Keys to Success for the Information Security Officer


Published on December 29, 2008

Author: aSGuest8287

Source: authorstream.com


DTS Introduction - Housekeeping
Welcome! Kelvin Pye, Assistant Director, Office of Business Development & Innovation.
DTS Technology Days: partnering with Gartner Services and others.
Today's discussion with Chris Byrnes covers:
- Structuring and managing an IT security program
- Appropriate metrics for an IT security program
- How an IT security program fits into your overall governance model
- How to manage risk assessment processes in an IT security program

Keys to Success for the Information Security Officer
Chris Byrnes

The Top Five Issues
1. Where does the CISO report?
2. How does governance affect the CISO?
3. How do regulatory compliance issues affect the CISO?
4. What role does the CISO play in the budget process?
5. How does security architecture affect security program management?

1. Where does the CISO report?
It depends on:
- The maturity level of your security program
- The maturity level of risk management by the rest of your organization
You can report directly to the CIO only after you have proven your trustworthiness, professionalism and business focus to the CIO.
You can report outside of the CIO only after the CIO has proven to the executive team that you are successful.

Information Security Maturity
[Chart: maturity (vertical axis) against time (horizontal axis), in four phases, with the share of organizations typically found in each: Blissful Ignorance 30%, Awareness Phase 50%, Corrective Phase 15%, Operations Excellence Phase 5%. Activities marked along the curve: Assess Current State; Establish (or Re-Establish) Security Team; Develop New Policy Set; Initiate Strategic Program Architecture; Institute Processes; Conclude "Catch-Up" Projects; Track Technology and Business Change; Continuous Process Improvement.]
NOTE: Population distributions represent typical, large Global 2000-type organizations.

Over 30% of Organizations say Infosec is not part of IT department
Typical reasons:
- Corporate decision to separate risk control from risk management, usually for compliance reasons
- A suitable reporting point exists: the Chief Risk Officer, or the Head of Security (i.e. physical security or criminal investigation)
- The business model is subject to high levels of cybercrime
- The IT department is already very large and specialized
[Diagram: the infosec function positioned relative to the CIO and the CRO; the space between the two is labelled "Political Wasteland".]

The Fragmentation of the Infosec Team?
- Governance
- Administration
- Monitor & Response
- Enterprise Risk Management
- Operations

2. How does governance affect the CISO?
[Diagram: Enterprise Risk Management and Regulatory Compliance Requirements feeding Corporate & Operational Governance, which defines Authorities, Accountabilities, Policies and Controls; beneath it the chain Corporate Governance, Strategy, Policy, Architecture, Apps.]

3. How do regulatory compliance issues affect the CISO?
[Same diagram as issue 2, with Legal Counsel added as a participant.]

4. What role does the CISO play in the budget process?
[Diagram: the security budget ($) negotiated among the Risk Management Organization, the Business Units and Operations. Labels on the flows: Express Acceptable Risk; Explain Risk Without Technical Terms; Express Risk in Technical Terms; Translate Into Security Requirements.]

The 4I Model for Security Value
Four sources of value from a security program:
- Integrity (reliability of business operations): business process integrity, i.e. confidentiality, availability and accuracy; continuous improvement
- Investment (expected return): expected financial return, brand enhancement, competitive differentiation, future agility
- Indemnity (regulatory and stakeholder exposure): stakeholder support, increased accountability, compliance, improved awareness
- Insurance (risk management): understanding of risk, appropriate risk mitigation

5. How does security architecture affect security program management?
- Security architecture provides a defined level of security (baseline, trust level) to a defined set of resources (trust domain).
- Multiple baseline / multiple trust domain architectures are demanded by many (most?) businesses.
- Security architecture may be a responsibility of the enterprise architecture team – WITH SUPERVISION!

The Activity Cycle of the CISO
- Information Security is maturing.
- Enterprise Risk Management is emergent.
- The role of the CISO is becoming clear.
Let's start by analyzing the audience: Who is looking at the information security function? What are they looking for?

Strategic Planning Assumptions
- As a result of pressure from their value chain partners and regulatory demands for transparency and privacy, 80% of large organizations (90% of publicly held ones) will implement defined, documented security architectures and baselines for over 60% of their IT assets by 2009 (0.7 probability).
- By 2009, 70% of large commercial organizations will have implemented coherent, consistent risk management processes across major classes of risk in response to Board and auditor demands (0.7 probability).

Who Looks for What?
[Diagram.]

The Reality Is Three Views of the Same Object: A Security Program

Priorities
Business, Policy, Process, Behavior, Tools

Melding Three Views
The same priorities (Business, Policy, Process, Behavior, Tools) seen through three views of the program: Controls, Architecture, Process.

The Process View of a Security Program
[Diagram.]

Security Officer's Activity Cycle
[Diagram of the cycle; label: RUN.]

The Govern/Plan/Build/Run Structure
- ISO/IEC 27001:2005 Information Security Management System (ISMS). Intro: Plan – Do – Check – Act. Details: Establish – Implement – Monitor – Maintain.
- Gartner: Govern – Plan – Build – Run.
- These are cycles. All phases are iterative.
- In the Gartner activity cycle the monitor function is explicit in the Run phase.
- 27001 has no reference to governance; it accepts that inputs (requirements and expectations) arrive somehow from "interested parties."

The Process Maturity Process
- Same objectives as QA / Six Sigma / ISO 9000; conceptually similar to ITIL.
- Formal definition and maturity assessment of individual security-related processes (SEI/CMM equivalent).
- Maturation plan for low-maturity processes.
- RACI analysis and simplification.

Four (?) Run Functions
- Communications & Relationship Management
- Risk & Controls Assessment
- Identity & Access Management
- Threat & Vulnerability Management

The Controls View of a Security Program
[Diagram: Controls View; labels G, RA, Controls.]

What Is A Control?
A control is made up of:
- Policy (accountability)
- Process (metrics, accountability)
- Technology (automation)

ISO/IEC 17799:2005
- Being renumbered as ISO/IEC 27002 (expected in 2007)
- Explicitly a control structure
- A subset of COBIT 4.0, and maps to it
- Eleven sections (up from 10)

The Architecture View of a Security Program
Architecture View: restates the three points from issue 5 above (defined level of security for a defined trust domain; multiple baselines and trust domains; ownership by the enterprise architecture team, with supervision).

Typical Content and Structure
[Diagram: a grid of three viewpoints (Business, Information, Technical) against three levels (Conceptual, Logical, Implementation), populated with the artifacts listed on the next slide.]

Typical Contents – Security Architecture
- Vision/strategy
- Conceptual level: services framework, process model, role model, policy framework, classification framework, trust level definitions, conceptual design models
- Logical level: organization models, security information flow models, design principles, logical design models, trust models, trust domain models, requirements templates
- Implementation level: organization architecture, security information architecture, information classification register, technical reference models, security infrastructure architectures, security services architecture, application security architectures

The Role of the CISO
- Translate business and regulatory requirements into policy, technical standards and controls
- Bring together process, architecture and controls perspectives into a single program
- Assure compliance to policy
- Measure compliance to policy
- Assure the sufficiency of policy

Recommendations
- Search for staff with good communications skills and an understanding of your business.
- Develop a process-oriented security program.
- Assign ownership and accountability for the risk management function, minimizing conflicts of interest and separation-of-duties issues.
- Develop a continuous risk assessment process.
- Continuously monitor, measure, and report security posture to management.
- Build greater levels of accountability, transparency and measurability into security controls.

Q&A

Department of Technology Services
Thank you. Slides will be available on the DTS website, as well as a recording of this session. Please complete the evaluation form and leave your business card at the registration desk.
Next Event – DTS Customer Forum at the GTC West 2006 Conference, May 18th, 2:00 – 4:00 PM, Sacramento Convention Center, Room 311.
Coming soon: "The Demystification of Identity Management".
