Iso 27001 isms program governance with Mark E.S. Bernard

GOVERNANCE FRAMEWORK, ENTERPRISE SECURITY, VISION, GOALS, BUSINESS BENEFITS, CRITICAL SUCCESS FACTORS, KEY PERFORMANCE INDICATORS, ROLES & RESPONSIBILITIES

Published in: Business, Technology
1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
2.
• Governance Framework
• Enterprise Security Vision
• Goals
• Business Benefits
• Critical Success Factors
• Key Performance Indicators
• Roles & Responsibilities
4. Governance Framework Defined
• A Vision is a broadly defined, clear and compelling statement about the Enterprise’s purpose for Enterprise Security.
• Strategic Objectives are a set of goals that are necessary and sufficient to move the Enterprise towards its vision for Enterprise Security.
• Critical Success Factors (CSF) are a set of outcomes that are necessary to achieve the strategic objectives for Enterprise Security.
• Key Performance Indicators (KPI) are concrete metrics tracked to ensure that Enterprise Security’s critical success factors are being achieved.
• Key actions and business changes are the initiatives to be delivered in order to achieve the Enterprise Vision and Strategic Objectives for Enterprise Security.
(Diagram labels: Vision; Strategic objectives; CSFs; KPIs / targets; Key actions / business changes)
6. Enterprise Security Vision
“We will build and implement an information security program which will identify threats and risks to the Enterprise’s information assets and system resources, including human assets, before they become an employee or management concern.”
8. Goals
• Develop an innovative Information Security Program that identifies risks and implements safeguards to mitigate those risks.
• The Information Security Program must meet all of the Enterprise’s expectations while having little impact on existing budgets and/or schedules.
• Develop an effective, efficient Information Security Program that will enhance all services provided by the Enterprise while not impeding existing services to our clients.
• Isolate and mitigate potential risks and/or threats prior to an issue developing into an employee or management concern or problem.
• Enhance the Enterprise’s ability to attract and maintain customers, investors and partners because of its ability to efficiently and effectively protect information.
10. Business Benefits
• Reduce risks and threats to the Confidentiality, Integrity and Availability of the Enterprise’s Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.
• Improve the effectiveness and efficiency of Information Security Management by implementing a world class best practice and framework for consistent, concise security administration.
• Improve the effectiveness and efficiency of existing security mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.
• Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure the Enterprise’s Investors, Board of Directors and Executive Management Team that the Enterprise’s Information Assets and System Resources are secure.
• Reduce the likelihood of an accidental incident caused by Enterprise staff that could adversely affect the Enterprise’s reputation or liabilities and lead to financial losses, by providing an ongoing information security education and awareness program.
12. Critical Success Factors
• Information security policy, objectives, and activities that reflect business objectives
• An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the Enterprise’s culture
• Visible support and commitment from all levels of management, especially Executives
• A good understanding of the information security requirements, risk assessment, and risk management
• Effective marketing of information security to all managers, employees, and other parties to achieve awareness
• Distribution of guidance on information security policy and standards to all managers, employees and other parties
• Provision to fund information security management activities
• Providing appropriate awareness, training, and education
• Establishing an effective information security incident management process
• Implementation of a measurement system that is used to evaluate performance in information security management and feed back suggestions for improvement
14. Key Performance Indicators
Strategic Alignment
• Enterprise Security Office activities do not materially hinder business
• The Enterprise Security Office program enables business activities
• Enterprise Security Office activities have provided predictable, robust operations
• Enterprise Security Office incidents have not significantly impacted business operations
• Trends for adverse impacts are continuously improving
• The Enterprise Security Office organization is responsive to business requirements
• The cost of Enterprise Security Office measures is appropriate and generally tracks the degree of risk and value of assets
• The Enterprise Security Office group understands the business objectives
Risk Management
• Cost effectiveness of risk mitigation
• Reduction in residual risk
• Reduction in open vulnerabilities
• Reduction of significant risks
• Reduction in adverse impacts
• Improved response time to new risks
• Systematic, continuous risk management
• Periodic risk assessments
• Tested business continuity planning (BCP) and disaster recovery (DR)
• Completeness of asset valuation and assignment of ownership
• Meeting RTO objectives during testing
15. Business Process Assurance
• No gaps exist in information asset protection
• All assurance activities are demonstrably integrated
• Roles and responsibilities are well defined with concise interfaces
• Responsibility and accountability are clearly defined
• The steering committee has representatives of all assurance functions
Value Delivery
• Enterprise Security Office activities achieve strategic objectives on budget
• The cost of Enterprise Security Office is proportional to the value of assets
• Enterprise Security Office resources are allocated by degree of assessed risk
• Aggregate protection costs that are a function of revenues or asset valuation
• Utilization of controls – rarely used controls are not likely to be cost-effective
• The number of controls to achieve acceptable risk and impact levels. Fewer effective controls can be expected to be more cost-effective than many less effective controls
• The effectiveness of controls as determined by testing. Marginal controls are not likely to be cost-effective
16. Resource Management
• The frequency of problem rediscovery
• The effectiveness of knowledge capture and dissemination
• Clearly defined roles and responsibilities for IT security functions
• IT security functions are incorporated into every project plan
• Information assets and related threats that are covered by security resources
Performance Management
• The time it takes to detect and report incidents
• The number and frequency of unreported incidents
• Benchmarking security costs against comparable organizations
• Effectiveness and efficiency of controls
• Trends in audit findings
• Compliance metrics
• Time for variance resolutions
• Trends in impacts
• Downtime for critical systems
17.
• Adopt Information Security framework
• Implement Enterprise Security Governance
• Facilitate adoption of Risk Management Methodology
• Implement Security Monitoring System
• Facilitate harmonization of Access Control and Identity processes
• Lead implementation of Continuous Improvement process
• Develop and implement Communications Strategy including Awareness Training
19. Roles & Responsibilities (management level against each governance outcome)

