Information and Data Security
Dr. B. Chandra Mohan
Information and Data Security Team
Structure
• The team structure reflects the growing importance and scope of information security.
• Information security governance begins at the top, with the Board of
Directors and the CEO.
Team Structure
1. Board of Directors / Security Steering Committee
2. CEO or Executive Management
3. CIO/CISO
4. Security Director
5. Security Analyst
6. Security Architect
7. Security Engineer
8. Systems Administrator
9. Database Administrator
10. IS Auditor
11. End User
Security incident response team
• Processes IT security complaints or incidents.
• Assesses threats to IT resources.
• Alerts IT managers of imminent threats.
• Determines incident severity and escalates it, if necessary, with
notification to CTO and president’s senior staff.
• Coordinates security incidents (level 2 or 3) from discovery to closure.
• Reviews incidents, provides solutions/resolutions and closure.
Security Metrics
• Measurements provide single-point-in-time views of specific, discrete
factors.
• Metrics are derived by comparing two or more measurements taken over
time against a predetermined baseline.
• Good metrics are those that are SMART, i.e. specific, measurable,
attainable, repeatable, and time-dependent.
The categories of security metrics
• Implementation – metrics used to show progress in implementing
policies and procedures and individual security controls
• Effectiveness/efficiency – metrics used to monitor results of security
control implementation for a single control or across multiple controls
• Impact – metrics used to convey the impact of the information
security program on the institution's mission, often through
quantifying cost avoidance or risk reduction produced by the overall
security program
Types of Security Metrics
• Based on level
  • Strategic security metrics
  • Security management metrics
  • Operational security metrics
• Based on object
  • Process security metrics
  • Network security metrics
  • Software security metrics
  • People security metrics
Application Security
• Number of Applications
• Percentage of Critical Applications
• Risk Assessment Coverage
• Security Testing Coverage
Configuration Change Management
• Mean-Time to Complete Changes
• Percent of Changes with Security Review
• Percent of Changes with Security Exceptions
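The following added example (not from the original slides) shows the measurement-versus-metric distinction on the three Configuration Change Management measurements listed above: each reporting period yields single-point-in-time measurements, and a metric is produced only by comparing a later period against a predetermined baseline period. The change-ticket schema (`ChangeRecord`), the period labels, the constructed tickets and the `BETTER_WHEN` direction table are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class ChangeRecord:
    """One change ticket (hypothetical schema, constructed for this example)."""
    change_id: str
    period: str               # reporting period the change belongs to
    opened: datetime
    closed: datetime
    security_reviewed: bool   # a security review happened before closure
    security_exception: bool  # the change was closed with a security exception


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample tickets for two reporting periods (not real data).
CHANGES = [
    ChangeRecord("CHG-101", "2024-Q1", _dt("2024-01-08 09:00"), _dt("2024-01-10 09:00"), True, False),
    ChangeRecord("CHG-102", "2024-Q1", _dt("2024-01-15 09:00"), _dt("2024-01-16 09:00"), False, True),
    ChangeRecord("CHG-103", "2024-Q1", _dt("2024-02-01 09:00"), _dt("2024-02-04 09:00"), True, False),
    ChangeRecord("CHG-104", "2024-Q1", _dt("2024-02-20 09:00"), _dt("2024-02-21 21:00"), False, False),
    ChangeRecord("CHG-201", "2024-Q2", _dt("2024-04-02 09:00"), _dt("2024-04-03 09:00"), True, False),
    ChangeRecord("CHG-202", "2024-Q2", _dt("2024-04-10 09:00"), _dt("2024-04-11 21:00"), True, False),
    ChangeRecord("CHG-203", "2024-Q2", _dt("2024-05-06 09:00"), _dt("2024-05-07 09:00"), True, True),
    ChangeRecord("CHG-204", "2024-Q2", _dt("2024-05-20 09:00"), _dt("2024-05-22 09:00"), False, True),
    ChangeRecord("CHG-205", "2024-Q2", _dt("2024-06-03 09:00"), _dt("2024-06-03 21:00"), True, False),
]

# Assumed direction of improvement for each measurement.
BETTER_WHEN = {
    "mean_hours_to_complete": "lower",
    "pct_with_security_review": "higher",
    "pct_with_security_exception": "lower",
}


def measure_period(changes, period):
    """Measurements: single-point-in-time values for one reporting period."""
    rows = [c for c in changes if c.period == period]
    if not rows:
        raise ValueError(f"no changes recorded for period {period}")
    n = len(rows)
    hours = [(c.closed - c.opened).total_seconds() / 3600 for c in rows]
    return {
        "changes": n,
        "mean_hours_to_complete": mean(hours),
        "pct_with_security_review": 100.0 * sum(c.security_reviewed for c in rows) / n,
        "pct_with_security_exception": 100.0 * sum(c.security_exception for c in rows) / n,
    }


def derive_metrics(changes, baseline_period, current_period):
    """Metrics: each measurement compared against the predetermined baseline period."""
    base = measure_period(changes, baseline_period)
    cur = measure_period(changes, current_period)
    metrics = {}
    for name, direction in BETTER_WHEN.items():
        delta = cur[name] - base[name]
        if delta == 0:
            status = "unchanged"
        elif (delta < 0) == (direction == "lower"):
            status = "improved"
        else:
            status = "regressed"
        metrics[name] = {
            "baseline": base[name],
            "current": cur[name],
            "delta": delta,
            "status": status,
        }
    return metrics


if __name__ == "__main__":
    for name, m in derive_metrics(CHANGES, "2024-Q1", "2024-Q2").items():
        print(f"{name:28s} baseline={m['baseline']:6.1f} current={m['current']:6.1f} "
              f"delta={m['delta']:+6.1f} {m['status']}")
```

With the constructed data, mean time to complete and the security-review percentage improve from Q1 to Q2 while the exception percentage regresses; a single period's numbers alone would not reveal either trend, which is the point of keeping measurements and metrics distinct.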
Financial
• Information Security Budget as % of IT Budget
• Information Security Budget Allocation
Incident Management