Lecture 3.1
TEL2813/IS2820 Security Management: Developing the Security Program (Jan 24, 2006)
Introduction
- Some organizations use the term "security program" to describe the entire set of personnel, plans, policies, and initiatives related to information security
- The information security program describes the structure and organization of the effort that contains risks to the organization's information assets
Organizing for Security
Some variables that determine how to structure an information security program are:
- Organizational culture
- Size
- Security personnel budget
- Security capital budget
Security in Large Organizations
- Information security departments in large organizations tend to form and re-form internal groups to meet long-term challenges even as they handle day-to-day security operations
- Functions are likely to be split into groups
- In contrast, smaller organizations typically create fewer groups, perhaps only a single general group of specialists
Very Large Organizations (more than 10,000 computers)
- Security budgets often grow faster than IT budgets
- Even with large budgets, the average amount spent on security per user is still smaller than in any other type of organization
- Where small organizations spend more than $5,000 per user on security, very large organizations spend about 1/18th of that, roughly $300 per user
- Very large organizations do a better job in the policy and resource management areas, although only about 1/3 of them handled incidents according to an incident response plan
Large Organizations (1,000 to 10,000 computers)
- At this size, the approach to security has often matured, integrating planning and policy into the organization's culture
- Unfortunately, a large organization does not always put large amounts of resources into security, considering the vast numbers of computers and users often involved
- Large organizations tend to spend proportionally less on security
Security in Large Organizations
One approach: separate functions into four areas:
- Functions performed by non-technology business units outside of IT: legal; training
- Functions performed by IT groups outside of the information security area: network/systems security administration
- Functions performed within the information security department as customer service: risk assessment; systems testing; incident response
- Functions performed within the information security department as compliance: policy; compliance
Responsibilities in Large Organizations
- It remains the CISO's responsibility to see that information security functions are adequately performed somewhere within the organization
- Deployment of full-time security personnel depends on a number of factors, including the sensitivity of the information to be protected, industry regulations, and general profitability
- The more money a company can dedicate to its personnel budget, the more likely it is to maintain a large information security staff
Typical Information Security Staffing in a Large Organization (figure)
Typical InfoSec Staffing in a Very Large Organization (figure)