SlideShare a Scribd company logo

CNIT 160 Ch 4a: Information Security Programs

Sam Bowne
Sam Bowne

Slides for a college class by Sam Bowne. More information at https://samsclass.info/160/160_F19.shtml

Education
1 of 55
Download to read offline
CNIT 160: Cybersecurity Responsibilities 4. Information Security Program Development Part 1 Pages 158 - 182
Chapter Topics • Information Security Programs • Security Program Management • Security Program Operations • IT Service Management • Controls • Metrics and Monitoring • Continuous Improvement
Information Security Programs
Information Security Programs • Outcomes • Charter • Scope • Information Security Management Frameworks • Defining a Road Map • Information Security Architecture • The Open Group Architecture Framework • The Zachman Framework • Implementing a Security Architecture
Developing an Information Security Program • Four steps • Developing a security strategy • Gap analysis • Developing a road map • Developing a security program
Information Security Programs • The collection of activities to identify, communicate, and address risks • Consists of controls, processes, and practices • To increase resilience of computing environment, and • Ensure that risks are known and handled effectively
Enabling Business • Security program acts as a business enabler • Allowing it to consider new business ventures • While being aware of risks that can be mitigated • Like the brakes on a race car • Allowing it to move faster and stay on the road
Outcomes • Strategic alignment • Risk management • Value delivery • Resource management • Performance management • Assurance process integration
Strategic Alignment • Program must work in harmony with the rest of the organization • Being aware of new initiatives • Developing risk tolerance criteria that business leaders agree with • Establishing mutual trust • Use a security council or governance committee • With stakeholders across the business
Risk Management and Value Delivery • Risk Management • Identifies risks • Facilitates desired outcomes • Through appropriate risk treatment • Value Delivery • Reducing risk in critical activities • To an acceptable level
Resource Management • Permanent and temporary staff, external service providers, and tools • Must be managed so they are effectively used • To reduce risks in alignment with the risk management program • "Rightsizing" information security program budget • Assist with resource requests from security manager
Performance Management • Measure key activities • To ensure the are operating as planned • Security metrics
Assurance Process Integration • Information security program aligns with other assurance programs and processes • HR, finance, legal, audit, enterprise risk management, IT, and operations • Influences those activities to protect them from harm
Charter • Formal written definition of • Objectives of the program • Main timelines • Sources of funding • Names of principal leaders and managers • Business executives who are sponsoring the program • Gives security manager authority, shows support from leadership team
Security Manager Functions • Develop and • Enforce security policy • Risk management process • Security governance • Controls across business unit boundaries
Security Manager Functions • Develop and direct implementation of key security processes • Vulnerability management • Incident management • Third-party risk • Security architecture • Business continuity planning • Security awareness training
Team Sport • Security charter is ratified by executive management • Security manager can't dictate the program to others • Must lead and guide program through collaboration and consensus by stakeholders • Executive leaders and board of directors hold the ultimate responsibility or ownership for protecting information 

