2. Are you a roadblock to progress?
Information security must evolve from just an IT project to the core of critical business decisions.
As an Information Security Leader, you must protect enterprise data from compromise AND drive innovation at the same time.
Gartner, Inc. (2014). Information Security. Retrieved from Gartner: http://www.gartner.com/technology/topics/information-security.jsp
3. Are you supporting your organization’s outcomes or inhibiting them?
What do your peers think?
4. How do other executives see our jobs?
To the average senior executive, security seems easy: lock the doors and post a guard.
“Use all of that money that has been allocated to IT and come up with the entirely safe computer.”
“Stop talking about risks and vulnerabilities and solve the problem.”
Information security is complex, and to non-practitioners the simple solutions often look like the best ones.
Sherizen, S. (2000). The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products. Retrieved from IT Today: http://www.ittoday.info/AIMS/DSM/82-01-32.pdf
5. Compliance enforcer and advisor
As our IT environment grows, so do the legal requirements we must consider to comply with laws and regulations.
We assist management in making sure that the organization is in compliance with the law.
What can we offer?
Sherizen, S. (2000). The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products. Retrieved from IT Today: http://www.ittoday.info/AIMS/DSM/82-01-32.pdf
Business enabler and company differentiator
The internet has changed how organizations offer goods and services. Information security must provide a value-added way of offering ease of interaction as well as security and privacy for customer activities.
We provide security to differentiate our organization by including security at no extra charge alongside the goods and services our organization offers. This can boost customer satisfaction and encourage further use of online activities.
Total quality management contributor
Quality is directly related to information security. CIA (confidentiality, integrity, and availability) allows an organization to offer customer service that is protected, personal, and convenient.
We combine proper controls over processes, machines, and personnel, balancing our organization’s needs for production and protection. Our information security programs boost online transactions by helping customers see them as safe and reliable.
“Peopleware” controller
Information security helps control the unauthorized behavior of people through need-to-know and segregation-of-duties policies.
We translate managerial decisions into information security policies, programs, and practices. We structure authorized usage and detect unauthorized usage.
6. How can we quickly and strategically become more proactive?
The answer is not a technology, product, or vendor.
8. My Situation
Mid-sized business unit
Fewer than 1000 people
Multiple countries with varied regulatory requirements
Relatively consolidated IT team
Enormous change throughout our organization
Security had a reputation for being disruptive and a bottleneck
New staff carry over their expectations from prior roles
Proactive security is a recent way of thinking
9. The Tool: A Questionnaire
Organizations may conduct an information security review before changing their systems
Often informal and poorly documented
Reviews are rarely built into a change process
Still appropriate for today's business and regulatory environment?
Develop a standard questionnaire to be completed as part of the change process
Complete the questionnaire as early in the process as possible
Responsibility for the change
Technical security impacts
Physical security considerations
Logical security requirements
Disaster recovery and business continuity
Overly, M. R., Howell, C. T., & Scarano, R. M. (2012, February 1). A Proactive Approach to Information Security in Health Information Technology Procurements. (Foley & Lardner LLP) Retrieved from Association of Corporate Counsel: http://www.acc.com/legalresources/quickcounsel/apatisihit.cfm
(Diagram: the questionnaire covers availability, integrity, and confidentiality.)
10. Privacy & Security Impact Assessment
Decision-making tool used to identify and mitigate risks associated with new or changing systems
Helps us understand how sensitive data is to be collected, used, shared, accessed, and stored
Required:
Before sending business requirements for development
Before operationalizing new systems
As part of the change process
Completed by those who best understand the change
Reviewed by those who best understand privacy & security implications
Approved PSIAs available for review within the organization
United States Department of Homeland Security. (2014, January 30). Privacy Compliance. Retrieved from Homeland Security: http://www.dhs.gov/privacy-compliance
11. I didn’t invent this.
Recommended by leading information security organizations:
ISACA
SANS
United Kingdom National Health Service
United States Securities and Exchange Commission
United States Department of Defense
United States Department of Health and Human Services
12. My Approach
Advantages:
Easy to understand
Completed in minutes
Addresses confidentiality, integrity, and availability
Disadvantages:
Captures only basic info
Qualitative assessment; not a quantitative risk analysis
Requires short training and expert review
13. 1 Page, 2 Sections, 10 Questions
1. How sensitive is the information (how is it classified)?
2. What Personally Identifiable Information is used?
3. Which types of Protected Health Information are used?
4. Which critical systems are affected?
5. How will the information be used (a summary of the requirements)?
6. Are any third parties involved? If so, which ones?
7. If database changes are needed, what kinds?
8. Where is the production equipment physically located?
9. What is the business continuity impact?
10. What access rights will be needed and for whom?
14. Review
Weekly review with interested parties
If we have questions, we reach out to the person who completed the PSIA and/or the project sponsor
Formal signoff on approval
Otherwise, new requirements or controls are communicated
15. Results
Integrate security into processes
Security is now considered when business requirements are documented
Build a culture of security
Over time, security requirements are thought of by other staff throughout the organization
Address issues before they become threats
Reviewing and discussing issues before work begins helps to control costs, deliver on time, and position security as a friend to the organization
Provide assurance to your executive team
Addressing issues before they become threats allows us to focus on reacting to external threats