Implementing Security-Computer And System Security-Lecture Slides, Slides of Cryptography and System Security

This lecture was delivered by Dr. Samarendra Jeethesh at Ankit Institute of Technology and Science for System Security and Cryptography course. It includes: Implementing, Security, Organization, Security, Blueprint, Project, Plan, Technical, Strategies, Principles

Typology: Slides

2011/2012

Uploaded on 07/17/2012


Implementing Security

Chapter 10

Change is good. You go first!

-- Dilbert

Principles of Information Security - Chapter 10 Slide 2

Learning Objectives:

Upon completion of this chapter you should be able to:

  • Understand how the organization’s security blueprint becomes a project plan.
  • Understand the numerous organizational considerations that must be addressed by the project plan.
  • Grasp the significant role and importance of the project manager in the success of an information security project.
  • Understand the need for professional project management for complex projects.
  • Take in the technical strategies and models for implementing the project plan.
  • Grasp the nontechnical problems that organizations face in times of rapid change.

Principles of Information Security - Chapter 10 Slide 4

Project Management 

Once the organization’s vision and objectives are documented and understood, the blueprint can be turned into a project plan. The major steps in executing the project plan are:

  • Planning the project
  • Supervising tasks and maintaining control
  • Wrapping up the project plan

Each organization has its own project management methodology for IT and information security projects, and information security projects should follow the organizational practices.

Principles of Information Security - Chapter 10 Slide 5

Developing the Project Plan 

Creation of a detailed project plan using a simple planning tool, such as the work breakdown structure (WBS)

  • Common task attributes are:
    • Work to be accomplished (activities and deliverables)
    • Individuals (or skill set) assigned to perform the task
    • Start and end dates for the task (when known)
    • Amount of effort required for completion in hours or work days
    • Estimated capital expenses for the task
    • Estimated non-capital expenses for the task
    • Other tasks on which the task depends
  • Each major task is then further divided into either smaller tasks or specific action steps

Principles of Information Security - Chapter 10 Slide 7

Financial 

  • No matter what information security needs exist in the organization, the amount of effort that can be expended depends on the funds available
  • Cost-benefit analysis must be verified prior to development of the project plan
  • Both public and private organizations have budgetary constraints, albeit of a different nature
  • To justify an amount budgeted for a security project at either public or for-profit organizations, it may be useful to benchmark expenses of similar organizations

Principles of Information Security - Chapter 10 Slide 8

Priority 

  • In general, the most important information security controls should be scheduled first
  • The implementation of controls is guided by the prioritization of threats and the value of the information assets threatened
  • A control that costs a little more and is a little lower on the prioritization list, but addresses many more specific vulnerabilities and threats, has higher priority than a less expensive, higher-priority component that only addresses one particular vulnerability

Principles of Information Security - Chapter 10 Slide 10

Staffing 

  • The lack of enough qualified, trained, and available personnel also constrains the project plan
  • Experienced staff is often needed to implement available technologies and to develop and implement policies and training programs
  • If no staff members are trained to configure a firewall that is being purchased, someone must be trained, or someone must be hired who is experienced with that particular technology

Principles of Information Security - Chapter 10 Slide 11

Scope 

  • It is unrealistic for an organization to install all information security components at once
  • In addition to the constraints of handling so many complex tasks at one time, there are the problems of interrelated conflicts between the installation of information security controls and the daily operations of the organization
  • The installation of new information security controls may also conflict with existing controls

Principles of Information Security - Chapter 10 Slide 13

Organizational Feasibility 

  • Policies require time to develop, and new technologies require time to be installed, configured, and tested
  • Employees need to understand how a new program impacts their working lives
  • The goal of the project plan is to prevent new security components from directly impacting the day-to-day operations of the individual employees
  • Changes should be transparent to users, unless the new technology causes changes to procedures, such as requiring additional authentication or verification

Principles of Information Security - Chapter 10 Slide 14

Training and Indoctrination 

  • The size of the organization and the normal conduct of business may preclude a single large training program
  • As a result, the organization should conduct a phased-in or pilot approach to implementation
  • In the case of policies, it may be sufficient to brief all supervisors on the new policy and then have the supervisors update end users in normal meetings
  • Ensure that compliance documents are also distributed, requiring all employees to read, understand, and agree to the new policies

Principles of Information Security - Chapter 10 Slide 16

Project Management 

  • Project management requires a unique set of skills and a thorough understanding of a broad body of specialized knowledge
  • It is a realistic assumption that most information security projects require a trained project manager, CISO, or skilled IT manager versed in project management techniques to oversee the project
  • In addition, when selecting advanced or integrated technologies or outsourced services, even experienced project managers are advised to seek expert assistance when engaging in a formal bidding process

Principles of Information Security - Chapter 10 Slide 17

Supervising Implementation 

  • Some organizations may designate a champion from general management to supervise the implementation of the project plan
  • An alternative is to designate a senior IT manager or the CIO of the organization to lead the implementation
  • The optimal solution is to designate a suitable person from the information security community of interest, since the inherent focus is on the information security needs of the organization
  • It is up to each organization to find the leadership for a successful project implementation

Figure 10-

Principles of Information Security - Chapter 10 Slide 20

Wrap-up 

  • Project wrap-up is usually handled as a procedural task assigned to a mid-level IT or information security manager
  • These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting
  • The goal of the wrap-up is to resolve any pending issues, critique the overall effort of the project, and draw conclusions about how to improve the process for the future