This document discusses strategic planning for information security. It outlines the roles of key planning professionals like the CIO and CISO. The CIO translates strategic plans into security objectives while the CISO plans tactical and operational security measures. Effective planning requires defining values, vision, and mission statements. Strategic plans should then guide tactical and operational planning over multiple levels. The document contrasts top-down versus bottom-up approaches for implementing information security plans.
1. Strategy and Strategic Planning: strategy, strategic planning and security strategy, the information security lifecycle, and architecting the enterprise
2. The Role of Planning
Precursors to Planning
Values Statement
Vision Statement
Mission Statement
Strategic Planning
Creating a Strategic Plan
Planning Levels
Planning and the CISO (Chief Information Security Officer)
Planning for Information Security Implementation
3. Identify the roles in organizations that are active in the planning process
Grasp the principal components of information security system implementation planning in the organizational planning scheme.
Information Security Professionals
Professionals that support the information security program
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Security Managers
Security Technicians
Data Owners
Data Custodians
Data Users
Planning Definition
Planning is creating action steps toward goals and then controlling them
Provides direction for the organization’s future
Allows managing resources
Optimizes the use of the resources
Coordinates the effort of independent organizational units
Values Statement
Principles
Qualities
Benchmarks
What is your company?
Microsoft: Integrity, honesty, passion, and respectfulness are significant parts of Microsoft’s corporate philosophy
Vision Statement
Ambitious
Best-case scenario
Future goals
Where does your company want to be?
Microsoft: A personal computer in every home running Microsoft software
Mission Statement
Organization’s business
Areas of operation
Internal
External
How is your company going to get there?
Google: Organize the world's information and make it universally accessible and useful.
Strategic Planning
Strategy lays out the long-term direction to be taken by the organization
It guides organizational efforts and focuses resources toward specific, clearly defined goals.
Strategic planning includes
Mission statement
Vision statement
Values statement
Coordinated plans for sub units
Creating a Strategic Plan
Organization
Develops a general strategy
Creates specific strategic plans for major divisions
Each level translates those objectives into more specific objectives for the level below
Creating a Strategic Plan
Strategic goals are translated into tasks that are:
Specific
Measurable
Achievable
Realistic
Timely
Planning Levels
Strategic Planning
Focus of five or more years
Strategic plan separated into strategic goals for each department
Tactical Planning
Focus of one to three years
Breaks strategic goals into a series of incremental objectives
Planning Levels
Operational Planning
Organizes the ongoing, day-to-day performance of tasks
Includes clearly identified coordination activities across department boundaries
Communications requirements
Weekly meetings
Summaries
Progress reports
Strategic Plan Elements
Introduction by senior executive
Executive Summary
Mission Statement and Vision Statement
Organizational Profile and History
Strategic Issues and Core Values
Program Goals and Objectives
Management/Operations Goals and Objectives
Appendices (optional)
Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets, etc.
10 Tips For Strategic Planning
1. Create a compelling vision statement
2. Embrace the use of a balanced scorecard approach
3. Deploy a draft high-level plan early, and get input from stakeholders
4. Make the evolving plan visible
10 Tips For Planning (cont.)
5. Make the process invigorating for everyone
6. Be persistent
7. Make the process continuous
8. Provide meaning
9. Be yourself
10. Have fun
Planning For InfoSec Implementation
Commonly the CISO directly reports to the CIO.
The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans
The CISO plays a more active role in planning the details
CISO Job Description
Creates a strategic information security plan with a vision for the future of information security
Understands the fundamental business activities performed by the company
Suggests appropriate information security solutions that uniquely protect these activities
Improves the status of information security by developing:
action plans
schedules
budgets
status reports
top management communications
Planning for Information Security
CIO: translates the strategic plan into departmental and InfoSec objectives
CISO: translates InfoSec objectives into tactical and operational objectives
Implementation can now begin
Implementation of information security can be accomplished in two ways
Bottom-up
Top-down
Bottom-Up Approach
Grass-roots effort
Individual administrators try to improve security
No coordinated planning from upper management
No coordination between departments
Unpredictable funding
Top-Down Approach
Strong upper management support
A dedicated champion
Assured funding
Clear planning and implementation process
Ability to influence organizational culture