The document discusses the roles and responsibilities of an Information Security Manager (ISM). It explains that an ISM is responsible for developing, implementing, and managing an information security program to align with the organization's information security strategy and business objectives. This involves directing people, processes, and policies to identify controls, create control activities, and monitor control points. It also requires the ISM to ensure commitment from senior management and cooperation across organizational units. Effective information security programs require balancing security, cost, and business needs.
Understand and apply concepts of confidentiality, integrity and availability, Apply security governance principles,
Understand legal and regulatory issues that pertain to information security in a global context, Develop and implement documented security policy, standards, procedures, and guidelines, Understand business continuity requirements
Contribute to personnel security policies, Understand and apply risk management concepts, Understand and apply threat modeling, Integrate security risk considerations into acquisition strategy and practice, Establish and manage information security education, training, and awareness
Information Security assessment of companies in Germany, Austria and Switzerland, February 2015.
Every day critical security incidents show the drastic extent of "successful" cyber attacks for organizations in terms of monetary and material loss. With the increasing use of digital technologies and the growing spread of mobile and IoT, cyber security is becoming a key factor for companies' successful digital transformation. To analyze current challenges, trends and the maturity of companies' state of information security, Capgemini Consulting DACH conducted a survey in Germany, Austria and Switzerland. The 2014 Information Security Benchmarking Study shows that information security is insufficiently embedded in most companies' business strategy and operations to effectively safeguard organizations against current cyber threats.
https://www.de.capgemini-consulting.com/resources/information-security-benchmarking
Security Framework for Digital Risk Management (Securestorm)
A cyber security governance framework and digital risk management process for OFFICIAL environments in UK Government. A pragmatic and proportional information risk management process which can be used at speed, and is compatible with Agile projects. This is released under a Creative Commons; Attribution-Non Commercial-Share Alike 4.0 International License.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word Document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.
Implementing Business Aligned Security Strategy (Dane Warren)
This was presented at the AISA national seminar day. It is a helicopter view on how to implement a security strategy that is aligned with the business.
The growing costs of security breaches and manual compliance efforts have given rise to new data security solutions specifically designed to prevent data breaches and deliver automated compliance. This paper examines the drivers for adopting a strategic approach to data security, compares and contrasts current approaches, and presents the Return on Security Investment (ROSI) of viable data security solutions.
Cybersecurity Governance for Boards of Directors (Paul Feldman)
This paper discusses the emerging issue of Board of Directors Governance and Cybersecurity. Originally presented to the Boards of Directors of the IRC http://www.isorto.org/Pages/Home in May 2014. The paper is in a continuous improvement mode ultimately targeting being a resource for Boards of Directors in the energy (electricity and natural gas) industry. Suggested updates and improvements are welcome at PaulFeldman@Gmail.com The current copy is always at http://www.EnergyCollection.us/456.pdf
A to Z of Information Security Management (Mark Conway)
The purpose of information security is to protect an organisation’s valuable assets, such as information, Intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance to the ISO27001 Information Security standard.
Vertical in CISA certification and Five Domains in CISA (arjunnegi34)
CISA certification validates expertise in auditing, controlling, and ensuring IT systems. Its five domains cover auditing, governance, risk management, information security, control assurance, ensuring comprehensive knowledge.
Protecting business interests with policies for it asset management it-tool... (IT-Toolkits.org)
Where is that laptop? Who has that printer? Do we have sufficient software licenses for every user? These are the types of questions IT asset management is meant to answer. As an operational practice, IT asset management serves multiple purposes, as reflected in the list below:
Asset management practices are used to minimize the risk that investments made in technology (hardware, software and training) will be lost due to theft, destruction or other damage.
Asset management practices are used to ensure that technology assets are properly allocated to end-users to optimize usage and workplace productivity.
Asset management practices are used to simplify technical support and maintenance requirements.
Asset management practices are used to lower IT “cost of ownership” and maximize IT ROI.
Asset management practices are used to ensure that software licensing is in full compliance, minimizing the risk of legal and regulatory problems.
Asset management practices are used to support “sister” policies for disaster recovery, email usage, data security, and technology standards.
Fundamentals of data security policy in I.T. management it-toolkits (IT-Toolkits.org)
We all know that I.T. stands for "information technology" and that's no accident. In fact, it's a reflection of the primary mission of every I.T. organization: to provide the means and methods for creating, storing, transmitting, printing and retrieving business-related information. By design, this operational mission is driven by the need to "protect", which also includes preventing unauthorized access, uncontrolled modification and unwarranted destruction. The priorities are self-evident: data integrity is vital, and vital needs must be met with purpose and commitment. The tricky part is to balance vital interests with the associated costs and operational overhead. This is the higher purpose of data security and the goal of related policy development.
This is a presentation template for anyone interested in making a case for a web-based security awareness and training program within their company. It is free for all to use and change accordingly.
2. 27-Feb-14
2
Copyright@2014 Al-Taysir for Information Systems Security Consulting LLC
Introduction
Information Security Program Development Overview
Roles and Responsibilities
Scope and Charter
Information Security Program Development Objectives
Defining an Information Security Program Roadmap
Information Security Program Resources
Implementing Information Security Program
Information Infrastructure and Architecture
Physical and Environmental Controls
Information Security Program Metrics
Summary
3.
Establish and manage the information security program in alignment with the information security strategy.
The content area in this chapter will represent approximately 25% of the CISM examination.
Establish and maintain the information security program in alignment with the information security strategy.
Ensure alignment between the information security program and other business functions (for example, human resources [HR], accounting, procurement and IT) to support integration with business processes.
Identify, acquire, manage and define requirements for internal and external resources to execute the information security program.
Establish and maintain information security architectures (people, process, technology) to execute the information security program.
4.
Establish, communicate and maintain organizational information security standards, procedures, guidelines and other documentation to support and guide compliance with information security policies.
Establish and maintain a program for information security awareness and training to promote a secure environment and an effective security culture.
Integrate information security requirements into organizational processes (for example, change control, mergers and acquisitions, development, business continuity, disaster recovery) to maintain the organization’s security baseline.
Integrate information security requirements into contracts and activities of third parties (for example, joint ventures, outsourced providers, business partners, customers) to maintain the organization’s security baseline.
Establish, monitor and periodically report program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
Methods to align information security program requirements with those of other business functions
Methods to identify, acquire, manage and define requirements for internal and external resources
Information security technologies, emerging trends (for example, cloud computing, mobile computing) and underlying concepts
Methods to design information security controls
Information security architectures (for example, people, process, technology) and methods to apply them
Methods to develop information security standards, procedures and guidelines
5.
Methods to implement and communicate information security policies, standards, procedures and guidelines
Methods to establish and maintain effective information security awareness and training programs
Methods to integrate information security requirements into organizational processes
Methods to incorporate information security requirements into contracts and third-party management processes
Methods to design, implement and report operational information security metrics
Methods for testing the effectiveness and applicability of information security controls
6.
The creation and maintenance of a program to implement the information security strategy.
The strategy is the approach to achieving the objectives of information security that support the business goals of the organization.
Information security program management includes directing, overseeing and monitoring information-security-related activities in support of organizational activities.
In most organizations information security management is seen as a technology-related function, usually under IT
Privacy and security of information is now a significant market pressure within many industries
Legal requirements in many countries now demand:
The protection of personal information
Specific retention policies for certain types of information
Public disclosure of diligence activities
7.
Achieving adequate levels of information security at a reasonable cost requires thorough, efficient and effective management.
Properly designed, implemented and managed, information security provides critical support for many business functions that would not be feasible without it.
Provides executive management with:
Ways to mitigate information risks
A method to achieve organization goals and objectives related to information security
Many risk underwriters now value effective security management programs so highly that they offer discounts on insurance premiums if they find an organization’s security program to be highly effective
The importance of information security is broadly recognized, but it is not ubiquitously supported
The ISM should educate senior officers concerning best practices in information security management
Information risk control objectives, risk tolerance, mission-critical functions and baseline security should be clearly identified
8.
Security objectives must align with business objectives and constraints
Appropriate and sustainable baseline security controls should be established and supported by management
Understanding that outstanding risk or threat situations, at times, may create the need for additional control investments
The ISM should try hard to use information security metrics that concisely demonstrate to management the importance of information security
Level 1: Control objectives have been documented in a policy
Level 2: Security control processes have been documented in procedures
Level 3: Supporting procedures have been implemented (stakeholders have been made aware and trained)
Level 4: Policies, procedures and controls are tested and reviewed to ensure continued adequacy
Level 5: Procedures and controls are fully integrated into the culture of the organization
9.
Strategic alignment
Risk management
Value delivery
Resource management
Performance management
Business process assurance
Strategic alignment
Risk management
Value delivery
Resource management
Assurance process integration
Performance measurement
Long Term Goals (Strategic)
Governance
Risk management
Compliance
Short Term Goals (Tactical)
Short-term risk
Threat intelligence
Loss prevention
Support of organizational initiatives
10.
The program adds tactical and strategic value to the organization
The program is being operated efficiently and with concern for cost issues
Management has a clear understanding of information security drivers, activities, benefits and needs
Information security knowledge and capabilities are growing as a result of the program
The program fosters cooperation and goodwill between organizational units
There is facilitation of information security stakeholder and provider understanding of their roles, responsibilities and expectations
To ensure that the ISM understands the broad requirements and activities required to create and maintain a program to implement the information security strategy to achieve business objectives through a number of tasks utilizing the ISM’s knowledge of people, process and technology
11.
System Development Life Cycles (SDLC)
Requirements development
Specification development
Control objectives
Control design and development
Control implementation and testing
Control monitoring and metrics
Architectures
Business process reengineering
Documentation
Risk assessment
Risk management
Quality assurance
Project management
Budgeting
Deployment and integration strategies
Training needs assessments and approaches
Communications
Problem resolution
Variance and noncompliance resolution
12.
Technology itself is not a control—technology is used to implement controls:
It is important for an ISM to recognize where a given technology fits into the basic prevention, detection and recovery scheme
There are numerous technologies relevant to security that the ISM should be familiar with, including:
Firewalls
Routers & switches
IDS, NIDS, HIDS
Cryptographic techniques (PKI, DES)
Digital signatures
Smart cards
An information security program must execute the information security strategy and mitigate information and IT risk at a cost that does not outweigh benefit
Since IT security is an important component of information security governance, the goals of information security and IT security must be aligned
13.
The ISM must understand the governance philosophy and strategic direction of the organization to align information security activities with business objectives
14. 27-Feb-14
14
Copyright@2014 Al-Taysir for Information Systems Security Consulting LLC
High level of previously defined outcomes:
Strategic alignment
Risk management
Value delivery
Resource management
Assurance process integration
Performance measurement
Building an information security program is often a process of comparing existing organizational activity to that which will accomplish organizational security goals
Setting up processes and projects that close the gap is thus essential
The basic work of an ISM is to:
Identify controls
Create control activity
Monitor control points in support of control objectives
Residual risk is risk that remains after controls have been implemented
There will always be some residual risk because:
There is no way to anticipate every event that may cause damage
Resources are limited
The end goal of the ISM’s work is a state where all KGIs have corresponding control objectives that are supported by control activity that is managed and measurable
KPIs should also indicate value delivery, resource management and performance measurement
Programs are comprised of people, processes and policies (PPP):
Individuals whose activities impact the achievement of objectives (people)
The activity of those individuals and that of others whose actions provide constraints on the activity (process)
The influences over the individual in the form of the legislative and ethical environment that affects their decision making (policy)
An ISM must attempt to integrate information security policy into existing sets of people following established processes and policies using existing systems
The ISM must also identify the technologies in use that process the information covered by the information security policy
It is critical that an ISM understands that effective security goes far beyond the scope of information security activities
Activities, disciplines and functions of other departments have implications for information security
The process of setting a program in place and measuring its results involves a great deal of cooperation among everyone in an organization who handles data
Information security program development is not usually hampered by the technology choices available, but rather by PPP issues that conflict with program objectives
Organizational resistance due to changes in areas of responsibility introduced by the program
A perception that increased security will reduce access required for job functions
Over-reliance on subjective metrics
Assumptions that procedures are followed without confirming oversight
Ineffective project management, delaying security initiatives
Previously undetected, broken or buggy software
The ISM generally directs people, process and policy to implement the information security program.
The commitment and involvement of senior management is necessary for any security program to be successful.
Senior manager commitment is vital:
Must assign willing participants within their organizations who can integrate the information security program into their day-to-day operations
A program in which senior managers simply rubber stamp plans of the ISM is not effective because the program lacks senior management oversight
Acceptance and support for the strategy and the objectives of the security program is the responsibility of executive management – without it success is unlikely
Usually charged with security program development, implementation and management.
Ensure information security objectives are clearly stated and that those who are assigned security responsibilities understand their roles, are capable of performing them and are accountable for results
Develop information security program objectives
Ensure accountability and responsibility for completing each objective is assigned and understood
Direct People, Processes and Policy (PPP) to effect the information security program
Information security responsibilities must be distributed over a variety of job functions
Almost everyone in an organization must have access to the information that is required to perform their job
The ISM can set clear policy and assist in process coordination, but management in all areas must assist in providing oversight
The main, overarching COBIT 5 product
Contains the executive summary and the full description of all of the COBIT 5 framework components:
The five COBIT 5 principles
The seven COBIT 5 enablers, plus
An introduction to the implementation guidance provided by ISACA (COBIT 5 Implementation)
An introduction to the COBIT Assessment Programme (not specific to COBIT 5) and the process capability approach being adopted by ISACA for COBIT
Meeting Stakeholder Needs
Covering the Enterprise End-to-end
Applying a Single Integrated Framework
Enabling a Holistic Approach
Separating Governance From Management
Enterprises exist to create value for their stakeholders.
Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.
Governance is about negotiating and deciding amongst different stakeholders’ value interests.
The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
For each decision, the following can and should be asked:
Who receives the benefits?
Who bears the risk?
What resources are required?
Stakeholder needs have to be transformed into an enterprise’s practical strategy.
The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
Benefits of the COBIT 5 goals cascade:
It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk.
In practice, the goals cascade:
Defines relevant and tangible goals and objectives at various levels of responsibility.
Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.
Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.
COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
This means that COBIT 5:
Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
Key components of a governance system
COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
COBIT 5 enablers are:
Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT
Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
Described by the COBIT 5 framework in seven categories
The COBIT 5 framework makes a clear distinction between governance and management.
These two disciplines:
Encompass different types of activities
Require different organisational structures
Serve different purposes
Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
Governance
Ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
Management
Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
Leverages the comprehensive view of COBIT 5 while focusing on providing guidance for professionals involved in maintaining the confidentiality, availability and integrity of enterprise information.
The framework provides tools to help understand, utilize, implement and direct core information security related activities and make more informed decisions.
It enables information security professionals to effectively communicate with business and IT leaders and manage risk associated with information, including those related to compliance, continuity, security and privacy.
Updated in 2013
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Conceptual representation of an information security management structure that describes the combination of technical, operational, management and physical security controls in relation to the organization’s technical and operational environments
Should fundamentally describe the information security management components (roles, policies, standard operating procedures, management procedures, security architectures) and their interactions
Ongoing activities that must be completed to ensure information security assurance
Items:
Standard operating procedures
Business operations security practices
Maintenance and administration of security technologies (e.g., identity management, access control administration, and security event monitoring and analysis)
The ISM should determine the operational components that are needed to implement policies and standards
Should subsequently plan for deployment, monitoring and management of operational components
Because many operational components fall outside of the information security domain (e.g., patching procedures), the ISM should leverage IT, business units and other resources to ensure that operational needs are thoroughly covered
For each operational component, the ISM should:
Identify the component owner
Collaborate to document key information needed for effective fulfillment of the component
Components:
Requirement and policy establishment
Strategic implementation activities
Oversight of execution
These are generally activities that take place less frequently than operational components:
Most often the responsibility of middle and senior management
Some issues, particularly those around oversight, can escalate to the board level
High-level management requirements and policies are critical in shaping the rest of the information security program
The ISM must ensure that this process is executed with appropriate consideration to legal, regulatory, risk and resource issues
Analysis of assets, threats, risks and organizational impacts should inform the process of developing policies and requirements
The ISM should be flexible in making adjustments to policies and objectives during the initial stages of the program
After requirements are established, the ISM must develop strategies that:
Ensure that strategic decisions are made in support of operational and technical implementation
Address needs such as financial support, personnel hiring, and establishing realistic timelines
The ISM must ensure that these strategies remain at a high enough level to avoid unnecessarily constraining implementation options, while effectively communicating enough detail to permit understanding of direction, goals and constraints during implementation
During development of operational and technical program components, management oversight ensuring fulfillment of requirements and adherence to strategic direction must occur
Depending on the components involved, management oversight forums might occur monthly, quarterly or annually
The ISM must establish:
An appropriate frequency for oversight activities that is driven by the rate of change in the involved program
Channels outside of the established management oversight process in the event that an issue is too significant to wait
Ensure that financial, HR and all management functions are effective.
Establish a working rapport with the organization’s:
Finance department (because of changes in financial realities)
HR (e.g., in adhering to established procedures)
Larger information security management programs must also develop an efficient organizational structure with appropriate layers of management and supervisory personnel
Effort management functions require the ISM to balance project efforts and ongoing operational overhead with staff headcount, utilization levels and external resources
Because the optimal number of resources is almost never available, efforts must be prioritized
The ISM should work with the steering committee and executive management to determine priorities and to establish consensus on what project items to delay because of resource constraints
Spikes in activity or unexpected project efforts can often be addressed with third-party resources
Document and ensure that executive management understands the risk implications of moving an initiative ahead without full security diligence
It is up to executive management to decide if the initiative is important enough to warrant the risk
When this occurs, the ISM should utilize the first available opportunity to revisit uncertified systems or initiatives
To ensure that the existing security environment operates as needed, security operational resources should only be diverted to project efforts if they are not fully utilized
Employee education and awareness regarding security threats and practices that pertain to employee responsibilities
General organizational policies and procedures, such as appropriate use policies and employee monitoring policies, should be communicated and administered at the organization’s HR level
Collaborate with HR and business units to identify information security education needs
Though the key goals of strategic alignment, risk management, value delivery, resource management, assurance process integration and performance measurement are universal, what each means to a given organization needs to be defined. To help in this process a roadmap can be developed.
Roles and responsibilities matrix
An ISM must understand the general risk appetite of an organization to determine whether gaps in an information security program exist or whether they have reached acceptable levels
The Systems Development Life Cycle process that allows a security “tollgate” review.
Key criteria in selecting technical elements:
Adoption of a security architecture
The ability to formally delegate responsibility for operating within it
It is rare that an ISM begins information security program development with a blank slate, so it is critical that the ISM be able to evaluate the security level of the existing data, applications, systems, facilities and processes
All security reviews need to have:
An objective
A scope
Constraints
An approach
A result
Basis for an Action Plan
Once organizational roles and responsibilities are appropriately established and an inventory is taken of the required vs. existing technology and processes, identify where control objectives are not adequately supported by control activities
The procedure for continuously monitoring achievement of control objectives is established
An initial information security program should evolve and mature
Infrastructure:
the underlying base or foundation upon which information systems are deployed
Security infrastructure:
the foundation that enables security resources to be deployed
When infrastructure is designed and implemented consistent with policies and standards, the infrastructure is said to be secure
Information security architecture should be used to achieve information security control objectives
Providing a Framework and Roadmap
Architecture acts as a roadmap for projects and services that must be integrated
Simplicity and Clarity through Layering and Modularization
Information systems architecture must take account of:
▪ The goals that are to be achieved through the systems
▪ The environment in which the systems will be built and used
▪ The technical capabilities of the people to construct and operate the systems and their component subsystems
Business Focus Beyond the Technical Domain
Architecture is concerned with more than technology.
Objectives of complex systems must be comprehensively defined and precise specifications developed
Their structures engineered and tested for form, fit and function
Their performance monitored and measured in terms of the original design objectives and specifications.
SABSA
Developed to address the need for an overall comprehensive model for information systems.
Can utilize COBIT, ITIL and ISO/IEC 27001
SABSA Six layers
Contextual Security Architecture
Conceptual Security Architecture
Logical Security Architecture
Physical Security Architecture
Component Security Architecture
Operational Security Architecture
Given that input is the major source of damage to most systems, all systems should have security mechanisms to validate input
Preventing harm due to unauthorized access is fundamental to the security program
Most system configurations have some type of access control lists
Information systems should be monitorable and recoverable
They should have logs that produce alerts
Security mechanisms must result in “defense in depth”
When gathering information used to make architecture decisions, the ISM must constantly shift focus between:
Business requirements
The infrastructure engineer’s perspective
Operations support
End users
Financial planner
Engineer
Operations support manager
Must also maintain a sharp focus on:
Security requirements
How security features of platforms can be used to provide layered security
Security architecture requires
Balancing requirements
Finding a way to meet requirements with available
What are you trying to do at this layer?
The assets to be protected by your security architecture.
Why are you doing it?
The motivation for wanting to apply security, expressed in the terms of this layer.
How are you trying to do it?
The functions needed to achieve security at this layer.
Who is involved?
The people and organizational aspects of security at this layer.
Where are you doing it?
The locations where you apply your security, relevant to this layer.
When are you doing it?
The time-related aspects of security relevant to this layer.
The ISM must plan personnel resources around the technical and administrative skills required to effectively operate the program. Roles include:
Security engineers
Policy specialists
Access administrators
Project managers
Compliance liaisons
Security architects
Awareness coordinators
The ISM must ensure that personnel within the security organization, as well as other responsible organizations, maintain the appropriate skills needed to carry out program functions
Each organization’s skill requirements vary, generally revolving around the existing information systems and security technologies implemented
Skills that are only rarely needed are best acquired through service providers such as integrators or consulting firms.
When faced with the need for a specialized skill, the ISM should analyze the cost, timing and intellectual capital implications of hiring staff vs. using an external service provider
An active security awareness program can greatly reduce risks by addressing the behavioral element of security through education
Focus on common user security concerns such as password selection, appropriate use of computing resources, e-mail and web browsing safety, and social engineering
Users are the front line for the detection of threats that may not be detectable by automated means
Employees should be educated on recognizing and escalating such events
Simple quizzes
Reminders such as posters, newsletters, or screen savers
A regular schedule of refresher training
In larger organizations, special management-level training on information security awareness and operations issues is desirable
Computer-based security awareness & training programs
E-mail reminders and security tips
Written security policies and procedures (and updates)
Nondisclosure statements signed by the employee
Use of different media in promulgating security
Visible enforcement of security rules
Simulated security incidents for improving security procedures
Rewarding employees who report suspicious events
Periodic reviews
Job descriptions
Performance reviews
All employees of an organization and, where relevant, third-party users must receive appropriate training and regular updates on the importance of security policies, standards and procedures in the organization
For new employees, this should occur before access to information or services is granted and be a part of new employee orientation
The ISM must be methodical in developing and implementing the education and awareness program and needs to consider various aspects including:
Who is the intended audience (management, business managers, IT staff, users)?
What is the intended message (policies, procedures, recent events)?
What is the intended result (improved policy compliance, behavioral change, better practices)?
What communication method will be used (computer-based training (CBT), all-hands meeting, intranet, newsletters, etc.)?
What is the organizational structure and culture?
Some of the documentation required will typically include:
Program objectives
Roadmaps
Business cases
Resources required
Documentation
Controls
Budgets
Systems designs/architectures
Policies, standards, procedures, guidelines
Project plan milestones, time lines
KGIs, KPIs, CSFs, other metrics
Training and awareness requirements
Gap Analysis
Prioritization
Budgetary aspects
Portfolio management
The purpose is to capture the reasoning for initiating a project or task, and the business case should include all the factors that can materially affect the project’s success or failure
Must persuasively encompass benefits, costs and risk.
The benefits must be tangible, supportable and relevant to the organization.
Particular attention must be given to the financial aspects of the proposal.
The TCO and risk must be realistically represented for the full life cycle of the project.
It is important to avoid overconfidence, overly optimistic projections and excessive precision for what are likely to be somewhat speculative results.
Should include some or all of the following:
Reference
▪ Project name/reference, origins/background/current state
Context
▪ Business objectives/opportunities, business strategic alignment (priority)
Value Proposition
▪ Desired business outcomes, outcomes road map, business benefits (by outcome), quantified benefits value, costs/ROI financial scenarios, risk/costs of not proceeding, project risk (to project, benefits and business)
Focus
▪ Problem/solution scope, assumptions/constraints, options identified/evaluated, size, scale and complexity assessment
Deliverables
▪ Outcomes, deliverables and benefits planned; organizational areas impacted (internally and externally); key stakeholders
Dependencies
▪ CSFs
Project metrics
▪ KGIs, KPIs
Workload
▪ Approach, phase/stage definitions (project change activities, technical delivery activities, workload estimate/breakdown, project plan and schedule, critical path analysis)
Required resources
▪ Project leadership team, project governance team, team resources, funding
Commitments (required)
▪ Project controls, review schedule, reporting processes, deliverables schedule, financial budget/schedule
Evaluation:
The investment has value and importance.
The project will be properly managed.
The enterprise has the capability to deliver the benefits.
The enterprise’s dedicated resources are working on the highest value opportunities.
Projects with interdependencies are undertaken in the optimal sequence.
Elements of each project that should be considered include:
Employee time
Contractor and consultant fees
Equipment (hardware, software) costs
Space requirements (data center rack space, etc.)
Testing resources (personnel, system time, etc.)
Creation of supporting documentation
Ongoing maintenance
Contingencies for unexpected costs
Acceptable use policy:
User-friendly summary of what should and should not be done to comply with policy
Detail in everyday terms the obligations of all users
Must be communicated to all users
Must be read and understood by all users
Should be provided to new personnel
Rules of use for all personnel include the policies and standards for:
Access control
Classification
Marking and handling of documents
Reporting requirements and disclosure constraints
Rules regarding email and internet use
Problem management typically requires a systematic
approach to understanding the various aspects of the
issue, defining the problem and designing an action
program along with assigning responsibility and assigning
due dates for resolution.
A reporting process should also be implemented for
tracking the results and ensuring that the problem is
resolved
As the information systems environment is continually
going through changes via updates and additions, it is not
unusual for the security controls in place to occasionally
develop a problem and not work as intended.
It is at this point that the ISM must identify the problem
and assign a priority to it.
Benefits:
Specialist skills as needed
Longer-term staff augmentation while recruiting for
open positions
Offloading of routine daily tasks
Outsourced security service providers can deliver
a range of services (e.g., assessment and audit,
engineering, operational support, security
architecture and design, advisory services)
Evaluation of program management components
will reveal the extent of management support
and the overall depth of the program
Very technical, tactically-driven programs are weak in
management components
Thorough documentation of the program itself
Key guidelines and procedures have been reduced to
accessible guidelines and distributed to responsible
parties
Responsible individuals understand their roles and
responsibilities
Roles and responsibilities defined for members of
senior management, boards, etc.
Organization understands and engages its
responsibilities
Business unit managers involved in guiding and
supporting information security program activities
Formal steering committee
Policies and standards defined, formally approved, and
distributed
How is the program positioned within the organization? To
whom is the program accountable? Does this positioning
impart an appropriate level of authority and visibility for the
objectives that the program must fulfill?
Does the program implement effective administration
functions, e.g., budgeting, financial management, human
resources management, knowledge management?
Are metrics used to evaluate program performance? Are these
metrics regularly collected and reported?
Are there forums and mechanisms for regular management
oversight of program activities? Does management regularly
reassess program effectiveness?
Total Quality Management (TQM) system
Based on four primary processes, Plan-Do-Check-Act (PDCA)
Combined with a governance methodology that focuses on strategic program
alignment with organizational goals, it will provide the ISM with tools that can be used to
implement and maintain a highly effective, efficient security program
Elements
Vision
▪ A broadly defined, clear and compelling statement about the organization’s purpose. This should
include the desired outcomes of the information security program.
Strategic objectives
▪ A set of goals that are necessary and sufficient to move the organization toward its vision. These
goals should be reflected in KGIs.
CSFs
▪ A set of circumstances or events that are necessary to achieve the strategic objectives.
KPIs
▪ Concrete metrics tracked to ensure that the CSFs are being achieved.
Key actions
▪ Including tactical and annual action plans, these are the initiatives to be delivered in order to achieve the
strategic objectives and KGIs.
The level of security that hardware and software
controls provide should depend on the:
Sensitivity of data that can be accessed
Significance of applications processed
Cost of equipment and availability of backup equipment
A wide range of physical security controls is
available to the ISM to implement physical security;
some include:
Electronic locks
Cameras
Motion Detectors
Physical security policies and control devices are
needed
Access should be provided on an as-needed basis
Unrelated equipment and supplies (e.g., paper
and printing supplies) should not be stored along
with sensitive computing infrastructure
Computing environments must implement
systems to monitor and control environmental
factors such as temperature and humidity
Personal computers used in open areas may
need special controls
Laptops and portable devices must also be
protected against theft or loss
Electronic and print media should also be
protected
Geographical concerns also need to be
considered
Many organizations have implemented ethics
training to provide guidance on what the
organization considers appropriate and legal
behavior.
This approach is common when individuals are
required to engage in activities of sensitive nature
such as monitoring user activities, penetration
testing and having access to sensitive data.
Information security personnel must be sensitive to
potential conflicts of interest or activities that may
be perceived as detrimental to the organization.
The ISM should be aware of differences in
perceptions, customs and appropriate behaviors
across different regions and cultures.
Policies, controls and procedures should be
developed and implemented with respect to these
differences.
Elements that might be culturally offensive to others
should be avoided.
If in doubt, the ISM should work with HR to develop
strategies for addressing differences across the
regions and cultures represented within the
organization.
Logistic issues that an ISM needs to be able to
manage include:
Cross-organizational strategic planning and execution
Project and task management
Coordination of committee meetings and activities
Developing schedules of regularly performed
procedures
Resource prioritization
Coordination of security resources and activities with
larger projects and operations
Physical/Corporate Security
IT Audit
Information Technology Unit
Business Unit Managers
Human Resources
Legal Department
Employees
Procurement
Compliance
Privacy
Training
Quality Assurance
Insurance
Third Party Management
Project Management Office
As each phase of a security program is developed,
executive management, managers with risk management
responsibilities and department management should be
made aware of the content of the information security
program so that activities can be coordinated and specific
areas of responsibility confirmed.
Information security programs typically cross numerous
department boundaries; therefore, fostering awareness
and getting consensus early in the process is important.
The role of the information security manager itself often
becomes that of “ambassador” for the information
security program
Typically an operational requirement for the
information security department.
The incident response capability provides first
responders to the inevitable security incidents
experienced in virtually all organizations.
Objectives:
Quickly identify and contain incidents to prevent
significant interruptions to business activities;
Restore affected services
Determine root causes so that improvements can be
implemented to prevent recurrence.
Security audits have objectives, scope,
constraints, approach and results
Effectiveness is judged on the basis of whether or
not controls in place meet a given set of control
objectives
An information security program should have
established policies and standards
Extremely useful in identifying whether those
policies and standards have been fully
implemented
Where an information security program is under
development, the ISM may
Select externally published standards
Engage an audit team to determine the extent to
which his/her own organization is in compliance
Different standards publications focus on one or
more of these types of items:
COBIT lists control objectives
The Standard of Good Practice for Information Security
SANS Institute
International Organization for Standardization Code of
Practice for Information Security Management, ISO/IEC
17799:2005, and corresponding Information Security
Management Systems Requirements, ISO/IEC 27001:2005
The Center for Internet Security (CIS)
A CISO may not require hands-on technical skills, but should
be knowledgeable about the information technologies
implemented by their organization from architectural and
data flow perspectives.
Regardless of operating level, all information systems
managers should have a thorough understanding of
security architecture, control implementation principles,
and commonly implemented security processes and
mechanisms.
This understanding should include the strengths,
limitations, opportunities and risk of common security
controls in addition to the financial and operational
implications of deployment.
Due diligence = the “standard of due care”
Some due diligence components include:
Senior management support
Comprehensive policies, standards and procedure
Appropriate security education, training and awareness
Periodic risk assessments
Effective backup and recovery processes
Implementation of adequate security controls
Effective monitoring and metrics
Effective compliance
Testing business continuity and disaster recovery plans
Periodic independent reviews of the infrastructure
Maintaining daily monitoring of relevant entities
that publish vulnerability information.
CERT
MITRE’s Common Vulnerabilities and Exposures (CVE)
database
Security Focus’ BUGTRAQ mailing list
SANS Institute
Numerous software vendors
Compliance enforcement has two connotations
To a regulatory environment
To internal policies, standards and procedures
Enforcement activities are management oversight
functions by which the control activities designed to
achieve an objective of compliance are supervised
Compliance enforcement is any activity within the
information security program designed to ensure
compliance with the organization’s control
objectives
Policy forms the basis for all accountability with
respect to security responsibilities throughout
the organization
In most large organizations, the ISM designates
formal security roles that hold the department
head responsible for putting in place processes that
maintain security policy compliance for a given
set of information systems
The ISM must:
Ensure that, in the assignment process, there are no
“orphan” systems or systems without policy-compliance
owners
Further provide oversight to ensure that policy
compliance processes are properly designed
Where a policy document is deemed to have so
little benefit that it may be bypassed, an ISM
should use that feedback to effect change; this is
termed the Policy Exception Process
Standards must be designed to ensure that all
systems of the same type are configured and
operated in the same way.
As far as possible, compliance with standards should
be automated to ensure that system configurations
do not, through intentional or unintentional activity,
deviate from policy compliance.
Executive management signs off on policy, while
standards simply provide a standard method for
complying with policy.
If there are deviations, there should be no dispute among
executive management that the security program is intact.
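As an added example (not code from the slides), a small Python check that applies the two points above: every system is compared against the standard for its type so that configuration drift is caught automatically, and systems with no policy-compliance owner are reported as "orphans". The standard keys, inventory and values are all constructed for illustration.

```python
"""Added example: automated standards-compliance check plus orphan-system
detection. Every standard key, host name and value below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed standards, one per system type: required setting -> required value.
# Numeric values are upper limits ("at most"); everything else must match exactly.
STANDARDS: Dict[str, Dict[str, object]] = {
    "linux-server": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "audit.enabled": "yes",
        "patch.max_age_days": 30,
    },
    "windows-workstation": {
        "firewall.enabled": "yes",
        "screen_lock_minutes": 15,
        "patch.max_age_days": 30,
    },
}


@dataclass
class System:
    name: str
    system_type: str
    owner: Optional[str]            # policy-compliance owner; None = unassigned
    config: Dict[str, object] = field(default_factory=dict)


@dataclass
class Finding:
    system: str
    kind: str                       # "orphan", "unknown-type", "missing", "deviation"
    detail: str


def check_system(system: System) -> List[Finding]:
    """Compare one system's configuration against the standard for its type."""
    findings: List[Finding] = []
    if not system.owner:
        findings.append(Finding(system.name, "orphan",
                                "no policy-compliance owner assigned"))
    standard = STANDARDS.get(system.system_type)
    if standard is None:
        # A system type with no standard cannot be shown compliant at all.
        findings.append(Finding(system.name, "unknown-type",
                                f"no standard defined for type '{system.system_type}'"))
        return findings
    for key, expected in standard.items():
        if key not in system.config:
            findings.append(Finding(system.name, "missing",
                                    f"{key} not set (standard requires {expected!r})"))
            continue
        actual = system.config[key]
        if isinstance(expected, (int, float)):
            compliant = isinstance(actual, (int, float)) and actual <= expected
        else:
            compliant = actual == expected
        if not compliant:
            findings.append(Finding(system.name, "deviation",
                                    f"{key}={actual!r}, standard requires {expected!r}"))
    return findings


def compliance_report(systems: List[System]) -> dict:
    """Findings per system plus the percentage of fully compliant systems."""
    per_system = {s.name: check_system(s) for s in systems}
    compliant = [name for name, f in per_system.items() if not f]
    pct = 100.0 * len(compliant) / len(systems) if systems else 0.0
    return {"findings": per_system, "compliant": compliant,
            "percent_compliant": round(pct, 1)}


# Constructed inventory: one compliant host, one drifted host, one orphan.
INVENTORY = [
    System("web01", "linux-server", "ops-team",
           {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
            "audit.enabled": "yes", "patch.max_age_days": 12}),
    System("db02", "linux-server", "dba-team",
           {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
            "patch.max_age_days": 45}),
    System("ws17", "windows-workstation", None,
           {"firewall.enabled": "yes", "screen_lock_minutes": 15,
            "patch.max_age_days": 3}),
]

if __name__ == "__main__":
    report = compliance_report(INVENTORY)
    for name, findings in report["findings"].items():
        for f in findings:
            print(f"{name}: [{f.kind}] {f.detail}")
    print(f"compliant: {report['compliant']} ({report['percent_compliant']}%)")
```

Run periodically against a real inventory, the "orphan" and "deviation" counts become the kind of technical metric the later slides on monitoring call for.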
Background and training are necessary for execution of tasks
Training classes should be tailored for those with security
job responsibilities
Security awareness must also include end-user training:
Backing up work-related files
Choosing passwords wisely and protecting them from exposure
Avoiding e-mail and web-based viruses
Recognizing social engineers
Reporting security incidents
Securing electronic and paper media against theft and exposure
Spotting malware that could lead to identity theft and desktop
spying
Numerous threats exist that may impact security
program efforts and objectives.
Threats must be evaluated to determine:
If they are viable
The likelihood that they will materialize
Their potential magnitude
The potential impact
Possible threats:
Unclear objectives
Carelessness
Mistakes
Deficient strategy
Poor planning
Inadequate resources
Incorrect specifications
Faulty execution
Designed to identify vulnerabilities in a given
information system or environment
ISMs need to perform a vulnerability analysis in
order to ascertain whether controls are adequate
Vulnerabilities can be characterized by whether:
They were intentionally (maliciously) created or not
They exist in system development or
operations
BIA
Determines impact of losing support of a resource to an
organization
Establishes the escalation of that loss over time
Identifies the minimum resources needed to recover
Prioritizes the recovery of processes and supporting systems
BIAs are based on risk assessment results
Should have a process by which:
Business impact of damage to any information resource is
reassessed periodically
Assessment is used to determine requirements for security
measures with respect to that resource
Can, to a large extent, replace a BIA for the
purposes of developing business continuity
plans.
Based on determining the applications used by a
business operation in conducting its primary
activities and the resources (networks,
databases) needed to perform required functions
Two types:
Outsourcing
Service contracting
Distinction is that when services are contracted for,
the ISM retains ownership of and responsibility for
the performance of the security service
Outsourced activity must be consistent with the
goals and objectives of the overall information
security program
Security program elements that monitor outsourced
security functions must not themselves be
outsourced
Advantages:
Cost
Scalability
Reliability
Performance
Agility
Security considerations:
The loss of control over sensitive data
The location of data: organizations may store and transmit data across state
or national boundaries, so the ISM may consider myriad laws, regulations
and compliance requirements of various jurisdictions.
Requirements for handling incidents may vary from one jurisdiction to
another, e.g., breach notification laws. Availability of audit logs may also be
limited or nonexistent from the cloud provider, and the actual level of
security may be difficult to ascertain.
Integration
System lifecycle processes
Change management
Configuration management
Release management
Include risk and protection considerations in the
SDLC by:
Establishing requirements
Solution architecture and design
Proof of concept
Full development and coding
Integration testing, deployment
Quality and acceptance testing
Maintenance
Systems’ end-of-life
Defined baseline security controls should be a
standing requirement for all new systems
development.
The ISM should refer to industry and regional
sources to determine a baseline set of
appropriate security functions.
Supplemental controls may be warranted based on
vulnerability, threat and risk analysis, and these
controls should be included in the requirements-
gathering process.
The ISM should:
Communicate solution deficiencies and develop
mitigating or compensating controls as required.
Employ internal or external resources to review
coding practices and security logic during
development to ensure that best practices are being
employed.
A key to policy compliance is having a policy-compliance
owner for each deployed information system
To maintain accountability for policy compliance through
frequent change, a security program must identify where
IT changes are initiated, funded, and deployed
The ISM must create hooks into processes so that those in
job functions that specify, purchase and deploy new
systems have policy compliance as part of their job
functions
This gives the ISM time to identify vulnerabilities in new
systems, identify new threats presented by those systems and
assist the implementation team to develop policy-compliant,
pre-approved standards for production
deployment
The key to risk management is the risk mitigation
process. After risks are identified, existing
controls and countermeasures can be evaluated
or new ones designed to mitigate risk to
acceptable levels.
In today's regulatory environment, controls
and countermeasures are most efficiently
addressed through a top-down, risk-based
approach.
After applying industry-recognized frameworks such
as COBIT and ISO 27001, design of the controls
implemented must include measurability.
Effectiveness of controls cannot be evaluated unless
they can be tested and measured.
Further, confidence levels and sampling sizes for
testing the effectiveness of these controls closely
mirror audit and regulatory compliance objectives.
Strength of controls can be measured by the type of
control being evaluated (preventive, detective, manual,
automated, etc.) and its quantitative and qualitative
compliance testing results.
As such, although an automated control is, by default,
stronger than a manual control, detailed analysis may
reveal that a manual control is better.
An automated control design may create alerts and
generate automatic reports.
However, after carefully looking at the process, one may
determine that a) no evidence of review can be produced,
and b) subsequent response actions up to and including
resolution cannot be measured.
Technical controls are safeguards that are
incorporated into computer hardware, software
or firmware.
Nontechnical methods include management and
operational controls such as policies, operational
procedures, etc.
Once the risks facing an organization have been
identified and prioritized, the ISM can customize the
security strategies and prioritize the options to
mitigate those risks
Deterrent controls
Preventative controls
Detective controls
Corrective controls
Existing controls are the policies, procedures,
practices and guidelines designed to provide
assurance
Countermeasures directly reduce a threat or
vulnerability and can be considered a targeted
control e.g.:
Segmenting a network
Having multiple ISPs
Stopping an activity that creates a risk
Elements of controls
Preventative or detective
Manual or automated
Formal (documented in procedure manuals and evidence
of their operation is maintained) or ad hoc.
Considerations:
Effectiveness of recommended options
Legislation and regulation
Organizational policy
Operational impact
Safety and reliability
A specialized set of general controls upon which all
computing facilities as well as personnel depend.
The ISM should:
Validate technology choices in support of physical security
Ensure that formal roles and responsibilities and
accountabilities with respect to physical access controls
exist
Use the roles and responsibilities for interfacing with
various local physical security organizations if they are
geographically dispersed
Intended to restrict access to facilities
Methods for keeping unauthorized individuals from
gaining access to tangible information resources
include
Smart cards or access controls based on biometrics
Security cameras
Security guards
Fences
Lighting
Locks
Sensors
Designed to ensure that the facilities in which
systems are stored are designed to compensate
for physical limitations of computer system
operations
Without environment controls to prevent, detect
and recover from physical damage to information
systems, control activities would be subject to
physical damage from a variety of sources (e.g.,
theft and weather)
Because organizational departments also have a
responsibility for information security process
deployment, the ISM is not able to enforce all policy
requirements.
Personnel outside the information security department can be
assigned security job responsibilities, thus allowing the ISM
to close gaps outside his/her control
The ISM may also need to assist business application
owners in establishing procedures
An ISM must integrate security touchpoints into the life
cycle to ensure that the business is not surprised by last-
minute introduction of security requirements
Native control technologies:
Out of the box security features that are integrated with
business information systems.
Generally configured and operated by IT
Supplemental control technologies
Components that are added on to an information systems
environment
Usually provide some function that is not available in the
native components (network intrusion detection), or that
is more appropriate to implement outside of primary
business application systems
Tend to be more specialized than native control
technologies
Management support technologies
Automate a security related procedure, provide
management information processing, or increase
management efficiency
Examples include security information management
(SIM) tools, compliance monitoring scanners and
security event analysis systems
Used by information security group independent of
information technology
Analysis of technical components and
architecture
When analyzing technical security architecture, the
ISM must use a clearly defined set of measurable
criteria to enable tracking of performance metrics
A few possible criteria for analyzing technical security
architecture and components:
▪ Control placement
▪ Control efficiency
▪ Control policy
▪ Control implementation
Changes to the technical or operational
environment can often modify the protective effect
of controls or create new weaknesses that existing
controls are not designed to mitigate.
Periodic testing of controls should be implemented
to ensure that mechanisms continually enforce
policies and that procedural controls are being carried
out consistently and effectively.
After implementation, acceptance testing must be
conducted to ensure that prescribed policies are
enforced by the mechanisms.
Changes to operational procedures should also undergo
review and approval by appropriate stakeholders.
Requisite changes to process inputs, activity steps,
approvals or reviews, and process results should be
considered and modifications to related processes and
technologies should be coordinated.
Workload considerations should also be taken into
consideration to ensure that changes to operational
controls do not overload resources and impact operational
quality.
If additional training is required to implement changes, it
should be coordinated and completed prior to
implementation of change.
Defined baseline security controls should be a standing
requirement for all new systems development:
Security requirements should be defined and documented as an
essential part of the system documentation.
Adequate traceability of the security requirements should be ensured
and supported across the different phases of the life cycle.
A few examples include authentication functions, logging, role-based
access control and data transmission confidentiality mechanisms.
The ISM should refer to industry and regional sources to determine
a baseline set of security functions appropriate to their
organizational policies and other needs.
Supplemental controls may be warranted based on
vulnerability, threat and risk analysis, and these controls should
be included in the requirements-gathering process.
Information security program metrics corresponding
to control objectives provide senior management
with information needed to ascertain whether the
information security program is on track
Control objective metrics should correspond to
information security governance goals (covered in
chapter 1)
Must cover:
Strategic Level
Management Level
Operational Level
The ISM must thoroughly know how to continually
monitor security programs and controls
Some monitoring is technical and quantitative—some by
necessity is imprecise and qualitative
Technical metrics can be used to provide quantitative
monitoring and can include elements such as:
Number of unremediated vulnerabilities
Number of closed audit items
Number or percentage of user accounts in compliance with
standards
Perimeter penetrations
Unresolved security variances
Qualitative metrics:
CMM maturity levels at periodic intervals
Key performance indicators (KPIs)
Key goal indicators (KGIs)
Business balanced scorecard (BBS)
Six Sigma quality indicators
ISO 9001 quality indicators
Other relevant measures:
Cost-effectiveness of controls
The extent of control failures, etc.
As information resources change over time, both the
security baseline and the resources must adapt to
changing threats and new vulnerabilities.
The ISM must develop a consistent, reliable method
to determine the overall ongoing effectiveness of
the program; ways to do this can include:
Conduct and track risk assessments
Penetration testing
Regular vulnerability scans
Effective metrics
Require that a baseline is established for each measurement
Should have SMART attributes (i.e., specific, measurable,
achievable, repeatable and time-dependent)
Should be used to chart progress
The organization’s change management activities also
should feed into the monitoring program
Metrics are important, but are little use if adverse trends are
not dealt with in a timely manner
Metrics must be regularly reviewed and any unusual
outcomes reported
An action plan to react to the unusual activity should be
developed as well as a proactive plan to address trends in
activity that may lead to a security breach or failure
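An added example (not from the slides) of the metric handling described above and in the technical-metrics slide: each series gets a baseline from its first observations, progress is charted against that baseline, and a metric moving the wrong way beyond a tolerance is flagged "adverse" so it can be given an action plan. The metric names follow the slides; the monthly values, window and tolerance are constructed.

```python
"""Added example: baseline establishment and adverse-trend detection for
security program metrics. Series values, window and tolerance are constructed."""
from typing import Dict, List

# Direction in which each metric is "good": -1 = lower is better, +1 = higher is better.
METRIC_DIRECTION: Dict[str, int] = {
    "unremediated_vulnerabilities": -1,
    "closed_audit_items": +1,
    "pct_accounts_compliant": +1,
    "perimeter_penetrations": -1,
}


def baseline(values: List[float], window: int = 3) -> float:
    """Baseline = mean of the first `window` observations; progress is charted against it."""
    if len(values) < window:
        raise ValueError("need at least `window` observations to establish a baseline")
    return sum(values[:window]) / window


def slope(values: List[float]) -> float:
    """Least-squares slope per period of the series (positive = rising)."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def assess_metric(name: str, values: List[float],
                  window: int = 3, tolerance: float = 0.10) -> dict:
    """Classify a metric as adverse, improving or stable.

    'adverse' = the recent trend points in the bad direction AND the latest
    value is worse than baseline by more than `tolerance` (a fraction)."""
    direction = METRIC_DIRECTION[name]
    base = baseline(values, window)
    latest = values[-1]
    recent = slope(values[-window:])            # trend over the last `window` periods
    rel_change = (latest - base) / base if base else 0.0
    goodness = direction * rel_change           # positive = better than baseline
    moving_badly = direction * recent < 0
    if moving_badly and goodness < -tolerance:
        status = "adverse"
    elif goodness > tolerance:
        status = "improving"
    else:
        status = "stable"
    return {"metric": name, "baseline": round(base, 2), "latest": latest,
            "recent_slope": round(recent, 2), "status": status}


def review(series: Dict[str, List[float]]) -> List[dict]:
    """Assess every metric; adverse ones are listed first so they get an action plan."""
    results = [assess_metric(name, values) for name, values in series.items()]
    return sorted(results, key=lambda r: r["status"] != "adverse")


# Constructed six-month series, one per metric.
SERIES: Dict[str, List[float]] = {
    "unremediated_vulnerabilities": [40, 38, 42, 55, 63, 70],   # rising: adverse
    "closed_audit_items": [5, 6, 5, 7, 9, 11],                   # rising: improving
    "pct_accounts_compliant": [91, 92, 90, 91, 92, 91],          # flat: stable
    "perimeter_penetrations": [2, 1, 3, 1, 0, 0],                # falling: improving
}

if __name__ == "__main__":
    for r in review(SERIES):
        print(f"{r['status']:>9}  {r['metric']}: baseline {r['baseline']}, "
              f"latest {r['latest']}, recent slope {r['recent_slope']}")
```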
The ISM must also monitor security activities in
infrastructure and business applications:
Since vulnerability to security breaches exists all the time,
continuous monitoring of security activities is a prudent
business process
Continuous monitoring of IDSs and firewalls can provide
real-time information of attempts to breach perimeter
defenses
Help desk personnel must be trained to escalate suspicious
reports that may be the first signs of a breach or an attack
A variety of methods and techniques that are tailored to
the organization must be used
Other after-the-fact monitoring techniques include:
Event logging
Log reviews
Compliance assessments
Network- and host-based IDS
Penetration testing
Should consolidate various security event-
monitoring techniques into a single console that the
security team monitors.
The ISM must have processes in place to determine
the overall effectiveness of security investments and
the extent to which objectives have been met.
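As an added example (not from the slides) of the "single console" idea above: firewall denies, IDS alerts and help-desk reports are normalised into one event schema, ordered in time, and the items that should leave the console as tickets are picked out (a source with repeated perimeter denies that also triggered an IDS alert, and every user report, since the earlier slide notes these may be the first sign of a breach). The log formats, addresses and lines are constructed; real products log differently.

```python
"""Added example: consolidating several monitoring sources into one event
stream. All log formats, signatures and sample lines are constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed (hypothetical) line formats for three sources.
FW_RE = re.compile(r'^(?P<ts>\S+) fw DENY src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$')
IDS_RE = re.compile(r'^(?P<ts>\S+) ids ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')
HD_RE = re.compile(r'^(?P<ts>\S+) helpdesk TICKET user=(?P<user>\S+) text="(?P<text>[^"]+)"$')

Event = Dict[str, str]


def normalise(line: str) -> Optional[Event]:
    """Map one raw line to the common schema; None if no source format matches."""
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "firewall", "kind": "perimeter-deny",
                "actor": m["src"], "target": f"{m['dst']}:{m['port']}", "detail": "denied"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "ids", "kind": "ids-alert",
                "actor": m["src"], "target": m["dst"], "detail": m["sig"]}
    m = HD_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "helpdesk", "kind": "user-report",
                "actor": m["user"], "target": "-", "detail": m["text"]}
    return None


def consolidate(lines: List[str]) -> List[Event]:
    """All parseable events as one time-ordered list (ISO timestamps sort lexically)."""
    events = [e for e in (normalise(line) for line in lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def escalations(events: List[Event], deny_threshold: int = 3) -> List[dict]:
    """Events that should leave the console as tickets for the security team."""
    denies = Counter(e["actor"] for e in events if e["kind"] == "perimeter-deny")
    alerted: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e["kind"] == "ids-alert":
            alerted[e["actor"]].append(e["detail"])
    out: List[dict] = []
    # Repeated perimeter denies corroborated by an IDS alert from the same source.
    for actor, n in denies.items():
        if n >= deny_threshold and actor in alerted:
            out.append({"priority": "high", "actor": actor,
                        "reason": f"{n} perimeter denies plus IDS alert(s): "
                                  f"{', '.join(alerted[actor])}"})
    # Every help-desk report is escalated for a look, per the slides.
    for e in events:
        if e["kind"] == "user-report":
            out.append({"priority": "medium", "actor": e["actor"], "reason": e["detail"]})
    return out


# Constructed sample lines (RFC 5737 documentation addresses), deliberately out of order.
SAMPLE_LOGS = [
    '2014-02-27T09:00:01 fw DENY src=198.51.100.7 dst=10.0.0.5 port=22',
    '2014-02-27T09:00:02 fw DENY src=198.51.100.7 dst=10.0.0.5 port=23',
    '2014-02-27T09:00:03 fw DENY src=198.51.100.7 dst=10.0.0.5 port=3389',
    '2014-02-27T09:00:09 ids ALERT sig="scan: multiple ports" src=198.51.100.7 dst=10.0.0.5',
    '2014-02-27T08:58:40 fw DENY src=203.0.113.9 dst=10.0.0.8 port=443',
    '2014-02-27T09:05:00 helpdesk TICKET user=jdoe text="laptop shows popups asking for my password"',
    'garbage line that matches nothing',
]

if __name__ == "__main__":
    for e in consolidate(SAMPLE_LOGS):
        print(f"{e['ts']} {e['source']:<8} {e['kind']:<14} {e['actor']} -> {e['target']}: {e['detail']}")
    for t in escalations(consolidate(SAMPLE_LOGS)):
        print(f"[{t['priority']}] {t['actor']}: {t['reason']}")
```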
Actual security program costs need to be accurately
determined to assess cost-effectiveness.
In addition to initial procurement and
implementation costs, it is important to include:
The staff needed to administer controls
Maintenance fees
Update fees
Consultant or help desk fees
Fees associated with other interrelated systems that may
have been modified to accommodate security objectives
Strategic Alignment
Extent to which business areas are represented in the information security program
Percentage of those that include data stewardship or information protection in their charter
Risk Management
Level at which risks are formally addressed in various business areas
Identifiable risk management function in steering committee
Periodic testing of the communication lines to escalate risks
Value delivery:
Budgeted cost of work scheduled versus the budgeted cost of work actually performed, compared to the actual cost of the project for that period
Demonstrated effectiveness, i.e., low cost and schedule variances
Positive return on investment through reusable security tools and techniques within the infrastructure and security review processes
Resource management:
Resource deficiencies are detected and corrected before impact
Changing security resource requirements are identified
All personnel in lead roles in critical security functions have a backup
Performance management:
Verification that control activities are achieving desired results
Performance measurement with respect to security activity designed to achieve technical objectives
Security baselines:
To what extent do existing processes conform to security baselines?
The ISM needs to understand how to implement processes
and mechanisms that provide for assessing the successes
and shortcomings of the information security
management program
Specific objectives of each organization’s information
security management program vary according to the scope
and operating level of the program
Objectives should be conceptually and chronologically aligned with business goals, which leads to further diversity in program goals
The ISM must lead the analysis of these areas along with
issues of information security governance requirements
Information security management programs generally
include a core set of common objectives:
Minimize risk and loss related to information security issues
Support achievement of overall organizational objectives
Support organizational achievement of compliance
Maximize the program’s operational productivity
Maximize security cost-effectiveness
Establish and maintain organizational security awareness
Facilitate effective technical security architecture
Maximize effectiveness of program framework and resources
Measure and manage operational performance
The primary objective of most information
security programs is to ensure that organizational
information resources are not unduly impacted
by accidental or malicious threats
Most organizations experience security breaches
Any information security program must thus also
strive to detect and minimize the impact associated
with detrimental events
The following are possible approaches to
periodically measuring the program’s success
against risk management and loss prevention
objectives
The technical vulnerability management approach—
focus on vulnerabilities and vulnerability management
Risk management approach - focus on risk severity
and annual loss expectancies (ALEs)
Loss prevention approach - focus on loss due to
incidents
The following qualitative measures can be reviewed
by the information security steering committee
and/or executive management:
Is there documented correlation between key
organizational milestones and the objectives of the
information security management program?
How many information security objectives were
successfully completed in support of organizational goals?
Were there organizational goals that were not fulfilled
because information security objectives were not met?
How strong is consensus among business units, executive
management and other information security stakeholders
that program objectives are complete and appropriate?
The ISM should recognize that much of a
successful measure’s value is in analyzing why an
objective was or was not met.
For missed objectives, the reasons why they were not
accomplished should be analyzed
Feedback should be used to guide ongoing
optimization of the information security management
program
If the organization must comply with compulsory
or voluntary standards involving information
security, the ISM must ensure that program goals
are aligned with these requirements
Likewise, the policies, procedures and
technologies implemented by the program must
fulfill requirements of adopted standards
Measurements of compliance achievement are
often tied to the results of internal or external
audits
The ISM may also wish to implement automated
or manual compliance monitoring with higher
frequency and/or broader scope than achievable
with incremental audits
In addition to actual point-in-time compliance,
the program should be measured on the
effectiveness of resolving identified compliance
issues
The ISM must maximize operational productivity
Productivity can be improved through:
Automation technologies
Outsourcing of low-value operational tasks
Leverage of other organizational units
The ISM should set periodic goals for increasing the
productivity of the information security management
program through specific initiatives:
Goals should be reviewed to determine the productivity gains
achieved
The ISM should analyze data such as hourly employee cost and
effort expended per task to demonstrate the value of
productivity improvement initiatives to senior management
The information security program must be
financially sustainable
Otherwise, security controls degrade due to poor
maintenance and support
Financial constraints are a common reason for security
lapses, including failure to plan for ongoing
maintenance requirements
The ISM must work to maximize the value of each
security investment to control information security
expenses and ensure sustainable achievement of
objectives
This process begins with accurate cost forecasting
and budgeting
The success of this activity is generally established by monitoring budget utilization against original projections, which can help identify issues with security cost planning
The ISM should implement procedures to measure
the ongoing cost-effectiveness of security
components, most often accomplished by tracking
cost/result ratios
This approach establishes cost-efficiency goals for new
technologies and improvement goals for existing
technologies by measuring the total cost of producing a
specific result
Ratios of result-units per currency-unit (e.g., 7,400
network packets analyzed per US dollar annually) or vice
versa (0.04 Euros per thousand e-mails scanned annually)
can be used to demonstrate cost efficiency and cost of
results, respectively.
Other examples include
Per-application costs of vulnerability assessment
Per-user costs for workstation security controls
Per-mailbox costs for e-mail spam and virus protection
The ISM must regularly consider the total cost of technical security components
Purchase and implementation costs are only part of the total cost
Personnel actions can present threats that can
only be mitigated through education and
awareness
The ISM must implement processes to track the
ongoing effectiveness of awareness programs
Tracking organizational awareness is most commonly
achieved at the employee level
As such, the ISM should work with their organization’s HR
department to implement metrics for tracking
organizational awareness success
Records of initial training, acceptance of policies and usage
agreements, and ongoing awareness updates are useful
metrics
In addition to identifying individuals in need of training,
this helps identify organizational units that may not be
fully engaged in the security awareness program
Employee testing can indicate awareness
program effectiveness
Conducting additional quizzing on a random sample of
employees several months after training will help
determine the longer-term effectiveness of awareness
training
The ISM must establish quantitative measures
that inform management about the effectiveness
of the technical security architecture
Technical security metrics can be categorized for
reporting and analysis purposes by protected
resource and geographic location
Qualitative measures that apply to the technical control environment include:
Individual technical mechanisms have been tested to
verify control objectives and policy enforcement
The security architecture is constructed of appropriate
controls in a layered fashion
Control mechanisms are properly configured and
monitored in real-time, self-protection implemented, and
information security personnel alerted to faults
All critical systems events are reported to information
security personnel or to event analysis automation tools
for real-time threat detection
Methods of tracking the program’s success include:
Tracking the frequency of issue recurrence
Monitoring the level of operational knowledge capture and
dissemination
The degree to which process implementations are standardized
Clarity and completeness of documented information security roles
and responsibilities
Information security functions incorporated into every project plan
Efforts and results in making the program more productive and cost-
effective
The ISM should implement such mechanisms with the goal of
extracting additional “latent” value from the framework,
procedures and resources that make up the program
Measures of security operational performance
include:
Average time to detect, escalate, isolate and contain
incidents
Average time between vulnerability detection and
resolution
Quantity, frequency and severity of incidents discovered
post hoc
Average time between vendor release of vulnerability
patches and their application
Percentage of systems audited within a certain period
Number of changes released without full change control
approval
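The measures above are only useful if they are computed consistently from the organization's own records. The following is an added example, not code from the original slides, that derives each of them from constructed incident, vulnerability, patch, audit and change records; the record layout, field names and dates are assumptions made for illustration.

```python
"""Derive the operational performance measures listed above from incident,
vulnerability, patch, audit and change records. Added example, not from the
original slides; all records are constructed for illustration and the field
names are assumptions."""
from datetime import datetime
from statistics import mean

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

# Constructed incident records. "post_hoc" marks incidents found after the
# fact (audit, customer report) rather than by the monitoring function.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "post_hoc": False,
     "occurred": "2014-02-01 08:00", "detected": "2014-02-01 09:30",
     "escalated": "2014-02-01 10:00", "isolated": "2014-02-01 12:00",
     "contained": "2014-02-01 16:00"},
    {"id": "INC-2", "severity": "medium", "post_hoc": True,
     "occurred": "2014-02-03 00:00", "detected": "2014-02-10 00:00",
     "escalated": "2014-02-10 02:00", "isolated": "2014-02-10 08:00",
     "contained": "2014-02-11 08:00"},
]
# (detected, resolved) dates for vulnerabilities; (vendor release, applied) for patches.
VULN_PAIRS = [("2014-01-05", "2014-01-12"), ("2014-01-20", "2014-02-19")]
PATCH_PAIRS = [("2014-01-14", "2014-01-21"), ("2014-01-14", "2014-02-03")]
INVENTORY = {"srv1", "srv2", "srv3", "srv4", "srv5", "srv6", "srv7", "srv8"}
AUDITS = [("srv1", "2014-01-10"), ("srv2", "2014-01-15"), ("srv2", "2014-02-01"),
          ("srv3", "2013-12-20"), ("srv9", "2014-01-30")]  # srv3 too old, srv9 not inventoried
CHANGES = [{"id": "CHG-1", "approved": True}, {"id": "CHG-2", "approved": False},
           {"id": "CHG-3", "approved": False}]

def _hours(a, b):
    return (_ts(b) - _ts(a)).total_seconds() / 3600.0

def incident_stage_means(incidents):
    """Average hours per stage. Each stage is measured from the end of the
    previous one, so the four values sum to occurrence-to-containment time."""
    stages = [("detect", "occurred", "detected"), ("escalate", "detected", "escalated"),
              ("isolate", "escalated", "isolated"), ("contain", "isolated", "contained")]
    return {name: round(mean(_hours(i[a], i[b]) for i in incidents), 2)
            for name, a, b in stages}

def post_hoc_incidents(incidents):
    """Quantity and severity breakdown of incidents discovered post hoc."""
    found = [i for i in incidents if i["post_hoc"]]
    by_sev = {}
    for i in found:
        by_sev[i["severity"]] = by_sev.get(i["severity"], 0) + 1
    return {"count": len(found), "by_severity": by_sev}

def mean_days(pairs):
    """Average days between paired dates: vulnerability detection to
    resolution, or vendor patch release to application."""
    return round(mean((_day(b) - _day(a)).days for a, b in pairs), 2)

def audit_coverage_pct(inventory, audits, start, end):
    """Percentage of inventoried systems audited at least once in [start, end].
    Audits of systems missing from the inventory are ignored so that
    coverage is never inflated by unknown assets."""
    lo, hi = _day(start), _day(end)
    audited = {s for s, d in audits if s in inventory and lo <= _day(d) <= hi}
    return round(100.0 * len(audited) / len(inventory), 1)

def changes_without_approval(changes):
    """Number of changes released without full change control approval."""
    return sum(1 for c in changes if not c["approved"])

def operational_report():
    return {
        "incident_stage_hours": incident_stage_means(INCIDENTS),
        "post_hoc": post_hoc_incidents(INCIDENTS),
        "vuln_detect_to_fix_days": mean_days(VULN_PAIRS),
        "patch_release_to_apply_days": mean_days(PATCH_PAIRS),
        "audit_coverage_pct": audit_coverage_pct(INVENTORY, AUDITS, "2014-01-01", "2014-02-28"),
        "changes_without_approval": changes_without_approval(CHANGES),
    }

if __name__ == "__main__":
    for k, v in operational_report().items():
        print(f"{k}: {v}")
```

Two design points matter when these numbers go to the steering committee: the stage timings are chained (detect, then escalate, then isolate, then contain) so that a long tail in one stage is visible rather than averaged away in a single end-to-end figure, and audit coverage is computed against the inventory rather than against the audit records, which exposes assets that were never audited at all.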
The ISM must determine the most appropriate
metrics for tracking security operations within all
responsible organizational units
Metrics should be regularly compiled, analyzed and
distributed to stakeholders and responsible
management
Performance issues should be analyzed for root cause
by the security steering committee
Solutions for improvement should be implemented
The ISM should consider the development of a
central monitoring environment that provides
analysts visibility into all enterprise information
resources.
Each organization needs to determine which
security events are the most pertinent in terms
of affected resource and event type.
Some commonly monitored event types include:
Failed access attempts to resources
Processing faults that may indicate system tampering
Outages, race conditions and faults related to
insufficient resources
Changes to system configurations, particularly security
controls
Privileged system access and activities
Technical security component fault detection
Procedures for analyzing events and taking
appropriate responsive action must be developed.
Security monitoring analysts should be trained on
these procedures, and monitoring supervisors
should have procedures to address unknown
anomalies.
Response procedures involve:
analyzing related events and system states
capturing additional event-related information
investigating suspicious activity
escalating the issue to senior analysts or management
The escalation path for security events and
incident initiation should be tested regularly.
In addition to real-time monitoring, the ISM
should periodically conduct analysis of trends in
security-related events such as attempted attack
types or most frequently targeted resources.
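The monitoring, response and trend-analysis slides above describe one pipeline: classify raw events into the types the organization cares about, apply documented response rules, and periodically summarise what was seen. The following is an added example, not code from the original slides, that runs that pipeline over constructed syslog-style lines (sshd, sudo and systemd messages); the log lines, the failed-access threshold and the list of watched security services are assumptions made for illustration.

```python
"""Classify constructed syslog lines into the event types listed above,
apply simple escalation rules, and summarise trends (most targeted hosts,
most common event types). Added example, not from the original slides; the
log lines, thresholds and watched security services are assumptions."""
import re
from collections import Counter

# Constructed sample log lines (not real captures).
LOG = """\
Feb 27 09:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 5122 ssh2
Feb 27 09:01:05 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 5130 ssh2
Feb 27 09:01:09 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 5131 ssh2
Feb 27 09:01:12 db01 sshd[4410]: Failed password for postgres from 203.0.113.5 port 5140 ssh2
Feb 27 09:01:15 db01 sshd[4411]: Failed password for postgres from 203.0.113.5 port 5141 ssh2
Feb 27 09:02:10 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 4000 ssh2
Feb 27 09:03:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl stop auditd
Feb 27 09:03:01 web01 systemd[1]: auditd.service: Deactivated successfully.
Feb 27 09:05:30 app02 sshd[7001]: Failed password for alice from 192.0.2.44 port 6000 ssh2
Feb 27 09:05:40 app02 sshd[7002]: Accepted password for alice from 192.0.2.44 port 6001 ssh2
"""

# Services whose stop/reconfiguration counts as a change to a security control (assumed list).
SECURITY_SERVICES = ("auditd", "iptables", "nftables", "firewalld", "ossec")
FAILED_ACCESS_THRESHOLD = 4  # escalate a source that fails this many times in one batch (assumed)

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPT = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
FAULT = re.compile(r"(?P<svc>[\w\-]+)\.service: (?:Deactivated|Failed)")

def classify(line):
    """Return an event dict for one line, or None for lines that are not tracked."""
    m = SYSLOG.match(line)
    if not m:
        return None
    base = {"ts": m["ts"], "host": m["host"], "prog": m["prog"]}
    msg = m["msg"]
    if m["prog"] == "sshd":
        f = FAILED.search(msg)
        if f:  # failed access attempt to a resource
            return {**base, "type": "failed_access", "user": f["user"], "ip": f["ip"]}
        a = ACCEPT.search(msg)
        if a:  # successful login; direct root login is privileged access
            kind = "privileged_access" if a["user"] == "root" else "access_granted"
            return {**base, "type": kind, "user": a["user"], "ip": a["ip"]}
    elif m["prog"] == "sudo":
        s = SUDO.search(msg)
        if s:  # privileged activity; touching a security service is a control change
            cmd = s["cmd"]
            kind = "security_config_change" if any(svc in cmd for svc in SECURITY_SERVICES) else "privileged_access"
            return {**base, "type": kind, "user": s["user"], "target": s["target"], "cmd": cmd}
    elif m["prog"] == "systemd":
        f = FAULT.search(msg)
        if f and f["svc"] in SECURITY_SERVICES:  # security component fault detection
            return {**base, "type": "component_fault", "service": f["svc"]}
    return None

def triage(events):
    """Response rules: repeated failures from one source, any change to a
    security control and any security component fault are escalated."""
    escalations = []
    failures = Counter(e["ip"] for e in events if e["type"] == "failed_access")
    for ip, n in failures.items():
        if n >= FAILED_ACCESS_THRESHOLD:
            hosts = sorted({e["host"] for e in events if e["type"] == "failed_access" and e["ip"] == ip})
            escalations.append({"reason": "repeated_failed_access", "ip": ip, "count": n, "hosts": hosts})
    for e in events:
        if e["type"] == "security_config_change":
            escalations.append({"reason": "security_control_changed", "host": e["host"], "user": e["user"], "cmd": e["cmd"]})
        elif e["type"] == "component_fault":
            escalations.append({"reason": "security_component_fault", "host": e["host"], "service": e["service"]})
    return escalations

def trends(events):
    """Periodic trend view: event types seen and hosts most often targeted by failed access."""
    by_type = Counter(e["type"] for e in events)
    targeted = Counter(e["host"] for e in events if e["type"] == "failed_access")
    return {"by_type": dict(by_type), "most_targeted": targeted.most_common()}

def analyse(log_text):
    events = [ev for ev in (classify(l) for l in log_text.splitlines()) if ev]
    return events, triage(events), trends(events)

if __name__ == "__main__":
    _, escalations, summary = analyse(LOG)
    for esc in escalations:
        print("ESCALATE", esc)
    print("TRENDS", summary)
```

Note the ordering: the single failed login for alice on app02 is recorded but not escalated, because the rule keys on repetition from one source across hosts, whereas the sudo stop of auditd and the resulting auditd fault are escalated individually on the first occurrence. The rules and thresholds are deliberately a small, readable table so that the monitoring supervisors' procedure for unknown anomalies can be extended by adding a rule rather than by editing parsing code.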
Information security is a relatively new function
within many organizations
Even for mature information security programs, the
requirements and demands are rapidly changing,
driven by technical and regulatory pressures
The ISM should be aware of
Common challenges to effective information security
management
The reasons behind those challenges
Strategies for addressing them
Among the most common challenges, particularly in smaller organizations and those that are not in security-intensive industries, is misunderstanding of the organization's dependence on information systems and of the threat and risk environment
The ISM must utilize resources, such as industry statistics,
organizational impact and dependency analyses, and
reviews of common threats to the organization’s
information resources
Management may need guidance concerning
What is expected of them
Information security approaches that industry peers are
taking
Some funding-related issues that the ISM may need
to address include:
Management not recognizing the value of security
investments
Security being viewed as a low-value cost center
Management not conceptually understanding where
existing money is going
The organizational need for a security investment not
being understood
The need for more awareness of industry trends in
security investment
Inadequate funding extends to the challenge of
inadequate staff levels to meet security program
requirements
The ISM should utilize workload management procedures to generate personnel workload analyses, utilization reports and other metrics that demonstrate the level of effort currently expended
Charts that associate specific information security
roles or teams with the protection that they provide
to enterprise information systems are helpful
Demonstrating high or growing levels of productivity also helps show that the information security program is utilizing resources effectively and efficiently
If all else fails, the ISM should work with the steering
committee to determine areas in which personnel
time allocations can be cut back