Mgmt Info Sec Chap 5 Notes


1. What is an information security program?

  • An information security program describes the structure and organization of the effort that strives to contain the risks to the information assets of a company.

2. What functions constitute a complete information security program?

  • A complete information security program is unique to the company, and takes into account business goals and the overall strategic plan, but still balances the need for protecting the assets of the organization.

3. What organizational variables can influence the size and composition of an information security program’s staff?

  • Organizational culture – the value placed on security by managerial staff can define the resources committed to security staff.
  • Size – the size of the company influences the size of the security staff.
  • Security personnel budget – funds allocated to the program.
  • Security capital budget – items in the capital budget can determine staffing needs.

4. What is the typical size of a security staff in a small organization? A medium sized organization? A large organization? A very large organization?

  • Small – may be delegated to an IT staffer or manager.
  • Medium – one full-time manager, with assistance from IT staff.
  • Large – approximately 17–22 employees is suggested by the text.
  • Very large – 49–65 members is suggested by the reading.

5. Where can an organization place the information security unit? Where should (and shouldn’t) it be placed?

  • The text suggests many organizational locations for the InfoSec unit and lists the pros and cons of each. Recommended locations are information technology, administrative services, insurance and risk management, the legal department, or operations.
  • Not recommended locations are security, internal auditing, help desk, accounting and finance, human resources, and facilities management.
  •  The key to any successful placement will be the reporting chain of command and resource allocation.

6. Into what four areas should the information security functions be divided?

  • Functions performed outside of IT management and control, such as legal or training.
  • Functions performed by IT outside of InfoSec – example: network security administration.
  • Functions performed by the InfoSec department, such as risk assessment or vulnerability assessment.
  • Functions performed by the InfoSec department as compliance enforcement – examples include policy creation and compliance audits.

7. What are the five roles that an information security professional can assume?

  • Chief Security Officer
  • Security Manager
  • Security Administrators and Analysts
  • Security Technicians
  • Security Staff

8. What are the three areas of the SETA program?

  • Awareness, Training, and Education

9. What can influence the effectiveness of a training program?

  • Things that may influence the effectiveness of an information security training program include management support, training that is targeted to its audience, retention of information, information overload, and the style of information delivery.

10. What are some of the various ways to implement an awareness program?

  • One way to implement security awareness is to use an array of items including training videos, posters, newsletters, brochures, trinkets, and computer-based training. By varying the method of delivery, the message does not become commonplace and lose its effectiveness.