Managing the Security Function

Chapter 11

Figure 11-1: Organizational Issues

Top Management Support

Top-Management security awareness briefing (emphasis on brief)

Corporate security policy statement: Vision, not details

Follow-through when security must be upheld in conflicts

Business champions to give support and business advice

Figure 11-1: Organizational Issues

Should You Place Security Within IT?

Pros

Compatible technical skills

Making the CIO responsible for security breaches gives accountability

Cons

Difficult to blow the whistle on the IT staff

Vendor preference differences with networking staff (e.g., Cisco vs Check Point)

Figure 11-1: Organizational Issues

Should You Place Security Within IT?

Locating security outside IT

Can blow the whistle on IT actions

If organized as a staff (advisory) group, it can only give advice; it has no authority to enforce

Figure 11-1: Organizational Issues

Security and Auditing

IT Auditing has the skills to determine whether IT rules are enforced, but IT auditing does not set policy

Internal Auditing also can audit IT-related procedures, but it does not make policy

Figure 11-1: Organizational Issues

Managed Security Service Providers (Figure 11-2)

On-site logging, off-site analysis

Practice-based expertise

MSSP analysts handle incidents every day and get plenty of experience, like fire departments

Separation of responsibilities: Can blow whistle on IT, even the CIO

Figure 11-1: Organizational Issues

Managed Security Service Providers (Figure 11-2)

What to Outsource?

Typically, intrusion detection and vulnerability assessment

Rarely policy and other control practices

Antivirus protection and other aspects of security are not commonly outsourced yet, but MSSP offerings are expanding

Figure 11-1: Organizational Issues

Managed Security Service Providers (Figure 11-2)

Evaluating the MSSP

Diligence: Is the MSSP really reading the logs? (Contracts are often vague on this)

Skills and background of testers

Figure 11-1: Organizational Issues

Security and Business Staffs

Cannot Just Lob Policies Over the Wall

Security and Business Partners

Your Business Partner’s Security Affects You

Uniformed Security Personnel

They are often called first by suspicious users

They support investigations

Figure 11-1: Organizational Issues

Staffing and Training

Hiring staff: Expertise

Training is necessary because few people on the market are security experts

Certifications are good but vary in what they require and do not make up for lack of experience

Background checks should be done on the security staff

Figure 11-1: Organizational Issues

Staffing and Training

All workers involved in IT should have background checks, including the maintenance staff, consultants, and contractors

Should you hire a hacker?

They are likely to have the knowledge you need

But would you be afraid to fire or lay off one?

Figure 11-2: Managed Security Service Provider (MSSP)

Elements shown: on the firm's side, the MSSP logging server, its log file, and the firm's security manager; on the MSSP's side, the analysis function.

Labeled flows:

Step 2: Encrypted & compressed log data (from the firm's MSSP logging server to the MSSP)

Step 3: Analysis (at the MSSP)

Step 4: Small number of alerts (returned to the firm's security manager)

Step 5: Vulnerability test (run by the MSSP against the firm)
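Added example (not from the textbook or its figure): a Go program that walks the Figure 11-2 flow end to end and adds the diligence check from the "Evaluating the MSSP" slide. The firm's side gzips a batch of log lines and seals it with AES-256-GCM (step 2); the MSSP side verifies the tag, decrypts, decompresses, runs two detection rules (step 3) and returns a short alert list (step 4). The log format, the failed-login threshold, the rule names and the canary technique (a synthetic event the firm plants in its own logs and expects to see echoed back as an alert) are assumptions made for illustration; none of them come from the slides, and step 5 (vulnerability testing) is not modeled.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"slices"
	"strings"
)

// Constructed sample logs ("ts host event subject"), not real data; the last line is the canary
// the firm planted to check whether the MSSP really reads its logs (assumed technique).
const sampleLogs = `2024-03-01T10:00:01Z web1 login_failed 203.0.113.5
2024-03-01T10:00:02Z web1 login_failed 203.0.113.5
2024-03-01T10:00:03Z web1 login_failed 203.0.113.5
2024-03-01T10:01:00Z db1 login_failed 198.51.100.9
2024-03-01T10:02:00Z db1 canary MSSP-CHECK-001
`
const failedLoginThreshold = 3 // failures from one source before an alert fires (assumed value)

// newAEAD sets up the AES-GCM cipher both ends of the Figure 11-2 link share.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // cannot fail for an AES block
}

// pack is step 2 at the firm's logging server: gzip the batch, then seal it so the link carries
// neither plaintext nor a blob that can be altered undetected. Layout: nonce || ciphertext || tag.
func pack(aead cipher.AEAD, logs string) []byte {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	zw.Write([]byte(logs))
	zw.Close() // neither call can fail when the destination is a bytes.Buffer
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // documented never to fail on Go 1.24+
	return aead.Seal(nonce, nonce, zbuf.Bytes(), nil)
}

// unpack is the MSSP side: verify the tag and decrypt, then gunzip. A blob altered in transit,
// or too short to even hold a nonce, is rejected before any parsing happens.
func unpack(aead cipher.AEAD, blob []byte) (string, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return "", fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	plain, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return "", err
	}
	out, err := io.ReadAll(zr)
	return string(out), err
}

// Alert is one entry in the "small number of alerts" the MSSP returns (step 4).
type Alert struct{ Rule, Subject string }

// analyze is step 3: reduce many raw events to a few alerts. The brute-force rule fires once per
// source, when the threshold is reached; the canary rule echoes the planted event back.
func analyze(logs string) []Alert {
	failed := map[string]int{}
	var alerts []Alert
	for _, line := range strings.Split(logs, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // blank or malformed line
		}
		switch f[2] {
		case "login_failed":
			if failed[f[3]]++; failed[f[3]] == failedLoginThreshold {
				alerts = append(alerts, Alert{"brute_force", f[3]})
			}
		case "canary":
			alerts = append(alerts, Alert{"canary", f[3]})
		}
	}
	return alerts
}

// canaryAcknowledged is the diligence check: the firm knows it planted canary id, so if no alert
// names it, nobody read that batch of logs, whatever the contract promises.
func canaryAcknowledged(alerts []Alert, id string) bool {
	return slices.ContainsFunc(alerts, func(a Alert) bool { return a.Rule == "canary" && a.Subject == id })
}

func main() {
	key := make([]byte, 32) // AES-256 key; a real deployment provisions it out of band
	rand.Read(key)
	aead, err := newAEAD(key)
	if err != nil {
		panic(err)
	}
	logs, err := unpack(aead, pack(aead, sampleLogs)) // firm packs, MSSP unpacks
	if err != nil {
		panic(err)
	}
	alerts := analyze(logs)
	fmt.Printf("%d alerts: %+v\ncanary acknowledged: %v\n", len(alerts), alerts, canaryAcknowledged(alerts, "MSSP-CHECK-001"))
}
```

Three points to take from it: a tampered batch fails the GCM tag check before any parsing, so the analyst side never acts on altered data; a blob too short to hold a nonce is rejected instead of crashing the parser; and the canary is the cheapest concrete answer to "is it really reading the logs?" (plant one per reporting period and treat a missing acknowledgement as a contract issue, however vague the contract's wording).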