Board of Directors
• Strategic Alignment: Require demonstrable alignment
• Risk Management: Institute a policy of risk management in all activities and ensure regulatory compliance
• Value Delivery: Require reporting of Enterprise Security activity costs
• Performance Measurement: Require reporting of Enterprise Security activity effectiveness
• Resource Management: Institute a policy of knowledge management and resource utilization
• Process Assurance: Institute a policy of assurance process integration

Executive Management
• Strategic Alignment: Institute processes to integrate Enterprise Security with business objectives
• Risk Management: Ensure roles and responsibilities include risk management in all activities and monitor regulatory compliance
• Value Delivery: Require business case studies of Enterprise Security initiatives
• Performance Measurement: Require monitoring and metrics for Enterprise Security activities
• Resource Management: Ensure processes for knowledge capture and efficiency metrics
• Process Assurance: Provide oversight of all assurance functions and plans for integration

Management Review Committee
• Strategic Alignment: Review Enterprise Security strategy and integration efforts, and ensure business owners support integration
• Risk Management: Identify emerging risks, promote business unit Enterprise & Security practices and identify compliance issues
• Value Delivery: Review accuracy of Enterprise Security initiatives to serve business functions
• Performance Measurement: Review and advise according to Enterprise Security initiatives and ensure they meet business objectives
• Resource Management: Review processes for knowledge capture and dissemination
• Process Assurance: Identify critical business processes and assurance providers, and direct integration assurance efforts

Enterprise Security Office
• Strategic Alignment: Develop Enterprise Security strategy, oversee the Enterprise Security program and initiatives, and liaise with business process owners for ongoing alignment
• Risk Management: Ensure risk and business impact assessments, develop risk mitigation strategies, and enforce policy and regulatory compliance
• Value Delivery: Monitor utilization and effectiveness of Enterprise Security resources
• Performance Measurement: Develop and implement monitoring and metrics approaches, and direct and monitor Enterprise Security activities
• Resource Management: Develop methods for knowledge capture and dissemination, and metrics for effectiveness and efficiency
• Process Assurance: Liaise with other assurance providers, and ensure that gaps and overlaps are identified and addressed
20. Purpose: Management shall review the Enterprise’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (ISO27k clause 4.3.3).
Goals: The ISMS Management Review Committee has been formed to provide an effective joint forum which will contribute to the following goals:
• Decision making which supports the Enterprise Security Program
• Balanced and informed review and advisory services contributing to a range of Enterprise Security Office (ESO) planning, service delivery and issue resolution activities
• Proactive ESO alignment with higher level joint governance functions to improve the effectiveness and efficiency within the ESO domain
21. Committee Functions: Review input (ISO27k clause 7.2)
The input to a management review shall include:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.
22. Review output (ISO27k clause 7.3)
The output from the management review shall include any decisions and actions related to the following:
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
   1) business requirements;
   2) security requirements;
   3) business processes affecting the existing business requirements;
   4) regulatory or legal requirements;
   5) contractual obligations; and
   6) levels of risk and/or criteria for accepting risks.
d) Resource needs.
e) Improvement on how the effectiveness of controls is being measured.
24. For more information contact:
Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure
LinkedIn: http://ca.linkedin.com/in/markesbernard