Register now to access 7 million high quality study materials (What's Course Hero?) Course Hero is the premier provider of high quality online educational resources. With millions of study documents, online tutors, digital flashcards and free courseware, Course Hero is helping students learn more efficiently and effectively. Whether you're interested in exploring new subjects or mastering key topics for your next exam, Course Hero has the tools you need to achieve your goals.
13 Pages
chapter01
Course: IS 2820, Spring 2010School: Webber
Rating:
Word Count: 2731
Document Preview
of Management Information Security 1-1 Chapter 1 Introduction to the Management of Information Security Chapter Overview The opening chapter establishes the foundation for understanding the field of Information Security. This is accomplished by explaining the importance of information technology and defining who is responsible for protecting an organizations information assets. In this chapter the student will...
Unformatted Document Excerpt
Coursehero >> Florida >> Webber >> IS 2820Course Hero has millions of student submitted documents similar to the one
below including study guides, practice problems, reference materials, practice exams, textbook help and tutor support.
Course Hero has millions of student submitted documents similar to the one
below including study guides, practice problems, reference materials, practice exams, textbook help and tutor support.
of Management Information Security
1-1
Chapter 1 Introduction to the Management of Information Security
Chapter Overview
The opening chapter establishes the foundation for understanding the field of Information Security. This is accomplished by explaining the importance of information technology and defining who is responsible for protecting an organizations information assets. In this chapter the student will come to know and understand the definition and key characteristics of information security as well as the come to recognize the characteristics that differentiate information security management from general management.
Chapter Objectives
When you complete this chapter, you will be able to: Recognize the importance of information technology and understand who is responsible for protecting an organizations information assets Know and understand the definition and key characteristics of information security Know and understand the definition and key characteristics of leadership and management Recognize the characteristics that differentiate information security management from general management
INTRODUCTION
Information technology is the vehicle that stores and transports informationa companys most valuable resourcefrom one business unit to another. But what happens if the vehicle breaks down, even for a little while? As businesses have become more fluid, the concept of computer security has been replaced by the concept of information security. Because this new concept covers a broader range of issues, from the protection of data to the protection of human resources, information security is no longer the sole responsibility of a discrete group of people in the company; rather, it is the responsibility of every employee, and especially managers. Organizations must realize that information security funding and planning decisions involve more than just technical managers: Rather, the process should involve three distinct groups of decision makers, or communities of interest: Information security managers and professionals Information technology managers and professionals Nontechnical business managers and professionals
Management of Information Security
1-2
These communities of interest fulfill the following roles: The information security community protects the organizations information assets from the many threats they face. The information technology community supports the business objectives of the organization by supplying and supporting information technology appropriate to the business needs. The nontechnical general business community articulates and communicates organizational policy and objectives and allocates resources to the other groups.
WHAT IS SECURITY?
Understanding the technical aspects of information security requires that you know the definitions of certain information technology terms and concepts. In general, security is defined as the quality or state of being secureto be free from danger. Security is often achieved by means of several strategies usually undertaken simultaneously or used in combination with one another. Specialized areas of security Physical security, which encompasses strategies to protect people, physical assets, and the workplace from various threats including fire, unauthorized access, or natural disasters Personal security, which overlaps with physical security in the protection of the people within the organization Operations security, which focuses on securing the organizations ability to carry out its operational activities without interruption or compromise Communications security, which encompasses the protection of an organizations communications media, technology, and content, and its ability to use these tools to achieve the organizations objectives Network security, which addresses the protection of an organizations data networking devices, connections, and contents, and the ability to use that network to accomplish the organizations data communication functions
Management of Information Security Information security includes the broad areas of information security management, computer and data security, and network security. At the heart of the study of information security is the concept of policy. Policy, awareness, training, education, and technology are vital concepts for the protection of information and for keeping information systems from danger.
