BUSINESS CASE FOR INFORMATION SECURITY PROGRAM
Developed and presented by: William Godwin, 3/12/2014
© 2014
Background
- Safeguards the company's most important asset: CORPORATE INFORMATION
- Establishes a formal program and standard to:
  - Safeguard the confidentiality, integrity and availability of information
  - Determine the company's risk appetite
  - Categorize data and information assets
  - Establish an appropriate security control baseline
  - Assess the risk of compromise
  - Comply with governing regulations and corporate governance
Value
- Identifies IT Operations as a business enabler
- Establishes security benchmarks and assessment targets that can mature as threats evolve and become more sophisticated
- Aligns IT services with the company's mission
- Delivers a long-term information security strategy
- Mitigates threats and risks effectively and reduces incidents
- Drives scalable processes and IT solutions
- Provides insight to:
  - Optimize management of the IT operations budget
  - Promote an organizational structure that integrates the program
  - Support organizational maturity
Scope
- Organization position/posture
  - Data categorization of critical departments
- Risk appetite
  - Determine the company's tolerance for risk exposure
- Business impact analysis
  - Determine the criticality of departments and their supporting resources
- Develop strategy, plan, implement and execute
- Cultivate continuous improvement opportunities
Organization Position/Posture
- Develop the implementation strategy, using the output of the Data Categorization and Risk Appetite exercises (Ref. slide #6 and slide #7)
- Garner support from organization leadership
  - Large/enterprise organizations may have multiple executives whose support is needed
- Obtain operational leadership buy-in
  - Operational managers need to be made aware of their roles and expectations
- Develop and establish corporate standards and requirements for information security
Data Categorization
- Defines broad classes of information created, stored and/or delivered by the company
- Allows logical groupings based on criticality to the business
- Determines each class's sensitivity to unauthorized access, unauthorized modification or loss of availability
- Aids in:
  - Establishing a security baseline for protecting sensitive data
  - Identifying business exposure
  - Determining the impact on the company should data be compromised
  - Permitting executives to set priorities based on the criticality of data
Determine & Establish Risk Appetite
- Risk appetite is the level of risk exposure the company is willing to accept; the company implements the level of information security control appropriate to that appetite.
- For each information system, the level of control required is driven by the sensitivity of the data it stores, processes or transmits (Ref. slide #6).
- Sensitivity is determined by the criticality of the data to the company's mission and by applicable regulatory requirements.
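The data categorization and risk appetite exercises on the two slides above can be expressed as a small, repeatable model so that the resulting control baseline and priority list do not depend on who fills in the spreadsheet. The following Python is an added worked example, not code from the original deck. Everything in it beyond what the slides state is an assumption made for illustration: the three impact levels for each of confidentiality, integrity and availability (modelled on FIPS 199-style categorization), the high-water-mark rule that an asset is as sensitive as its worst-case impact, the encoding of risk appetite as a one-level shift of the baseline, the rule that regulated data never drops below its own sensitivity, and the constructed asset inventory.

```python
"""Worked data categorization example (added for illustration; not from the
original deck).

Assumed model, not defined on the slides: each data asset is rated
LOW/MODERATE/HIGH for confidentiality, integrity and availability; its
sensitivity is the highest of the three (a high-water mark); the control
baseline is derived from that sensitivity, shifted by the company's risk
appetite, except that regulated data never drops below its own sensitivity
because the obligation is external to the company.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Risk appetite, expressed as how many baseline levels the company is willing
# to shift relative to an asset's sensitivity (assumed encoding).
RISK_APPETITE = {"averse": +1, "neutral": 0, "tolerant": -1}


@dataclass(frozen=True)
class DataAsset:
    name: str
    department: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    regulated: bool = False  # subject to an external regulation


def sensitivity(asset: DataAsset) -> Impact:
    """High-water mark: an asset is as sensitive as its worst-case CIA impact."""
    return Impact(max(asset.confidentiality, asset.integrity, asset.availability))


def control_baseline(asset: DataAsset, appetite: str) -> Impact:
    """Pick the control baseline (LOW/MODERATE/HIGH) for an asset.

    A risk-averse company applies one level more control than sensitivity
    alone requires; a risk-tolerant one accepts one level less.  Regulated
    data is pinned at its sensitivity because the obligation is external.
    """
    level = sensitivity(asset)
    shifted = level + RISK_APPETITE[appetite]
    clamped = Impact(min(max(shifted, Impact.LOW), Impact.HIGH))
    if asset.regulated and clamped < level:
        return level
    return clamped


def prioritize(assets):
    """Order assets for executive attention: highest sensitivity first,
    regulated data ahead of unregulated data at the same level."""
    return sorted(assets, key=lambda a: (-sensitivity(a), not a.regulated, a.name))


def department_exposure(assets):
    """Business exposure: the highest sensitivity held by each department."""
    exposure = defaultdict(lambda: Impact.LOW)
    for a in assets:
        exposure[a.department] = max(exposure[a.department], sensitivity(a))
    return dict(exposure)


# Constructed sample inventory (not real company data).
INVENTORY = [
    DataAsset("payroll records", "HR", Impact.HIGH, Impact.HIGH, Impact.MODERATE, regulated=True),
    DataAsset("customer contact list", "Sales", Impact.MODERATE, Impact.LOW, Impact.LOW),
    DataAsset("public product catalog", "Marketing", Impact.LOW, Impact.MODERATE, Impact.LOW),
    DataAsset("order processing database", "Operations", Impact.MODERATE, Impact.HIGH, Impact.HIGH),
    DataAsset("cafeteria menu", "Facilities", Impact.LOW, Impact.LOW, Impact.LOW),
]


if __name__ == "__main__":
    for appetite in ("averse", "neutral", "tolerant"):
        print(f"--- risk appetite: {appetite}")
        for asset in prioritize(INVENTORY):
            print(f"{asset.name:28s} sensitivity={sensitivity(asset).name:8s} "
                  f"baseline={control_baseline(asset, appetite).name}")
    print("department exposure:",
          {d: i.name for d, i in department_exposure(INVENTORY).items()})
```

Running the script with the three appetites side by side shows the practical consequence of the slide's point: the same inventory yields three different baseline assignments, and only the regulated payroll records keep the HIGH baseline under a "tolerant" appetite. The public product catalog comes out MODERATE even though its confidentiality is LOW, because integrity (a defaced catalog) sets its high-water mark; that is the kind of result the categorization exercise is meant to surface before controls are chosen.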
Business Impact Analysis
- Categorize and analyze critical business departments/divisions
- Create a priority list of the most sensitive business functions
- Create a priority list of supporting resources
  - Human resources
  - Information technology resources
- Establish information security requirements
- Identify and implement baseline security controls to reduce risk
Strategy, Plan, Implement & Execute
- Strategy
  - Identify the desired service capability and control coverage (Ref. slide #10)
  - Identify and gather regulatory requirements and corporate governance
  - Develop and execute a strategic plan for program implementation
- Planning for critical IT assets
  - Establish operating authority (typically an executive authorizes the system to operate)
  - Document the system Security Plan
  - Develop the system IT Contingency Plan
  - Develop the Configuration Management & Control Plan
  - Develop the system Incident Response Plan
- Implement
  - Implement the security controls specified in the Security Plan
- Execute
  - Conduct a threat assessment
  - Conduct an initial risk assessment
  - Mitigate security exposure to acceptable levels
  - Conduct a final security test to validate that the controls are implemented as specified
Information Security Model

Model Terms & Glossary
Capability: Defines "what": the information security processes, process areas or disciplines.
Coverage: Defines "how much": the amount of control, and the timeline over which it should be applied.
Control: Managing obligations to the business, stakeholders and customers, and demonstrating that they are met.
[Figure: model chart plotting Capability (levels 1 to 5) against Coverage (0%, 25%, 50%, 75%, 100%), with Control as the third dimension. Labels on the chart: Optimal Path (Timeline), ROI & Cost-efficiency, Risk & Compliance Objectives, Info Security Mission & Goals.]
Capability | Processes are ...                         | Coverage
-----------|-------------------------------------------|---------
1          | Ad hoc and disorganized                   | 0%
2          | Repeatable (generally consistent pattern) | 25%
3          | Documented and communicated               | 50%
4          | Monitored and measured                    | 75%
5          | Measured and improved                     | 100%
Primary Drivers (maturing to a proactive posture)
Capability: Process discovery and re-engineering to align the information security program with business and security requirements.
Coverage: Integrate the required regulations and observe areas for control enhancement.
Control: Risk- and compliance-based categorization and prioritization of information assets and processes.
The degree and complexity of controls are driven by the enterprise's risk appetite and applicable compliance requirements.
Source: SEI, Carnegie Mellon, 2008
Continuous Improvement Opportunities
- Identify success/fail requirements for the program
- Identify metrics applicable to the organization, for example:
  - Total vulnerabilities
  - Residual risk
  - Total incidents
  - Change in vulnerabilities and incidents over time
  - Change in IT system operational budget
Conclusion
- Helps organization leaders identify and prioritize business units and supporting IT systems based on criticality
- Enables effective financial planning for IT Operations and Security
- Supports compliance with regulatory requirements and governance
- Enables effective management of risk to IT systems
- Improves IT service capabilities through process maturity