Improving Your Information Security Program


Michael walks the audience through the key focus areas in the creation of information security dashboards and discusses topics such as: What about our Information Security Program is important? How can I represent my Information Security Program in a dashboard? What elements of my program should I measure and report on? What must happen with the output?



  1. Improving your Information Security Program: Building your Security Dashboard
  2. Our on-going challenge
     Identifying success and measuring performance is difficult within the information security program
     • Security Managers lack an effective way to monitor current state and track improvement within their programs
     • Security staff lack guidance on program priorities
     • Management and executives need awareness of how the program supports the organization
     • Business units do not understand their role in information security
     Copyright 2007 – Seccuris Inc.
  3. Our on-going challenge
     How do we align, manage and communicate our program in an effective manner? By creating an Information Security Program Dashboard
  4. Agenda
     • Introduction to dashboards
     • The role of the dashboard
     • Building a dashboard for your security program
     • Using your dashboard
  5. Introduction to Dashboards: What is a dashboard?
     • A summary view of relevant performance information
     • Visualization of up-to-date Key Performance Indicators (KPIs)
     • KPIs are displayed through a collection of Performance Maps
     • Can be manual, automated or "digital"
  6. Introduction to Dashboards: What isn't a dashboard?
     • Driving your car
     • Security Information Management (SIM)
  7. Poor Example of Dashboard (screenshot)
  8. Better Example of Dashboard (screenshot)
  9. Good Example of Dashboard: Security Management Dashboard* (*includes KPIs from each aspect of Security Management)
     Performance maps recovered from the slide image (dashboard section, performance map, KPI values, reporting period):
     High-Level Direction: Security Committee Approvals for Security Initiatives: Submitted 16, Reviewed 12, Approved 9 (Annual)
     Security Organization: Information Security Department Policies: Created 8, Revised 3, Approved 11 (Annual)
     Security Organization: Information Security Department Initiatives: Defined 34, Scheduled 6, Active 5, Completed 44 (Annual)
     Security Organization: Security Awareness Staff Agreements: Current 699, Expired 455 (Annual)
     Security Organization: Security Awareness Initiatives: Defined 4, Scheduled 1, Active 0, Completed 4 (Annual)
     Malicious Attack: Server Virus Infections: Identified 36, Contained 30, Cleaned 33 (Monthly)
     Malicious Attack: Intrusion Prevention Signature Updates: Identified 89, Tested 69, Approved 54, Implemented 177 (Monthly)
     Malicious Attack: Incident Response Engagements: Identified 43, In-progress 12, Re-Opened 2, Closed 30 (Annual)
     Special Topics: E-mail Privacy Incidents (Identified / Contained / Investigated / Closed, Monthly), Remote Office Security Policy Violations (Low / Medium / High, Annual) and Security Audits (Defined / Scheduled / Active / Completed, Annual); the values for these three maps are not reliably recoverable from the extraction
 10. Detail of three performance maps from the dashboard above
     Malicious Attack, Server Virus Infections: Identified 36, Contained 30, Cleaned 33 (Monthly)
     Intrusion Prevention, Signature Updates: Identified 89, Tested 69, Approved 54, Implemented 177 (Monthly)
     Incident Response, Engagements: Identified 43, In-progress 12, Re-Opened 2, Closed 30 (Annual)
 11. Introduction to Dashboards: What are the benefits of a dashboard?
     • Demonstration of compliance
     • Elimination of duplicate data entry / gathering
     • Identify poor performance within the program
     • Allows for measurement of current action plans and implementations
     • Allows for immediate awareness and alerting
     • Provides supporting information for the IT Security Scorecard
 12. The role of the dashboard: Where does the dashboard fit in organizational management?
     (diagram; only the label "Security Information Management" is recoverable from the extraction)
 13. The role of the dashboard (diagram, reconstructed as an outline)
     Information Security Policy
       → Information Security Balanced Scorecard (aspects: Security Management, Critical Business Applications, Computer Installations, Networks, System Development)
         → Security Management Dashboard* (sections: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Malicious Attack, Special Topics, Management Review, Risk Acceptances)
     *Includes KPIs from each aspect of Security Management
 14. The role of the dashboard: What is the intended audience for an Information Security dashboard?
     • Primary: CISO; Information Security Manager; Information Security Staff
     • Secondary: Accountable Business Unit Management; Business Executive; Audit
 15. The role of the dashboard: The dashboard allows us to:
     • Visualize the focus areas for our program
     • Facilitate awareness of the organization's accountability within the security program
     • Create a distinction between failure of the program and failure of the security department
 16. Building a security dashboard: What are the components of a dashboard?
     • Performance Maps
     • Business Logic
     • Visualization Rules
     • Data Sources
     • Critical Success Factors (CSF)
     • Key Performance Indicators (KPI)
 17. Building a security dashboard: What are the components of a dashboard? (diagram)
     Security Management Dashboard* sections: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Malicious Attack, Special Topics, Management Review, Risk Acceptances (*includes KPIs from each aspect of Security Management)
     Performance maps shown for two of the sections (reporting period in parentheses):
     High-Level Direction, Security Committee Approvals for Security Initiatives: Submitted 16, Reviewed 12, Approved 9 (Annual)
     High-Level Direction, Board Level Approvals for Security Initiatives: Submitted 12, Reviewed 4, Approved 1 (Annual)
     Security Organization, Information Security Department Policies: Created 8, Revised 3, Approved 11 (Annual)
     Security Organization, Information Security Department Initiatives: Defined 34, Scheduled 6, Active 5, Completed 44 (Annual)
     Security Organization, Security Awareness Staff Agreements: Current 699, Expired 455 (Annual)
     Security Organization, Security Awareness Initiatives: Defined 4, Scheduled 1, Active 0, Completed 4 (Annual)
 18. Building a security dashboard: The inputs & data sources of a dashboard (diagram, reconstructed as an outline)
     Information Security Gap Analysis
     Information Security Policy
       → Information Security Balanced Scorecard (aspects: Security Management, Critical Business Applications, Computer Installations, Networks, System Development)
         → Security Management Dashboard* (sections: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Malicious Attack, Special Topics, Management Review, Risk Acceptances)
     Information Security Action Plan
     Information Security Action Plan Status Report
     *Includes KPIs from each aspect of Security Management
 19. Building a security dashboard: The inputs & data sources of a dashboard
     Information Security Balanced Scorecard
     • Defines the goals of the program
     • Challenging to start due to limited access to true corporate business drivers
     • Often difficult to separate into manageable, visual pieces
     • How do we define CSFs for our program?
 20. Building a security dashboard: The inputs & data sources of a dashboard
     Information Security Balanced Scorecard: Information Security Forum
     • 16+ years in the making
     • Industry recognized
     • Management focused
     • Primary source for CSFs
 21. Building a security dashboard: The inputs & data sources of a dashboard
     Information Security Policy
     • Mapped to business drivers
     • Influenced by compliance & legislation
     • Based on best practices
     • Primary source of relevant KPIs
     Example Policy: All security incidents relating to critical business functions must be investigated and documented.
     Example KPI: Number of Identified, In-Progress, Re-opened and Closed Incident Response Engagements.
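The step from the example policy to the example KPI is where the deck's "business logic" and "visualization rules" components actually live, and the slide leaves both implicit. The following is an added example, not code from the Seccuris deck: it takes a constructed export of incident-response status changes, applies the policy scope (critical business functions only), computes the four counts for one reporting period, and then reduces them to a traffic-light status. The event layout, the status names and the thresholds in `visualization_rule` are assumptions chosen for illustration.

```python
"""Turning the example policy into a computed KPI plus a visualization rule.

Added example; the event format, status names and thresholds are assumptions,
not something the deck specifies.
"""
from collections import Counter
from datetime import date

# Constructed sample data: one row per status change of an incident-response
# engagement, as an incident tracker might export it.
# (engagement_id, relates_to_critical_business_function, status, when)
EVENTS = [
    ("IR-0001", True,  "identified", date(2007, 1, 10)),
    ("IR-0001", True,  "closed",     date(2007, 2, 1)),
    ("IR-0002", True,  "identified", date(2007, 3, 3)),
    ("IR-0002", True,  "closed",     date(2007, 3, 20)),
    ("IR-0002", True,  "re-opened",  date(2007, 4, 2)),   # closed too early, came back
    ("IR-0002", True,  "closed",     date(2007, 4, 30)),
    ("IR-0003", True,  "identified", date(2007, 6, 15)),  # still open at period end
    ("IR-0004", False, "identified", date(2007, 7, 1)),   # not a critical function: out of policy scope
    ("IR-0004", False, "closed",     date(2007, 7, 5)),
    ("IR-0005", True,  "identified", date(2006, 12, 1)),  # opened in the previous period
    ("IR-0005", True,  "closed",     date(2007, 1, 15)),
]


def engagement_kpi(events, period_start, period_end, critical_only=True):
    """Business logic: the four counts the policy asks for, over one period.

    Identified / Re-opened / Closed count transitions that happened inside
    the period.  In-progress counts engagements whose latest status on or
    before period_end is not 'closed', so carry-overs from earlier periods
    are included rather than silently dropped.
    """
    in_scope = [e for e in events if e[1] or not critical_only]
    in_period = Counter(
        status for _, _, status, when in in_scope if period_start <= when <= period_end
    )
    latest = {}
    for eid, _, status, when in sorted(in_scope, key=lambda e: e[3]):
        if when <= period_end:
            latest[eid] = status
    return {
        "identified": in_period["identified"],
        "in_progress": sum(1 for s in latest.values() if s != "closed"),
        "re_opened": in_period["re-opened"],
        "closed": in_period["closed"],
    }


def annual_kpi(year, events=EVENTS, critical_only=True):
    """The 'Annual' period shown on the dashboard, for one calendar year."""
    return engagement_kpi(events, date(year, 1, 1), date(year, 12, 31), critical_only)


def visualization_rule(kpi, max_open=5, max_reopen_ratio=0.10):
    """Visualization rule: collapse the counts to a traffic-light colour.

    Thresholds are assumed for illustration; the deck sets none.  A high
    re-open ratio means closures are not sticking, which is a quality
    problem the raw 'Closed' count would hide.
    """
    if kpi["in_progress"] > max_open:
        return "red"
    reopen_ratio = kpi["re_opened"] / kpi["closed"] if kpi["closed"] else 0.0
    if reopen_ratio > max_reopen_ratio:
        return "amber"
    return "green"


if __name__ == "__main__":
    kpi = annual_kpi(2007)
    print("Incident Response Engagements (Annual 2007):", kpi, "->", visualization_rule(kpi))
```

On the constructed data the 2007 map reads Identified 3, In-progress 1, Re-opened 1, Closed 4 and shows amber: the counts alone look healthy, but one of four closures was re-opened, which is the kind of signal a business-logic layer should surface rather than leave for the reader to compute. Scope (`critical_only`) and period boundaries belong in the logic, not in whoever builds the spreadsheet, or two people will report two different numbers for the same KPI.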
 22. Building a security dashboard: The inputs & data sources of a dashboard
     Information Security Gap Analysis: SABSA
     • Business-driven approach
     • True architecture focus
     • Aligns with any best practice
     • Good source of relevant KPIs
 23. Building a security dashboard: The inputs & data sources of a dashboard
     Information Security Action Plan
     • Details security program improvements
     • Highlights what KPIs should be monitored
     • Specifies CSF and KPI target goals
     • Good source of relevant KPIs
 24. Building a security dashboard: The inputs & data sources of a dashboard (the diagram of slide 18 repeated: Gap Analysis, Policy, Balanced Scorecard, Action Plan and Action Plan Status Report feeding the Security Management Dashboard*; *includes KPIs from each aspect of Security Management)
 25. Building a security dashboard: Steps to define the dashboard
     • Perform an Information Security Program Gap analysis
     • Confirm the CSFs for the security program
     • Choose and align relevant KPIs for the dashboard
     • Define business logic & visualization rules
 26. Building a security dashboard: Performing the Information Security Gap analysis
 27. Building a security dashboard: Performing the Information Security Gap analysis
     Legend: each Architecture Area cell of the matrix carries three values, Current State, Required Goal and Good Practice, each scored on the maturity scale
     Maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
 28. Building a security dashboard: Information Security Program Gap Analysis (SABSA matrix with the Required Goal per cell)
     Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)
     Contextual:  The Business | Business Risk Model | Business Process Model | Business Organization and Relationships | Business Geography | Business Time Dependencies
     Conceptual:  Business Attributes Profile | Control Objectives | Security Strategies and Architectural Layering | Security Entity Model and Trust Framework | Security Domain Model | Security-Related Lifetimes and Deadlines
     Logical:     Business Information Model | Security Policies | Security Services | Entity Schema and Privilege Profiles | Security Domain Definitions and Associations | Security Processing Cycle
     Physical:    Business Data Model | Security Rules, Practices and Procedures | Security Mechanisms | Users, Applications and the User Interface | Platform and Network Infrastructure | Control Structure Execution
     Component:   Detailed Data Structures | Security Standards | Security Products and Tools | Identities, Functions, Actions and ACLs | Processes, Nodes, Addresses and Protocols | Security Step Timing and Sequencing
     Operational: Assurance of Operational Continuity | Operational Risk Management | Security Service Management and Support | Application and User Management and Support | Security of Sites, Networks and Platforms | Security Operations Schedule
     Required Goal per cell (same column order):
     Contextual   4 5 5 5 5 5
     Conceptual   4 4 4 4 4 4
     Logical      4 4 4 4 4 4
     Physical     3 3 3 3 3 3
     Component    3 3 3 3 3 3
     Operational  3 3 3 3 3 3
 29. Building a security dashboard: Information Security Program Gap Analysis (Good Practice value added to each cell of the slide 28 matrix)
     Good Practice per cell (same column order):
     Contextual   4 4 4 4 4 4
     Conceptual   4 4 4 4 4 4
     Logical      3 3 3 3 3 3
     Physical     3 3 3 3 3 3
     Component    4 4 4 4 4 3
     Operational  3 3 3 3 3 3
 30. Building a security dashboard: Performing the Information Security Gap analysis
     Legend as on slide 27 (Architecture Area; Current State, Required Goal, Good Practice; maturity scale 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized), plus a status colour per cell: Above Requirement, Meets Requirement, Below Requirement, Critically Below Requirement
 31. Building a security dashboard: Information Security Program Gap Analysis (Current State added; each cell shows Current / Required / Good Practice)
     Layer        Assets   Motivation  Process  People  Location  Time
     Contextual   3/4/4    2/5/4       4/5/4    4/5/4   5/5/4     2/5/4
     Conceptual   3/4/4    4/4/4       4/4/4    3/4/4   4/4/4     2/4/4
     Logical      2/4/3    3/4/3       3/4/3    1/4/3   2/4/3     3/4/3
     Physical     1/3/3    4/3/3       2/3/3    3/3/3   1/3/3     1/3/3
     Component    0/3/4    2/3/4       1/3/4    2/3/4   1/3/4     3/3/3
     Operational  0/3/3    1/3/3       2/3/3    1/3/3   1/3/3     2/3/3
     (The extraction carries one stray value in the Component row; the six Required Goals for that layer are taken as on slide 29.)
 32. Building a security dashboard: Performing an Information Security Program Gap analysis
     • Completion will highlight areas of your overall security that are:
       • Non-existent
       • Weak / Requiring improvement
       • Over invested
       • Meeting the target
 33. Building a security dashboard: Performing an Information Security Program Gap analysis
     • Use this information to:
       • Identify gaps in your information security policy
       • Create action plans and improvement projects
       • Confirm goals & CSFs by ensuring areas that need investment have been appropriately defined at the strategic level
       • Select KPIs that will allow you to monitor focus areas of your program
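Slides 27 to 33 describe the gap analysis as a picture: three numbers per SABSA cell and a colour. The classification rule that turns those numbers into "non-existent / below / critically below / meets / over invested" is never written down, so two analysts colouring the same matrix can disagree. The following is an added example, not code from the Seccuris deck: it scores the full 6x6 matrix with the Current State and Required Goal values transcribed from slide 31, applies an explicit classification rule, and produces the ranked list of focus areas that the action plan and the reduced matrix of slide 36 are built from. The `CRITICAL_GAP` threshold of two maturity levels is an assumption; the deck shows the colour but not the rule behind it.

```python
"""Scoring a SABSA-layer maturity gap analysis.

Added example; CURRENT and REQUIRED are transcribed from slide 31 of the
deck, and the 'critically below' threshold is an assumption (the deck shows
the colour but not the rule).
"""

LAYERS = ["Contextual", "Conceptual", "Logical", "Physical", "Component", "Operational"]
COLUMNS = ["Assets", "Motivation", "Process", "People", "Location", "Time"]
MATURITY = {0: "Non-Existent", 1: "Initial", 2: "Repeatable",
            3: "Defined", 4: "Managed", 5: "Optimized"}

# One list per layer, values in COLUMNS order.
CURRENT = {
    "Contextual":  [3, 2, 4, 4, 5, 2],
    "Conceptual":  [3, 4, 4, 3, 4, 2],
    "Logical":     [2, 3, 3, 1, 2, 3],
    "Physical":    [1, 4, 2, 3, 1, 1],
    "Component":   [0, 2, 1, 2, 1, 3],
    "Operational": [0, 1, 2, 1, 1, 2],
}
REQUIRED = {
    "Contextual":  [4, 5, 5, 5, 5, 5],
    "Conceptual":  [4, 4, 4, 4, 4, 4],
    "Logical":     [4, 4, 4, 4, 4, 4],
    "Physical":    [3, 3, 3, 3, 3, 3],
    "Component":   [3, 3, 3, 3, 3, 3],
    "Operational": [3, 3, 3, 3, 3, 3],
}
CRITICAL_GAP = 2  # assumed: two or more maturity levels short is "critically below"


def classify(current, required, critical_gap=CRITICAL_GAP):
    """Map one cell to the categories used on slides 30 and 32."""
    if current == 0:
        return "Non-existent"
    gap = required - current
    if gap < 0:
        return "Above requirement (over invested)"
    if gap == 0:
        return "Meets requirement"
    if gap >= critical_gap:
        return "Critically below requirement"
    return "Below requirement"


def score_matrix(current=CURRENT, required=REQUIRED):
    """Return {(layer, column): (current, required, gap, status)} for every cell,
    in matrix order (top layer first, left column first)."""
    scores = {}
    for layer in LAYERS:
        for col, cur, req in zip(COLUMNS, current[layer], required[layer]):
            scores[(layer, col)] = (cur, req, req - cur, classify(cur, req))
    return scores


def focus_areas(scores):
    """Cells short of their goal, largest gap first; ties keep matrix order.
    This is the input to the action plan and to the reduced matrix of slide 36."""
    short = [(layer, col, cur, req, gap, status)
             for (layer, col), (cur, req, gap, status) in scores.items() if gap > 0]
    return sorted(short, key=lambda row: -row[4])


def layer_summary(scores):
    """Per layer, how many cells fall in each status: a natural performance map
    for the dashboard, since it is a count with a direction of improvement."""
    summary = {layer: {} for layer in LAYERS}
    for (layer, _), (_, _, _, status) in scores.items():
        summary[layer][status] = summary[layer].get(status, 0) + 1
    return summary


if __name__ == "__main__":
    scores = score_matrix()
    for layer, col, cur, req, gap, status in focus_areas(scores):
        print(f"{layer:12} {col:11} {MATURITY[cur]:12} -> {MATURITY[req]:10} gap {gap}  {status}")
    for layer, counts in layer_summary(scores).items():
        print(layer, counts)
```

Run against the slide 31 values this reports 29 of 36 cells short of their goal, two of them non-existent (the Assets column at the Component and Operational layers), one cell over invested (Physical / Motivation), and five cells three levels short, led by Contextual / Motivation. Putting the rule in code has a second benefit the deck hints at on slide 33: once the gap analysis is repeated next period, the same function produces comparable output, so "improvement" is a diff of two score tables rather than a judgement call.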
 34. Building a security dashboard: Steps to define the dashboard
     • Perform an Information Security Program Gap analysis
     • Confirm the Goals & CSFs for the security program
       • Use the Gap Analysis to identify potential CSF misalignment
       • Review Information Security Program Components
     • Choose and align relevant KPIs for the dashboard
     • Define business logic & visualization rules
 35. Building a security dashboard: Where does the dashboard fit in organizational management? (diagram, not recoverable from the extraction)
 36. Building a security dashboard: Information Security Program Gap Analysis (the slide 31 matrix reduced to the cells selected as focus areas; the exact subset is not cleanly recoverable from the extraction, but the cells retained sit in the Motivation, Location and Time columns at the Contextual layer, the Time column at the Conceptual and Logical layers, and most columns of the Physical, Component and Operational layers)
 37. Building a security dashboard: Steps to define the dashboard (as on slide 34)
     • Perform an Information Security Program Gap analysis
     • Confirm the Goals & CSFs for the security program
       • Use the Gap Analysis to identify potential CSF misalignment
       • Review Information Security Program Components
     • Choose and align relevant KPIs for the dashboard
     • Define business logic & visualization rules
 38. Building a security dashboard: Confirm the Goals & CSFs for the security program
     • Review current security plan documentation
     • Does the gap analysis output align with the Security Program Scorecard?
     • Are there weaknesses that must be improved on?
     • Change Security Program documentation to include new goals and CSFs
 39. Building a security dashboard: Steps to define the dashboard
     • Perform an Information Security Program Gap analysis
     • Confirm the Goals & CSFs for the security program
     • Choose and align relevant KPIs for the dashboard
     • Define business logic & visualization rules
 40. Building a security dashboard: Choose and align relevant KPIs for the dashboard
     • Brainstorm using the current security program as a starting point
     • Review the Gap Analysis for potential new KPIs
     • Review "good practices" for relevant indicators
     • Choose KPIs that help influence your goals and visualize your CSFs
 41. Using Standards to pick KPIs (diagram of the scorecard aspects: Security Management, Critical Business Applications, Computer Installations, Networks, System Development)
