Roles And Responsibilities Of Security Team

Published Date: 02 Nov 2017

Information Security, Strategies & Policies

By

Dr. M. Hasan Islam

Muhammad Saad Naveed

FA-2012/M. SC. CE/CE/003

Assignment # 1

Muhammad Saad Naveed

Fa-2012-M Sc-CE-CE-003

Information Security, Strategies & Policies by Dr. M. Hasan Islam

Question NO. 1

Specify the objectives of Defense Organization

Operational objectives

Nonoperational/administrative objectives

Strategic objectives

Answer

Operational Objectives

Operational objectives are usually short term objectives that are defined by an organization in peruse of their long term strategic goals.

Information security organizations have operational objectives

Improve the Quality of the services they provide

Improve and advance security techniques

Advanced equipment/software

Cost efficient and flexible services to clients

Provide more controls

Improve internal communications

Administrative Objectives

Administrative Objectives are usually the objectives set by operational objectives and are responsibility of higher authorities to be met and will include the following

Hiring of qualified staff

Increase amount and quality of available resources to meet the operational objectives

Appointment of responsible and qualified security personnel as a team lead

Take an active part in Governments actions, law making programs regarding information security.

Educational program for current staff to increase their expertise

Cooperate and coordinate with other companies and clients in accomplishment of any secure data information system.

Strategic Objectives

Those objectives which are made for a long term company representation and success achievement in the market.

Information security organizations may have some of the following strategic objectives.

Market standing

Should provide better services so that more customers/clients could trust on them

Innovation

Policy of bringing new concepts and design in security infrastructure

Human resource

Creating a good team and update its expertise.

Physical resources

Keeping a good and advanced equipment and facilities

Productivity/Efficiency

Efficient use of the resources relative to the output;

Social Goodwill

Making the organization sound through awareness and be responsive to a broad community of stakeholder

Question NO. 2

Discuss the roles and responsibilities of the security team of organization.

Answer

Roles and Responsibilities of Security team

Security team of an organization is a team that creates and implements the security policies for the protection of the information system of the organization.

Appointment

Now days some organizations are focusing on having their own security team but organizations do go for the third party organization for the protection of their critical data.

In that case security teams are appointed by Information Resource Department of an Organization.

In some cases organization also consider logistics security.

Roles and Responsibilities

Roles and responsibilities of a security team may vary according to the demand of the hiring organizations but some of main roles and responsibilities are as follows

Roles

Generally security teams have their own classification among them for assigning different roles to the security persons.

Security analyzing team

The role of identifying, analyzing and scanning the current architecture of the organization’s data center for loop holes, vulnerability. And make recommendations such as new servers, firewall, camera installation etc.

Risk analyzing team

Identify the risks an organization can face in implementing the recommended security procedures and policies and make certain changes accordingly.

Developers/Designers

Design the recommended security architecture, program, camera installation etc.

Policy making team

Usually a technical report writing team. Documents the security policy.

Responsibilities

A security team is generally responsible for

Identify or mark the vulnerabilities, threats to the organization.

Check the previous record/data regarding any attack and its damages.

Enhance or implement security of applications, network, data center, framework etc.

Identify/analyze risks

Testing the applied security

Review or develop the security policy

Consultation with organization stake holders for developing laws for/against any type of security violation or breach.

Represent the enhanced security mechanism to the stakeholders (org. personals etc.)

Below is a table showing general security team concerns to different areas of responsibility.

Area of Responsibility

Teams with Complete Responsibility (%)

Teams with Partial Responsibility(%)

Teams with No Responsibility(%)

Network

63

33

4

Systems

58

39

3

Data

50

45

5

Applications

28

56

16

Infrastructure

20

40

40

Personnel

18

52

30

Question NO. 3

Answer

Review of Information Security Management System Standards: A Comparative Study of the Big Five

Motivation

The authors motivation is clear and it is concern regarding securing data and protection of critical information system. The main motivation for comparing the big five standards is to know which one is the best, comprehensive widely used and easy to understand and implement and what they focuses on.

The solution

Authors of the paper haven’t provided any solution as it was just a comparison. But improvement in the standards less used or complicated ones may be suggested. Recommendations or suggestions could be made for the organizations using less comprehensive standards. Also suggestions for standard proposing organizations could be made how they can improve theirs.

Evaluation of the comparison

The authors haven’t clearly recommended which standard organizations must choose. They have clearly compared all the standards and in some way made it easy for the new organizations to choose which one suits them.

My analysis

This seems to be a simple comparison on the basis of facts lying around all over the internet. I think research area was chosen to be limited to only the standard proposing organizations may be they could have listed or mentioned some of the known benefits organizations got by implementing these standards. Haven’t discussed that is there a need for standard specific organizations to also implement ISO because the scope of some standards is different means it is not information security.

Future directions

Refinement of standards should be future objective in this research area as well as some sort of complete classification of organizations using these different standards. Some sort of research on organization using these standards.

Questions not answered

Some questions are left

Organizations which choose less comprehensive standards still open to some sort of threat or lack of security management etc. although they are using their relevant standards?

Is there anything organizations can still do for both improving standards?

Why ISO did not covered the standards for those specific companies?

Is there a need for standard specific organizations to also implement ISO?

Do comparison among these standards with different scopes really helpful?

Take away

ISO is more widely used standard because it is more comprehensive, easy to implement where as others are a little specific to few business types.