1-3
CIA Triangle The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a more comprehensive list of critical characteristics of information. NSTISSC Security Model The NSTISSC Security Model provides a more detailed perspective on security. While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls. Another weakness of using this model with too limited an approach is to view it from a single perspective. NSTISSC Security Model
Key Concepts of Information Security
Management of Information Security
1-4
Confidentiality Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used: Information classification Secure document storage Application of general security policies Education of information custodians and end users Integrity Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted. Availability Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users. Privacy The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. This definition of privacy does focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it. Identification An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Authentication Authentication occurs when a control provides proof that a user possesses the identity that he or she claims. Authorization After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. Accountability
Management of Information Security
1-5
The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability.
WHAT IS MANAGEMENT?
Management is the process of achieving objectives using a given set of resources. To make the information security process more effective, it is important to understand certain core principles of management. A manager is someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals. A manager has many roles to play within organizations, including the following: Informational role: Collecting, processing, and using information that can affect the completion of the objective Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task Decisional role: Selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges. The Difference between Leadership and Management The distinction between a leader and a manager arises in the execution of organizational tasks. The leader influences employees so that they are willing to accomplish objectives. He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow. In other words, leadership provides purpose, direction, and motivation to those that follow. By comparison, a manager administers the resources of the organization. Characteristics of a Leader What makes a good leader? Bearing appearance and how one carries oneself Courage proceeding in the face of adversity Decisiveness making and expressing decisions in a clear and authoritative manner Dependability performing and completing tasks in a reliable and predictable manner Endurance withstanding mental, physical, and emotional hardship Enthusiasm displaying sincere interest in and exuberance for the accomplishment of tasks Initiative and identifying accomplishing tasks in the absence of specific guidance Integrity being of sound moral fiber and good ethical worth Judgment using sound personal decision making to determine effective and appropriate solutions
Management of Information Security Justice being impartial and fair in exercising authority Knowledge possessing a base of information gained through experience or education Loyalty expressing open support and faithfulness to ones organization and fellow employees Tact dealing with a situation without undue personal bias or creating offense Unselfishness performing duties by placing the welfare of others and the accomplishment of the mission first Action plan for improvement of leadership abilities: Know yourself and seek self-improvement. Be technically and tactically proficient. Seek responsibility and take responsibility for your actions. Make sound and timely decisions. Set the example. Know your [subordinates] and look out for their well-being. Keep your subordinates informed. Develop a sense of responsibility in your subordinates. Ensure the task is understood, supervised, and accomplished. Build the team. Employ your [team] in accordance with its capabilities.
1-6
BeKnowDo As a leader you must BE a person of strong and honorable character; committed to professional ethics; an example of individual values; and able to resolve complex ethical dilemmas. You must KNOW the details of your situation, the standards to which you work, yourself, human nature, and your team. You must DO by providing purpose, direction, and motivation to your teams. Behavioral Types of Leaders There are three basic behavioral types of leaders: the autocratic, the democratic, and the laissez-faire. Autocratic leaders reserve all decision-making responsibility for themselves, and are more do as I say types of managers. The democratic leader works in the opposite way, typically seeking input from all interested parties, requesting ideas and suggestions, and then formulating a position for which they seek the support of a majority opinion. While both autocratic and democratic leaders tend to be action-oriented, the laissez-faire leader tends to sit back and allow the process to develop as it goes, only making minimal decisions to avoid bringing the process to a complete halt. Characteristics of Management Two basic approaches to management exist:
Management of Information Security
1-7
Traditional management theory uses the core principles of planning, organizing, staffing, directing, and controlling (POSDC). Popular management theory categorizes the principles of management into planning, organizing, leading, and controlling (POLC).
Planning The process that develops, creates, and implements strategies for the accomplishment of objectives is called planning. There are three levels of planning: Strategic planning occurs at the highest levels of the organization and for a longer period of time, usually five or more years. Tactical planning focuses on production planning and integrates organizational resources at a level below the entire enterprise and for an intermediate duration (such as one to five years). Operational planning focuses on the day-to-day operation of local resources, and occurs in the short or immediate term.
