Information Security Governance

Published in: Business, Technology


  1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, CGEIT, CRISC, CISM, CISSP, CISA, ISO 27001 Lead Auditor, SABSA-F2, CNA
  2. INFORMATION SECURITY GOVERNANCE
     • FRAMEWORK
     • VISION
     • TERMS OF REFERENCE
     • GOALS
     • BUSINESS BENEFITS
     • CRITICAL SUCCESS FACTORS
     • KEY PERFORMANCE INDICATORS
     • MONITORING
     • ARCHITECTURE
  4. Governance Framework Defined
     • A Vision is a broadly defined, clear and compelling statement about the Enterprise's purpose for Enterprise Security.
     • Strategic Objectives are the set of goals that are necessary and sufficient to move the Enterprise towards its vision for Enterprise Security.
     • Critical Success Factors (CSF) are the set of outcomes that must be achieved for the strategic objectives for Enterprise Security to be met.
     • Key Performance Indicators (KPI) are concrete metrics tracked to confirm that Enterprise Security's critical success factors are being achieved.
     • Key actions and business changes are the initiatives to be delivered in order to achieve the Enterprise Vision and Strategic Objectives for Enterprise Security.
     (Diagram: Vision → Strategic objectives → CSFs → KPIs / targets → Key actions / business changes)
  6. "We will build and implement an information security program which will identify threats and risks to the Enterprise's information assets and system resources, including human assets, before they become an employee or management concern."
  8. Purpose: Management shall review the organization's Information Security Management System (ISMS) at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (ISO/IEC 27001:2005 clause 7.1; records are controlled under clause 4.3.3. Note that the 2013 revision of the standard moves management review to clause 9.3.)
     Goals: The ISMS Management Review Committee has been formed to provide an effective joint forum which will contribute to the following goals:
     • Decision making which supports the Corporate Security Office (CSO) program;
     • Balanced and informed review and advisory services contributing to a range of CSO planning, service delivery and issue resolution activities; and
     • Proactive CSO alignment with higher-level joint governance functions to improve effectiveness and efficiency within the CSO domain.
  9. Committee Functions: Review input (ISO/IEC 27001:2005 clause 7.2)
     The input to a management review shall include:
     a) results of ISMS audits and reviews;
     b) feedback from interested parties;
     c) techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
     d) status of preventive and corrective actions;
     e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
     f) results from effectiveness measurements;
     g) follow-up actions from previous management reviews;
     h) any changes that could affect the ISMS; and
     i) recommendations for improvement.
  10. Review output (ISO/IEC 27001:2005 clause 7.3)
     The output from the management review shall include any decisions and actions related to the following:
     a) Improvement of the effectiveness of the ISMS.
     b) Update of the risk assessment and risk treatment plan.
     c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
        1) business requirements;
        2) security requirements;
        3) business processes affecting the existing business requirements;
        4) regulatory or legal requirements;
        5) contractual obligations; and
        6) levels of risk and/or criteria for accepting risks.
     d) Resource needs.
     e) Improvement of how the effectiveness of controls is being measured.
  11. Day-to-day management of Information Security Governance is the responsibility of the Chief Information Security Officer. The Information Security Governance Committee provides oversight and convenes as often as necessary. The committee usually meets more often during implementation; afterwards, meetings are held every 3 to 6 months, or whenever a security incident occurs.
  12. Governance responsibilities by management level, across the six outcomes: Strategic Alignment, Risk Management, Value Delivery, Performance Measurement, Resource Management and Process Assurance.
     Board of Directors
     • Strategic Alignment: Require demonstrable alignment
     • Risk Management: Institute a policy of risk management in all activities and ensure regulatory compliance
     • Value Delivery: Require reporting of Enterprise Security activity costs
     • Performance Measurement: Require reporting of Enterprise Security activity effectiveness
     • Resource Management: Institute a policy of knowledge management and resource utilization
     • Process Assurance: Institute a policy of assurance process integration
     Executive Management
     • Strategic Alignment: Institute processes to integrate Enterprise Security with business objectives
     • Risk Management: Ensure roles and responsibilities include risk management in all activities and monitor regulatory compliance
     • Value Delivery: Require business case studies of Enterprise Security initiatives
     • Performance Measurement: Require monitoring and metrics for Enterprise Security activities
     • Resource Management: Ensure processes for knowledge capture and efficiency metrics
     • Process Assurance: Provide oversight of all assurance functions and plans for integration
     Management Review Committee
     • Strategic Alignment: Review Enterprise Security strategy and integration efforts, and ensure business owners support integration
     • Risk Management: Identify emerging risks, promote Enterprise Security practices in the business units and identify compliance issues
     • Value Delivery: Review how accurately Enterprise Security initiatives serve business functions
     • Performance Measurement: Review and advise on Enterprise Security initiatives and ensure they meet business objectives
     • Resource Management: Review processes for knowledge capture and dissemination
     • Process Assurance: Identify critical business processes and assurance providers, and direct integration assurance efforts
     Enterprise Security Office
     • Strategic Alignment: Develop Enterprise Security strategy, oversee the Enterprise Security program and initiatives, and liaise with business process owners for ongoing alignment
     • Risk Management: Ensure risk and business impact assessments, develop risk mitigation strategies, and enforce policy and regulatory compliance
     • Value Delivery: Monitor utilization and effectiveness of Enterprise Security resources
     • Performance Measurement: Develop and implement monitoring and metrics approaches, and direct and monitor Enterprise Security activities
     • Resource Management: Develop methods for knowledge capture and dissemination, and metrics for effectiveness and efficiency
     • Process Assurance: Liaise with other assurance providers, and ensure that gaps and overlaps are identified and addressed
  13. Governance over policies, procedures and standards can be communicated using a RACI chart (Responsible, Accountable, Consulted, Informed). It is an effective tool that visually sums up each step of the process and lets managers and employees handle their part of the process effectively and efficiently.
  15. Terms of Reference
     • Develop an innovative Information Security Program that identifies risks and implements safeguards to mitigate those risks.
     • The Information Security Program must meet all of the Enterprise's expectations while having little impact on existing budgets and/or schedules.
     • Develop an effective, efficient Information Security Program that enhances all services provided by the Enterprise without impeding existing services to our clients.
     • Isolate and mitigate potential risks and/or threats before an issue develops into an employee or management concern or problem.
     • Enhance the Enterprise's ability to attract and retain customers, investors and partners through its ability to protect information efficiently and effectively.
  17. Goals
     • Reduce risks and threats to the Confidentiality, Integrity and Availability of the Enterprise's Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.
     • Improve the effectiveness and efficiency of Information Security Management by implementing a world-class best-practice framework for consistent, concise security administration.
     • Improve the effectiveness and efficiency of existing security mechanisms by formalizing new practices to monitor compliance and maintain awareness of sensitive data.
     • Improve assurance testing and validation outcomes by Internal Audit and External Auditors, to further assure the Enterprise's Investors, Board of Directors and Executive Management Team that the Enterprise's Information Assets and System Resources are secure.
     • Reduce the likelihood of an accidental incident caused by Enterprise staff that could adversely affect the Enterprise's reputation or liabilities and lead to financial losses, by providing an ongoing information security education and awareness program.
  19. Critical Success Factors
     • Information security policy, objectives and activities that reflect business objectives
     • An approach and framework for implementing, maintaining, monitoring and improving information security that is consistent with the Enterprise's culture
     • Visible support and commitment from all levels of management, especially Executives
     • A good understanding of the information security requirements, risk assessment and risk management
     • Effective marketing of information security to all managers, employees and other parties to achieve awareness
     • Distribution of guidance on information security policy and standards to all managers, employees and other parties
     • Provision of funding for information security management activities
     • Providing appropriate awareness, training and education
     • Establishing an effective information security incident management process
     • Implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement
  21. Key Performance Indicators
     Strategic Alignment
     • Enterprise Security Office activities do not materially hinder business
     • The Enterprise Security Office program enables business activities
     • Enterprise Security Office activities have provided predictable, robust operations
     • Security incidents have not significantly impacted business operations
     • Trends for adverse impacts are continuously improving
     • The Enterprise Security Office organization is responsive to business requirements
     • The cost of Enterprise Security Office measures is appropriate and generally tracks the degree of risk and the value of assets
     • The Enterprise Security Office group understands the business objectives
     Risk Management
     • Cost-effectiveness of risk mitigation
     • Reduction in residual risk
     • Reduction in open vulnerabilities
     • Reduction of significant risks
     • Reduction in adverse impacts
     • Improved response time to new risks
     • Systematic, continuous risk management
     • Periodic risk assessments
     • Tested business continuity planning (BCP) and disaster recovery (DR)
     • Completeness of asset valuation and assignment of ownership
     • Meeting recovery time objectives (RTO) during testing
  22. Business Process Assurance
     • No gaps exist in information asset protection
     • All assurance activities are demonstrably integrated
     • Roles and responsibilities are well defined, with concise interfaces
     • Responsibility and accountability are clearly defined
     • The steering committee has representatives of all assurance functions
     Value Delivery
     • Enterprise Security Office activities achieve strategic objectives on budget
     • The cost of the Enterprise Security Office is proportional to the value of assets
     • Enterprise Security Office resources are allocated by degree of assessed risk
     • Aggregate protection costs are a function of revenues or asset valuation
     • Utilization of controls: rarely used controls are not likely to be cost-effective
     • The number of controls needed to achieve acceptable risk and impact levels: fewer effective controls can be expected to be more cost-effective than a larger number of less effective controls
     • The effectiveness of controls as determined by testing: marginal controls are not likely to be cost-effective
  23. Resource Management
     • The frequency of problem rediscovery
     • The effectiveness of knowledge capture and dissemination
     • Clearly defined roles and responsibilities for IT security functions
     • IT security functions are incorporated into every project plan
     • Information assets and related threats that are covered by security resources
     Performance Management
     • The time it takes to detect and report incidents
     • The number and frequency of unreported incidents
     • Benchmarking security costs against comparable organizations
     • Effectiveness and efficiency of controls
     • Trends in audit findings
     • Compliance metrics
     • Time for variance resolution
     • Trends in impacts
     • Downtime for critical systems
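The Performance Management indicators above only become useful to a management review once they are computed the same way every period and compared against a target. The following is an added example, not code from the deck: it takes a handful of constructed incident records and quarterly audit-finding counts and rolls them up into the time-to-detect, time-to-report, unreported-incident, critical-downtime and audit-trend indicators. The record layout, the field names and the target values are assumptions chosen for illustration.

```python
"""Roll-up of the Performance Management KPIs from incident and audit records.

Added example (not from the original deck). The record fields and target
values below are assumptions for illustration, not a standard schema.
"""
from datetime import datetime
from statistics import mean, median

# Constructed incident records with ISO 8601 timestamps. "occurred" is when the
# incident actually began (established during investigation), "detected" when it
# was noticed, "reported" when it reached the security office, "resolved" when
# service was restored. "reported" is None for an incident that never went
# through the incident process and was only found later, e.g. during an audit;
# that is what the "unreported incidents" KPI counts.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-01-03T08:00", "detected": "2023-01-03T09:30",
     "reported": "2023-01-03T10:00", "resolved": "2023-01-03T14:00", "critical": True},
    {"id": "INC-2", "occurred": "2023-02-10T22:00", "detected": "2023-02-11T04:00",
     "reported": "2023-02-11T09:00", "resolved": "2023-02-11T11:00", "critical": False},
    {"id": "INC-3", "occurred": "2023-03-15T12:00", "detected": "2023-03-15T12:30",
     "reported": None, "resolved": "2023-03-15T13:00", "critical": True},
    {"id": "INC-4", "occurred": "2023-04-01T00:00", "detected": "2023-04-01T02:00",
     "reported": "2023-04-01T02:15", "resolved": "2023-04-01T03:00", "critical": False},
]

# Constructed count of open audit findings per quarter, oldest first.
AUDIT_FINDINGS = [("2022-Q1", 12), ("2022-Q2", 10), ("2022-Q3", 9), ("2022-Q4", 7)]

# Assumed targets the committee agreed for this period (lower is better).
TARGETS = {"median_time_to_detect_h": 2.0, "median_time_to_report_h": 1.0,
           "unreported_incidents": 0, "critical_downtime_h": 8.0}


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def time_to_detect(incidents):
    """Hours from when an incident began to when it was detected (mean and median)."""
    durations = [_hours(i["occurred"], i["detected"]) for i in incidents]
    return {"mean_h": mean(durations), "median_h": median(durations)}


def time_to_report(incidents):
    """Hours from detection to report, over the incidents that were actually reported."""
    durations = [_hours(i["detected"], i["reported"]) for i in incidents if i["reported"]]
    return {"mean_h": mean(durations), "median_h": median(durations)}


def unreported_incidents(incidents):
    """IDs of incidents that were resolved without ever being reported."""
    return [i["id"] for i in incidents if i["reported"] is None]


def critical_downtime_hours(incidents):
    """Total hours that business-critical systems were down, from start of incident to resolution."""
    return sum(_hours(i["occurred"], i["resolved"]) for i in incidents if i["critical"])


def trend(series):
    """Direction of a lower-is-better series, from the sign of its least-squares slope."""
    ys = [value for _, value in series]
    if len(ys) < 2:
        return "flat"  # a single period has no trend
    xs = range(len(ys))
    x_bar, y_bar = mean(xs), mean(ys)
    slope = (sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
             / sum((x - x_bar) ** 2 for x in xs))
    if slope < 0:
        return "improving"
    if slope > 0:
        return "worsening"
    return "flat"


def kpi_dashboard(incidents, findings, targets):
    """Each KPI as (value, met_target), the form a management review would see."""
    ttd = time_to_detect(incidents)["median_h"]
    ttr = time_to_report(incidents)["median_h"]
    unreported = len(unreported_incidents(incidents))
    downtime = critical_downtime_hours(incidents)
    audit = trend(findings)
    return {
        "median_time_to_detect_h": (ttd, ttd <= targets["median_time_to_detect_h"]),
        "median_time_to_report_h": (ttr, ttr <= targets["median_time_to_report_h"]),
        "unreported_incidents": (unreported, unreported <= targets["unreported_incidents"]),
        "critical_downtime_h": (downtime, downtime <= targets["critical_downtime_h"]),
        "audit_findings_trend": (audit, audit == "improving"),
    }


if __name__ == "__main__":
    for name, (value, ok) in kpi_dashboard(INCIDENTS, AUDIT_FINDINGS, TARGETS).items():
        print(f"{name:28} {value!s:>10}  {'on target' if ok else 'MISSED'}")
```

Two choices are deliberate: the median, not the mean, is compared against target, so one long-running incident (INC-2) does not mask a generally good detection time; and time-to-report is computed only over reported incidents, while the unreported ones are surfaced as their own indicator rather than silently dropped, which is how the "number and frequency of unreported incidents" KPI stays visible on the dashboard.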
  24. Key Actions
     • Adopt an Information Security framework
     • Implement Enterprise Security Governance
     • Facilitate adoption of a Risk Management Methodology
     • Implement a Security Monitoring System
     • Facilitate harmonization of Access Control and Identity processes
     • Lead implementation of a Continuous Improvement process
     • Develop and implement a Communications Strategy, including Awareness Training
  26. Risk Treatment Plans are defined by Corrective Action plans and Preventive Action plans (CAPA). The RTP is essentially a rolled-up dashboard used by the Information Security Governance Committee to track and monitor CAPA.
  27. It is important for Information Security Governance to support and communicate with the Board of Directors and Executive Team on a common theme, Risk Management. This is accomplished by reporting against the Enterprise Risk Management program.
  28. Information Security Governance has close linkages to compliance risk and environmental risk.
  29. One of the Information Security program's most obvious linkages to Enterprise Risk Management is operational risk.
  31. The Information Security Program is driven by a Risk Management Methodology integrated within the organization and its Executive Portfolios. In addition, several processes within the program provide services to the organization. The following slide takes this one level further, showing where the information security program fits into the overall organization.
  33. For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard