This lecture was delivered by Dr. Samarendra Jeethesh at Ankit Institute of Technology and Science for System Security and Cryptography course. It includes: Implementing, Security, Organization, Security, Blueprint, Project, Plan, Technical, Strategies, Principles
Principles of Information Security - Chapter 10 Slide 2
Upon completion of this chapter you should be able to:
Principles of Information Security - Chapter 10 Slide 4
Once the organization's vision and objectives are documented and understood, the blueprint can be turned into a project plan.
The major steps in executing the project plan are:
Principles of Information Security - Chapter 10 Slide 5
Creation of a detailed project plan using a simple planning tool, such as the work breakdown structure (WBS)
Principles of Information Security - Chapter 10 Slide 7
No matter what information security needs exist in the organization, the amount of effort that can be expended depends on the funds available.
Cost-benefit analysis must be verified prior to development of the project plan.
Both public and private organizations have budgetary constraints, albeit of a different nature.
To justify an amount budgeted for a security project at either public or for-profit organizations, it may be useful to benchmark expenses of similar organizations.
Principles of Information Security - Chapter 10 Slide 8
In general, the most important information security controls should be scheduled first.
The implementation of controls is guided by the prioritization of threats and the value of the information assets threatened.
A control that costs a little more and is a little lower on the prioritization list but addresses many more specific vulnerabilities and threats has higher priority than a less expensive, higher-priority component that only addresses one particular vulnerability.
Principles of Information Security - Chapter 10 Slide 10
The lack of enough qualified, trained, and available personnel also constrains the project plan.
Experienced staff is often needed to implement available technologies and to develop and implement policies and training programs.
If no staff members are trained to configure a firewall that is being purchased, someone must be trained, or someone must be hired who is experienced with that particular technology.
Principles of Information Security - Chapter 10 Slide 11
It is unrealistic for an organization to install all information security components at once.
In addition to the constraints of handling so many complex tasks at one time, there are the problems of interrelated conflicts between the installation of information security controls and the daily operations of the organization.
The installation of new information security controls may also conflict with existing controls.
Principles of Information Security - Chapter 10 Slide 13
Policies require time to develop, and new technologies require time to be installed, configured, and tested.
Employees need to understand how a new program impacts their working lives.
The goal of the project plan is to avoid new security components from directly impacting the day-to-day operations of the individual employees.
Changes should be transparent to users, unless the new technology causes changes to procedures, such as requiring additional authentication or verification.
Principles of Information Security - Chapter 10 Slide 14
The size of the organization and the normal conduct of business may preclude a single large training program.
As a result, the organization should conduct a phased-in or pilot approach to implementation.
In the case of policies, it may be sufficient to brief all supervisors on the new policy and then have the supervisors update end users in normal meetings.
Ensure that compliance documents are also distributed, requiring all employees to read, understand, and agree to the new policies.
Principles of Information Security - Chapter 10 Slide 16
Project management requires a unique set of skills and a thorough understanding of a broad body of specialized knowledge.
It is a realistic assumption that most information security projects require a trained project manager, CISO, or skilled IT manager versed in project management techniques to oversee the project.
In addition, when selecting advanced or integrated technologies or outsourced services, even experienced project managers are advised to seek expert assistance when engaging in a formal bidding process.
Principles of Information Security - Chapter 10 Slide 17
Some organizations may designate a champion from general management to supervise the implementation of the project plan.
An alternative is to designate a senior IT manager or the CIO of the organization to lead the implementation.
The optimal solution is to designate a suitable person from the information security community of interest, since the inherent focus is on the information security needs of the organization.
It is up to each organization to find the leadership for a successful project implementation.
Principles of Information Security - Chapter 10 Slide 20