May 2011
Fadi Mutlak - Information security governance
2. There is no single universal model for organizational structure to ensure that the Information Security requirements for the organization are adequately met.
There is still some uncertainty regarding what such Information Security Governance actually consists of.
Information Security Governance does not function in isolation.
Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each.
How do organizations currently operate globally and in the Middle East?
Information Security Governance © 2011 Deloitte & Touche
3. Survey findings, globally and in the Middle East:
• 17% of organizations globally have a person responsible for Information Security; 33% in the Middle East.
• 40% of CISOs globally report directly to IT-related positions (CIO, IT executive and CTO); 31% in the Middle East.
• Only 67% of respondents indicate that they have a security governance structure; 49% in the Middle East.
• Only 56% of respondents indicate they have a documented and approved information security strategy; 38% in the Middle East.
• Only 18% of respondents have established metrics that are aligned to business value and report on a scheduled basis; 15% in the Middle East.
• Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives; 32% in the Middle East.
4. Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed.
Subsets of Corporate Governance include:
• Financial Governance
• Information Technology Governance
• Enterprise Risk Governance
• Information Security Governance
5. The structure, oversight and management processes which ensure the delivery of overall corporate governance require integration between the different subsets of the Corporate Governance Model.
[Diagram: Corporate Governance Model. Corporate Governance, with its subsets Enterprise Risk Governance, Information Technology Governance and Legal Governance; Information Security Governance; and, within the Information Security Organization, Information Security Management and Information Security Operations.]
An organization’s Information Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization’s information resources, in the most effective and efficient manner, in pursuit of its business goals".
6. "Information Security Governance", "Information Security Management" and "Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet Business, Risk and IT goals.
Very broadly:
Information Security Governance: exists to ensure that the security program adequately meets the strategic needs of the business.
Information Security Management: implements that program.
Information Security Operations: executes or manages security-related processes relating to current infrastructure on a day-to-day basis.
Each of these layers must engage with corresponding layers throughout the enterprise.
7. [Diagram: Information Security Governance organizational structure. Governance layer: Information Security Steering Committee, together with Corporate Risk Management, the Chief Information Officer (CIO), Lines of Business, IT Operations Management and 3rd Party Service Providers. Supporting forums: Information Security Advisory Board and Information Security Communication Forum. Operating layers: Information Security Management and Information Security Operations, each also engaging 3rd Party Service Providers.]
8. Prudent CISOs are building their Security Governance Strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in.
Without alignment, Information Security Governance operates in a vacuum and will implement security controls that are invariably either too strong (and thus expensive and restrictive) or too weak, resulting in too much residual risk.
[Diagram: Security Governance Integration cycle: 1. Plan, 2. Implement, 3. Manage, 4. Monitor, surrounded by Culture, Controls, Process, People and Technology.]
9. The following 4 domains must be considered when establishing an Information Security Governance Program:
Plan: Security Program Strategy; Security Architecture; Security Budget; Governance Policy Management.
Implement: Develop Governance Processes; Institute Governance Forums; Security Policy Review and Development.
Manage: Accountabilities; Funding; Conflict Conciliation and Arbitration; Program and Project Oversight.
Monitor: Project Oversight; Value Assessments; Operational Oversight; Metrics and Measurement.
10. Plan: Security Program Strategy
1. Current State
2. Desired State
3. Gap Analysis
4. Projects and Initiatives Derived from the Gap Analysis
5. A Reporting Framework
11. Plan: Security Architecture
Security architecture is the planning discipline that provides the foundational models, templates and principles that support the program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse.
• Security Operations
• Security Monitoring and Review
• User Management
• User Awareness
• Application Security
• Database / Metadata Security
• Host Security
• Internal Network Security
• Network Perimeter Security
• Physical and Environmental Security
12. Plan: Security Budget Planning
The process of allocating financial resources to information security projects and operational activities.
Plan: Governance Policy Management
Sets the principles for policy management, specifically regarding issues such as:
• Ownership
• Documentation standards
• Approval and formalization procedures
• Enforcement regimes
• Review and exception procedures
13. Implement: Develop Governance Processes
Design the governance processes:
• The goal of the process
• The action steps to be taken and in what sequence
• The responsibilities associated with the process
• The process flow
Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks.
Implement: Institute Governance Forums
Establish governance forums and a steering committee:
• Establish the accountabilities and responsibilities for information security within the organization.
• Oversee the governance processes.
• Commission and sponsor the corporate information security program.
14. Implement: Security Policy Review and Development
Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of your organization’s information security policy. Identify major strengths and weaknesses of the policy and provide recommendations for improvement.
15. Manage
Design and explain management processes to the respective stakeholders for implementation:
• Accountabilities: accountabilities and responsibilities for information security are executed effectively.
• Funding: manage effective allocation of financial resources for security initiatives as decided in the budget process.
• Conflict Conciliation and Arbitration: facilitate assessment of conflicting security requirements between different stakeholders. Ensure specific policy and controls decisions are based on adequate consideration of individual and collective requirements.
• Program and Project Oversight: track security program and projects, deliverables, and costs to ensure they remain within acceptable tolerances.
16. Monitor
Design and explain monitoring processes to the respective stakeholders for implementation:
• Project Oversight: assess project results. Report on objectives achieved and missed, as well as unexpected results and consequences.
• Value Assessments: periodically assess the value of information security investments. Is the organization getting the anticipated benefits from investments involving information security?
• Operational Oversight: ensure that the execution of the information security program, and all its associated processes and activities, is done within the parameters set out by the program strategy, architecture, and policy strategy.
• Metrics and Measurement: measuring and reporting on the impact of the information security program on overall IT governance and Corporate Governance.
17. Outcomes of Information Security Governance:
• Strategic Alignment of information security with business strategy to support organizational objectives.
• Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level.
• Resource Management by utilizing information security knowledge and infrastructure efficiently and effectively.
• Performance Measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved.
• Value Delivery by optimizing information security investments in support of organizational objectives.
18. Fadi Mutlak
Leader, Security & Privacy – Middle East
+971 4 369 8999
fmutlak@deloitte.com
19. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Member of Deloitte Touche Tohmatsu Limited