Business case for information security program

1. BUSINESS CASE FOR INFORMATION SECURITY PROGRAM
   Developed and Presented by: William Godwin, 3/12/2014
   © 2014

2. Background
   - Safeguards the company's most important asset: CORPORATE INFORMATION
   - Establishes a formal program and standard to:
     - Safeguard Confidentiality, Integrity, and Availability of information
     - Determine the company's risk appetite
     - Categorize data and information assets
     - Establish appropriate security control baseline
     - Assess risk of compromise
     - Comply with governing regulations and corporate governance

3. Value
   - Identify IT Operations as a business enabler
   - Establish security benchmarks and determine assessment targets capable of maturing as threats evolve and become more sophisticated
   - Aligns IT Services with the company's mission
   - Delivers long-term information security strategy
   - Effectively mitigate threats and risks and reduce incidents
   - Drive scalable processes and IT solutions
   - Provides insight to...
     - Optimize IT operations budget management
     - Promote organizational structure to integrate program
     - Conducive to organizational maturity

4. Scope
   - Organization Position/Posture
   - Data categorization of critical departments
   - Risk Appetite
     - Determine company's tolerance to risk exposure
   - Business Impact Analysis
     - Determine criticality of departments and supporting resources
   - Develop Strategy, Plan, Implement and Execute
   - Cultivate Continuous Improvement Opportunities

5. Organization Position/Posture
   - Develop strategy for implementation. Reference output from Data Categorization & Risk Appetite exercise (Ref. slide #6 & slide #7)
   - Garner support from organization leadership
     - Large/Enterprise organizations may have multiple executives
   - Obtain operational leadership buy-in
     - Operational Managers will need to be made aware of their roles and expectations
   - Develop & establish corporate standards and requirements for information security

6. Data Categorization
   - Defines broad classes of information created, stored, and/or delivered by the company
   - Allows for logical groupings based on criticality to the business
   - Determines data sensitivity levels to unauthorized access, modification or loss of availability
   - Aids to...
     - Establish security baseline for protecting sensitive data
     - Identify business exposure
     - Determine impact on company should data become compromised
     - Permit executives to organize priority based on criticality of data

7. Determine & Establish Risk Appetite
   - Company may implement appropriate level of information security control based on the risk appetite.
   - Risk Appetite is determined by establishing the sensitivity of data stored, processed or transmitted by an information system. (Ref. slide #6)
   - Sensitivity is determined by understanding the criticality of the data to the company's mission or regulatory requirements.

8. Business Impact Analysis
   - Categorize and analyze critical business departments/divisions
   - Create priority list of most sensitive business functions
   - Create priority list of support resources
     - Human Resources
     - Information Technology Resources
   - Establish information security requirements
   - Identify and implement baseline security controls to reduce risk

9. Strategy, Plan, Implement & Execute
   - Strategy
     - Identify desired service capability and control coverage (Ref. slide #10)
     - Identify and gather regulatory requirements and corporate governance
     - Develop and execute strategic plan for program implementation
   - Planning for critical IT assets
     - Establish operation authority (typically an executive authorizes system to operate)
     - Document system Security Plan
     - Develop system IT Contingency Plan
     - Develop Configuration Management & Control Plan
     - Develop system Incident Response Plan
   - Implement security controls as specified within the security plan
   - Execute
     - Conduct threat assessment
     - Conduct initial Risk Assessment
     - Mitigate security exposure to acceptable levels
     - Conduct final security test to validate control implementation

10. Information Security Model

    Model Terms & Glossary
    - Capability: Defines "what" information security process or process areas or disciplines.
    - Coverage: Defines the "amount" of control and timeline coverage that should be applied.
    - Control: Managing obligations to the business, stakeholders, customers and demonstrating it.

    [Figure: Capability (levels 1 to 5) plotted against Coverage (0% to 100%), with an "Optimal Path (Timeline)" rising from level 1 / 0% to level 5 / 100%. Primary Drivers shown on the chart: Info Security Mission & Goals, Risk & Compliance Objectives, ROI & Cost-efficiency, Control.]

    Capability | Processes are ...                         | Coverage
    -----------|-------------------------------------------|---------
    1          | Ad Hoc & Disorganized                     | 0%
    2          | Repeatable (generally consistent pattern) | 25%
    3          | Documented and communicated               | 50%
    4          | Monitored and measured                    | 75%
    5          | Measured and improved                     | 100%

    Maturing to Proactive Posture
    - Capability: Process Discovery and Re-engineering to support Information Security program alignment with business and security requirements.
    - Coverage: Integrate required regulations and observe areas for control enhancement.
    - Control: Risk and Compliance based categorization and priority of information assets and processes. The degree and complexity of controls are driven by the enterprise's risk appetite and applicable compliance requirements.

    Source: SEI, Carnegie Mellon 2008

11. Continuous Improvement Opportunities
    - Identify success/fail requirements
    - Identify metrics applicable to the organization. Examples such as...
      - Total vulnerabilities
      - Residual risk
      - Total incidents
      - Change in vulnerabilities and incidents
      - IT system operational budget change

12. Conclusion
    - Aids organization leaders to identify and assign priority to business units and supporting IT systems based on criticality
    - Enables effective financial planning for IT Operations and Security
    - Ensures compliance with regulatory requirements and governance
    - Enables effective management of risk to IT systems
    - Improve IT service capabilities through process maturity