Management of Information Security
1-8
Planning The general approach to planning begins with the creation of strategic plans for the entire organization. To better understand the planning process, an organization must thoroughly define its goals and objectives. Project management is the management of all aspects of a project from inception, through organization and start-up, task completion, and eventual wrap-up. Organization The principle of management dedicated to the structuring of resources to support the accomplishment of objectives. Organizing tasks requires determining what is to be done, in what order, by whom, by which methods, and according to what timeline. Leadership As noted earlier, leadership encourages the implementation of the planning and organizing functions. It includes supervising employee behavior, performance, attendance, and attitude. Leadership generally addresses the direction and motivation of the human resource. Control Monitoring progress toward completion, and making necessary adjustments to achieve the desired objectives, requires the exercise of control. In general, the control function serves to assure the organization of the validity of the plan. The controlling function also determines what must be monitored as well as applies specific control tools to gather and evaluate information. Control Tools There are four categories of control tools: Information control tools. Financial control tools. Operational control tools. Behavioral control tools
Management of Information Security
1-9
Solving Problems Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare the Possible Solutions Step 5: Select, Implement, and Evaluate a Solution
Management of Information Security
1-10
Feasibility Analyses: To review economic feasibility, you compare the costs and benefits of possible solutions. To review technological feasibility, you address the organizations ability to acquire the technology needed to implement a candidate solution. To review behavioral feasibility, you assess a candidate solution according to the likelihood that subordinates will adopt and support a solution, rather than resisting it. To review operational feasibility, you assess the organizations ability to integrate a candidate solution into its current business processes.
Principles of Information Security Management
Because information security management is charged with taking responsibility for a specialized program, certain characteristics of its management are unique to this community of interest. The extended characteristics of information security are known as the six Ps. Planning Policy Programs Protection People Project Management InfoSec Planning Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter. Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies, as they exist within the IT planning environment Several types of InfoSec plans exist: incident response planning, business continuity planning, disaster recovery planning, policy planning, personnel planning, technology rollout planning, risk management planning, and security program planning including education, training and awareness. Policy
Management of Information Security
1-11
The set of organizational guidelines that dictates certain behavior within the organization is called policy. In InfoSec, there are three general categories of policy: General program policy (Enterprise Security Policy) An issue-specific security policy (ISSP) System-specific policies (SSSPs) Programs Specific entities managed in the information security domain. A security education training and awareness (SETA) program is one such entity. Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on. Protection The protection function is executed via a set of risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools. Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan. People People are the most critical link in the information security program. As discussed in the Viewpoint section, it is imperative that managers continuously recognize the crucial role that people play in the information security program. This aspect of InfoSec includes security personnel and the security of personnel, as well as aspects of the SETA program mentioned earlier. Project Management The final component is the application of thorough project management discipline to all elements of the information security program. This effort involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.
Discussion Topics
1. What is the defining difference between computer security and information security? ANSWER: The focus on all levels of management, not only the technical professionals. 2. Why can we argue that information security is really an application of social science? ANSWER: It relies on altering human behavior and making members of the organization aware of the new expected behaviors.
Management of Information Security
1-12
Key Terms
Accountability Authentication Authorization Availability C.I.A. triangle Communications security Confidentiality Control Control tools Decisional role File hashing General business community Goal Hash value Identification Information security community Information security or InfoSec Information technology community Informational role Integrity Interpersonal role Leadership Management Manager Network security Objective Operations security Organization Personal security Physical security Planning Policy Privac
Principles of Information Security
1-13
Textbooks related to the document above:
Find millions of documents on Course Hero - Study Guides, Lecture Notes, Reference Materials, Practice Exams and more.
Course Hero has millions of course specific materials providing students with the best way to expand
their education.
