Everyone in an organization needs to be trained and made aware of information security, but not everyone needs a formal degree or certificate in information security. When management agrees that formal education is appropriate, an employee can investigate courses in continuing education from local institutions of higher learning. Several universities have formal coursework in information security. For people who are interested in researching formal information security programs, resources are available, such as the DHS/NSA-designated National Centers of Academic Excellence program. This program identifies universities that have had their coursework and practices in information security reviewed and found to meet national standards. Other local resources can also provide information on security education, such as Kennesaw State University’s Institute for Cybersecurity Workforce Development (cyberinstitute.kennesaw.edu).
Security training provides employees with detailed information and hands-on instruction to prepare them to perform their duties securely. Management of information security can develop customized in-house training or outsource the training program.
Alternatives to formal training programs are industry training conferences and programs offered through professional agencies such as SANS, ISC2, and ISSA. All of these agencies are described in other modules. Many of these programs are too technical for the average employee, but they may be ideal for the continuing education requirements of information security professionals.
A new venue for security training for both security professionals and the average end user is Massive Open Online Courses, which are available from a number of vendors, including Coursera. Many of these courses are free to enroll in, and a certificate of completion is provided upon payment of a nominal fee. The list of available topics ranges from the traditional academic introduction to security to technical topics and general information.
Several resources for conducting SETA programs offer assistance in the form of sample topics and structures for security classes. For organizations, the Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area.
A security awareness program is one of the least frequently implemented but most beneficial programs in an organization. A security awareness program is designed to keep information security at the forefront of users’ minds. These programs don’t have to be complicated or expensive. Good programs can include newsletters, security posters (see Figure 3-8 for an example), videos, bulletin boards, flyers, and trinkets. Trinkets can include security slogans printed on mouse pads, coffee cups, T-shirts, pens, or any object frequently used during the workday that reminds employees of security. In addition, a good security awareness program requires a dedicated person who is willing to invest time and effort in promoting the program, and a champion willing to provide the needed financial support.
The security newsletter is the most cost-effective method of disseminating security information and news to employees. Newsletters can be distributed via hard copy, e-mail, or intranet. Topics can include new threats to the organization’s information assets, the schedule for upcoming security classes, and the addition of new security personnel. The goal is to keep the idea of information security in users’ minds and to stimulate users to care about security. If a security awareness program is not actively implemented, employees may begin to neglect security matters, and the risk of employee accidents and failures is likely to increase.
Information Security Blueprint, Models, and Frameworks
Once an organization has developed its information security policies and standards, the information security community can begin developing the blueprint for the information security program. The organization’s policy will guide the selection and development of the blueprint, and the organization will use the blueprint to guide the implementation of the rest of the security program. This information security blueprint is the plan and basis for the design, selection, and implementation of all security program elements, including policies, risk management programs, education and training programs, technological controls, and program maintenance.
The blueprint is the organization’s detailed implementation of an information security framework. The blueprint specifies tasks and the order in which they are to be accomplished, just as an architect’s blueprint serves as the design template for the construction of a building. The framework is the philosophical foundation from which the blueprint is designed, like the style or methodology in which an architect was trained.
In choosing the framework to use for an information security blueprint, the organization should consider adapting or adopting a recognized or widely accepted information security model backed or promoted by an established security organization or agency. This exemplar framework can outline steps for designing and implementing information security in the organization. Several published information security frameworks from government agencies and other sources are presented later in this module. Because each information security environment is unique, the security team may need to modify or adapt pieces from several frameworks. Experience teaches that what works well for one organization may not precisely fit another.
One of the most widely referenced security models is Information Technology—Code of Practice for Information Security Management, which was originally published as British Standard BS7799. In 2000, this code of practice was adopted as ISO/IEC 17799, an international standard framework for information security by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard has been regularly revised and updated, and today it consists of an entire portfolio of standards related to the design, implementation, and management of an “information security management system.” The version released in 2000 was revised in 2005 to become ISO 17799:2005, and it was then renamed as ISO 27002 in 2007 to align it with ISO 27001.
While the details of the ISO/IEC 27000 series are available only to those who purchase the standard, its structure and general organization are well known and are becoming increasingly significant for all who work in information security. For a summary description of the structure of the most recent standard, ISO 27002:2013, see Table 3-5.
Here is the stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins:
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment(s).
It is designed to be used by organizations that intend to:
- Select controls within the process of implementing an information security management system based on ISO/IEC 27001;
- Implement commonly accepted information security controls;
- Develop their own information security management guidelines.
ISO/IEC 27002:2013 is focused on a broad overview of the various areas of security. It provides information on 14 security control clauses and addresses 35 control objectives and more than 110 individual controls. Its companion document, ISO/IEC 27001:2018, provides information on how to implement ISO/IEC 27002 and set up an information security management system (ISMS). ISO/IEC 27001’s primary purpose is to be used as a standard so organizations can adopt it to obtain certification and build an information security program; ISO 27001 serves better as an assessment tool than as an implementation framework. ISO 27002 is for organizations that want information about implementing security controls; it is not a standard used for certification. Figure 3-9 illustrates the ISO 27001 process.
In the United Kingdom, correct implementation of both volumes of these standards had to be determined by a BS7799-certified evaluator before organizations could obtain ISMS certification and accreditation. When the standard first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems:
- The global information security community had not defined any justification for a code of practice identified in ISO/IEC 17799.
- The standard lacked the measurement precision associated with a technical standard.
- There was no reason to believe that ISO/IEC 17799 was more useful than any other approach.
- It was not as complete as other frameworks.
- The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.
The ISO/IEC 27000 series is becoming increasingly important in the field, especially among global organizations. Many certification bodies and corporate organizations are complying with it or will someday be expected to comply with it.