Lecture5

TEL2813/IS2820 Security Management
Developing the Security Program
Jan 27, 2005
Introduction
Some organizations use the term "security program" to describe the entire set of personnel, plans, policies, and initiatives related to information security.
The term "information security program" is used here to describe the structure and organization of the effort that contains risks to the organization's information assets.

Organizing for Security
Some variables that determine how to structure an information security program are:
  Organizational culture
  Size
  Security personnel budget
  Security capital budget

Security in Large Organizations
Information security departments in large organizations tend to form and re-form internal groups to meet long-term challenges even as they handle day-to-day security operations. Functions are likely to be split into groups.
In contrast, smaller organizations typically create fewer groups, perhaps only one general group of specialists.

Very Large Organizations
More than 10,000 computers
Security budgets often grow faster than IT budgets.
Even with large budgets, the average amount spent on security per user is still smaller than in any other size of organization: where small organizations spend more than $5,000 per user on security, very large organizations spend about 1/18th of that, roughly $300 per user.
These organizations do a better job in the policy and resource management areas, although only 1/3 of them handled incidents according to an incident response (IR) plan.

Large Organizations
1,000 to 10,000 computers
At this size, the approach to security has often matured, integrating planning and policy into the organization's culture.
Unfortunately, a large organization does not always put large amounts of resources into security, considering the vast numbers of computers and users often involved; such organizations tend to spend proportionally less on security.

Security in Large Organizations
One approach is to separate functions into four areas:
  Functions performed by non-technology business units outside of IT
    Legal; training
  Functions performed by IT groups outside of the information security area
    Network/systems security administrator
  Functions performed within the information security department as customer service
    Risk assessment; systems testing; incident response
  Functions performed within the information security department as compliance
    Policy; compliance

Responsibilities in Large Organizations
It remains the CISO's responsibility to see that information security functions are adequately performed somewhere within the organization.