Lecture Professional Practices in IT: Lecture 30 - Saqib Iqbal

Lecture Professional practices in information technology - Lecture 30: Information security. After studying this chapter you will be able to understand: organizational structures, roles and responsibilities, information classification, risk management.

Lecture 30: Information Security (Cont'd)

Overview
- Organizational Structures
- Roles and Responsibilities
- Information Classification
- Risk Management

Organizational Structure
- Organization of, and official responsibilities for, security vary: BoD, CEO, BoD Committee; Director, Manager; IT/IS Security; Audit

Typical Org Chart
- Board of Directors/Trustees
- President
- CIO
- Security Director
- Project Security Architect
- Enterprise Security Architect
- Security Analyst
- System Auditor

Security-Oriented Org Chart
- Board of Directors/Trustees
- President
- CIO
- Security Director
- Project Security Architect
- Enterprise Security Architect
- Security Analyst
- System Auditor
- IT Audit Manager

Further Separation
- Audit Committee
- Board of Directors/Trustees
- President
- CIO
- Security Director
- Project Security Architect
- Enterprise Security Architect
- Security Analyst
- System Auditor
- IT Audit Manager
- Internal Audit

Organizational Structure
- Audit should be separate from implementation and operations
- Independence is not compromised
- Responsibilities for security should be defined in job descriptions
- Senior management has ultimate responsibility for security
- Security officers/managers have functional responsibility

Roles and Responsibilities
Best practices:
- Least Privilege
- Mandatory Vacations
- Job Rotation
- Separation of Duties

Roles and Responsibilities
- Owners: determine security requirements
- Custodians: manage security based on requirements
- Users: access as allowed by security requirements

Information Classification
- Not all information has the same value
- Need to evaluate value based on CIA
- Value determines protection level
- Protection levels determine procedures
- Labeling informs users on handling

Information Classification
Government classifications:
- Top Secret
- Secret
- Confidential
- Sensitive but Unclassified
- Unclassified

Information Classification
Private sector classifications:
- Confidential
- Private
- Sensitive
- Public

Information Classification
Criteria:
- Value
- Age
- Useful Life
