Information security functions fall into five main categories: information security policy, strategy, and governance; engineering; disaster recovery/business continuity; crisis management and incident response/investigation; and administrative/operational.
These functions should be organized in an information security department or directorate, headed by an information security manager, who may also be known as the information security officer (ISO).
This individual directs, coordinates, plans, and organizes information security activities throughout the organization.
The information security function must work with many other groups within and outside the organization, including physical security, risk management, internal audit, legal, internal and external customers, industry peers, research groups, and law enforcement and regulatory agencies.
Manage compliance with information security policies and standards:-
Managers and the employees to whom security policies apply play the primary role in implementing, and ensuring initial compliance with, newly published policies. For organization-wide policies, standards, baselines, and guidelines, this responsibility extends to all managers and employees to whom they apply.
For security procedures, this responsibility is limited to the managers and employees of the organizational unit to which those procedures apply.
Manage approval of logical authentication and access controls:-
- Authentication system:- The authentication system verifies the identity of users and objects on the network. It requires that users (and objects) present credentials before any type of network access is granted. Authentication systems are common in most network environments in the form of directory services; some of the most widely used are Microsoft Active Directory, Novell eDirectory, and RADIUS. Whatever system is used, it must be able to communicate in some form with the access control component of the network.
- Access controls:- The access control component holds the specific user, group, and access policies of the network and serves as the gateway for network access. It takes the authenticated user's identity and reviews the individual and group rights to resources that the connection should have. It then issues commands to the network infrastructure equipment to grant access only to the appropriate resources.
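As an added illustration (not code from the original page), the following Python sketch models the two components above as separate pieces of code: an authentication step that checks a salted password hash against a constructed user directory, and an access-control step that resolves group membership against a deny-by-default policy and only then emits the "grant" command. The user names, passwords, groups and resource names are made up for the example; a real deployment would back the directory with Active Directory, eDirectory or RADIUS.

```python
"""Added example: authentication separated from access control.

The directory, groups and policy below are constructed for illustration only.
"""
import hashlib
import hmac
import os

# --- Authentication system ----------------------------------------------------
# The directory stores a per-user random salt and a PBKDF2-SHA256 hash of the
# password, never the password itself, so a leaked directory does not directly
# leak credentials.
PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed sample directory (hypothetical users and passwords).
DIRECTORY = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2"),
}


def authenticate(username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches its hash."""
    record = DIRECTORY.get(username)
    if record is None:
        # Do a dummy hash so response time does not reveal whether the
        # username exists (user enumeration via timing).
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, record["hash"])


# --- Access control component -------------------------------------------------
# Group membership and a resource policy: each resource lists the groups that
# may reach it. A resource that is not listed is denied to everyone.
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
}

POLICY = {
    "finance_share": {"finance"},
    "intranet": {"staff"},
}


def authorize(username: str, resource: str) -> bool:
    """Deny by default; grant only if the user is in a group the policy allows."""
    allowed_groups = POLICY.get(resource, set())
    user_groups = GROUPS.get(username, set())
    return bool(user_groups & allowed_groups)


def request_access(username: str, password: str, resource: str) -> str:
    """Full flow: authenticate first, then authorize, then issue the command
    that the network equipment would act on. Returns the command string."""
    if not authenticate(username, password):
        return "DENY: authentication failed"
    if not authorize(username, resource):
        return f"DENY: {username} is not permitted on {resource}"
    return f"GRANT: open {resource} for {username}"


if __name__ == "__main__":
    for user, pw, res in [
        ("alice", "correct horse battery staple", "finance_share"),
        ("bob", "hunter2", "finance_share"),
        ("bob", "hunter2", "intranet"),
        ("carol", "hunter2", "intranet"),
    ]:
        print(user, res, "->", request_access(user, pw, res))
```

Note that the same string comes back for "unknown user" and "wrong password": the authentication step should not tell a caller which of the two failed, and the authorization step is never consulted until identity has been established.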
Manage collection of information security metrics:-
- The security manager must understand the business of the organization. While this seems a simple requirement, for a large multinational organization it may prove to be a formidable task.
- Information security operational risk metrics (ORM) follow the standard operational-risk event categories: internal fraud; external fraud; employment practices and workplace safety; clients, products, and business practices; damage to physical assets; business disruption and system failures; and execution, delivery, and process management.
Manage and assess information security risks :-
- Hardware: all servers, workstations, personal computers, laptops, removable media (CDs, floppies, tapes, etc.), communication lines, etc.
- Software: identify the risks of a security problem due to outdated software, infrequent patching, and delayed upgrades to new versions. Also take into account the potential issues with staff installing file-sharing applications (Kazaa, ShareReactor, eDonkey, etc.), IM (chat) software, and entertainment or freeware software from unknown and untrustworthy sources.
- Internet threats:
  Web browsing: define what constitutes restricted, forbidden, and potentially malicious web sites; provide staff members with brief, well-summarised tips for safer browsing; and let them know that their Internet usage is monitored in order to protect the company's internal systems.
  E-mail use: define the "acceptable use" criteria of the e-mail system (what is allowed and what is not, the company policy on using the mail system for personal messages, etc.). Also briefly explain the threats posed by abuse of the mail system and the potential for spreading malicious code.
  Instant messaging (IM) software (ICQ, AIM, MSN, etc.): state whether it is allowed or completely forbidden, and give staff short examples of how an attacker might use these programs to penetrate the network and steal, corrupt, or modify company data.
  Downloading/attachments: state whether downloading is allowed or not; give tips for safer downloading; explain trusted and untrustworthy sources; describe best practices for mail attachments if they are allowed; discuss the potential threats and dangers; and cover the use of virus scanners.
Incident handling :-
The information security officer oversees information security activities within the company and provides consultation for incident investigations. The ISO must be notified of all information security incidents in order to maintain accurate incident data and to ensure that consistent information is communicated internally and externally.
It is also fair to say that the majority of small businesses are unlikely to have somebody in the information security role. This is due either to poor management or to the assumption that it will be dealt with by the IT department. If a specific security role within a small organisation is not established, the responsibilities are often given to the most technical member of the team.
The information security officer is employed within an organisation to perform core duties such as assessing risk, developing security and continuity plans, and ensuring there is a proven process for incident management. More importantly, the ISO is required to have a deep understanding of the organisation, successfully educating staff and management on the security issues in their respective departments.
An ISO will help an organisation prepare for an inevitable attack, providing solutions (business continuity plans) that keep the business in operation while the incident is being managed. In the long run, this saves the organisation from losing money and from unnecessary system downtime.
This is achieved by implementing policies and helping the organisation comply with legislation such as the Data Protection Act (concerned with how personal information is stored and handled) and the Computer Misuse Act (which makes unauthorised access to, or modification of, computer material a criminal offence).
- Develop information security goals and strategy.
- Develop and maintain information security policy and standards.
- Review logical authentication and access controls (network and systems) at regular intervals.
- Approve and review physical access controls to IT facilities.
- Develop and maintain the company's IT business continuity plan.
- Resolve information security incidents.
- Establish and maintain the organization's professional reputation in the field of information security management.
- Provide solicited or unsolicited information security consultancy to all sections of IT and the rest of the organization.
- Manage compliance with information security policies and standards.
- Manage approval of logical authentication and access controls.
- Manage collection of information security metrics.
- Manage information security awareness program.
- Manage and assess information security risks.
- Manage preparation for information security audits.
- Facilitate the collection of security metrics.
- Facilitate regular reporting of collected metrics to the information security officer.
- Facilitate compliance monitoring and report regularly to the information security officer.
- Notify the information security officer of any perceived risks to information security.
- Assist the information security officer with the implementation of information security controls.
- Assist the information security officer with resolving information security incidents.
- Implement information security policies and standards.
- Develop and document information security procedures and guidelines.
- Categorize the information system (criticality/sensitivity).
- Select and tailor baseline (minimum) security controls.
- Supplement the security controls based on risk assessment.
- Document the security controls in the system security plan.
- Implement the security controls in the information system.
- Assess the security controls for effectiveness.
- Authorize information system operation based on mission risk.
- Monitor the security controls on a continuous basis.
CMS Chief Information Security Officer (CISO)
The CISO assists the CIO in the implementation and administration of the CMS Information Security Program.
- Assists the CIO in the fulfillment of his/her incident handling responsibilities.
- Maintains coordination and communication with the DHHS CISO and DHHS Security One for incident reporting, tracking and closure.
- Provides overall incident handling direction for lower-priority incidents to System Technical Support or Business Owners, and recommendations to the IHCM for more serious incidents.
- Recommends to the CIO, Senior Privacy Official, and BAT staff that the BAT be activated, if it is not already, to advise the Senior Core Leadership for Breach Management on breach notification.
- Participates as a member of the BAT for incidents involving system attacks and/or penetration in which PII might be compromised.
- Serves as an ad hoc consultant to the BAT for other incidents, e.g., lost laptops, stolen hard drives, missing cartridges.
- Monitors recommendations from the BAT to the Senior Core Leadership for Breach Management, as well as updates to the HHS Secure One/PII Breach Response Team.
- Coordinates lessons-learned briefings on incidents for Business Owners and System Developers/Maintainers.
Information security has come to play a vital role in today's fast-moving but technically fragile business environment. Consequently, secured communications are needed for both companies and customers to benefit from the advances the Internet makes possible.
The importance of this needs to be clearly highlighted so that adequate measures are implemented, not only to enhance the company's daily business procedures and transactions, but also to ensure that the necessary security measures are put in place with an acceptable level of competency.
The likelihood of a company's data being exposed to a malicious attacker keeps increasing, in large part because of the number of "security illiterate" staff who have access to sensitive, and sometimes even secret, business information. Consider the security implications of someone in charge of sensitive company data browsing the Internet insecurely through the company's network, receiving suspicious e-mails with destructive attachments, and constantly using instant messaging (IM) or chat applications.