home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Underworld 2: Forbidden Knowledge
/
Hackers Underworld 2: Forbidden Knowledge.iso
/
HACKING
/
CSL8_93.TXT
< prev
next >
Wrap
Text File
|
1994-07-17
|
12KB
|
241 lines
CSL BULLETIN
August 1993
SECURITY PROGRAM MANAGEMENT
This bulletin discusses the establishment and operation of a
security program as a management function and describes some of
the features and issues common to most organizations. OMB
Circular A-130, "Management of Federal Information Resources,"
June 25, 1993, requires that federal agencies establish computer
security programs. Because organizations differ in size,
complexity, management styles, and culture, it is not possible to
describe one ideal security program.
Structure of a Security Program
Security programs are often distributed throughout the
organization with different elements performing different
functions. Sometimes the distribution of the security function
may be haphazard, based on chance. Ideally, the structure of a
security program should result from the implementation of a
planned and integrated management philosophy.
Figure 1. shows a management structure based on that of an actual
federal agency. The agency consists of five major units, each
with several large computer facilities. Each facility runs
multiple applications. This type of organization needs to manage
security at the agency level, the unit level, the computer
facility level, and the application level.
Managing computer security at multiple levels brings many
benefits. Each level contributes to the overall security program
with different types of expertise, authority, and resources. In
general, the higher levels (such as the headquarters or unit
levels) better understand the organization as a whole, exercise
more authority, set policy, and enforce compliance with
applicable policies and procedures. On the other hand, the
systems levels (such as the computer facility and applications
levels) know the technical and procedural requirements and
problems. The levels of security program management are
complementary; each helps the other be more effective.
Most organizations have at least two levels of security
management. The central security program addresses the overall
management of security within the organization or a major
component of the organization, including such activities as
policy development and oversight. The system level security
program focuses on the management of security for a particular
information processing system. This function includes activities
such as selecting and installing safeguards and may be performed
by users, functional managers, or computer systems personnel.
Central Security Program
A central security program which manages or coordinates the use
of security-related resources across the entire organization
provides these benefits:
Efficiency and Economy
A central program can disseminate security-related information
throughout the agency in an efficient and cost-effective manner.
Information to be shared includes policies, regulations,
standards, training opportunities, and security incident reports.
Internal security-related information, such as procedures which
worked or did not work, virus infections, security problems and
solutions also should be shared within an organization. Often
these issues are specific to the operating environment and
culture of the organization.
Another use of an organization-wide conduit of information is the
increased ability to influence external and internal policy
decisions. A central security program office which speaks for
the entire organization is more likely to be listened to by upper
management and external organizations.
Also the central organization can share information with external
groups as illustrated in Figure 2. Since external interaction
occurs at both the organization and system levels, a central
security organization should be aware of the interactions at the
system level to exploit all important sources.
Sources of Security Information
NIST: Federal Information Processing Standards (FIPS), NIST
Publication List 91, Computer Security Publications,
and the NIST Computer Security BBS.
GSA: Federal Information Resources Management Regulation
(FIRMR) Parts 201-20 and 201-39.
OMB: OMB Circular A-130, Management of Federal Information
Resources, June 25, 1993
FIRST: Forum of Incident Response and Security Teams for
security incident-related information.
The central security program assists the organization in spending
its scarce security dollars more efficiently. Such organizations
can develop expertise and share it, reducing the need to contract
out repeatedly for similar services, such as contingency planning
or risk analysis. The expertise can be resident in the central
security program or distributed throughout the system-level
programs. Another advantage of a centralized program is its
ability to negotiate discounts based on volume purchasing of
security hardware and software.
Oversight
A central security program serves as an independent evaluation or
enforcement function to ensure that organizational subunits
secure resources cost-effectively and follow applicable policy.
With a central oversight function, organizations can take
responsibility for their own security programs, identify and
correct problems before they become major concerns, and avoid
external investigations and audits.
Elements of a Central Security Program
A program manager should be selected as the information
technology (IT) security program manager. The program should be
staffed with able personnel and linked to the program management
function and IT security personnel in other parts of the
organization. The security program requires a stable base in
terms of personnel, funding, and other support. Additionally,
the benefits of an oversight function cannot be achieved if the
security program is not recognized within an organization as
having expertise and authority.
To be effective, a central security program must be an
established part of organization management. If system managers
and applications owners do not consistently interact with the
security program, it becomes an empty token of upper management's
"commitment to security."
A security policy provides the foundation for the IT security
program and is the means for documenting and promulgating
important decisions about IT security. The central security
program should also publish standards, regulations, and
guidelines which implement and expand on policy.
A published mission and function statement grounds the IT
security program into the unique operating environment of the
organization. The statement should clearly establish the
function of the IT security program, define responsibilities for
the IT security program and other related programs and entities,
and provide the basis for evaluating the effectiveness of the IT
security program.
Long-term strategies should be developed to incorporate
security into the next generation of information technology.
Since the IT field moves rapidly, planning for future operating
environments is essential.
A compliance program enables the organization to assess
conformance with national and organization-specific policies and
requirements. National requirements include those prescribed
under the Computer Security Act of 1987, OMB Circular A-130,
Federal Information Resources Management Regulations (FIRMR), and
Federal Information Processing Standards (FIPS).
Liaisons should be established with internal groups including
the information resources management (IRM) office and traditional
security offices (such as personnel or physical security), other
offices such as Safety, Reliability, and Quality Assurance,
Internal Control, and the agency Inspector General. These
relationships facilitate integrating security into the management
of an organization. The relationships must be more than just
sharing information; the offices must influence each other to
assure that security is considered in agency plans for
info