Making Executives Accountable for IT Security

How do we make executives accountable for IT Security?

Michael outlines the general challenges, details key items of concern and discusses the focus areas that can be taken to improve the daily governance of IT security in your organization.

Published in: Technology
  1. Making Executives Accountable: Building security into the organization

  2. What we continue to see…
     • Information Security Programs lack support
     • Policies poorly monitored & enforced
     • Organizations are consistently reacting to point-in-time issues regarding security, privacy & asset protection
     Copyright 2007 – Seccuris Inc.

  3. Executives are not accountable. The issues:
     • Executives are busy
     • Communication barriers
     • Unknown accountability
     • Executives are not engaged

  4. Executives are not accountable. The issues:
     • The missing “Tone from the Top”
     • C-Level relationships often poorly aligned
     • Executive involvement not defined
     • The “Super CISO” misconception

  5. Executives are not accountable. The issues:
     • Relevance of Information Security to the business not seen daily
     • Business objectives / goals seldom communicated in an aligned fashion to information security
     • Critical attributes that the company requires are seldom defined in terms information security understands

  6. Executives are not accountable. The issues:
     • Information Security is not industry specific
     • Not seen as a business requirement
     • Roles / practices / language inconsistent
     • Information Security continues to press best practice without considering what the organization's minimum practice should be

  7. Why do we want to make Executives Accountable? The wrong reasons:
     • Misunderstanding responsibility and accountability
     • Deferring the tough decisions to others
     • Dealing with poor visibility or respect of information security (from business units) by hiding behind the executive
     • Gaining leverage to continue poorly understood FUD campaigns
     • Using unwitting executives to drive your poorly justified security “improvements”

  8. Why do we want to make Executives Accountable? The right reasons:
     • Improving understanding of information security within the business
     • Improving communication of the business needs around security and what priorities exist
     • Ensuring consensus of business and asset stakeholders

  9. Why do we want to make Executives Accountable? Focusing on the right reasons:
     • Security should be understood by the business
     • Security should align with and support the business
     • The security program should be defined and agreed to by the executive
     Make executives “want” accountability for information security.

  10. How do we make Executives Accountable? What executive involvement do we need in our Information Security Program?
     Program Area – Requirement:
     • Strategy – Visibility
     • Gap Analysis – Minimum Practices
     • Action Plan – Commitment
     • Performance Measurement – Acknowledgement

  11. Where do we need executive involvement? The Information Security Scorecard should align with the business.
     [Diagram (labels as extracted): Organizational Balanced Scorecard with the Learning & Growth, Business Process, Customer and Financial perspectives; Information Systems Balanced Scorecard; Information Security Balanced Scorecard; boxes for Critical Applications, Business Development, Information Technology, Information Security Management, Computer Networks, Installations, Business Continuity and Risk Management.]

  12. Where do we need executive involvement?
     [Diagram (labels as extracted): Information Security Policy; Information Security Balanced Scorecard; Security Management Dashboard*; Critical Applications, Business Development, Computer Networks, Installations; High-Level Security Direction, Security Organization, Secure Environment, Security Requirements, Security Management Review, Risk Management, Malicious Attack, Special Topics, Acceptances.]
     *Includes KPIs from each aspect of Security Management

  13. How do we make Executives Accountable? How does Information Security want to be involved with executives?
     Role of Security in Management Activities:
     • Planning – Security at the table
     • Directing – Security encouraging / supporting
     • Doing – Involved / aware
     • Reporting – Facilitating
     • Refining – Involved
     Information security should be “built-in” to the organization…

  14. How do we make Executives Accountable? Our focus should be on building information security directly into the business. Alignment of:
     • Governance structure & organizational models
     • Common business & security language
     • Visibility of Information Security in the organization

  15. Building Information Security In. Why does alignment help?
     • Communication of intent, plans & actions
     • Consensus on short term goals and controls
     • Visibility and understanding of long term strategy

  16. Building Information Security In. Why does alignment help?
     • Creates awareness of information security requirements in business terms
     • Involves Information Security in the business
     • Creates accountability & responsibility for information security outside of traditional InfoSec roles

  17. Improving the situation. How do we approach alignment? In general:
     • Education – Executive workshops
     • Requirements gathering – Working with BUs
     • Dialog – On-going 7 minute meetings
     • Long term planning – Defining plans over time

  18. Improving the situation: Governance Structure & Organizational Models
     • Defining accountability & responsibility of IT Security
     • Development of good governance structures

  19. Governance Structure & Organizational Models: Defining Accountability & Responsibility for IT Security. Ensure:
     • Asset owners are involved & accountable
     • Practices exist for defining & accepting minimum practices
     • Policy exception & risk acceptance processes exist

  20. Governance Structure & Organizational Models: Development of good governance structures
     [Organization chart (labels as extracted): Council; CEO; COO, CRO, CFO, CIO; CISO; BU Manager, Dept Manager, Security Manager; flow labels Plans, Initiates, Monitors, Reports.]

