Ch 10 - Implementing Information Security Flashcards

1
Q

Story or Vignette

Change control meeting –> well-prepared project plan; Kelvin Urich is feeling confident (he made sure to print enough handouts listing the tasks, subtasks, and action items) –> the meeting gets started, with Naomi walking the change control group through the items smoothly –> then it is time for Kelvin to present the security updates plan. Once he is finished, chaos erupts.

A

Kelvin Urich arrives at the empty conference room for the change control meeting. He is feeling confident that the project plan that he has created for the security updates is complete and well-ordered. Part of his confidence comes from the fact that the technical review committee members had approved his ideas the week prior.

In the handouts, he made sure to include the tasks, subtasks, action items, and had assigned dates to every action step and personnel to each required task.

Naomi (the change control supervisor) gets the meeting started by walking those present through each change control item up for discussion. Most items received the response “as planned”, but occasionally someone answered either “cancelled” or “will be rescheduled”. For the most part, she received the expected response.

Naomi then gets to items pertaining to security which Kelvin is going to brief the change control group on. Kelvin presents his plan and once he is done it’s time for comments or questions.

Instantly, many hands are raised, and Kelvin realizes that many of them belong to technical analysts who had not been on the technical review committee that approved his plan. Additionally, he notices that half the room is busy pulling out calendars and digital assistants.

People begin complaining about the workload being dumped on them and some comment they can’t make this happen on schedule. The meeting basically turns into chaos.

2
Q

Learning Objectives

A
  1. How does an organization’s information security blueprint become a project plan?
  2. What considerations must a project plan address?
  3. What is the significance of a project manager’s role in the success of an information security project?
  4. Be able to describe the need for project management when it comes to complex projects.
  5. Describe technical strategies and models for implementing a project plan.
  6. Anticipate and mitigate the non-technical problems that organizations face in times of rapid change.
3
Q

Project plan aka

A

blueprint for information security

4
Q

Work Breakdown Structure (WBS)

A

A planning tool that breaks the project down into its major tasks, which are then further divided into smaller tasks, subtasks, or action steps.

5
Q

In the WBS planning tool,

What are the attributes of the major tasks that are accounted for?

A
  1. Work to be accomplished (activities & deliverables)
  2. Individuals/Skill-set assigned to perform the task.
  3. Start and end dates for the task
  4. Amount of effort required (in hours or work days)
  5. Estimated capital expenses
  6. Estimated non-capital expenses
  7. Identification of dependencies between and among tasks
6
Q

Projectitis

A

A condition in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.

7
Q

Deliverable

A

A deliverable is a completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project.

8
Q

RFP

A

Request for proposal

9
Q

resource

A

The skill set or person (often simply called a resource) needed to accomplish a task.

10
Q

Milestone

A

A milestone is a specific point in the project plan when a task that has a noticeable impact on the progress of the project plan is complete.

11
Q

Predecessors and successors (tasks/action steps)

A

Tasks or action steps that come before the specific task at hand are called predecessors, and those that come after the task at hand are called successors.

12
Q

Project scope

A

Project scope describes the amount of time and effort-hours needed to deliver the planned features and quality level of the project deliverables.

13
Q

Project Planning Considerations

A
  1. Financial Considerations - CBA - Cost-Benefit Analysis
  2. Priority considerations
  3. Time and Scheduling Considerations
  4. Staffing Considerations
  5. Procurement Considerations
  6. Organizational Feasibility Considerations
  7. Training and Indoctrination Considerations
  8. Scope Considerations
14
Q

The Need for Project Management

A
  1. Supervised Implementation - choose the leader, and from which community of interest (IT, CISO, CIO).
  2. Executing the Plan - a negative feedback (cybernetic) loop: progress is measured periodically, and corrective action is taken for deviations in effort/money, scheduling impact, or quality/quantity of deliverables.
  3. Project Wrap-up - a final report and a presentation. The goal of the wrap-up is to resolve any pending issues, critique the overall project effort, and draw conclusions about how to improve the process for the future.
15
Q

Technical Aspects of Implementation

A
  1. Conversion Strategies
  2. Prioritization among multiple components
  3. Outsourcing
  4. Technology governance
16
Q

Conversion strategies

A

The strategy to move from the old system or process to the new one.

