Executive Blueprints, Inc : Executive Blueprints, Inc Security is a Management ISSUE By Louis W. Mehrmann Security is a Management Issue Index : Security is a Management Issue Index 1. Introduction 2. Definitions 3. Vulnerabilities and Risks 4. Policy and Procedures 5. Controls 6. Selective Protection Concept 7. Implementation Checklist Preparation : Preparation To get the most of this tutorial, we suggest that you prepare with writing instruments and your canvas (blank paper) available as you follow along. You can document your personal ideas and observations as you follow the presentation.
For best results, group participation or review is recommended. It is also suggested that you go through the entire process and then review the what you have learned in practice. Look for this icon in the top right corner as a prompt for you to document your personal strategy canvas. Introduction : Introduction Security is a management issue,
…………………………..not a technological one.
The technology exists to assist management in the
implementation and achievement of their security objectives.
Technology, however, is only a tool to be used in support of plans, programs, and guidelines which Management must specify.
These plans and programs should be developed to
meet the needs of the organization to address its
vulnerabilities to the risks of financial loss from unplanned, unintended events. How Safe Are You From Becoming a Headline : How Safe Are You From Becoming a Headline I Have to do
Something so this
To Our Company,
But What ? Could this Happen To Us ?
What should I Do ?
Who Can Help Me ? Information Security Definition : Information Security Definition Modification Disclosure Destruction Business Information Assets Definition: The protection of Information Assets from unauthorized disclosure, modification or destruction
by either accidental or intentional means. Vulnerabilities : Vulnerabilities ERRORS AND OMISSIONS DISHONEST EMPLOYEES FIRE AND NATURAL
EMPLOYEES WATER OTHER
(*) (*) including strangers Highly Dependent On
Nature of the Business
Resources (type of information) Risk Evaluation : Risk Evaluation Losses Controls $ Additional Security Measures Balanced Risk Options
Assume Identify Hazards : Identify Hazards Natural Hazards
Other Man Made Hazards
Other Key Issues : Key Issues There are Several Major Issues With Regard to Organization Security:
First is the need for a policy and active security program.
Second is the need for access controls both physical and logical.
Third is the need for audit and control programs to ensure that the security
program is effective.
Fourth is the need for a contingency plan to protect the organization from harm
during periods of time when information processing services are unavailable.
We will briefly touch on each of these areas of need and wrap up with a few ideas
on how to implement an effective security program. Security Policy : Security Policy Every organization should have a published organization-wide policy
relating to the protection of the organization’s information assets.
The policy should be signed by the organization’s CEO.
The policy should set direction and provide broad guidance.
Detailed guidelines should be spelled out in other documents.
The policy should be disseminated throughout the entire organization.
Employees should be required to sign a statement that they have read
and understand the security policy.
The policy should be regularly reviewed and updated to maintain
currency with the organization’s structure and assets. Security Manager : Security Manager Security is a line management responsibility.
However, the need exists for a knowledgeable security management (staff) function.
Ideally, this security manager staff position should be:
High in the organization
Outside of the Data Processing function
Capable of administering an organization-wide perspective
Responsible for assisting the CEO formulate and maintain currency of the security policy
Responsible for assisting line management to
- Interpret the security policy
- Establish departmental guidelines
- Communicate guidelines to employees
Responsible for the coordination of periodic security audits Ownership Program : Ownership Program The heart of a good security system is an effective “ownership program” which includes having all
of the information assets identified and ownership of each asset assigned and acknowledged.
We will just touch on this concept here but a complete tutorial is available on-line under the Ownership and
Classification education module.
An Owner is defined as:
An individual responsible for a specific information asset
Having “property rights” to that asset
The person responsible for making decisions on asset classification and protection
The approver of application controls and authorizer of access to the asset
A key participant in the risk assessment, risk acceptance and contingency planning processes
Other ownership program roles are:
Custodians – those who have “authorized possession” of the asset (normally a data processor)
Users – those who have “authorized access” to the asset Education and Awareness : Education and Awareness An integral component of a good security program is an effective education and awareness process.
Due to the dynamics of information assets and the ever changing environment requires an on-going
need to educate and maintain a constant level of awareness of the need to protect and preserve key
An effective education and awareness program will:
Provide an orientation tutorial and guidelines for all new employees
Periodically advise and update all employees of the need for information asset security
Elevate the level of awareness for security through seminars, films, publications, bulleting boards
Immediately alert all employees of potential threats
Train all employees on the effective use of access controls, SPAM prevention, etc.