Scope • Define departments, business units, affiliates, and locations • Included in information security program • More relevant in larger organizations
Information Security Management Frameworks • Business process models • Include essential processes and activities • Needed by most organizations • Risk-centric
Three Most Popular Security Management Frameworks • ISO/IEC 27001:2013 • COBIT 5 • NIST CSF
ISO/IEC 27001:2013 • International standard • "Information technology - Security techniques - Information security management systems - Requirements" • Processes used to • Assess risk • Develop controls • Manage typical processes such as vulnerability management and incident management
COBIT 5 • From ISACA • Controls and governance framework • For managing an IT organization • COBIT 5 for Information Security • Additional standard to extend COBIT 5
NIST CSF • US National Institute of Standards and Technology (NIST) • Cyber Security Framework (CSF) • Developed in 2014 to address rampant security breaches and identity theft in the US
Ch 4a-1
Defining a Road Map • Required steps to achieve an objective • In support of the business vision and mission • Consists of various tasks and projects • Creating and implementing capabilities • Reducing information risk
Enterprise Architecture • Both a business function and a technical model • Business function • Activities ensuring that important business needs are met by IT systems • Model • Mapping business systems into IT environment and systems
Information Security Architecture • A subset within Enterprise Architecture • Concerned with two things • Protective characteristics in components in the enterprise architecture • Specific components n the enterprise architecture that provide preventive or detective security functions
Enterprise Architecture Ensures:
Two Layers of Information Security Architecture • Policy • Necessary characteristics of overall environment • Ex: centralized authentication, 
 endpoint-based web filtering • Standards • Vendor standards • Protocol standards • Configuration or hardening standards
Centralized Functions • Operate more effectively than isolated, local instances • Amplify workforce • So a small staff can manage hundreds or thousands of devices
• Authentication • Microsoft Active Directory (AD) • Lightweight Directory Access Protocol (LDAP) • Monitoring • SIEMs like Splunk • Device Management • Consistency for servers, workstations, mobile devices, and network devices Centralized Functions
Two Enterprise Architecture Frameworks • The Open Group Architecture Framework (TOGAF) • Zachman Framework • These are Enterprise Architecture models, not Enterprise Security Architecture models
The Open Group Architecture Framework (TOGAF) • Life-cycle enterprise architecture framework • For designing, planning, implementing, and governing • An enterprise technology architecture • A high-level approach
Phases in TOGAF
TOGAF Components
Zachman Framework • Established in the 1980s • Still dominant today • Likens IT enterprise architecture to construction and maintenance of an office building
Zachman Framework
Implementing a Security Architecture • Both a big-picture and a detailed plan • At enterprise level • Policy and governance • Decisions about major aspects • Such as brands of servers, workstations, and network devices
• At detail level • Configuration and change management on devices or groups of devices • Ex: Upgrade to DNS infrastructure • Might increase number of name servers • Requiring updates to most or all devices Implementing a Security Architecture
Changes to Architecture Models • Software-Defined Networking (SDN) • Virtualization • Microservices • Small, independent services that communicate over networks • Often in containers
Security Program Management
Security Program Management Topics • Security Governance • Activities and Results • Risk Management • The Risk Management Program • The Risk Management Process • Identifying and Grouping Assets • Risk Analysis • Risk Treatment
Security Program Management Topics (continued) • Audits and Reviews • Control Self-Assessment • Security Reviews • Policy Development • Third-Party Risk Management • Administrative Activities
Security Governance • Assemblage of management activities that • Identify, analyze and treat risks to key assets • Establish key roles and responsibilities • Measure key security processes
• Board of Directors • Establishes tone for risk appetite and risk management • Information Steering Committee • Chief Information Security Officer (CISO) • Audit • Chief Information Officer (CIO) • Management • All employees Security Governance Personnel
Information Steering Committee • Establishes operational strategy • For security and risk management • Sets strategic and operational roles and responsibilities • Security strategy should align with strategy for IT and the business overall
Chief Information Security Officer (CISO) • Responsible for • Developing security policy • Conducting risk assessments • Developing processes for • Vulnerability management • Incident management • Identity and access management • Security awareness and training • Compliance management
Audit • Responsible for examining selected business processes and information systems • To verify that they are designed and operating properly
Chief Information Officer (CIO) • Responsible for overall management of the IT organization, including • IT strategy • Development • Operations • Service desk
Management • Every manager should be at least partially responsible for the conduct of their employees • This establishes a chain of accountability
All Employees • Required to comply with • Security policy • Security requirements and processes • All other policies • Compliance with policy is a condition of employment
Reasons for Security Governance • Organizations are completely dependent on their information systems • Ineffective security governance can lead to negligence, and breaches
Security Governance Activities and Results • Risk management • Process improvement • incident response • Improved compliance • Business continuity and disaster recovery planning • Effectiveness measurement • Resource management • Improved IT governance
Results of Security Governance • Increased trust • From customers, suppliers, and partners • Improved reputation
Ch 4a-2

Recommended

CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk Management
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 

Recommended

CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk Management
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
Sam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
Sam Bowne
 
CNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life CycleCNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life Cycle
Sam Bowne
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
Sam Bowne
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
Sam Bowne
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 

More Related Content

What's hot

CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
Sam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
Sam Bowne
 
CNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life CycleCNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life Cycle
Sam Bowne
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
Sam Bowne
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
Sam Bowne
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 

What's hot (20)

CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
 
CNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life CycleCNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life Cycle
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
 

Similar to CNIT 160 Ch 4a: Information Security Programs

ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
it160320737038
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurancea3virani
 
project managmnet
project managmnetproject managmnet
project managmnet
darshan942
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
IGN MANTRA
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
Hafiz Sheikh Adnan Ahmed
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
HasnolAhmad2
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPScott Baron
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
randalje86
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
Rochester Security Summit
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
Jim Kaplan CIA CFE
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
Resume-Amit 1.0
Resume-Amit 1.0Resume-Amit 1.0
Resume-Amit 1.0Amit Verma
 
UMASS-NISTCSF-October-2016-Presentation-rev2.pptx
UMASS-NISTCSF-October-2016-Presentation-rev2.pptxUMASS-NISTCSF-October-2016-Presentation-rev2.pptx
UMASS-NISTCSF-October-2016-Presentation-rev2.pptx
Abid Ur Rehman
 

