Principle of Information Security Module 3 Information Security Management part 1

Upon completion of this material, you should be able to:

• Describe the different management functions with respect to information security.
  
  
• Define information security governance and list the expectations of the organization’s senior management with respect to it.
  
  
• Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
  
  
• List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization.
  
  
• Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program.
  
  

An organization’s information security effort succeeds only when it operates in conjunction with the organization’s information security policy. An information security program begins with policy, standards, and practices, which are the foundation for the information security program and its blueprint. The creation and maintenance of these elements require coordinated planning. The role of planning in modern organizations is hard to overemphasize. All but the smallest organizations engage in some planning, from strategic planning to manage the future direction of the organization to the operational day-to-day planning to control the use and allocation of resources.

As part of the organization’s management team, the InfoSec management team operates like all other management units. However, the InfoSec management team’s goals and objectives differ from those of the IT and general management communities in that the InfoSec management team is focused on the secure operation of the organization. In fact, some of the InfoSec management team’s goals and objectives may be contrary to or require resolution with the goals of the IT management team, as the primary focus of the IT group is to ensure the effective and efficient processing of information, whereas the primary focus of the InfoSec group is to ensure the confidentiality, integrity, and availability of information.

Security, by its very nature, will slow down the information flow into, through, and out of an organization as information is validated, verified, and assessed against security criteria. Because the chief information security officer (CISO) in charge of the security management team typically reports directly to the chief information officer (CIO), who is responsible for the IT function, issues and prioritization conflicts can arise unless upper management intervenes.