A Global Info Sec Policy Strategy

  1. X Company Global Information Security Policy and Standards – Strategy for global enterprise adoption. Harry Contreras, CISSP - Phoenix, AZ
  2. Global Information Security – Global Information Security Policy Presentation. Presentation Date -
     Agenda: Global Information Security Policy Development and Adoption Strategy
     • Policy program overview and strategy
     • Review present state of X-Co InfoSec Policy
     • Intranet site presence and relationships
     • Interdependencies to negotiate and maintain
     • Concurrence on stated future direction & strategy
  3. Information Security Policy – Program Lifecycle (Collaborate, Converge, Adopt, Govern)
     Collaborate: With stakeholders define required policy, standards and processes to protect X-Co interests and meet business needs.
     • Key benefits: Corporate policy meets global X-Co business requirements; regulatory requirements met in corporate program
     Converge: Unify divergent policy into the corporate body of works. Focus business unit policy reference sites to point to corporate site.
     • Key benefits: Multiple policies are now one; OpCos can focus on business issues
     Adopt: Authorize, endorse the corporate policy & standards for global implementation. Communicate via compliance & security awareness programs. Content delivery via Intranet site vehicle.
     • Key benefits: Recognized as authoritative policy; translated for global employee population
     Govern: Initiate policy governance body to oversee and underwrite policy actions to maintain currency and relevancy for the global X-Co enterprise.
     • Key benefits: Policy council oversight; annual review addresses changes in business climate, risks and new regulatory issues
  4. Information Security Policy – Program Timeline
     Policy Program Delivery Milestones for a “C-Level” audience (in the format of your choice): layout of a “high-level” timeline with milestones and key events over time, Q1-Year through Q4-Year.
     Phases: Collaborate, Converge, Adopt, Govern
  5. Information Security Policy – Program Timeline
     Milestone (Timeline Entry): Description / Forecast
     • Policy Finalization Activity for Version 1.0 (Mm/Dd/Yyyy): Initial review period and vetting of policy content by X-Co & OpCo stakeholders and authorizers
     • Policy Authorization and Endorsement (Mm/Dd/Yyyy): InfoSec Policy Version 1.0 is endorsed by C-Level Officers. CISO and CCO of X-Co sign off on InfoSec policy for the enterprise
     • Policy Communication Plan Launch (Mm/Dd/Yyyy): Communications to all X-Co, OpCo Management and IT leadership with announcement of “Compliance by Date” for the company
     • Global InfoSec Governance Council Formed (Mm/Dd/Yyyy): Global InfoSec council formed to represent corporate and OpCo IT security interests for the enterprise
     • Develop policy revision changes for Policy v1.0 (Mm/Dd/Yyyy): Compilation period begins to assimilate changes to present policy in preparation of the InfoSec Policy Version 2.0
     • Proposed Policy Changes for Policy V2 - Freeze (Mm/Dd/Yyyy): Period ends for accepting proposed policy changes to developing InfoSec Policy version 2.0
     • Proposed Compliance Date for Policy V1.0 (Mm/Dd/Yyyy): Company-wide compliance by date for InfoSec Policies from version 1.0 (1 Mm/Dd/Yyyy)
     • Annual Policy Review Cycle for Version 2.0 (Mm/Dd/Yyyy): Global InfoSec Governance council reviews and assesses proposed changes to Policy version 1.0 in preparation for delivering Version 2.0
     • InfoSec Governance Council Accept Policy Version 2.0 (Mm/Dd/Yyyy): Global InfoSec Governance council approves InfoSec Policy version 2.0 and forecasts future compliance by date
     Note: Develop a “high-level” Project Plan WBS for presentation of developing plan milestones.