Below is a small sample set of documents:
Below is a small sample set of documents:
Webber - IS - 2820
Management of Information Security1-1Chapter 1 Key TermsAccountability Authentication Authorization Availability C.I.A. triangle Communications security Confidentiality Control Control tools Decisional role File hashing General business community Goal
Webber - IS - 2813
TEL2813/IS2820 Security ManagementLecture 1 Jan 6, 2005 Contact James Joshi 721, IS Building Phone: 4126249982 Email: jjoshi@mail.sis.pitt.edu Web: /~jjoshi/TELCOM2813/Spring2005/ Office Hours: Wednesdays: 1.00 3.00 p.m. or By appointments GSA: w
Webber - IS - 2813
TEL2813/IS2820 Security ManagementSecurity PlanningLecture 2 Jan 13, 2005 Security PlanningYou got to be careful if you don't know where you're going, because you might not get there. Yogi Berra Introduction Successful organizations utilize
Webber - IS - 2813
TEL2813/IS2820 Security ManagementDeveloping the Security Program Jan 27, 2005 IntroductionSome organizations use security programsInformation security program to describe the entire set of personnel, plans, policies, and initiatives related to info
Webber - IS - 2813
TEL2813/IS2820 Security ManagementRisk Management: Identifying and Assessing Risk Lecture 7 Feb 17, 2005 Introduction Information security departments are created primarily to manage IT risk Managing risk is one of the key responsibilities of every m
Webber - IS - 2813
TEL2813/IS2820 Security ManagementProtection Mechanisms Lecture 9 Feb 24, 2005 Introduction (Continued)Some of the most powerful and widely used technical security mechanisms include: Access controls Firewalls Dialup protection Intrusion detect
Webber - IS - 2813
TEL2813/IS2820 Security ManagementSystems/Evaluations Lecture 11 April 7, 2005 Access control matrixObjects File 1 User 1 User 2 User 3 Subjects File 2 write write writeFile 3 write write read . read write writeFile n read readread write .
Ashford University - ACC - 306
Chapter 20 Earnings Per ShareQuestions for Review of Key TopicsQuestion 20-1A firm has a simple capital structure if it has no potentially dilutive securities outstanding. These are securities that are not yet common stock, but might become common stoc
American Academy of Art - PHYS - 133
Pre-lab Exercises Directions: For each lab, write a brief summary and include the following: 1. Title of lab 2. Objective(s) 3. Methods, including the organisms with which we will be working (two or three sentences should be sufficient) 4. Safety Concerns
NED Univ. of Engineering & Tech. - MECH - ME101
Extrusion: The Definitive Processing Guide and HandbookbyHarold F. Giles, Jr. John R. Wagner, Jr. Crescent Associates, Inc. Rochester, New York Eldridge M. Mount, III EMMOUNT Technologies Fairport, New YorkCopyright 2005 by William Andrew, Inc. No part
UCF - ZOO - 3733
Week 1 anatomy lab assignment1- Introduction to the lab (by GTAs/ TAs) 2- Review the lab syllabus quickly 3- Review the week 1 lab learning material from the lab syllabus 4- Find the structures on pictures, posters, and anatomical models using your lab A
Polytechnic - ME - ME4906
Lecture NotesME4906, Mechanical Engineering, PolyU2008/2009Chapter 5 Partial Differential Equations and Finite Difference Methods5.1 Finite DifferenceTaylors Expansion (Revisit)f ( x i + 1 ) = f ( x i ) + f ( x i )( x i + 1 x i ) + df dx f ( x i ) (
Polytechnic - ME - ME4906