4 Basic Approaches:

  1. Direct changeover
  2. Phased implementation
  3. Pilot implementation
  4. Parallel operations
17
Q

Pilot implementation

A

In a pilot implementation, the entire security system is put in place in a single office, department, or division, and issues that arise are dealt with before expanding to the rest of the organization.

18
Q

Direct Changeover

A

Also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new.

19
Q

Phased Implementation

A

A phased implementation is the most common conversion strategy and involves a measured rollout of the planned system, with a part of the whole being brought out and disseminated across an organization before the next piece is implemented.

20
Q

Parallel Operation conversion strategy

A

The parallel operations strategy involves running the new methods alongside the old methods. In general, this means running two systems concurrently; in terms of information systems

21
Q

Bull’s-Eye Model

A

A proven method for prioritizing a program of complex change is the bull’s-eye method. This methodology, which goes by many different names and has been used by many organizations, requires that issues be addressed from the general to the specific, and that the focus be on systematic solutions instead of individual problems.

22
Q

Negative feedback loop

or cybernetic loop

A
23
Q

4 levels of the Bull’s Eye model

A
  1. Policies
  2. Networks
  3. Systems
  4. Applications
24
Q

The implications of the 4 layers in the Bull’s Eye Model

A
  1. Until sound and useable IT and information security policies are developed, communicated, and enforced, no additional resources should be spent on other controls.
  2. Until effective network controls are designed and deployed, all resources should go toward achieving this goal (unless resources are needed to revisit the policy needs of the organization).
  3. After policies and network controls are implemented, implementation should focus on the information, process, and manufacturing systems of the organization. Until there is well-informed assurance that all critical systems are being configured and operated in a secure fashion, all resources should be spent on reaching that goal.
  4. Once there is assurance that policies are in place, networks are secure, and systems are safe, attention should move to the assessment and remediation of the security of the organization’s applications. This is a complicated and vast area of concern for many organizations. Most organizations neglect to analyze the impact of information
25
Q

Technology Governance

A

Technology governance, a complex process that organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence, guides how frequently technical systems are updated and how technical updates are approved and funded. Technology governance also facilitates communication about technical advances and issues across the organization.

26
Q

change control process

A

The process through which an organization deals with the impact of technical change on its operations.

27
Q

Importance or Benefits

of the Change Control Process

A
  1. Improve communications across an organization’s units/departments
  2. Enhance coordination between groups within the organization
  3. Reduce unintended consequences by having a process to resolve conflict/disruption
  4. Improve quality of service
  5. Assure management that all groups within the organization are in compliance with its policies
28
Q

Nontechnical Aspects of Implementation

The Human Factor/Interface to Technical Systems

A
  1. The Culture of Change Mgmt.
  2. Considerations for Organization Change
    1. Reducing Resistance to Change from the Start
29
Q

Nontechnical or Human Factors to Implementation

Culture of Change Mgmt.

A

People tend to resist change. We are creatures of habit.

Lewin Change Model:

  1. Unfreezing - hard and fast habits
  2. Moving - transition
  3. Refreezing - integrating the new methods into the org’s culture
30
Q

Reducing Resistance to Change

A
  1. Communicate - prime employees, don’t just drop the bomb of change all at once. Do it over time.
  2. Educate - provide training and as much info as you can along the way.
  3. Involve - Joint Application Development (JAD) - get the end-user/stakeholder involved in the project planning process. Let them have some ownership/stake in the game.
31
Q

Accreditation

A

In security management, accreditation is what authorizes an IT system to process, store, or transmit information. It is issued by a management official and serves as a means of assuring that systems are of adequate quality. It also challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements.

32
Q

Certification

A

certification is “the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.”

33
Q

NSI

NSS

CNSS

NIST

IC

DNI

A

NSI - National Security Information

NSS - National Security Systems

CNSS - Committee for National System Security

NIST - National Institute of Standards and Technology

IC - Intelligence Community

DNI - Director of National Intelligence

34
Q

Tiered Risk Mgmt. Framework

A
35
Q

6 Steps Risk mgmt Framework

A
36
Q

NIACAP Process Overview

system security authorization agreement (SSAA)

A