Similar to CNIT 160 Ch 4a: Information Security Programs (20)

ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 
project managmnet
project managmnetproject managmnet
project managmnet
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Resume-Amit 1.0
Resume-Amit 1.0Resume-Amit 1.0
Resume-Amit 1.0
 
UMASS-NISTCSF-October-2016-Presentation-rev2.pptx
UMASS-NISTCSF-October-2016-Presentation-rev2.pptxUMASS-NISTCSF-October-2016-Presentation-rev2.pptx
UMASS-NISTCSF-October-2016-Presentation-rev2.pptx
 

More from Sam Bowne

Cyberwar
CyberwarCyberwar
Cyberwar
Sam Bowne
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
Sam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
Sam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
Sam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
10 RSA
10 RSA10 RSA
10 RSA
Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
Sam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
Sam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
Sam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
Sam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
Sam Bowne
 

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
GeoBlogs
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
joachimlavalley1
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
Anna Sz.
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
RaedMohamed3
 
678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf
CarlosHernanMontoyab2
 

Recently uploaded (20)

Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf
 

CNIT 160 Ch 4a: Information Security Programs

  • 1. CNIT 160: Cybersecurity Responsibilities 4. Information Security Program Development Part 1 Pages 158 - 182
  • 2. Chapter Topics • Information Security Programs • Security Program Management • Security Program Operations • IT Service Management • Controls • Metrics and Monitoring • Continuous Improvement
  • 4. Information Security Programs • Outcomes • Charter • Scope • Information Security Management Frameworks • Defining a Road Map • Information Security Architecture • The Open Group Architecture Framework • The Zachman Framework • Implementing a Security Architecture
  • 5. Developing an Information Security Program • Four steps • Developing a security strategy • Gap analysis • Developing a road map • Developing a security program
  • 6. Information Security Programs • The collection of activities to identify, communicate, and address risks • Consists of controls, processes, and practices • To increase resilience of computing environment, and • Ensure that risks are known and handled effectively
  • 7. Enabling Business • Security program acts as a business enabler • Allowing it to consider new business ventures • While being aware of risks that can be mitigated • Like the brakes on a race car • Allowing it to move faster and stay on the road
  • 8. Outcomes • Strategic alignment • Risk management • Value delivery • Resource management • Performance management • Assurance process integration
  • 9. Strategic Alignment • Program must work in harmony with the rest of the organization • Being aware of new initiatives • Developing risk tolerance criteria that business leaders agree with • Establishing mutual trust • Use a security council or governance committee • With stakeholders across the business
  • 10. Risk Management and Value Delivery • Risk Management • Identifies risks • Facilitates desired outcomes • Through appropriate risk treatment • Value Delivery • Reducing risk in critical activities • To an acceptable level
  • 11. Resource Management • Permanent and temporary staff, external service providers, and tools • Must be managed so they are effectively used • To reduce risks in alignment with the risk management program • "Rightsizing" information security program budget • Assist with resource requests from security manager
  • 12. Performance Management • Measure key activities • To ensure the are operating as planned • Security metrics
  • 13. Assurance Process Integration • Information security program aligns with other assurance programs and processes • HR, finance, legal, audit, enterprise risk management, IT, and operations • Influences those activities to protect them from harm
  • 14. Charter • Formal written definition of • Objectives of the program • Main timelines • Sources of funding • Names of principal leaders and managers • Business executives who are sponsoring the program • Gives security manager authority, shows support from leadership team
  • 15. Security Manager Functions • Develop and • Enforce security policy • Risk management process • Security governance • Controls across business unit boundaries
  • 16. Security Manager Functions • Develop and direct implementation of key security processes • Vulnerability management • Incident management • Third-party risk • Security architecture • Business continuity planning • Security awareness training
  • 17. Team Sport • Security charter is ratified by executive management • Security manager can't dictate the program to others • Must lead and guide program through collaboration and consensus by stakeholders • Executive leaders and board of directors hold the ultimate responsibility or ownership for protecting information 