     Phases: Collaborate, Converge, Adopt, Govern
  6. Information Security Policy Development & Strategy – Approach for Collaboration and Convergence
     Establish top-level Intranet presence for InfoSec Policy
     • Utilize corporate intranet site: intra.X-Co.com
     • Serve up policy & standards in document repository
     • Distribute linkage to other OpCos
     Integrate cross-linkages with existing OpCo policy sites
     • As corporate body of content increases
     • Converge OpCo policies & remove site references
     Phases: Collaborate, Converge
  7. Information Security Policy – Site Relationships
     Diagram: the Corporate Intranet Site (Intranet.X-Co.com) linked to the OpCo Intranet Sites of OpCo A, OpCo B, OpCo C, OpCo D and OpCo E.
     Phases: Collaborate, Converge
  8. Converged Information Security “Portal” Page – X Company Intranet Site, Corporate Security Page (Policy Hosting Location)
     Corporate Global Information Security Policy & Standards Library
     • Information Security Policy
     • Security Position Statements
     • Security Standards
     • Code of Business Conduct
     Overview & Introduction
     Security Awareness Content
     • CISO quarterly remarks
     • Today’s Hot Topics
     • Awareness Library
     • Tools & Resources
     Policy & Standards Repository
     Security Topic – Quick Reference
     Security Awareness Section
     Links to OpCo policy content / Links to Policy sites
     • Marsh
     • Mercer
     • Guy Carpenter
     • Oliver Wyman
     • Kroll
     Incident Reporting
     • Report an Incident here
     Note: Content and presentation format to be collaboratively developed with Communications.
     Phases: Collaborate, Converge
  9. Information Security Policy & Standards – Framework
     Overarching Global Policy (Core): Authorized & Endorsed
     • IT Security Policy Manual – implementation policy details
     Acceptable Use Policy (AUP): Acceptable Use, Privacy and Data Protection Policy, endorsed by Human Resources, Legal and Compliance
     • Collaborate on preexisting content from OpCos for AUP convergence into these two categories
     Security Position Statements (Core): Addresses new technologies & mitigating immediate business risks
     Subordinate Security Standards: Detailed technology specs; required compliance controls
     Security Awareness Content: Awareness Library of Tools & Resources
     Diagram: Security Position Statements, IT Security Policy Manual, IT Security Standards, IT Security Awareness Materials
     Phases: Converge, Adopt
  10. Strategy for Adoption and Governance within X-Co
     Obtain Authority and Endorsements
     • CISO – Chief Information Security Officer
     • CCO – Chief Compliance Officer acknowledgement
     • CIOs of the Operating Companies
     • Global InfoSec Council (Governance over InfoSec policy)
     • Legal, Human Resources and Compliance stakeholders
     Partnerships and Socialization
     • Corporate Communications
     • Internal Audit
     • Compliance Organizations (e.g. SOX, HIPAA)
     Communicate
     • Promotion through Communications functions
     • Security Awareness Campaign (Year)
     Phases: Adopt, Govern
  11. Information Security Policy Governance
     IT Security Policy Development
     • Global InfoSec Council – Governance participation
     • IT Security Policy Content Review Cycle (Annual)
     Communications
     • Intranet Content Publication
     • IT Security Bulletins and Alerts
     • User Awareness Campaign Development
     Phases: Govern
  12. Critical Success Factors
     Build Relationships with All OpCos and include them in the Governance body
     Define & “converge” Information Security Processes
     • Set up GIS Intranet Policy Service Page
     • Automate policy services and support
     Deploy Updated Security Policy and Standards
     • IT Security Policy Education with Business Units
     Phases: Govern
  13. Information Security Policy – Summary: Collaborate, Converge, Adopt and Govern
     Sustaining Objectives
     • Security – Be recognized as the visionary security leaders that collaboratively consult with the business.
     • Security – Enable the business with compliant and consistent security policy and controls focused on secure future computing within the X-Co environment.
     • Security – Ensure governed, integrated protection for the entire X-Co enterprise and its resources.
     Protecting Colleagues, Clients and Corporate Assets of X-Co, Inc.
     Phases: Collaborate, Converge, Adopt, Govern