In this video, Kip Boyle introduces the basic functions that make up an effective information security program. Learn about the role of an information security program in an organization.
- [Instructor] Let's survey the typical functions of an information security program. These functions are often performed by separate teams in very large organizations or by a single team in smaller ones. Some of the following functions may be outsourced, especially when the work is highly repetitive and reliable vendors are available. Many medium-sized or smaller companies outsource information security functions to keep costs within their small budgets. The Security Operations Center, or SOC, is the organizational focal point where information systems are monitored to detect incidents, assessed to detect vulnerabilities, and defended when they're under attack.
The SOC may have dedicated rooms at larger organizations. The types of information systems monitored by a SOC include websites, applications, databases, data centers and servers, networks, desktops, and other endpoints. To operate smoothly, your SOC must have clearly spelled-out roles and responsibilities, as well as incident response procedures that describe the steps to be taken when an alert or report is received.
A SOC is typically based around a security information and event management system, or SIEM. A SIEM attempts to create a single pane of glass for the security analysts to monitor the entire organization. A SIEM aggregates and correlates data from security feeds, such as system logs, firewalls, enterprise antimalware systems, vulnerability assessment systems, and intrusion detection and prevention systems. A typical SOC is staffed by analysts, security engineers, and managers.
They are usually trained in computer engineering, cryptography, and network engineering. SOC staff will usually have earned one or more information security credentials. Strategic and tactical business planning is another common information security function. A good example is when the business wants to use a new technology or methodology to make them more competitive. A great information security team will work hard to find ways to use that new technology within the boundaries of the organization's risk tolerance.
This may require the information security team to find new ways of working, such as when agile software development became popular, or deploy new security products, like executive level email encryption. The output of this work is usually a multiyear roadmap. Most information security teams provide cybersecurity guidance to the larger and riskier projects undertaken by the organization. A yearlong migration of a line of business software package from one vendor to another is a good example.
Another example would be the implementation of a cloud-based file sharing service. In each case, the information security team helps the project team make good decisions about how the new system will be implemented, consistent with the information security policy and the organizational risk appetite. Administrative ownership for compliance activities is often found outside the information security department, but it's common for us to provide support to the compliance team for periodic reviews or planning.
An insurance company, for example, will be periodically audited by their state insurance commissioner and many of the questions will be about cybersecurity and you may be the best person to respond. Security administration is another common information security program function. And that may include identity and access management, which is the daily task of creating new user accounts and modifying permissions to allow or deny network access. Another common administrative function is evaluating whether new vendors are secure enough to handle your organization's data.
Finally, your team may need to do firewall administration by adding and modifying firewall rules based on legitimate requests. The final function I want to talk about is risk management, which is the discipline of dealing with uncertainty about your future. As you've probably noticed, risk management is a thematic responsibility woven into all the information security functions. It's also an annual program of work that's designed to uncover and deal with new risks.
I'll describe this process in much more detail in future videos.
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance