CISO
• Heading an office with the mission and resources to assist in ensuring agency compliance with information security requirements;
• Periodically assessing risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
• Developing and maintaining risk-based, cost-effective information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each agency information system to ensure compliance with applicable requirements;
• Facilitating development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
• Ensuring that agency personnel, including contractors, receive appropriate information security awareness training;
• Training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities;
• Periodically testing and evaluating the effectiveness of information security policies, procedures, and practices;
• Establishing and maintaining a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
• Developing and implementing procedures for detecting, reporting, and responding to security incidents;
• Ensuring preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency; and
• Supporting the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.
Ahmed Baig, CISO at Abu Dhabi Government Entity - Establishing effective risk management framework for compliance
Ahmed Qurram Baig
Information Security & GRC Expert
ESTABLISHING EFFECTIVE RISK MANAGEMENT FRAMEWORK FOR COMPLIANCE
"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." - Sun Tzu
AGENDA
• Challenges & benefits of information security governance
• Characteristics of an effective information security governance program
• Discussing industry's best practices and steps in the information security program lifecycle
Ahmed Qurram Baig, Copyright, 2013.
CHALLENGES TO RISK MANAGEMENT & GOVERNANCE
• Balancing extensive requirements originating from multiple governing bodies.
• Balancing legislation and company-specific policy.
• Evolution to support different requirements and new legislation.
• Prioritizing available funding according to the requirements introduced.
BENEFITS OF RISK MANAGEMENT & GOVERNANCE
• Strategic Alignment
• Risk Management
• Convergence & Business Process Assurance
• Resources Management:
  • Governance provides clarity of roles and responsibilities
  • Governance empowers the people responsible with authority
• Monitoring & Performance Measurement
• Value Delivery
INFORMATION SECURITY, RISK & GOVERNANCE FRAMEWORK
[Diagram: framework in which Senior Management (Steering Committee & Executive Management) and the ERM / CISO / Steering Committee or Information Security Forum drive Strategic Planning, Business Strategy, Risk Management / Information Security Strategy, Organization Structure, Roles and Responsibilities, Enterprise Security Architecture, Implementation, and Policies and Standards Guidance; inputs are Business & Regulatory Requirements, Risk Assessment, and Business Impact Analysis, closed by Monitoring & Reporting.]
STEPS: INFORMATION SECURITY FOR RISK MANAGEMENT, GOVERNANCE & COMPLIANCE
• Define and enumerate the desired outcomes
• Assess current security and required state
• Describe the attributes and characteristics of current and desired state
• Perform a gap analysis to identify prerequisites to reach the desired state
• Determine available resources and constraints
• Develop a roadmap to address gaps using available resources and constraints
• Develop control objectives and controls supporting the strategy
ENTERPRISE SECURITY ARCHITECTURE & RISK MANAGEMENT
[Diagram: Business Architecture (Business & Services, Information Systems, Employees & Third Party Staff, Locations & Facilities) over the Data, Application, Host, and Network layers; Risk Management and Security Architecture elements across them: Roles and Responsibilities, Authority Matrix, Recruitment Process, Disciplinary Process, Access Management, Security Awareness, Goals and Objectives, KPI & KRI (Key Risk Indicators), Regulations & Compliance, Physical Security, Technology Security, Policies and Standards, with Assurance spanning all layers.]
INFORMATION SECURITY & RISK MANAGEMENT ACTIVITIES
Governance and Strategic Security
• Security Program Management
• Policies/Procedures Creation and Review
• Enterprise Security Architecture
• Audit & Compliance Readiness
Operational Security
• Security Operations
• Incident & Breach Response
• Penetration Testing
• Vulnerability Scanning / Management
• Software and Application Security
Risk Management
• Independent Assessments
• Continuous Monitoring & Reporting
Cross-cutting: Security Awareness & Education
Dimensions: People, Process, Technology, Partners