  • 18. Scope • Define departments, business units, affiliates, and locations • Included in information security program • More relevant in larger organizations
  • 19. Information Security Management Frameworks • Business process models • Include essential processes and activities • Needed by most organizations • Risk-centric
  • 20. Three Most Popular Security Management Frameworks • ISO/IEC 27001:2013 • COBIT 5 • NIST CSF
  • 21. ISO/IEC 27001:2013 • International standard • "Information technology - Security techniques - Information security management systems - Requirements" • Processes used to • Assess risk • Develop controls • Manage typical processes such as vulnerability management and incident management
  • 22. COBIT 5 • From ISACA • Controls and governance framework • For managing an IT organization • COBIT 5 for Information Security • Additional standard to extend COBIT 5
  • 23. NIST CSF • US National Institute of Standards and Technology (NIST) • Cyber Security Framework (CSF) • Developed in 2014 to address rampant security breaches and identity theft in the US
  • 25. Defining a Road Map • Required steps to achieve an objective • In support of the business vision and mission • Consists of various tasks and projects • Creating and implementing capabilities • Reducing information risk
  • 26. Enterprise Architecture • Both a business function and a technical model • Business function • Activities ensuring that important business needs are met by IT systems • Model • Mapping business systems into IT environment and systems
  • 27. Information Security Architecture • A subset within Enterprise Architecture • Concerned with two things • Protective characteristics in components in the enterprise architecture • Specific components n the enterprise architecture that provide preventive or detective security functions
  • 29. Two Layers of Information Security Architecture • Policy • Necessary characteristics of overall environment • Ex: centralized authentication, 
 endpoint-based web filtering • Standards • Vendor standards • Protocol standards • Configuration or hardening standards
  • 30. Centralized Functions • Operate more effectively than isolated, local instances • Amplify workforce • So a small staff can manage hundreds or thousands of devices
  • 31. • Authentication • Microsoft Active Directory (AD) • Lightweight Directory Access Protocol (LDAP) • Monitoring • SIEMs like Splunk • Device Management • Consistency for servers, workstations, mobile devices, and network devices Centralized Functions
  • 32. Two Enterprise Architecture Frameworks • The Open Group Architecture Framework (TOGAF) • Zachman Framework • These are Enterprise Architecture models, not Enterprise Security Architecture models
  • 33. The Open Group Architecture Framework (TOGAF) • Life-cycle enterprise architecture framework • For designing, planning, implementing, and governing • An enterprise technology architecture • A high-level approach
  • 36. Zachman Framework • Established in the 1980s • Still dominant today • Likens IT enterprise architecture to construction and maintenance of an office building
  • 38. Implementing a Security Architecture • Both a big-picture and a detailed plan • At enterprise level • Policy and governance • Decisions about major aspects • Such as brands of servers, workstations, and network devices
  • 39. • At detail level • Configuration and change management on devices or groups of devices • Ex: Upgrade to DNS infrastructure • Might increase number of name servers • Requiring updates to most or all devices Implementing a Security Architecture
  • 40. Changes to Architecture Models • Software-Defined Networking (SDN) • Virtualization • Microservices • Small, independent services that communicate over networks • Often in containers
  • 42. Security Program Management Topics • Security Governance • Activities and Results • Risk Management • The Risk Management Program • The Risk Management Process • Identifying and Grouping Assets • Risk Analysis • Risk Treatment
  • 43. Security Program Management Topics (continued) • Audits and Reviews • Control Self-Assessment • Security Reviews • Policy Development • Third-Party Risk Management • Administrative Activities
  • 44. Security Governance • Assemblage of management activities that • Identify, analyze and treat risks to key assets • Establish key roles and responsibilities • Measure key security processes
  • 45. • Board of Directors • Establishes tone for risk appetite and risk management • Information Steering Committee • Chief Information Security Officer (CISO) • Audit • Chief Information Officer (CIO) • Management • All employees Security Governance Personnel
  • 46. Information Steering Committee • Establishes operational strategy • For security and risk management • Sets strategic and operational roles and responsibilities • Security strategy should align with strategy for IT and the business overall
  • 47. Chief Information Security Officer (CISO) • Responsible for • Developing security policy • Conducting risk assessments • Developing processes for • Vulnerability management • Incident management • Identity and access management • Security awareness and training • Compliance management
  • 48. Audit • Responsible for examining selected business processes and information systems • To verify that they are designed and operating properly
  • 49. Chief Information Officer (CIO) • Responsible for overall management of the IT organization, including • IT strategy • Development • Operations • Service desk
  • 50. Management • Every manager should be at least partially responsible for the conduct of their employees • This establishes a chain of accountability
  • 51. All Employees • Required to comply with • Security policy • Security requirements and processes • All other policies • Compliance with policy is a condition of employment
  • 52. Reasons for Security Governance • Organizations are completely dependent on their information systems • Ineffective security governance can lead to negligence, and breaches
  • 53. Security Governance Activities and Results • Risk management • Process improvement • incident response • Improved compliance • Business continuity and disaster recovery planning • Effectiveness measurement • Resource management • Improved IT governance
  • 54. Results of Security Governance • Increased trust • From customers, suppliers, and partners • Improved reputation