Lecture Note Professional practices in information technology - Lecture No. 30: Information Security (Cont’d). After studying this chapter you will be able to understand: Organizational structures, roles and responsibilities, information classification, risk management.
Professional Practices in Information Technology CSC 110 Professional Practices in Information Technology HandBook COMSATS Institute of Information Technology (Virtual Campus) Islamabad, Pakistan Professional Practices in Information Technology CSC 110 Lecture 30 Information Security (Cont’d) 30.1 Overview Organizational Structures Roles and Responsibilities Information Classification Risk Management Organizational Structure Organization of and official responsibilities for security vary – BoD, CEO, BoD Committee – Director, Manager IT/IS Security Audit Typical Organizational Chart Professional Practices in Information Technology CSC 110 Figure 30.1: Typical Organizational Chart SecurityOriented Org Chart Figure 30.2: SecurityOriented Org Chart Professional Practices in Information Technology CSC 110 Further Separation Figure 30.3: Further Separation Organizational Structure Audit should be separate from implementation and operations – Independence is not compromised Responsibilities for security should be defined in job descriptions Senior management has ultimate responsibility for security Security officers/managers have functional responsibility Roles and Responsibilities Best Practices: – Least Privilege – Mandatory Vacations Professional Practices in Information Technology CSC 110 – Job Rotation – Separation of Duties Owners – Determine security requirements Custodians – Manage security based on requirements Users – Access as allowed by security requirements Information Classification – Not all information has thesame value – Need to evaluate value based on CIA – Value determines protection level – Protection levels determine procedures – Labeling informs users on handling Government classifications: – Top Secret – Secret Professional Practices in Information Technology CSC 110 – Confidential – Sensitive but Unclassified Private Sector classifications: – Confidential – Private – Sensitive – Public Criteria: – Value – Age – Useful Life – Personal Association Risk Management Risk Management is identifying, evaluating, and mitigating risk to an organization – It’s a cyclical, continuous process – Need to know what you have – Need to know what threats are likely Professional Practices in Information Technology CSC 110 – Need to know how and how well it is protected – Need to know where the gaps are Identification Assets Threats – Threatsources: manmade, natural Vulnerabilities – Weakness Controls – Safeguard .. .Professional Practices in Information Technology CSC 110 Lecture 30 Information Security (Cont’d) 30.1 Overview Organizational Structures Roles and Responsibilities Information Classification... Risk Management is identifying, evaluating, and mitigating risk to an organization – It’s a cyclical, continuous process – Need to know what you have – Need to know what threats are likely Professional Practices in Information Technology. .. Protection levels determine procedures – Labeling informs users on handling Government classifications: – Top Secret – Secret Professional Practices in Information Technology CSC 110 – Confidential – Sensitive but Unclassified