56 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
is successful, the safety of employees and products, and that all actions are ethical and compliant with the appropriate laws and regulations.
2. Approving Authority: The Approving Authority conducts the business-security risk assessment of the system and formally approves the operational use of the system. This individual must be a senior employee of the organization, formally assigned the responsibility and authority for reviewing and approving information systems with all of their associated risks for operations. To have the appropriate authority, the Approving Authority must have adequate influence over both the business operations and resources to make a balanced cost-benefit, mission analysis–risk determination on the acceptability of the residual system's security risks.
3. Verication Entity: is is a person or group that takes actions to verify that
what is documented in the approved system security plan is what is being
done in the operations of the system. is is done by
N Conducting reviews of documents, such as compliance regulation and
directives, security plans, operations manuals, audit logs, and journals
N Interviewing personnel
N Testing (system mappings, vulnerability scans, penetration and social
engineering tests, etc.)
N On-site inspections
roughout, they report to the Approving Authority and system owner, iden-
tifying vulnerabilities and noncompliance issues in the system and potential
options for correcting the same. is document is typically called the security
assessment report.
4. System Owner: Of all the individuals in an organization responsible for security, the system owner is responsible for over 85% of the actions. This person is responsible for everything from developing, implementing, managing, manning, training, educating, resourcing, operating, maintaining, monitoring, exercising, assessing, and reporting, to correcting the information system's security on a daily basis. This individual is responsible for developing and maintaining all of the key security documents, including the system's security, contingency, incident response, patch management, configuration management, POA&M, and budget plans. Additionally, the system owner must report the security status, issues, and risk to senior management.
5. User Representative: The users are one of the main keys to the success of any security program. The user representative ensures that concerns including mission, cultural, frontline-operational, environmental, and user acceptability are included in any system security solution. Additionally, they become the conduit for communications between management and the user community to facilitate security promotion to the users and provide alternative solutions back to management.
All of these vary in title and description of duties from one organization to another. Examples of these are
Senior Management can be the Board of Directors, who are ultimately responsible for the overall health of the enterprise, or the General Managers in officer-level positions (like CEO and COO), who are responsible for daily decision making and the infusion of values and culture throughout the organization.
Approving Authority in some financial organizations is the Chief Financial Officer (CFO); in other organizations it is the newly designated CSO; but in the majority of cases it is the CIO.
Verification Entity has been one or a combination of internal and external audit and information system security professional functions, sometimes called the Inspector General, Auditing, Compliance, Certifier, or Certification Agent/Group.
System Owner is the person who is in charge overall of directly managing the information system's operations and is called by a variety of titles in different organizations or during different phases of the SDLC. Some of these are Business Functional Manager or Director, or Project or Program Manager.
User Representative can be anyone from a representative appointed by the users to the systems administrator.
Understanding the roles of each of the above, the ISSMP can now see why the level of security education and awareness with each of these individuals is very important to the success of any system security program. This will be discussed more at the end of this chapter.
Some organizations have additional professional personnel who support the above individuals in establishing and maintaining the security for a system. The following are examples of some of these:
Risk Analyst: The Risk Analyst is responsible for overall risk management activities that can include fiduciary, legal, regulatory, investment, health and safety, and security. Additionally, this person knows the standard methods for calculating risk and how to determine the various values for risk equations.
Chief Information Security Officer (CISO): The CISO is responsible for developing, implementing, and overseeing the information security program, policies, standards, and guidelines, and conducting risk assessments, identifying practical security solutions, and promoting security awareness to all levels of an organization.
Information System Security Officer (ISSO): The ISSO is responsible for direct oversight of the system's security by conducting routine reviews of system security logs and operations, and provides security advice to the System Owner. Sometimes they are called the Business Unit (Information) Security Officer (BSO/BISO), because they report to a business unit manager. The ISSO or BISO sometimes has an additional reporting structure to the CSO or CISO for receiving additional guidance, tasking, and reporting.
With the exception of the ISSO, who typically works with the System Owner, the others can work for any number of senior managers. In some organizations the Risk Analyst is a general staff person who works for single or multiple business units, providing risk assessment support to a broad variety of reviews and decision-making processes, while in others, this individual is the Chief Risk Officer (CRO), providing risk analysis to the General Managers and the Board of Directors on compliance and business issues. The CISO can work for one or more General Managers or the CIO, CFO, or CSO, depending on the internal structure, history, cultures, business focus, personalities, and politics within an organization. In the majority of cases the CISO works for the CIO, because system security is viewed as an information technology function. In some cases the CISO works for the CFO, because the organization is viewed as being a financial business, and information systems are viewed as only a support element. In others the CISO works for the CSO where there is one, because information security is viewed as an organizational requirement that requires the integration of all security disciplines (personnel, computer, and physical). Sometimes the CISO does not work for the CIO, because there is a concern for conflict of interest, e.g., the CIO could be more concerned with availability, whereas the CISO is concerned with all security functions (availability, integrity, and confidentiality). Another reason could be a senior management concern that the CIO does not fully respect the priority of business requirements over technology.
