall environment
• Ex: centralized authentication, endpoint-based web filtering
• Standards
• Vendor standards
• Protocol standards
• Configuration or hardening standards

30. Centralized Functions
• Operate more effectively than isolated, local instances
• Amplify workforce
• So a small staff can manage hundreds or thousands of devices

31. Centralized Functions
• Authentication
• Microsoft Active Directory (AD)
• Lightweight Directory Access Protocol (LDAP)
• Monitoring
• SIEMs like Splunk
• Device Management
• Consistency for servers, workstations, mobile devices, and network devices
32. Two Enterprise Architecture Frameworks
• The Open Group Architecture Framework (TOGAF)
• Zachman Framework
• These are Enterprise Architecture models, not Enterprise Security Architecture models

33. The Open Group Architecture Framework (TOGAF)
• Life-cycle enterprise architecture framework
• For designing, planning, implementing, and governing
• An enterprise technology architecture
• A high-level approach

36. Zachman Framework
• Established in the 1980s
• Still dominant today
• Likens IT enterprise architecture to construction and maintenance of an office building

38. Implementing a Security Architecture
• Both a big-picture and a detailed plan
• At enterprise level
• Policy and governance
• Decisions about major aspects
• Such as brands of servers, workstations, and network devices

39. Implementing a Security Architecture
• At detail level
• Configuration and change management on devices or groups of devices
• Ex: Upgrade to DNS infrastructure
• Might increase number of name servers
• Requiring updates to most or all devices
40. Changes to Architecture Models
• Software-Defined Networking (SDN)
• Virtualization
• Microservices
• Small, independent services that communicate over networks
• Often in containers

42. Security Program Management Topics
• Security Governance (in this lecture)
• Activities and Results
• For later lectures:
• Risk Management
• The Risk Management Program
• The Risk Management Process
• Identifying and Grouping Assets
• Risk Analysis
• Risk Treatment

43. Security Program Management Topics (continued)
• For later lectures
• Audits and Reviews
• Control Self-Assessment
• Security Reviews
• Policy Development
• Third-Party Risk Management
• Administrative Activities

44. Security Governance
• Assemblage of management activities that
• Identify, analyze and treat risks to key assets
• Establish key roles and responsibilities
• Measure key security processes

45. Security Governance Personnel
• Board of Directors
• Establishes tone for risk appetite and risk management
• Information Steering Committee
• Chief Information Security Officer (CISO)
• Audit
• Chief Information Officer (CIO)
• Management
• All employees
46. Information Steering Committee
• Establishes operational strategy
• For security and risk management
• Sets strategic and operational roles and responsibilities
• Security strategy should align with strategy for IT and the business overall

47. Chief Information Security Officer (CISO)
• Responsible for
• Developing security policy
• Conducting risk assessments
• Developing processes for
• Vulnerability management
• Incident management
• Identity and access management
• Security awareness and training
• Compliance management

48. Audit
• Responsible for examining selected business processes and information systems
• To verify that they are designed and operating properly

49. Chief Information Officer (CIO)
• Responsible for overall management of the IT organization, including
• IT strategy
• Development
• Operations
• Service desk

50. Management
• Every manager should be at least partially responsible for the conduct of their employees
• This establishes a chain of accountability

51. All Employees
• Required to comply with
• Security policy
• Security requirements and processes
• All other policies
• Compliance with policy is a condition of employment

52. Reasons for Security Governance
• Organizations are completely dependent on their information systems
• Ineffective security governance can lead to negligence and breaches

53. Security Governance Activities and Results
• Risk management
• Process improvement
• Incident response
• Improved compliance
• Business continuity and disaster recovery planning
• Effectiveness measurement
• Resource management
• Improved IT governance

54. Results of Security Governance
• Increased trust
• From customers, suppliers, and partners
• Improved reputation