- Defining Security Principles
- Security Management Planning
- Risk Management and Analysis
- Policies, Standards, Guidelines, and Procedures
- Examining Roles and Responsibility
- Management Responsibility
- Understanding Protection Mechanisms
- Classifying Data
- Employment Policies and Practices
- Managing Change Control
- Security Awareness Training
Know what management's responsibility is in the information security environment.
Management's responsibility goes beyond the basics of support. It is not enough just to bless the information security program; management must own up to the program by becoming a part of the process. Becoming part of the process involves showing leadership in the same manner that managers show leadership in other aspects of the organization.
Management has specific goals for the organization, and most security and information system professionals are not in the position to understand or appreciate these nuances. Because security is not something that can be wrapped into a package and bought off the shelf, management must drive the attitudes for creating a good security program. This can only come after the analysis of risks, costs, and the requirements to ensure that information is not too secure to access. Management is responsible for doing the analysis and conveying this to the technical people responsible for implementing these policies.
User Information Security Responsibilities
One way to ensure that every current and future employee or user knows that security is part of his job function is to make it part of each job description. Spelling out the security function or expectations within the job description demonstrates the commitment to information security, as well as emphasizes that it is part of the job. After it is made part of the job description, it becomes something that can be considered in performance evaluations.
Outside contractors, vendors, or other people who provide external services directly on the company's network should include similar language within their statements of work. As with employees, this reinforces the company's commitment as well as makes the contractors' or vendors' adherence to the organization's security requirements a factor in their quality-of-service evaluations.
Socializing the Acceptable Usage Policy
One common method to ensure compliance is to have anyone who accesses the network read and sign the Acceptable Usage Policy before being given access to the systems and networks. This way, users are given the opportunity to understand the policies and ask questions so they know what their expectations are.
IT Roles and Responsibilities
The information technology (IT) staff is responsible for implementing and maintaining organization-wide information security policies, standards, guidelines, and procedures. They should provide input into security awareness education programs and ensure that everyone knows her role in maintaining security. Simply, IT provides the mechanisms that support the security program outlined by the policy.
This department must be able to strike a balance between education and enforcement, although that can be difficult. They should be viewed as a partner in the business process. If implemented as an enforcement-only group, the IT group will be feared. Fear can elicit adverse reactions to their real purpose, which can undermine the purpose of these policies. Additional training can help the technology people understand their place in the environment.
Other Roles and Responsibilities
For any information security program to be successful, it must be integrated into every aspect of the environment. Integration must include statements of work and responsibilities within the business environment, job descriptions, and how these will be audited and monitored.
A primary task in assigning roles in the information security process is how information security integrates into the business environment. As part of that integration, jobs that support security through the processes should be defined. For example, one way to do this is to define a separation of duties and control over company assets by coordinating efforts with everyone, including owners of data and facilities. By having these defined as part of the business process, there is no ambiguity as to who is responsible and when.
Another role to consider is how security is administered throughout the organization. A typical environment should have a central information security management group. The central group is in charge of the monitoring and enforcement of the policy and procedures whose membership would come from the organization's stakeholders. The closer placement of security enforcement with the stakeholders can help with the control of real-time connections with third parties. These liaisons can be responsible for educating these outsiders as well as monitoring and providing enforcement.
This, however, is not a perfect solution. Some people who work in this environment for an extended period might find ways to abuse the system and exploit it, for whatever reason. One way to combat this is to not allow a person to be the security liaison for more than a short period of timeone or two years, for example. At the end of the term, they pass the job to someone else.
The final area that should have a role in the information security process is the software development cycle. Whether software is developed internally or by contractors, or if the organization purchases commercial off-the-shelf (COTS) products, the goal should be to build secure systems wherein errors or manipulations can be trapped. Policy for coding and testing standards also can assist in the quality assurance process.