SUBJECT DESCRIPTION_ Subject Title :Numerical Methods for Product AnalysisInstructor: Dr. G. P. Zheng, Department of Mechanical Engineering, Hong Kong PolyU. (E-mail): mmzheng@polyu.edu.hk, (Tel): 27666660 Objectives (Part II of the course): At the end
Polytechnic - ME - ME4906
Assignment #1 ME4906 Numerical Methods for Product Analysis (Deadline for submission: 01 April 2009, 10:00pm)(Mar 18, 2009)1. The temperature T of a rod depends on time (t) and position (x) and can be described as a function of t and x:T ( x, t ) = sin
Polytechnic - ME - ME4906
Lecture NotesME4906, Mechanical Engineering, PolyU2008/2009Chapter 5 Partial Differential Equations and Finite Difference Methods5.2 PDE of 1D Heat Transfer Problem5.2.1 Governing Equation and Analytical SolutionConsider an element (materials) of wi
Polytechnic - ME - ME4906
Lab Report (ME4906)Student Name_Student ID _1. Calculate the first derivative and its absolute error off ( x) = sin x x3at x=4 using the forward 2nd-order finite difference scheme with intervals h=0.1, 0.01, 0.001, and 0.0001.h f Error 0.1 0.01 0.00
Polytechnic - ME - ME4906
Tutorial questions: Chapter 5 EX1. Determine the types of the following PDEs(a) (b) Ans.T 2T =k 2 t x 2T 2T + =0 2x 2 y(a) Parabolic PDE.(b) Elliptic PDE 2u = 2 u 2u 2u + + 2 x 2 y 2zEX2. Calculate the partial differentiationof the following funct
Polytechnic - ME - ME4906
Solution to Class Test held on 4 March 20091. (a) B1= max(17, 21, 15) = 21,B= max(10, 6, 37) = 37.(b) Using the given value B 1= 2/7, we havecond (B, ) = BB 1= 37 (2/7) = 74/7.The system is therefore not ill-conditioned.2.Let Fk = f (k) (a)hk
Polytechnic - ME - ME4906
Chapter 5.3Finite Difference for PDE of 1D in Space Parabolic equations are employed to characterize time-variable (unsteady-state) problems. Conservation of energy can be used to develop an unsteady-state energy balance for the differential element in
Polytechnic - ME - ME4906
Lecture NotesME4906, Mechanical Engineering, PolyU2008/20095.3 Finite Difference for PDE of 1D in Space5.3.1 Explicit SchemeConsider the problem of 1D unsteady heat transfer defined below,T 2T = 2 t xThe solution domain is two-dimensional, space x
Polytechnic - ME - ME4906
Solution: 1. (a)22 22 T = sin(nx ) e 4 n t [4n 2 2 ] = 4n 2 2 sin(nx ) e 4n t t(b)22 22 T = cos(nx ) [n ] e 4 n t = n cos(nx ) e 4 n t x 22 2T T = ( ) = [n cos(nx ) e 4 n t ] x x 2 x x= n 2 2 sin(nx ) e 4 n (c) T 2T 4 2 t x22t= 4n 2 2 sin(nx ) e
Polytechnic - ME - ME4906
Lecture NotesME4906, Mechanical Engineering, PolyU2008/20095.3.2 Implicit SchemeIt has been shown that numerical instability occurs due to the explicit scheme. An implicit scheme is constructed as follows to avoid such instability of finite difference
Polytechnic - ME - ME4906
Chapter 6 Finite-Element Method Finite element method (FEM) provides an alternative to finite-difference (FD) methods, especially for systems with irregular geometry, unusual boundary conditions, or heterogeneous composition. This method divides the solu
Polytechnic - ME - ME4906
ME4906 Revision Questions (Part II)Chapter 5 1. 2. 3. 4. 5. 6. How is partial differentiation defined? EX2 of tutorial questions Give an example for parabolic and elliptic PDEs respectively. EX1 of tutorial questions EX2 of tutorial questions Give an exa
Polytechnic - ME - ME4906
Tutorial questions: Chapter 5 EX1. Determine the types of the following PDEs(a) (b) Ans.T 2T =k 2 t x 2T 2T + =0 2x 2 y(a) Parabolic PDE.(b) Elliptic PDE 2u = 2u 2u 2u + + 2x 2 y 2zEX2. Calculate the partial differentiationof the following functio
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410
Polytechnic - ME - ISE410