  21. Improving the situation: Translating business goals & objectives into common attributes
     • Defining common attributes for business drivers
     • Using attributes to map business goals to security controls

  22. Translating business goals & objectives into core attributes for protection: Defining common attributes for business drivers

  23. [Graphic only; no extractable text]

  24. Business Attributes (© SABSA Institute)
     Attribute groups: User Attributes, Management Attributes, Operational Attributes, Risk Management Attributes, Legal / Regulatory Attributes, Technical Strategy Attributes, Business Strategy Attributes.
     Attributes listed on the slide (the column grouping was lost in extraction): Accessible, Automated, Available, Admissible, Brand Enhancing, Access-Controlled, Architecturally Open, Accurate, Detectable, Accountable, Compliant, COTS / GOTS, Change-Managed, Business Enabled, Consistent, Controlled, Error-Free, Assurable, Enforceable, Extendible, Competent, Current, Cost-Effective, Inter-Operable, Assuring Honesty, Insurable, Confident, Flexible / Adaptable, Duty-Segregated, Efficient, Productive, Auditable, Liability Managed, Future-Proof, Credible, Educated & Aware, Maintainable, Recoverable, Authenticated, Resolvable, Legacy-Sensitive, Governable, Providing Good Stewardship and Custody, Informed, Measured, Authorized, Legal, Migratable, Providing Investment Reuse, Motivated, Supportable, Regulated, Multi-Sourced, Capturing New Risks, Protected, Continuous, Confidential, Time Bound, Scalable, Reputable, Reliable, Monitored, Crime-Free, Simple, Culture-Sensitive, Enabling Time to Market, Supported, Flexibly Secure, Standards Compliant, Providing Return on Investment, Timely, Identified, Traceable, Usable, Upgradable, Independently Secure, Anonymous, In Our Sole Possession, Responsive, Integrity-Assured, Transparent, Non-repudiable, Owned, Private, Trustworthy.

  25. Translating business goals & objectives into core attributes for protection: Defining common attributes for business drivers (© SABSA Institute)
     Business Driver – Attributes:
     • BD1 – Protecting the reputation of the organization, ensuring it is perceived as competent in its sector: Credible / Reputable
     • BD16 – Ensuring the organization is at all times compliant with relevant laws and regulations: Compliant
     • BD17 – Maintain the privacy of personal and business information that is stored, processed and communicated: Private
     • BD30 – Minimizing the risk of loss of key customer relationships: Non-repudiable
     • BD41 – Ensuring accurate information is available when needed: Available / Error-Free
     • BD42 – Minimizing the risk of loss of key customer relationships: Enabling Time to Market / Trustworthy

  26. Translating business goals & objectives into core attributes for protection: Using attributes to map business goals to security controls
     Business Attribute: Private (Business Driver BD17)
     • Metric type: Hard. Measurement approach: Reporting of all unauthorized disclosure incidents, including number of incidents per period, severity and type of disclosure. Performance target: Zero successful attempts at unauthorized disclosure. Alerts of unauthorized access attempts produced and delivered to the systems manager and business owner within 30 minutes. Summary reports of the number, severity and type of unauthorized access attempts to private data produced and delivered to the systems manager and business owner monthly.
     • Metric type: Soft. Measurement approach: Independent audit and review with respect to the prevention of unauthorized disclosure of private information. Performance target: System passes review by the audit team to a degree deemed acceptable by the legal department to prevent prosecution under Canadian privacy law.

  27. Improving the situation: Visibility of Information Security in the organization
     • Visualization of the security program
     • Alignment of the program with management activities
     • Provision of on-going education & dialog

  28. Visibility of Information Security: Visualization of the security program [graphic only]

  29. Visibility of Information Security: Alignment of the program with management activities
     Business Attribute(s) – Identified KPI
     CSF: Maintain the privacy of personal and business information that is stored, processed and communicated (BD17)
     KPI: The number of E-mail privacy incidents identified, contained, investigated or closed on a monthly basis.
     E-mail Privacy Incidents, monthly (columns and values as extracted): Identified 45, Investigated 30, Reported 544, Unauthorized Disclosure 311
     Business Logic: If the number of E-mail privacy incidents that resulted in disclosure is more than 1 a month, then show as critical.
     [Chart: E-Mail Privacy Incidents by month, Jan to Dec; series Identified, Inspected, Reported, Unauthorized Disclosure (cont); y-axis 0 to 80.]

  30. Visibility of Information Security: Provision of on-going education & dialog
     • Continuous refining of business attributes
     • Discussion of information security action plans
     • Assessment of changes to the company's priorities and potential impact on the security program
     • Awareness of incidents, short term and long term activities

  31. Improving the situation: Improvements in executive involvement can be made by alignment of these areas
     • Governance Structure & Organizational Models
     • Specific business & security language
     • Visibility of Information Security in the organization

  32. Moving forward: Enabling actionable improvement plans. How do I tell we are improving?
     • Action plans involve Security & Business
     • Initiatives are reviewed by the Executive
     • Improvements to action plans are described in business terms
     • Action plans have an increasing number of Business Unit initiated activities

  33. Moving forward: Integration of security management in business cycles. How do I tell we are improving?
     [Diagram labels: Specialists, Designers, Advisors, Reviewers]

  34. Summary
     • We can build security into our organizations by aligning Governance, Language and Visibility
     • By building security in, we involve security directly in the business
     • By involving information security in the business we ensure effective accountability in our executives

  35. Thanks. Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA; Founder & CIO, Seccuris Inc. Email: Michael.Legary@seccuris.com; Direct: 204-255-4490; Main: 204-255-4136; Fax: 204-942-6705
