Module 3 - Information Security Framework
This course looks at where the security function fits within the organizational structure and the role of the Information Security Officer in developing information security policies, standards, and procedures. It then provides an understanding of the principles of information security governance, how to carry out a security audit and the importance of stakeholder engagement in implementing the organization’s information assurance program. Finally, it looks at the incident management process and investigates the role digital forensics play in this, before reviewing the legal framework information security operates within.
The objectives of this course are to provide you with an understanding of:
- Where the security function fits within the organizational structure
- The role of the Information Security Officer
- Developing information security policies, standards, and procedures
- The principles of information security governance
- How to carry out a security audit
- Implementing an information assurance program and the importance of stakeholder engagement
- The incident management process and the role of digital forensics
- The legal information security framework
- Information assurance standards and how they should be applied within an organization
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific prerequisites for studying this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on implementing information security.
Information security implementation is about putting into practice the organization’s information assurance programme.
This video will review the implementation process looking at which stakeholders need to be involved at each stage and defining the main concepts of an implementation programme.
We’ll also look at the documentation required to support this process and the importance of the relationship between the information security team and other business teams to implement the information assurance programme effectively.
Planning should be the focus of the initial stages of an implementation programme. Creating a realistic plan will ensure the management team buys into what the organization’s trying to achieve before it’s implemented.
The project should start with an audit of the existing systems and infrastructure to ensure the baseline is as accurate as possible. This will help identify which aspects of the implementation programme carry the highest risk. The project plan then defines the timeframe for the implementation and enables resources and budget to be identified.
The plan should be structured so the organization gains the most benefit in the shortest timeframe, so tasks should be undertaken in order of importance. This order should be set by the management board and be focused on risk reduction.
The Information Assurance Manager is responsible for the outcomes of the programme and, therefore, should set the tasks and define the controls.
Implementation of the project should be managed by a skilled project manager, either from within or outside the organization.
The goals of the programme will have been set in the analysis phase, based on the governance, compliance and organizational requirements as they relate to information handling and security. The other areas that then need to be established are:
· The baseline, to identify the scale of the task; and
· The individual controls that need to be implemented to enable the planning of, for example, resources, technology, purchasing, integration, testing and installation.
A project workstream needs to be identified for each component of the plan. Each of these workstreams needs to be managed individually, with resources allocated to complete them on time and budget.
A stakeholder map of the people who have an interest in the outcome should be created.
A delegation of authority model – or DOA – should be publicised to ensure people with appropriate authority and responsibility are working in the right roles.
Work packages need to be assigned to each of the workstreams so that the deliverables can be managed. For example, a network security workstream might include delivery of firewalls, routers and switches. This workstream will deliver work packages for each component and will be resourced from technical teams and non-technical personnel like auditors and team leaders.
Finally, a security working group or steering committee should be established to report on progress to senior management. This allows the success of the security programme to be tracked and illustrates the implementation progress being made. The project manager should manage expectations and ensure that there are no surprises for the stakeholders.
The information assurance programme must be seen to be delivering positive benefits at all levels across the organization. The reduction of information risk, especially in terms of accountability, can lead to overall service improvements rather than just information security benefits.
Implementing an auditing solution that captures the event logs from network devices will help to identify bottlenecks in the network, system failures and misconfigurations. These tangible benefits should be expressed to all stakeholders. They are positive outcomes of co-operating with the information assurance implementation programme.
The benefits of the implementation programme should be pitched to management stakeholders in a meaningful way. For example, the Finance Director will be interested in the monetary value of the risk reduction programme, whilst the COO will be interested in improvements in the network.
One way to ensure CEO approval is to provide a clear business case detailing costs, benefits, impact and risks. This should include a return on investment calculation, based on how the security controls will positively affect the business or system they’re integrated in.
In security terms, a strategy refers to high-level plans that illustrate a considerable improvement in security posture over a three to five-year timeframe.
The Information Security Strategy needs to be ambitious enough to influence the organization to invest in short-term actions on the basis that they move them closer to achieving the strategic objectives. For example, an organization might run three iterations of an information assurance implementation programme in a three-year period, successively building on the output of the previous programme.
To gain universal buy-in and acceptance from the organization, the security strategy should:
· State the high-level objectives;
· Explain how the risk profile of the organization will improve;
· State how the organization will benefit from implementing the strategy;
· Discuss trends in relation to threats and vulnerabilities;
· Support the organization strategy;
· Support the technical strategy; and
· Focus on cost savings.
The Information Security Strategy is a visionary document that shows the organization’s maturity and its depth of understanding of information assurance requirements. It should be written using non-technical language and state the goals of the business simply. This document can also form part of the organization’s marketing collateral to outline their goals and objectives.
The term architecture is defined as:
‘The complex or carefully designed structure of something.’
Like technical architecture, security architecture sets out a framework that allows controls and objectives to be delivered to the organization in a clear and consistent way. The security architect’s role is to ensure there’s an enterprise approach to mitigating risk and enforcing security controls.
An information security architecture defines a set of security principles to communicate the controls that need to be implemented. These should reflect the objectives of the Information Security Policy.
Think of the role of the security architect as the conductor, while the subject matter experts – for example, in firewalls, network devices and application security – are the groups of musicians in the orchestra.
A typical approach to security architecture is to define the security domains so that common controls can be developed to protect each domain. An example of this may be that all network devices use a common approach to securing services, with a common set of requirements placed on the network teams by the security architect – like a set of permitted protocols, or the requirement to separate traffic.
Finally, the security architecture must be fully supportive of the security strategy. The roles of security strategist and security architect often sit within the same team or can even be the same person.
As we’ve seen, the aim of the information security implementation programme is to deliver improvements in the organization’s security posture that provide value for money.
However, this can’t be achieved solely from a security approach. The Information Security Manager needs to work closely with other business teams who provide services to the organization, including:
· Business planning;
· Risk management; and
· Audit.
The business planning group will help align the security implementation programme with the strategic business objectives. For example, a potential acquisition of overseas offices introduces a variety of new security threats, new user integration issues and infrastructure loading that wouldn’t previously have been considered. These risks and impacts will need to be scheduled into the security implementation programme.
The audit teams can highlight where they’re finding significant non-compliances or failures in the current systems to illustrate where ‘best value’ can be gained from changes in processes or technology.
Each of these interactions with the business functions will ensure the best value service is being provided to the organization and it will help gain the right level of support and funding for the information security implementation programme.
There should already be a variety of risk management teams in the organization with a good idea of the financial, technical and operational risks to the business from their own perspectives.
This can also include the health and safety risks which can be mitigated through training and insurance.
The CEO and Chief Finance Officer (CFO) will be interested in the monetary aspects of risk. Working with these areas of the organization will help the Information Security Manager determine whether the Annualized Loss Expectancy of specified risks or vulnerabilities, attributed to information security, warrants the expense of the security controls being proposed. For example, a managed firewall solution that costs $50,000 a year to mitigate a threat that’s valued at $5,000 per year wouldn’t provide value for money.
Solutions should cost less than the Annualized Loss Expectancy of the asset being analysed.
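The comparison described above can be carried out with the standard quantitative risk formulas: SLE = AV × EF, ALE = SLE × ARO, and the net value of a control = ALE before the control minus ALE after it minus the control's annual cost. The following Python is an added worked example, not part of the course material; the asset values, exposure factors and occurrence rates are constructed figures, and the firewall case simply reproduces the $5,000-per-year threat against a $50,000-per-year control quoted above.

```python
"""Annualized Loss Expectancy (ALE) cost-benefit check.

Formulas used (standard quantitative risk analysis):
    SLE = AV * EF            single loss expectancy
    ALE = SLE * ARO          annualized loss expectancy
    value = ALE_before - ALE_after - annual control cost
A control is justified only when its value is positive, i.e. it removes more
expected annual loss than it costs to run.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float       # AV: value of the asset at risk, in currency units
    exposure_factor: float   # EF: fraction of the asset lost per incident (0.0 - 1.0)
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float                    # annualized cost of buying and running the control
    residual_ef: Optional[float] = None   # EF after the control is in place (None = unchanged)
    residual_aro: Optional[float] = None  # ARO after the control is in place (None = unchanged)

    def residual_ale(self, risk: Risk) -> float:
        """ALE that remains once this control is applied to the given risk."""
        ef = risk.exposure_factor if self.residual_ef is None else self.residual_ef
        aro = risk.aro if self.residual_aro is None else self.residual_aro
        return risk.asset_value * ef * aro


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit of the control; positive means it pays for itself."""
    return risk.ale() - control.residual_ale(risk) - control.annual_cost


def is_justified(risk: Risk, control: Control) -> bool:
    """The course's rule: the solution must cost less than the loss it prevents."""
    return control_value(risk, control) > 0


# Constructed sample figures (hypothetical, not from the course).
# 1. The course's firewall example: a threat worth $5,000/yr versus a $50,000/yr
#    managed firewall, modelled as a $50,000 asset losing 10% of its value once a year.
FIREWALL_RISK = Risk("Perimeter intrusion", asset_value=50_000, exposure_factor=0.1, aro=1.0)
MANAGED_FIREWALL = Control("Managed firewall", annual_cost=50_000, residual_aro=0.0)

# 2. A constructed ransomware scenario where a cheaper control is worthwhile:
#    offline backups cut the loss per incident from 50% to 10% of the asset value.
RANSOMWARE_RISK = Risk("Ransomware on file server", asset_value=200_000,
                       exposure_factor=0.5, aro=0.2)
BACKUP_AND_EDR = Control("Offline backups + EDR", annual_cost=8_000, residual_ef=0.1)


def summarise(risk: Risk, control: Control) -> str:
    """One-line business-case summary of the kind a CFO would expect."""
    verdict = "justified" if is_justified(risk, control) else "NOT justified"
    return (f"{risk.name}: ALE ${risk.ale():,.0f}/yr; {control.name} costs "
            f"${control.annual_cost:,.0f}/yr and leaves ALE ${control.residual_ale(risk):,.0f}/yr; "
            f"net value ${control_value(risk, control):,.0f}/yr -> {verdict}")


if __name__ == "__main__":
    for risk, control in ((FIREWALL_RISK, MANAGED_FIREWALL), (RANSOMWARE_RISK, BACKUP_AND_EDR)):
        print(summarise(risk, control))
```

The residual EF and ARO fields let the same check express both kinds of control: a preventive control mostly lowers ARO (fewer incidents), while a recovery control such as backups mostly lowers EF (less lost per incident).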
That’s the end of this video on implementing information security.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.