
Building an Information Security Policy Framework


This presentation covers an overview of what a Policy Framework is, and why it is an essential part of any Information Security program; the various existing frameworks used across the industry, their strengths and limitations; a methodology to create a flexible framework, supported by a risk assessment and a strong understanding of the assets owned by the institution and the threats they are exposed to; and an approach to define an adequate control set and how to prioritise its implementation.

Visit https://www.jbbres.com/files/20190605-security-framework.html for the full transcript of this presentation.

Published in: Technology
Building an Information Security Policy Framework

  1. Jean-Baptiste Bres, May 3rd, 2019. Building an Information Security Policy Framework
  2. "An APRA-regulated entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats" (CPS 234, #18)
  3. WHAT IS A POLICY FRAMEWORK? "Information security policy framework means the totality of policies, standards, guidelines and procedures pertaining to information security" (CPS 234, #12.i)
  4. WHAT IS A POLICY FRAMEWORK? A set of practices, policies and procedures. The details of the Information Security Strategy. A calculated approach to determine risk and reduce it through controls. A measurable and repeatable methodology.
  5. PURPOSE OF THE POLICY FRAMEWORK: educate people about Information Security; facilitate secure implementation and maintenance of technology; ensure processes are secured and auditable; create a common language; provide a reference for designing security mechanisms; ensure measurement and benchmarking.
  6. WHY HAVE A POLICY FRAMEWORK? It is a regulatory requirement; for public safety; to protect physical assets, digital assets and information; to create a differentiation.
  7. A POLICY FRAMEWORK. POLICIES: provide the foundation for a security program; require compliance from all employees; are approved at a higher level; should stand the test of time. STANDARDS: provide details of security controls; derive their authority from policies; require compliance from all employees. PROCEDURES: step-by-step instructions to perform a security task; may require compliance, depending upon the organisation and circumstances. GUIDELINES: provide security advice; align with industry good practices; are optional practices, not mandatory.
  8. CREATING A FRAMEWORK: compliance requirements, area of focus, certification objectives, current maturity.
  9. CPS 234 IS NOT A FRAMEWORK
  10. INFORMATION SECURITY FRAMEWORKS (source: Dimensional Research, 2017): PCI-DSS 40%, ISO 27K 38%, CIS 22%, NIST 19%, other 24%, none 20%.
  11. GLOBAL AND LOCAL REGULATIONS. Australia: APRA CPS 234. European Union: GDPR. USA: GLBA, SOX. Global: PCI-DSS (credit card).
  12. A HYBRID FRAMEWORK IS AN ACCEPTABLE SOLUTION
  13. HYBRID FRAMEWORK. Areas of focus: People, Processes, Technology. Controls, grouped by function: Identify, Protect, Detect, Respond, Recover. Example controls: evacuation procedure; incident report channels; awareness program; ID cards; recovery site; succession plan; business continuity plan; business impact analysis; identity and access management; incident response; crisis management; vulnerability assessment; firewall; data encryption; SIEM; IDS; SOC; threat responses; backup; disaster recovery; 4-eyes verification; background check.
  14. RISK ASSESSMENT: RISK = IMPACT x LIKELIHOOD, assessed over assets and threats.
  15. UNDERSTANDING THE ASSETS: Products and Services > Critical functions > Processes > Assets. Identify the products and services offered by the organisation; identify the critical functions needed to deliver the products and services; understand the processes required within the critical functions, and prioritise them; determine the resources and assets required to perform the processes.
  16. UNDERSTANDING THE ASSETS. Asset types: People, Data, Building and facilities, IT Systems, Finance, Partners and Suppliers. Asset classification (which drives IMPACT): Confidential / Private, Sensitive, Public.
  17. UNDERSTANDING THE THREATS. Each threat category (the STRIDE set) maps to the security property it violates: Spoofing -> Authentication; Tampering -> Integrity; Repudiation -> Non-repudiation; Information disclosure -> Confidentiality; Denial of Service -> Availability; Elevation of Privilege -> Authorisation.
  18. RISK ASSESSMENT: plot IMPACT (resulting business impact) against LIKELIHOOD (probability of occurrence); the four quadrants are contingency risks, significant risks, minor risks and high incidence risks.
  19. THE CORE SECURITY CONTROL SET. 1. Give priority to common controls that can support multiple systems efficiently and effectively as a common capability. 2. Use the result of the risk assessment to identify controls that cover the higher risks. 3. Gather feedback from stakeholders. Controls must be measurable, understood and auditable.
  20. ABOUT THE SPEAKER. Jean-Baptiste Bres is Chief Information Security Officer at StatePlus (formerly State Super Financial Services). As the former Head of GPI at BNP Paribas CIB Australia and New Zealand, he led the Security, Operational Risk and Governance teams of the Bank. His career in Financial Institutions spans over 15 years and two continents, delivering excellence and driving risk management in Information Technology. Jean-Baptiste holds a Master in Computer Science from the University of Belfort-Montbeliard in France. https://www.linkedin.com/in/jbbres/ https://www.jbbres.com
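The method of slides 14 to 19 (impact from asset classification, threats enumerated per asset, RISK = IMPACT x LIKELIHOOD, placement in the four quadrants, then a control set that favours common controls covering the highest risks) can be run as a small risk register. The code below is an added example and is not part of the presentation or the speaker's material. It assumes a 1-3 scale for both impact and likelihood, the usual reading of the slide 18 matrix (impact on the vertical axis, likelihood on the horizontal one, split at the middle of each scale), and a mapping from a few controls on the hybrid framework slide to the STRIDE threats they address; the three assets, their risks and that mapping are constructed for illustration.

```python
"""Risk register and greedy control prioritisation (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Assumed 1-3 scale derived from the asset classification on slide 16."""
    PUBLIC = 1
    SENSITIVE = 2
    CONFIDENTIAL = 3


class Likelihood(IntEnum):
    """Assumed 1-3 probability-of-occurrence scale."""
    RARE = 1
    POSSIBLE = 2
    LIKELY = 3


# STRIDE threat -> security property it violates (slide 17)
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorisation",
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Impact


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str            # one of the STRIDE_PROPERTY keys
    likelihood: Likelihood

    def score(self) -> int:
        # RISK = IMPACT x LIKELIHOOD (slide 14); impact comes from classification
        return int(self.asset.classification) * int(self.likelihood)

    def quadrant(self) -> str:
        # Assumed reading of the slide 18 matrix, split at the middle of each scale
        high_impact = self.asset.classification >= Impact.SENSITIVE
        high_likelihood = self.likelihood >= Likelihood.POSSIBLE
        if high_impact and high_likelihood:
            return "significant"
        if high_impact:
            return "contingency"
        if high_likelihood:
            return "high incidence"
        return "minor"


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset              # STRIDE threats the control addresses
    common: bool = False              # common capability shared by all assets
    assets: frozenset = frozenset()   # otherwise, the assets it is scoped to

    def covers(self, risk: Risk) -> bool:
        in_scope = self.common or risk.asset.name in self.assets
        return in_scope and risk.threat in self.mitigates


def prioritise(risks, controls):
    """Greedy implementation order: each step takes the control that removes the
    most residual risk score; ties go to the control covering more risks, then to
    common controls (slide 19, points 1 and 2). Returns (order, uncovered risks)."""
    remaining = list(risks)
    order = []
    while remaining:
        def key(c):
            covered = [r for r in remaining if c.covers(r)]
            return (sum(r.score() for r in covered), len(covered), c.common)
        best = max(controls, key=key)
        if key(best)[0] == 0:
            break  # no listed control covers anything that is left
        order.append(best.name)
        remaining = [r for r in remaining if not best.covers(r)]
    return order, remaining


# Constructed sample inventory (slides 15-16): three classified assets
MEMBER_DB = Asset("Member database", Impact.CONFIDENTIAL)
WEBSITE = Asset("Public website", Impact.PUBLIC)
PAYROLL = Asset("Payroll system", Impact.SENSITIVE)

SAMPLE_RISKS = [
    Risk(MEMBER_DB, "Information disclosure", Likelihood.POSSIBLE),
    Risk(MEMBER_DB, "Spoofing", Likelihood.LIKELY),
    Risk(WEBSITE, "Denial of Service", Likelihood.LIKELY),
    Risk(WEBSITE, "Tampering", Likelihood.RARE),
    Risk(PAYROLL, "Elevation of Privilege", Likelihood.RARE),
    Risk(PAYROLL, "Repudiation", Likelihood.POSSIBLE),
]

# Controls named on the hybrid framework slide; the threat mapping is assumed
SAMPLE_CONTROLS = [
    Control("Identity and Access Management",
            frozenset({"Spoofing", "Elevation of Privilege"}), common=True),
    Control("Data encryption", frozenset({"Information disclosure"}),
            assets=frozenset({"Member database"})),
    Control("Firewall", frozenset({"Denial of Service"}), common=True),
    Control("SIEM", frozenset({"Repudiation", "Tampering"}), common=True),
    Control("Backup", frozenset({"Tampering"}), common=True),
]

if __name__ == "__main__":
    for r in sorted(SAMPLE_RISKS, key=Risk.score, reverse=True):
        print(f"{r.score():>2} {r.quadrant():<14} {r.asset.name}: "
              f"{r.threat} -> {STRIDE_PROPERTY[r.threat]}")
    order, left = prioritise(SAMPLE_RISKS, SAMPLE_CONTROLS)
    print("Implementation order:", order, "| uncovered:", left)
```

Running it lists the register from the highest score down (the two member database risks, both in the significant quadrant, come first) and then returns the order Identity and Access Management, Data encryption, SIEM, Firewall: the common IAM control is chosen first because it covers the 9-point spoofing risk together with the payroll privilege escalation, while Backup is never selected because SIEM already absorbs the only tampering risk. In practice the scales, the quadrant thresholds and the control-to-threat mapping are the inputs the stakeholder feedback of slide 19 should challenge.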