Define and assign individual management responsibilities
Implement an annual certification process
Provide adequate documentation and instructions for periodic audits Access Control : Access Control Physical Access Control
There are 3 basic areas for most facilities PUBLIC, PRIVATE, and RESTRICTED
Access to other than public should be limited to:
- Persons who work there on that shift
- Authorized, escorted visitors
Physical controls to be considered include:
- Limited entrances
- Combination locks
- Badge access
- Closed Circuit TV
- Limiting number of persons
- Low visibility of the facility Access Control : Access Control Data Classification
Classification of information is its systematic labeling to indicate a specific set of
protective controls on the basis of its sensitivity to destruction, modification, and
disclosure. We will just touch on this concept here but a complete tutorial is available on-line under the
Ownership and Classification education module.
Labels communicate sensitivity
A label indicates controls based on guidelines
Guidelines are assigned by the owner
Custodians and Users abide by the rules Access Control : Access Control Individual Identification and Authentication
Each individual accessing sensitive resources must have a unique ID and Password.
Never be shared
Be of sufficient length to resist an exhaustive attack
Be changed periodically (at least every six months)
Not be reused for an extended period of time
Contain no vowels
Other forms of identification
Magnetic stripe cards
Voice Data Access Controls : Data Access Controls Utilizes special software with the intent of restricting user access to job
Access rules must be kept current
Records should be kept on all accesses
Unsuccessful tries should be limited (3 and out rule)
Alert for suspicious unauthorized attempts
Special controls should be in place for dial-up access
Cryptography should be used for transmission or storage of sensitive information Audit and Control : Audit and Control Management Controls
Management controls are basic business controls applied to information assets and include:
Separation of duties
Span of management control
Change control (see additional education materials for this topic under Executive Blueprints education index)
DP function separate from principal users
Work processed according to procedures
Timely detection of errors
Error correction, recovery, restart procedures
Personnel procedures including job rotation, hiring, and termination
Periodic management reviews should be conducted utilizing a variety of techniques
including self-assessment, peer, and outside formal audit.
Audits should be conducted to review security procedures, plus physical & logical access
controls. An integral part of the audit should be independent testing and penetration tests.
Also, include the obvious but quite often overlooked simple exposure areas such as
locked desks, clean desks, locked terminals, locked offices, shredding of confidential
documents, and password confidentiality Application & Development Controls : Application & Development Controls Application and Development Controls
The primary focus in this area is on ensuring that the applications used for access and/or
manipulating information assets do “what and only what” they are intended to do.
Controls should ensure that:
There is complete accountability for changes
Changes are independently authorized by user management
Changes are agreed to by the development manager
No programmer has access to live data
Standards have been documented, agreed to, and are being enforced
Procedures are used to evaluate the validity, accuracy, and performance of applications.
Typical procedures employed here are phase reviews, walk-thrus, and inspections. Contingency Planning : Contingency Planning Contingency Planning addresses three key areas:
It is not a Data Processing plan. It is a business plan that addresses all critical business functions.
The plan should be clearly documented, distributed to all business functions and
stored off-site. Individual responsibilities and alternates should be defined for implementation of the plan.
Vital records (critical and sensitive to destruction) should be backed up regularly, stored
off-site in a controlled environment and periodically audited for completeness.
Users who are responsible for keeping the business running while Data Processing restores service
should have a documented plan with alternate procedures for critical business functions.
Plans should be tested yearly at a minimum by utilizing a variety of methods such as
drills, exercises, walk-thrus, and third party reviews. Selective Protection Concept : Selective Protection Concept Implementation Checklist : Implementation Checklist Check these process steps for implementation status Review Ownership Process : Review Ownership Process Have we identified our critical information assets
Have we analyzed our ability to protect our information assets
Have we provided for adequate protection
Have we considered needs and opportunity to enhance our procedures
Have we gained the support of all employees to protect our assets Certificate of Achievement : Certificate of Achievement www.ExecutiveBlueprints.com/certificates/091064.htm Free Certificate of Achievement for Completing this Course!
Click on the link below to print your free on-line Certificate of Achievement. Click on the special link above and connect to our web site
Type Your Name as you would like it to appear on the Certificate
Change your Page Setup or Printer to LANDSCAPE
Print your certificate
Note – Requires the ability to connect to the Internet and local connected printer. About Executive Blueprints, Inc : About Executive Blueprints, Inc Business Consulting Professionals Affiliated Consultants with years of Executive Business management and “real life” experience and success
Characterized by a passion for learning and talent for teaching. We consolidate experience and relevant information into seminars, self-paced tutorials, coaching and targeted support Projects to accommodate the demands of modern management.www.ExecutiveBlueprints.com So much more from : BizRolodex of Discounts
and the list keeps growing Go to www.ExecutiveBlueprints.com for
Calendar of Seminars
Email Newsletter Executive Blueprints is designed and managed by business leaders, with input and suggestions from business leaders, to support the efforts of current and future business leaders.
Get Connected, share your knowledge and learn from the experience of other successful executives. So much more from www.ExecBlue.com