Each of the above roles holds a key responsibility for ensuring that an information system maintains an adequate level of security, but the most key are the System Owner and ISSO, because they are the ones who are supposed to be monitoring the system's security status on a daily basis and have the most security knowledge. They are also responsible for making sure that the system's needs are reflected in the organization's budget and the Approving Authority is aware of any security concerns related to its systems. The latter is accomplished by providing reports and presentations to senior management, so they can take actions to resolve any security issues.
An ISSMP has the potential to support or be in the position of any of the above roles, because the ISSMP's professional expertise is needed for ensuring the success of each role. To become qualified for any of these roles does require experience and additional qualifications and knowledge. To be successful in an organization, all of the above need to understand how to successfully gain resources and present them to management.
Resourcing Security
To understand how to gain additional resources requires an understanding of several additional concepts and processes:
- Maslow's Hierarchy of Needs
- Project Management
- Planning, Programming, Budget, and Execution
- Needs Justification
Hierarchy of Needs is the result of Maslow's theory of what motivates individuals to take the actions that they do. Maslow identified five levels of needs: physiological, safety, love, esteem, and self-actualization. Figure 1.13 provides a visual representation of the five levels and some of the actual needs at each level.
Maslow's theory is that one must achieve, maintain, and satisfy the lowest levels before one can take on the next level of needs. This theory is not as rigid as it seems, because an individual's priorities can fluctuate from minute to minute (for example, if one cannot breathe one quickly refocuses on the Physiological Level, or if one's home is lost one refocuses on the Safety Level until shelter is obtained), but for the most part individuals are subconsciously at one or two levels. Knowing which need levels individuals are at is very important to the ISSMP, because understanding what motivates individuals is one of the keys to developing strategies for influencing, managing, leading, selling, and convincing other individuals. For example,
[Figure 1.13 Maslow's Hierarchy of Needs. The pyramid shows the five levels, bottom to top, with examples of the needs at each: Physiological (the very basic needs to live: air, water, food, and sleep); Safety (stability, place to live, job, savings, insurance, job skills, education, etc.); Love ("affectionate relations with people"); Esteem (desire for achievement, confidence, independence, freedom, reputation, recognition, attention, or appreciation); Self-Actualization (contributing to society, adding to wisdom, art, religion).]
Situation: A manager of a profit center supported by an information system is in fear of losing his job. Which level is he at and how do you convince him to buy a firewall?
Strategy: He is focused on the Safety Level, so explain how the lack of a firewall can adversely impact the success of the profit center and that a security incident can be highly embarrassing to the organization, which will result in the loss of clients.
Situation: A project team of professionals is working on a project in a very high growth industry with a lot of competitors paying higher salaries. Which level are they at, and what do we do to motivate them to stay working on this important project?
Strategy: In general, the team is financially stable and educated so they can be at the Love Level or the Esteem Level. If the members are at the Love Level, the ISSMP will need to take actions to improve the group dynamic to increase the individuals' sense of belonging. Increasing group interaction by holding meetings with interactive exercises would be one solution; another action could be to generate a name for the team, create a logo, and produce a banner, caps, buttons, or shirts. If some or all of the members are at the Esteem Level, an appropriate action would be to compliment individuals on providing good ideas or the group for successes.
All too often when a manager is asked, "How do you motivate someone?" the manager's immediate answer is, "More money!" Usually the best answer is to determine what level the person is at and take an action appropriate for supporting the need at that level. (Source: Maslow, A. H. A Theory of Human Motivation. Psychological Review 50 (1943): 370–96.)
Project Management principles need to be understood if an ISSMP is going to be successful in managing or assisting in any medium or major effort. The best place to gain knowledge on how to manage a project is from the Project Management Institute (PMI) or one of their chapters in 170 countries. To the PMI, project management consists of understanding some 45 processes that are required for successfully managing projects. These processes consist of five basic process groups and nine knowledge areas (see Figure 1.14).
The basic process groups as defined by PMI in their publication, A Guide to the Project Management Body of Knowledge (PMBOK® Guide; 3rd edition, p. 41), are as follows:
Initiating Process Group: Defines and authorizes the project or a project phase
Planning Process Group: Defines and refines objectives and plans the course of action required to attain the objectives and scope that the project was undertaken to address
Executing Process Group: Integrates people and other resources to carry out the project management plan for the project