ITS 305 - Security Policies and Auditing

Chapter 5, Developing the Security Program

Objectives:

This lesson discusses information security programs. Objectives important to this lesson:

  1. How an information security organization might be structured
  2. How categorizing the duties of an IT security department helps
  3. What an IT security department may contribute to a security education, training, and awareness program
Concepts:

This chapter spends a great many pages covering various ways that organizations of different sizes might construct their IT security  team/division/department. To cut to the chase, larger organizations will have much larger needs, but the way they organize their staff to meet those needs will vary greatly with the size of the organization, the culture of the organization in question, the funding allocated to the IT security function, and changing laws or company rules.

As you might expect, the largest organizations tend to have the most differentiation in the duties of staff. The text lists four functions that might be used as categories for the work related to IT security that is done in a large organization:

  • functions by non-technical staff outside IT - e.g. activities of legal staff and trainers
  • functions by IT staff outside the IT security area - e.g. network administration, program and operating system security activities
  • functions by IT security staff as a customer service - e.g. risk assessment, system evaluation, incident response
  • functions by IT security staff in compliance with laws or rules - e.g. policy making, compliance monitoring

The smaller an organization is, the more likely that some functions in different categories are performed by the same staff.

The authors present a several pages from another text from page 174 to page 183, discussing what part of an organization might be the division that contains the IT security functions. Up to this point, the assumption has been that this is a subset of the functions of the IT department. Several alternatives are discussed, which might be considered by a company that is deciding how it should be structured. According to this discussion, IT security functions might be housed in:

  • an Information Technology department
  • a Security department
  • an Administrative Services department
  • an Insurance and Risk Management department
  • a Strategy and Planning department
  • a Legal department
  • an Internal Auditing department
  • a part of the Help Desk
  • a Facilities Management department
Some of these suggestions will seem more logical to you than others. The point is that the structure of a company depends greatly on how the people who create the structure see the core functions of the company.

We will move ahead to the discussion that starts on page 189 about Security Education, Training, and Awareness (SETA) programs. The text says that such programs offer three main benefits, but we should consider these benefits as goals, since they are not guaranteed:

  • Improving employees' security related behavior
  • Informing employees where to report violations and incidents
  • Enabling the organization to hold employees accountable for their actions
The first goal is useful, and should be ongoing. There will never be an end to information we could share with staff to minimize risk. The second goal sounds a lot like "here's how to rat out your neighbor", but it does not have to be like that. It should be handled more like "here's where to  turn when you need security help". The third goal may need to exist to give employees a reason to think about security issues that they can actually affect. If employees are free to do whatever they please, our SETA program has had no benefit for them or for the company.

As the acronym says, there are three parts to a SETA program, each of which the text breaks down into components in the next several pages:

  • Education - ongoing education for the professionals who perform the customer service and compliance functions noted earlier in the chapter; professional staff in this area will need periodic enhancement of their skills and knowledge, regardless of whether the organization requires staff to pursue formal certification
  • Training - training generally means teaching someone how to do something without necessarily teaching them the formal knowledge that a professional employee may need; training in this sense is the practical information that people need to do a job that is not an IT security job, such as knowing how to update the virus signatures on a workstation, or knowing how to scan a file or a hard drive for viruses;
    training will need to be refreshed or updated as your environment changes;
    different training may be offered to staff who perform different jobs or who have different skill levels
  • Awareness - this part of the program is a reminder to staff to be aware and act on their awareness, to promote new information as needed, to remind users to use the training related to their jobs;
    the text presents several methods of presenting material in an awareness program, much of it resembling advertising