The Structure of Information Security
Thursday, March 15, 12
Program Goal
To achieve the same level of security performance at every level of the organization.
Security Program
Uniform across the whole enterprise: everyone knows the program and abides by it.
An organization structure must be set up to support it.
Organization Structure should involve:
Information Security Management, who provide direction, advice, and a focal point.
Internal Audit, who report to the Audit Committee, directors, and other senior managers.
Steering Committee, composed of all heads of business units.
Security Coordinator in each business unit.
Security Administration in each business unit.
Security Working Team for implementing security programs.
Business Unit Responsibility
Creation and implementation of policies and standards.
Each business unit must have the opportunity to review and comment on the policies.
Each business unit must have the opportunity to approve the policies.
Business Unit Responsibilities (policy review matrix)
Policy (rows): System Access; System Development; Asset Classification; Network Management; Security Organization; Compliance; Personnel; Information Security; Physical; BCP
Reviewer (columns): CEO; SVP, Marketing; SVP, Development & Technology; VP, Finance; General Auditor; GM, HR; GM, Risk Management; Senior Consultant
Business units have the responsibility for writing information security standards for their area of responsibility.
Business units must provide someone who can review information security standards for their impact on the business unit.
Business units have the responsibility to assist in the implementation of approved policies and standards.
Business Unit Responsibility
Creation and implementation of policies and standards.
Standards and compliance with policies and standards.
Enforcement of Compliance
Responsibility to ensure constant compliance with policies and standards.
Information Security Awareness Program
Purpose: demonstrating the Who, What, and Why of the policies and standards.
A perpetual program of reinforcement and information.
Obstacle to the Program
Budget. Solution: demonstrate the financial effect (ROI, contribution to profit, etc.).
Subjects: access control, e-mail practice, virus management.
Success Factors
Frequency
Media
Frequency
Frequency of the message delivered to staff: comparable to advertising, but with an educational message.
Message focus on:
Information security policies
Information ownership
Information classification
Good information security practices
Additional Messages:
Information security standards
Information security monitoring
Information security performance measurement
More information security good practices
Media
Composition of the media used: a mix of media (video, posters, presentations, booklets, brochures, newsletters, and giveaway items).
Information Security Program Infrastructure
The mechanisms within the organization that support good information security practices.
Information Security Steering Committee
Comprised of senior managers (VP/Director level), plus Internal Audit, Legal, Human Resources, and Organized Labor.
Meets frequently.
Assignment of Information Security Responsibilities
Senior Management
Information Security Management
Business Unit Managers
First Line Supervisors
Employees
Third Parties
Info. Security Program Infrastructure
Senior Management
Have the ultimate responsibility for deciding how the organization will handle risk. Responsible for:
Making sure that audit recommendations are addressed in a timely and adequate manner
Participating in the activities of the ISSC
Providing adequate resources
Educating the organization's staff
Reviewing and approving policies and strategies
Providing resolution for information security issues
Info. Security Program Infrastructure
Information Security Management
Responsible for the information security practices of the information security unit; for other units, provides services and advice. Must be able to:
Drive the effort to create, publish, and implement information security policies and standards
Coordinate the creation and testing of business continuity plans
Manage the information security effort within the information security unit
Administer information security software tools on behalf of the organization
Provide sufficient education and awareness programs to the organization
Info. Security Program Infrastructure
Business Unit Managers
Support the information security program by:
Participating in the process of reviewing policies
Creating input for information security standards
Measuring information security within the unit
Enforcing compliance with policies and standards
Supporting information security education and awareness
Making sure resources are available to draft, test, and maintain the BCP
Info. Security Program Infrastructure
First Line Supervisors
Carry out duties delegated by the business unit managers, and are a key piece of the communication chain that allows an organization to monitor its information security program. They:
Monitor employees' activities in light of the organization's information security policies and standards
Communicate security issues to Information Security, senior management, and the ISSC
Comment on individual employees' performance with respect to information security
Reinforce the messages contained in the education and awareness elements of the program
Info. Security Program Infrastructure
Employees
Information security programs only work well when all employees participate, and employees participate most willingly when they feel they have a real role to play. Employee participation includes:
Complying with information security policies and standards
Reporting security breaches
Info. Security Program Infrastructure
Third Parties
Such as contractors, vendors, etc.
Responsible for complying with the information security policies and standards of the organization with which they are contracted or to which they provide goods or services.
Where contractors operate on the organization's site, they are subject to the same rules and methods of enforcement as full-time employees.
Where contractors operate on their own site, the organization has the right to audit the contractor's information security program.