The document discusses information security governance. It notes that there is no single model of organizational structure that ensures information security requirements are met, and that there is uncertainty about what information security governance actually consists of. It also states that information security governance does not function in isolation. The document then provides statistics on how organizations globally and in the Middle East operate with regard to information security governance.
Information Security Governance and Strategy (Dam Frank)
The document discusses information security governance and strategy based on ISO 38500:2008. It covers key aspects of IT governance including evaluating who makes IT decisions, directing the implementation of decisions, and monitoring conformance. The six principles of IT governance outlined are responsibility, strategy, acquisition, performance, conformance, and human behavior. An IT governance model is illustrated showing how the principles relate to evaluating, directing, and monitoring IT processes.
1. The document presents a five-point incident response model shown as a swim lane diagram with five stages: prevention, detection, classification, control & eradication, and follow up & recovery.
2. It shows the flow of an incident from end users and detection capabilities to various response teams like the help desk, CSIRT, ITS department, and management.
3. The diagram is meant to coordinate cross-functional response across different departments and silos to improve performance, resiliency, and systems in response to incidents.
Business Continuity, Data Privacy, and Information Security: How do they link? (PECB)
Considering the increased number of cyberattacks and the significant damage caused to the IT infrastructure, organizations should ensure that their efforts to secure IT operations are linked with efforts to maintain resiliency within organizations.
The webinar covers
• Cybersecurity during pandemic through statistics
• Attack trends during pandemic
• Mitigating steps to take
• Relevance of IT Disaster Recovery in the time of Cloud computing
• Achieving optimal alignment and efficiency regarding your ISMS, BCP, BIA and Risk Management efforts
• Post-pandemic cyber and privacy considerations
• BCP and pandemic scenario planning 'beyond COVID'
• How to keep your privacy policy and incident response plan actionable
• How to keep your BCP short, sharp, up-to-date and user-friendly during an actual invocation
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/0AbrywA5oic
ISO/IEC 27001 Foundation Training Course by interprom (Mart Rovers)
What is involved with the ISO/IEC 27001 Foundation certification training course? Learn about the course curriculum, target audience, duration, formats, exam, fees and much more.
Thanks to the cloud and open source tools, DevOps teams have access to unprecedented infrastructure and scale. But that also exposes them to some of the most capable adversaries on the Internet, because every application deployment puts the security of the business at risk. Perimeter-based security is no longer viable in such a distributed environment, so companies now need to adapt to more fine-grained, micro-level security. This merging of DevOps and security operations – a concept called DevSecOps – is one of the most important new developments in security and IT deployment. In this session, our expert will discuss how teams are now collaborating as peers to achieve optimal security.
ISO 27001:2013 is the international standard that provides a framework for an Information Security Management System (ISMS), intended to preserve the confidentiality, integrity and availability of information and to support legal and regulatory compliance. (The 2013 edition has since been superseded by ISO/IEC 27001:2022, which reorganised the Annex A controls; the implementation process described here still applies.)
ISO 27001 certification is essential for protecting your most vital assets like employee and client information, brand image and other private information. The ISO standard includes a process-based approach to initiating, implementing, operating and maintaining your ISMS.
This implementation guide will help you run through the benefits, PDCA Cycle and Annex SL structure in detail for implementing ISO 27001.
Find out more or get a quote for certification here – https://www.nqa.com/en-gb/certification/standards/iso-27001
This document presents a guide to the successful implementation of ISO 27001. It explains that planning includes the development of consultants, project management, integration of management systems, and identification of responsibilities. It recommends a structured Plan-Do-Check-Act approach, with steps such as defining the scope, performing a risk assessment, and selecting controls. It also emphasises the importance of integrating with existing security systems and
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi... (himalya sharma)
ISO 27001 Internal Auditor Training is delivered by industry experts, customised for you and connected with relevance to your industry, products, services and processes.
This document provides an overview of security metrics and how to develop an effective security metrics program. It discusses that metrics should be based on security goals and objectives, quantifiable, and useful for improving performance. The document outlines key steps for developing a metrics program including determining goals and baselines, selecting relevant metrics, gathering and analyzing metrics data, and using metrics for decision making and resource allocation. Examples of common security metrics and guidelines for effective metrics are also provided.
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Cybersecurity Incident Management Powerpoint Presentation Slides are designed for information technology experts. Our data security PowerPoint theme combines high-quality design with info accumulated by industry experts. Represent the present situation of the target organization’s information security management using our patterned PPT slideshow. The innovative data visualizations aid in compiling data such as the analysis of the current IT department with considerable convenience. Communicate the cybersecurity framework roadmap and kinds of cyber threats with the help of this PowerPoint layout. Demonstrate the cybersecurity risk management action plan through the tabular format included in this PPT presentation. Illustrate the cybersecurity contingency plan. Our information security management system PowerPoint templates deck helps you in defining risk handling responsibilities of your personnel. Elucidate the role of the management in successful information security governance. Our PPT deck also outlines the costs involved in cybersecurity management and staff training. Showcase an impact analysis with a dash of visual brilliance. Smash the download button and start designing. Our Cybersecurity Incident Management Powerpoint Presentation Slides are topically designed to provide an attractive backdrop to any subject. Use them to look like a presentation pro. https://bit.ly/3zWo1hb
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
This document provides an overview of ISO 27001, which establishes requirements for an Information Security Management System (ISMS). It discusses the requirements to establish, implement, maintain, and continually improve the ISMS. The key requirements include establishing the scope and policy of the ISMS, conducting a risk assessment, selecting controls, implementing controls, monitoring and reviewing the system, taking corrective and preventive actions, and conducting management reviews. The purpose is to introduce a systematic approach to managing information security risks and ensure the confidentiality, integrity and availability of information assets.
Vulnerability and patch management tools allow organizations to assess and remediate security vulnerabilities across their IT infrastructure. By automating vulnerability scans, patch deployment, and compliance reporting, these tools can help audit 100% of systems on a regular basis, speed remediation times, and reduce business risks and costs associated with security breaches. While native OS tools provide some patching and management capabilities, dedicated vulnerability and patch management solutions offer more comprehensive vulnerability assessments, centralized administration and reporting, and scalability needed for large enterprise environments.
An Introduction to IT Management with COBIT 2019 (Gregor Polančič)
This document provides an overview of key concepts from COBIT 2019, an enterprise governance of IT framework. It begins with an introduction to IT management and governance, explaining that IT management involves planning, building, running and monitoring IT activities in alignment with governance. Effective enterprise governance of IT (EGIT) helps realize benefits, optimize risks and resources, and improve business/IT alignment. Frameworks like COBIT provide best practices to assist with understanding, designing and implementing EGIT. COBIT 2019 builds on over 25 years of development and aligns with major standards. It defines six principles for effective governance systems and three principles for governance frameworks. The document concludes with an introduction to COBIT 2019 concepts.
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map? (PECB)
Due to an increase in the collection of consumer data, high-profile data breaches have become common.
Currently, there are 128 countries all over the world that have already put in place regulations to secure the protection of data and privacy.
The webinar covers:
• Data protection, a global development
• Introduction to the GDPR, ePrivacy & ISO/IEC 27701
• GDPR & ISO/IEC 27701 mapping
• ePrivacy & ISO/IEC 27701 mapping
Recorded Webinar: https://youtu.be/oVhIoHAGGwk
This whitepaper provides some meaningful examples of metrics, together with the purpose (target) each metric serves.
The whitepaper focuses on metrics that describe the status of the ISMS and its output; these same outputs also feed into management reporting.
What is a secure enterprise architecture roadmap? (Ulf Mattsson)
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Does blockchain, GDPR, Cloud, and IoT conflict with compliance regulations complicating your SEA?
* How will quantum computing impact SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
The Measure of Success: Security Metrics to Tell Your Story (Priyanka Aash)
The document discusses examples of security metrics and reports that can be used to measure the effectiveness of a security program and communicate progress to stakeholders. It provides examples of operational reports that include metrics on information security audit issues, antivirus coverage, patching status, and vulnerability management. It also shows examples of executive discussions on risk metrics and program maturity. The document advises applying the examples by identifying the audience and their concerns, determining accountability for metrics, starting with some initial metrics and improving over time, and developing a package of reports for senior leadership within six months.
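As an added example (not code from any of the decks or whitepapers summarised on this page), the following Python computes three of the operational metrics these metrics presentations mention, antivirus coverage, patching status by severity and the share of hosts with nothing past its remediation SLA, from a constructed asset inventory, and then compares them with targets, which is the "metrics with purposes (targets)" idea from the ISMS metrics whitepaper abstract above. The SLA windows, the target thresholds, the record layout and the sample hosts and patches are all assumptions made for this example.

```python
"""Security metrics over a constructed asset inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLAs in days from vendor release, keyed by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Assumed programme targets; a metric below its target is reported as a miss.
TARGETS = {"av_coverage": 0.98, "hosts_within_sla": 0.95}


@dataclass
class MissingPatch:
    patch_id: str
    severity: str
    released: date          # vendor release date; the SLA clock starts here


@dataclass
class Host:
    name: str
    av_last_checkin: Optional[date]           # None: no AV agent reporting
    missing: list = field(default_factory=list)


# Constructed sample inventory for the example (not real hosts or patches).
AS_OF = date(2024, 3, 1)
INVENTORY = [
    Host("web-01", date(2024, 2, 29), [MissingPatch("P-1", "critical", date(2024, 2, 26))]),
    Host("web-02", date(2024, 2, 29), [MissingPatch("P-1", "critical", date(2024, 2, 10))]),
    Host("db-01", None, [MissingPatch("P-2", "high", date(2024, 1, 1)),
                         MissingPatch("P-3", "medium", date(2024, 2, 1))]),
    Host("jump-01", date(2024, 2, 20), []),
]


def is_overdue(patch, as_of):
    """True once a missing patch has been outstanding longer than its SLA."""
    return (as_of - patch.released).days > SLA_DAYS[patch.severity]


def av_coverage(hosts, as_of, max_age_days=1):
    """Share of hosts whose AV agent checked in within max_age_days."""
    cutoff = as_of - timedelta(days=max_age_days)
    covered = sum(1 for h in hosts if h.av_last_checkin and h.av_last_checkin >= cutoff)
    return covered / len(hosts)


def patch_status(hosts, as_of):
    """Per severity: missing patches, how many are past SLA, and the oldest age in days."""
    status = {}
    for h in hosts:
        for p in h.missing:
            s = status.setdefault(p.severity, {"missing": 0, "overdue": 0, "oldest_days": 0})
            s["missing"] += 1
            s["overdue"] += int(is_overdue(p, as_of))
            s["oldest_days"] = max(s["oldest_days"], (as_of - p.released).days)
    return status


def hosts_within_sla(hosts, as_of):
    """Share of hosts with no patch outstanding past its SLA."""
    ok = sum(1 for h in hosts if not any(is_overdue(p, as_of) for p in h.missing))
    return ok / len(hosts)


def build_report(hosts=INVENTORY, as_of=AS_OF):
    """The operational numbers plus the list of targets missed this period."""
    report = {
        "av_coverage": av_coverage(hosts, as_of),
        "hosts_within_sla": hosts_within_sla(hosts, as_of),
        "patch_status": patch_status(hosts, as_of),
    }
    missed = [name for name, target in TARGETS.items() if report[name] < target]
    if report["patch_status"].get("critical", {}).get("overdue", 0):
        missed.append("critical_overdue")     # assumed zero tolerance for overdue criticals
    report["targets_missed"] = missed
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2))
```

The point of pairing each number with a target is that the report answers "are we where we said we would be?" rather than just "what is the number?"; the per-severity breakdown also keeps a pile of overdue medium patches from hiding a single overdue critical one.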
The document summarizes the journey of the NIST Cybersecurity Framework from version 1.1 to the upcoming version 2.0. It provides an overview of the key components of version 1.1 and the motivation for an update. Version 2.0 includes significant updates like a new "Govern" function, changes to categories and subcategories, more implementation guidance, and an emphasis on supply chain risk management. The draft of version 2.0 was open for public comment through November 2023, with the final version planned for early 2024. (NIST published the final CSF 2.0 in February 2024.)
These are slides from a local security chapter meetup. Here I tried to explain the challenges in appsec and a complete framework for the different phases of the secure software development life cycle.
This document is a presentation on information security and business continuity. It covers topics such as ISO 27001 on information security, risk management, laws relating to information security in Qatar, and examples of product recalls due to incidents. The presentation provides an overview of ISO 27001, including its structure following the PDCA model and the roles of internal and external interested parties. It also discusses why information needs protection due to threats and vulnerabilities, and the principles of information security management systems.
The document discusses IT governance and provides an overview of key frameworks for IT governance, including ISO 38500 and COBIT. It begins by defining governance and describing how governance applies to IT. It then discusses why IT governance is important for organizations, noting benefits like ensuring strategic alignment between IT and business goals. The document also provides a detailed overview of the ISO 38500 standard for IT governance, describing its scope, framework and principles. It explains the standard's six principles of IT governance and provides examples. Overall, the document serves to introduce the topic of IT governance and some of the most relevant frameworks.
ISO/IEC 27001 is a global standard that provides guidelines for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). It does not provide a one-size-fits-all blueprint but rather a framework of required methods. Building an ISO/IEC 27001-compliant ISMS involves establishing management support, governance, policy, risk assessment, controls implementation, monitoring, review, and continuous improvement. Certification involves staged audits to assess the documentation and implementation of the ISMS.
This document provides an introduction to ISO/IEC 27000, which is a family of standards related to information security management systems (ISMS). It discusses why organizations implement ISO 27001 and become certified. Key points covered include how ISO 27001 provides a framework to manage information security risks, helps comply with legal/regulatory requirements, and can provide a competitive advantage for organizations. The document also distinguishes between IT security and information security, and covers basic concepts such as how ISO 27001 relates to asset management and risk assessment.
Information Security is becoming a focus for the entire enterprise, not just IT. This need to align both business and technology is forcing IT to move Information Security from afterthought to forethought. Architects now ponder how Information Security can be integrated into the broader topic of Enterprise Architecture. This session shows how to make the integration happen. You will learn how to integrate assets and define trusts and threat models as a part of your overall EA plan. You will also understand how Information Security is traced all the way from business architecture to the technology implementation. Participants will understand the components of an Integrated EA and Information Security framework and ensuring the traceability between business goals and IT security solutions delivered from the framework.
Key Issues:
-Understand the need to think early about Information Security
-Learn to incorporate Information Security into your EA blueprint and roadmap
-Integrate Information Security goals, objectives and capabilities with your EA view of strategy
-Integrate security policies, services and mechanisms with your EA view of solutions
-Integrate security mechanisms, standards, and guidelines into your implementations
The document discusses information governance and information security. It defines information as an important business asset that needs protection. There are different types of information like internal, customer, and outsourced information. IT governance is the process of making decisions about and monitoring IT performance. Information security protects the availability, privacy, and integrity of information using methods like access controls, security policies, asset management, and more. Information security aims to achieve the 4 Ps of security - preventative, protective, corrective and detective measures. Risk is highest during the conception and development periods of a project.
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...himalya sharma
ISO 27001 Internal Auditor Taining is done by Industry Experts, customized for you & connected with relevance to your Industry, products, services & Processes
This document provides an overview of security metrics and how to develop an effective security metrics program. It discusses that metrics should be based on security goals and objectives, quantifiable, and useful for improving performance. The document outlines key steps for developing a metrics program including determining goals and baselines, selecting relevant metrics, gathering and analyzing metrics data, and using metrics for decision making and resource allocation. Examples of common security metrics and guidelines for effective metrics are also provided.
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Cybersecurity Incident Management Powerpoint Presentation Slides are designed for information technology experts. Our data security PowerPoint theme combines high-quality design with info accumulated by industry experts. Represent the present situation of the target organization’s information security management using our patterned PPT slideshow. The innovative data visualizations aid in compiling data such as the analysis of the current IT department with considerable convenience. Communicate the cybersecurity framework roadmap and kinds of cyber threats with the help of this PowerPoint layout. Demonstrate the cybersecurity risk management action plan through the tabular format included in this PPT presentation. Illustrate the cybersecurity contingency plan. Our information security management system PowerPoint templates deck helps you in defining risk handling responsibilities of your personnel. Elucidate the role of the management in successful information security governance. Our PPT deck also outlines the costs involved in cybersecurity management and staff training. Showcase an impact analysis with a dash of visual brilliance. Smash the download button and start designing. Our Cybersecurity Incident Management Powerpoint Presentation Slides are topically designed to provide an attractive backdrop to any subject. Use them to look like a presentation pro. https://bit.ly/3zWo1hb
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
This document provides an overview of ISO 27001, which establishes requirements for an Information Security Management System (ISMS). It discusses the requirements to establish, implement, maintain, and continually improve the ISMS. The key requirements include establishing the scope and policy of the ISMS, conducting a risk assessment, selecting controls, implementing controls, monitoring and reviewing the system, taking corrective and preventive actions, and conducting management reviews. The purpose is to introduce a systematic approach to managing information security risks and ensure the confidentiality, integrity and availability of information assets.
Vulnerability and patch management tools allow organizations to assess and remediate security vulnerabilities across their IT infrastructure. By automating vulnerability scans, patch deployment, and compliance reporting, these tools can help audit 100% of systems on a regular basis, speed remediation times, and reduce business risks and costs associated with security breaches. While native OS tools provide some patching and management capabilities, dedicated vulnerability and patch management solutions offer more comprehensive vulnerability assessments, centralized administration and reporting, and scalability needed for large enterprise environments.
An Introduction to IT Management with COBIT 2019Gregor Polančič
This document provides an overview of key concepts from COBIT 2019, an enterprise governance of IT framework. It begins with an introduction to IT management and governance, explaining that IT management involves planning, building, running and monitoring IT activities in alignment with governance. Effective enterprise governance of IT (EGIT) helps realize benefits, optimize risks and resources, and improve business/IT alignment. Frameworks like COBIT provide best practices to assist with understanding, designing and implementing EGIT. COBIT 2019 builds on over 25 years of development and aligns with major standards. It defines six principles for effective governance systems and three principles for governance frameworks. The document concludes with an introduction to COBIT 2019 concepts.
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?PECB
Due to an increase in the collection of consumer data, high-profile data breaches have become common.
Currently, there are 128 countries all over the world that have already put in place regulations to secure the protection of data and privacy.
The webinar covers:
Data protection, a global development
Introduction to the GDPR, ePrivacy & ISO/IEC 27701
GDPR & ISO/IEC 27701mapping
ePrivacy & ISO/IEC 27701 mapping
Recorded Webinar: https://youtu.be/oVhIoHAGGwk
This whitepaper provides some meaningful examples of metrics along with the purposes of those metrics (targets).
The whitepaper focuses on metrics relating to the status of the ISMS and its output. These are also the outputs that feed into management reporting.
What is a secure enterprise architecture roadmap? by Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Do blockchain, GDPR, cloud, and IoT conflict with compliance regulations, complicating your SEA?
* How will quantum computing impact the SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
The Measure of Success: Security Metrics to Tell Your Story by Priyanka Aash
The document discusses examples of security metrics and reports that can be used to measure the effectiveness of a security program and communicate progress to stakeholders. It provides examples of operational reports that include metrics on information security audit issues, antivirus coverage, patching status, and vulnerability management. It also shows examples of executive discussions on risk metrics and program maturity. The document advises applying the examples by identifying the audience and their concerns, determining accountability for metrics, starting with some initial metrics and improving over time, and developing a package of reports for senior leadership within six months.
The document summarizes the journey of the NIST Cybersecurity Framework from version 1.1 to the upcoming version 2.0. It provides an overview of the key components of version 1.1 and the motivation for an update. Version 2.0 includes significant updates like a new "Govern" function, changes to categories and subcategories, more implementation guidance, and an emphasis on supply chain risk management. The draft of version 2.0 is available for public comment through November 2023, with the final version planned for early 2024.
These are slides from a local security chapter meetup. Here I tried to explain the challenges in AppSec and a complete framework for the different life-cycle stages of the secure software development cycle.
This document is a presentation on information security and business continuity. It covers topics such as ISO 27001 on information security, risk management, laws relating to information security in Qatar, and examples of product recalls due to incidents. The presentation provides an overview of ISO 27001, including its structure following the PDCA model and the roles of internal and external interested parties. It also discusses why information needs protection due to threats and vulnerabilities, and the principles of information security management systems.
The document discusses IT governance and provides an overview of key frameworks for IT governance, including ISO 38500 and COBIT. It begins by defining governance and describing how governance applies to IT. It then discusses why IT governance is important for organizations, noting benefits like ensuring strategic alignment between IT and business goals. The document also provides a detailed overview of the ISO 38500 standard for IT governance, describing its scope, framework and principles. It explains the standard's six principles of IT governance and provides examples. Overall, the document serves to introduce the topic of IT governance and some of the most relevant frameworks.
ISO/IEC 27001 is a global standard that provides guidelines for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). It does not provide a one-size-fits-all blueprint but rather a framework of required methods. Building an ISO/IEC 27001-compliant ISMS involves establishing management support, governance, policy, risk assessment, controls implementation, monitoring, review, and continuous improvement. Certification involves staged audits to assess the documentation and implementation of the ISMS.
This document provides an introduction to ISO/IEC 27000, which is a family of standards related to information security management systems (ISMS). It discusses why organizations implement ISO 27001 and become certified. Key points covered include how ISO 27001 provides a framework to manage information security risks, helps comply with legal/regulatory requirements, and can provide a competitive advantage for organizations. The document also distinguishes between IT security and information security, and covers basic concepts such as how ISO 27001 relates to asset management and risk assessment.
Information Security is becoming a focus for the entire enterprise, not just IT. This need to align both business and technology is forcing IT to move Information Security from afterthought to forethought. Architects now ponder how Information Security can be integrated into the broader topic of Enterprise Architecture. This session shows how to make the integration happen. You will learn how to integrate assets and define trusts and threat models as part of your overall EA plan. You will also understand how Information Security is traced all the way from business architecture to the technology implementation. Participants will understand the components of an integrated EA and Information Security framework and how to ensure traceability between business goals and the IT security solutions delivered from the framework.
Key Issues:
-Understand the need to think early about Information Security
-Learn to incorporate Information Security into your EA blueprint and roadmap
-Integrate Information Security goals, objectives and capabilities with your EA view of strategy
-Integrate security policies, services and mechanisms with your EA view of solutions
-Integrate security mechanisms, standards, and guidelines into your implementations
The document discusses information governance and information security. It defines information as an important business asset that needs protection. There are different types of information like internal, customer, and outsourced information. IT governance is the process of making decisions about and monitoring IT performance. Information security protects the availability, privacy, and integrity of information using methods like access controls, security policies, asset management, and more. Information security aims to achieve the 4 Ps of security - preventative, protective, corrective and detective measures. Risk is highest during the conception and development periods of a project.
Techserv is an IT security consulting firm that helps organizations achieve and maintain ISO 27001 certification. They take a holistic, goal-oriented approach to IT security that considers business goals, laws and regulations, and key information security principles of effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. Their methodology involves assessing needs, risks, and existing controls; designing improved controls; implementing solutions; training; auditing; and continuously measuring and improving security performance.
This paper describes how a continuous-improvement IT Security Governance process provides effective planning and decision-making capabilities for a cybersecurity program. Governance can be thought of as “doing the right things”, while management is “doing things right”. IT Security Governance focuses on doing the right things to protect organizations and agencies.
The document discusses implementing the ISO 27001 standard for information security management. It notes that many organizations take a siloed approach to complying with various regulations, which increases costs and complexity. ISO 27001 provides a single, comprehensive framework that can help organizations reduce redundant efforts by covering controls required by multiple regulations. Implementing ISO 27001 can help balance security, compliance, and cost by establishing a strategic, holistic approach rather than addressing each compliance individually.
IBM Banking: Automated Systems help meet new Compliance Requirements by IBM Banking
IBM automation systems, such as e-discovery and auto-classification, help financial firms achieve transparency and meet compliance requirements while maximizing the value of your existing content management architecture.
The document discusses the eDiscovery market and opportunities for emerging eDiscovery vendors. It notes that the market is shifting from a reactive, case-driven model to a more proactive approach focused on enterprise compliance. For emerging vendors to succeed, they need scalable technology and the ability to integrate with broader content management and information governance initiatives. The document also analyzes acquisition trends that see global software firms acquiring specialized eDiscovery vendors to fill gaps and gain expertise in this growing market segment.
Making Executives Accountable for IT Security by Seccuris Inc.
How do we make executives accountable for IT Security?
Michael outlines the general challenges, details key items of concern and discusses the focus areas that can be taken to improve the daily governance of IT security in your organization.
Secure by Design: Building ID-Based Security by Arun Gopinath
This document discusses building identity-based security into information systems. It argues that organizations need to shift from adding security tools to building security in from the start. Identity and access management technologies can integrate security throughout modern IT architectures by authenticating users, enforcing access policies, and managing user sessions and transactions. These technologies provide both security benefits and opportunities to optimize business performance through personalization. The document advocates a comprehensive approach using these and other security tools.
This document discusses building identity-based security into information systems. It argues that most organizations have focused on adding security after the fact, rather than building it in from the start. Today's identity and access management technologies allow building security directly into systems through features like real-time authentication, fine-grained access controls, and linking identity to transactions and information. This approach provides both security benefits and opportunities to optimize business performance. The document examines IBM's identity and access management capabilities as an example of a vendor that can help organizations take a comprehensive, built-in approach to security.
This document introduces a presentation on the direct and indirect advantages of implementing ISO 27001:2005 for an organization. It provides background on ISO 27001, including that it was published in 2005 and replaced BS7799-2. It also describes what an Information Security Management System (ISMS) is and the risks and challenges of information security.
Information Security between Best Practices and ISO Standards by PECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr. Gohar has more than 10 years of experience in ISM/ITSM training and consultation. He is one of the expert reviewers of the CISA RM 26th edition (2016) and an ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
Enterprise IT Governance, if properly supported, eventually becomes embedded in the culture and decision-making process. The larger and more diverse the enterprise, the slower the evolutionary process becomes. Digité Enterprise helps maintain a shared vision by allowing talent, skills and knowledge to collaborate to achieve a common goal, share ownership, and foster collective communication with complete focus on the results.
The document discusses how ITIL (Information Technology Infrastructure Library) principles are important for IT security management. While ITIL was not traditionally seen as related to security, the core ITIL processes like configuration management, change management, incident management and service desk management are crucial to minimizing security risks. When organizations properly implement repeatable ITIL processes, they experience fewer security incidents and better overall IT performance. Defining and adhering to IT management disciplines through an approach like ITIL can significantly improve security outcomes.
ITS 833 – INFORMATION GOVERNANCE, Chapter 1 – The Onslaught of.docx by vrickens
ITS 833 – INFORMATION GOVERNANCE
Chapter 1 – The Onslaught of Big Data and Information Governance Imperative
Dr. Omar Mohamed
Copyright Omar Mohamed 2019
CHAPTER GOALS AND OBJECTIVES
Define or identify what is meant by “Big Data”
What are the practical effects and problems associated with Big Data?
Solution to the Big Data problem
Defining Information Governance (“IG”)
Why we do not incorporate IG into everyday business
Advantage of IG
Effects of not incorporating IG
General approach to implementing IG
What is “Big Data”?
It is a business asset capable of being leveraged.
“High-volume, high-velocity and high-variety information that demands cost-effective innovative forms of information processing for enhanced insight and decision making”
A combination of both structured and unstructured data that is so massive that it cannot be processed using today’s database tools and analytical software techniques.
What is the practical effect of “Big Data”?
Whether or not a business enterprise will be able to sustain a competitive advantage will depend on the business’ ability to manipulate the large amount of data in a way that allows it to differentiate itself.
Estimates are that 90% of the data existing today was created over the past two years.
Big Data and related technology and services are projected to grow at a compound annual rate of approximately 27% - leading to new opportunities for data mining and business intelligence.
Issues Related to Big Data
Expense – Only about 25% of data stored has real business value, 5% more is required to be maintained for legal reasons, 1% is retained due to litigation hold, leaving about 69% with no real value.
A great deal of irrelevant information
Increased storage costs
System failures
Legal costs
Conversion costs
SOLUTION TO BIG DATA PROBLEMS?
Information Governance
Rigid
Enforced
Creates a smaller “information footprint”
Allows businesses to more easily find what they need and derive business value from it
So…What is “Information Governance”?
It is a discipline that emerged out of necessity…
Subset of corporate governance
Merged from records management, content management, information technology, data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance, data preservation and business intelligence
It is the way by which an organization manages the totality of its information
A strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to the organization’s goals. (Association of Records Management and Administrators, Glossary of Records and Information Management Terms, 4th Ed., 2012, TR 22-201 ...)
This document discusses IT governance and provides an overview of key concepts. It defines IT governance as consisting of leadership, structures, and processes to ensure IT supports business strategies and objectives. The document outlines five areas of focus for IT governance: strategic alignment, value delivery, resource management, risk management, and performance measurement. It also discusses why IT governance is important, who benefits, common frameworks that can be used, as well as advantages and disadvantages.
Management of the IT infrastructure begins at its foundation. Better understand how that foundation is defined, implemented and leveraged beyond traditional IT management solutions, in an accretive way.
An information security governance framework by Anne Ndolo
This document discusses information security governance frameworks. It evaluates four existing approaches: ISO 17799, PROTECT, the Capability Maturity Model, and the Information Security Architecture. Based on the components of these approaches, the document compiles a comprehensive list of information security components. It then uses these components to construct a new Information Security Governance Framework, which considers technical, procedural, and human behavioral components to holistically govern information security and cultivate an appropriate security culture.
MIKE2.0 Information Governance Overview by sean.mcclowry
This document introduces the MIKE2.0 methodology for information governance. MIKE2.0 is an open source methodology that provides a comprehensive framework for enterprise information management. It addresses the growing complexity of managing exponential data growth across increasingly federated organizations. The methodology promotes standards and transparency to improve data quality and business insights while increasing efficiency.
ITS 833 – INFORMATION GOVERNANCE, Chapter 2 – Information Go.docx by vrickens
ITS 833 – INFORMATION GOVERNANCE
Chapter 2 – Information Governance, IT Governance, Data Governance: What’s the Difference?
Copyright Omar Mohamed 2019
CHAPTER GOALS AND OBJECTIVES
Distinguish between Data Governance, Information Governance and Information Technology Governance and be able to define or explain each
How to increase the likelihood of success of a data governance program
Identify IT Governance Frameworks
Identify the impact of a successful IG program
What is “Data Governance”?
Includes processes and controls to ensure that information at the data level – raw data – is true, accurate and unique.
Involves data cleansing and de-duplication
Focus is on information quality
Hybrid quality control discipline
Data quality
Data management
IG policy development
Business process improvement
Compliance
Risk Management
How can you improve data governance success ?
Identify a measurable impact
Assign accountability for data quality to a business unit
Recognize the uniqueness of data as an asset
Forget the past; use a forward-looking strategy
Manage the change
WHAT IS INFORMATION TECHNOLOGY GOVERNANCE?
Primary way that stakeholders can ensure that investments in IT create business value and contribute to business objectives
Function to improve IT performance and deliver optimum business value and ensure regulatory compliance
Focus is on making IT efficient and effective
IT Governance Framework(s)
CobiT® - Control Objectives for Information and Related Technology
ValIT®
ITIL
ISO/IEC 38500:2008
CobiT®
Three Basic Organizational Levels/Responsibilities
Board of Directors and Executive Management
IT and Business Management
Line-Level Governance
Divided into four (4) IT Domains
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Includes 34 processes and 210 Control Objectives
ISO 17799
Compatible with IT Infrastructure Library (ITIL)
Process oriented IT governance framework
Co-developed by the IT Governance Institute and ISACA
Focus on:
Business Risks
Control Requirements
Compliance
Technical Issues
Under continuous refinement
ValIT®
Value Oriented Framework
Compatible with and complementary to CobiT®
Focus is on leveraging IT investments for maximum value
40 Essential Management Practices (same as CobiT® control objectives)
Supports three processes:
Value Governance
Portfolio Management
Investment Management
ITIL – Information Technology Infrastructure Library
Process Oriented
Developed in United Kingdom
Applicable to both public and private sector
Most widely accepted approach to IT service management in the world
Focus is on providing guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth
Foundation for ISO/IEC ...
Mr. Vivek Ramachandran - Advanced Wi-Fi Security Penetration Testing by nooralmousa
This document discusses advanced Wi-Fi security and penetration testing. It provides an overview of the speaker, Vivek Ramachandran, and his background and expertise in wireless security. It then covers various topics related to wireless security challenges, common tools and software used for testing, and hands-on labs for sniffing wireless networks and manipulating beacon frames.
Mr. Bulent Teksoz - Security trends and innovations by nooralmousa
The document summarizes a presentation given by Bulent Teksoz at the Kuwait Info Security Conference in May 2012. It discusses key security trends such as targeted attacks increasing across various sectors, the rise of mobile threats and data breaches. It notes four main trends of targeted malware attacks expanding, the growing risks of mobile devices and cloud computing, and continued targeted attacks. The presentation concludes that security will need to focus on risk-based approaches that provide centralized visibility and activity monitoring across information and identities to better manage security risks and data exfiltration in the future.
Mr. Mohammed Aldoub - A case study of django web applications that are secur... by nooralmousa
This document discusses how Django, a Python web framework, provides security by default through various built-in features. Django protects against common vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery through features like automatic escaping of user input, CSRF tokens, and an ORM that avoids direct SQL queries. The document argues that Django makes it easier for developers with little security knowledge to write more secure code by handling many security tasks behind the scenes.
Mr. Khalid Shaikh - Emerging trends in managing IT security by nooralmousa
The document discusses emerging trends in managing IT security. It summarizes 5 key trends in IT security attacks including industrial threats, embedded hardware threats, hacktivism, web threats, and mobile threats. Recent security events are also covered. The presentation then discusses motives for attacks, how attack tools are freely available, and how security is an ongoing challenge due to increasing sophistication of attacks and complexity of managing security. It emphasizes the need for a holistic approach to IT security management.
Mr. Andrey Belenko - Secure password managers and military-grade encryption o... by nooralmousa
The document discusses authentication methods and threats on smartphones compared to PCs. It analyzes several free and paid password manager apps for BlackBerry and iOS, finding that most free iOS apps do not encrypt stored passwords and authentication is easily bypassed. The threats of physical access, backups, or database file access to extract stored passwords are realistic for smartphones.
This document summarizes a talk on secure software development. It discusses the three Ps of security: people, process, and persistence/practice. It outlines several published standards for secure development like SSE-CMM and SAMM. Practical best practices discussed include standardizing infrastructure, isolating development stages, peer reviews, centralized bug tracking, and using appropriate tools and frameworks. Common myths debunked are that complex passwords are secure, closed source is less secure than open source, and third party testing ensures security.
Sudarsan Jayaraman - Open information security management maturity model by nooralmousa
The document discusses the Open Information Security Management Maturity Model (O-ISM3) framework. O-ISM3 is a business-focused, process-oriented, and measurement-driven framework for managing information security. It aims to align security objectives with business objectives and allow organizations to prioritize security investments using defined maturity levels and metrics. The framework covers governance, processes, and an implementation approach to help organizations improve their information security management.
Meraj Ahmad - Information security in a borderless world by nooralmousa
The document discusses information security challenges in today's borderless world of increased mobile and cloud computing use. It notes that while organizations recognize new risks from these technologies, many are not adjusting policies or security awareness accordingly. The presentation recommends that organizations establish comprehensive risk management programs, conduct risk assessments, take an information-centric view of security, and increase security controls, awareness and outsourcing to address risks from mobile, cloud and social media use. It also provides a framework to transform security programs to better protect important data and enable business needs.
Renaud Bido & Mohammad Shams - Hijacking web servers & clients by nooralmousa
The document discusses threats from hijacking web servers and clients, including keyloggers, browser compromise, cross-site scripting (XSS) attacks, and real-world examples of XSS exploitation. It also provides an overview of DenyAll, a French web application firewall vendor, including their clients, partners, and global presence.
Ahmed Al Barrak - Staff information security practices: a latent threat by nooralmousa
The document summarizes a presentation on information security threats from staff behaviors. It discusses how insider threats from authorized users are difficult to detect and manage. It then reviews several international studies that found issues like users sharing passwords, leaving computers unlocked, and being reluctant to change passwords regularly. The document concludes by outlining a security study conducted at King Saud University that examined breaches originating from staff practices and aimed to evaluate security behaviors across employee categories.
Mohammed Al Mulla - Best practices to secure working environments by nooralmousa
This document discusses best practices for securing working environments in virtualized and cloud computing settings. It argues that traditional network-based security solutions are no longer sufficient, as more applications and databases are deployed within virtual machines and across dynamic cloud infrastructures. The document advocates for next-generation, distributed host-based security solutions that can provide visibility and protection at the application and database layer without compromising performance or system stability.
Pradeep Menon - How to influence people and win top management buy-in for the CISO by nooralmousa
The role of the Chief Information Security Officer (CISO) is becoming more strategic in nature. Some key drivers for this include fraud, hacking, insider theft, lack of monitoring and controls, and the rapid adoption of new technologies. The CISO's role has evolved over the last 12 years from a more technical, project-managing role to one that involves marketing security, quantifying benefits, and representing security at the senior management level. While CISOs still face roadblocks, there are tips they can use to enhance their value and reach within an organization, such as branding security, gaining CEO involvement, conducting security awareness activities, and collaborating with external agencies and other CISOs.
Nabil Malik - Security performance metrics by nooralmousa
This document discusses security performance metrics and measuring information security. It begins with providing background on information security and risk management. It then discusses the evolution of security from a technical function focused on controls to a broader assurance function centered around risk management. The document notes how current risk management processes focus more on identifying and fixing issues rather than quantifying and valuing risks. It stresses the importance of security metrics in answering business questions about security investments and performance over time. The remainder provides examples of technical security metrics in areas like perimeter defense and system availability, as well as metrics for measuring security programs based on frameworks involving controls and processes for activities like risk management, policy compliance, and incident response.
Khaled Al Amri - Using fingerprints as private and public keys by nooralmousa
1) The document discusses Genkey's biometric authentication solution called Genkey Biocryptics which converts biometric data into cryptographic keys rather than storing biometric templates.
2) Genkey Biocryptics provides benefits like cost efficiency, offline authentication, privacy as biometric data is never stored, and ability to revoke keys if security is breached.
3) It also supports multimodal biometrics where multiple biometrics can be searched as quickly as a single biometric.
Hisham Dalle - Zero client computing: taking the desktop into the cloud by nooralmousa
This document discusses zero client computing, which moves all client software and computing to the cloud. With zero clients, there is no processor, memory, or software at the desktop. All management, applications, operating systems, and drivers are centralized in the cloud. This eliminates costs associated with managing individual desktops and provides more secure, flexible access to desktops from any device. The document argues that zero clients are simpler than thin clients as they require no local management and provide complete centralization of the desktop computing environment in the cloud.
Ghassan Farra - IT security: a CIO perspective by nooralmousa
The document discusses various IT security risks and mitigation strategies from a CIO perspective. It addresses risks and mitigations related to PST files, third party network access, wireless networks, laptop theft/damage, HR processes, removable media, clean desk policies, single sign-on, and IT asset management. The overall document provides an overview of common IT security issues and best practices for mitigating risks in various areas.
The document summarizes key points from a presentation on cloud computing security best practices. It discusses auditing practices from several organizations, including ENISA, CSA, and Microsoft. ENISA recommendations include personnel security practices, supply chain assurance, operational security controls like change management and logging, and software integrity protections. The presentation provides an overview of cloud computing concepts and case studies on government and commercial cloud users.
3. There is no single universal model for organizational structure to ensure that the Information Security requirements for the organization are adequately met.
There is still some uncertainty regarding what such Information Security Governance actually consists of.
Information Security Governance does not function in isolation.
Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each.
How do Organizations currently operate Globally & in the Middle East?
Information Security Governance © 2011 Deloitte & Touche
4. 17% of organizations globally have a person responsible for Information Security; 33% in the Middle East.
40% of CISOs globally report directly to IT-related positions (CIO, IT executive and CTO); 31% in the Middle East.
Only 67% of respondents indicate that they have a security governance structure; 49% in the Middle East.
Only 56% of respondents indicate that they have a documented and approved information security strategy; 38% in the Middle East.
Only 18% of respondents have established metrics that are aligned to business value and reported on a scheduled basis; 15% in the Middle East.
Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives; 32% in the Middle East.
6. Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed.
Subsets of Corporate Governance include:
• Financial Governance
• Information Technology Governance
• Enterprise Risk Governance
• Information Security Governance
7. The structure, oversight and management processes which ensure the delivery of the overall corporate governance require integration between the different subsets of the Corporate Governance Model.
[Diagram: Corporate Governance Model, with Legal Governance, Enterprise Risk Governance, Information Technology Governance and Information Security Governance as its subsets; Information Security Management and Information Security Operations sit beneath Information Security Governance.]
An organization's Information Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals".
8. "Information Security Governance", "Information Security Management" and "Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet Business, Risk and IT goals.
Very broadly:
Information Security Governance: exists to ensure that the security program adequately meets the strategic needs of the business.
Information Security Management: implements that program.
Information Security Operations: executes or manages security-related processes relating to current infrastructure on a day-to-day basis.
Each of these layers must engage with corresponding layers throughout the enterprise.
9. [Diagram: Information Security governance structure, in three tiers. Top tier: Information Security Steering Committee, with 3rd Party Service Providers, Corporate Risk Management, Chief Information Officer (CIO), Lines of Business and IT Operations Management. Middle tier: Information Security Governance, supported by an Information Security Advisory Board and an Information Security Communication Forum. Bottom tier: Information Security Management and Information Security Operations, each interfacing with 3rd Party Service Providers.]
11. Prudent CISOs are building their Security Governance Strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in.
Without alignment, Information Security Governance operates in a vacuum and will implement security controls that are invariably either too strong, and thus expensive and restrictive, or too weak, resulting in too much residual risk.
[Diagram: Security Governance Integration. A cycle of 1. Plan, 2. Implement, 3. Manage, 4. Monitor, set within Culture, Controls, Process, People and Technology.]
12. The following 4 domains must be considered when establishing an Information Security Governance Program:
Plan: Security Program Strategy; Security Architecture; Security Budget; Governance Policy Management
Implement: Develop Governance Processes; Institute Governance Forums; Security Policy Review and Development
Manage: Accountabilities; Funding; Conflict Conciliation and Arbitration; Program and Project Oversight
Monitor: Project Oversight; Value Assessments; Operational Oversight; Metrics and Measurement
13. Plan: Security Program Strategy
The security program strategy comprises:
1. Current State
2. Desired State
3. Gap Analysis
4. Projects and Initiatives Derived from the Gap Analysis
5. A Reporting Framework
14. Plan: Security Architecture
Security architecture is the planning discipline that provides the foundational models, templates and principles that support the program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse.
• Security Operations
• Security Monitoring and Review
• User Management
• User Awareness
• Application Security
• Database / Metadata Security
• Host Security
• Internal Network Security
• Network Perimeter Security
• Physical and Environmental Security
15. Plan: Security Budget Planning
The process of allocating financial resources to information security projects and operational activities.
Plan: Governance Policy Management
Sets the principles for policy management, specifically regarding issues such as:
• Ownership
• Documentation standards
• Approval and formalization procedures
• Enforcement regimes
• Review and exception procedures
16. Implement: Develop Governance Processes
Design the governance processes:
• The goal of the process
• The action steps to be taken and in what sequence
• The responsibilities associated with the process
• The process flow
Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks.
Implement: Institute Governance Forums
Establish governance forums and a steering committee to:
• Establish the accountabilities and responsibilities for information security within the organization.
• Oversee the governance processes.
• Commission and sponsor the corporate information security program.
17. Implement: Security Policy Review and Development
Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of your organization's information security policy. Identify major strengths and weaknesses of the policy and provide recommendations for improvement.
18. Manage: design and explain management processes to the respective stakeholders for implementation.
Process / Process Description
Accountabilities: Accountabilities and responsibilities for information security are executed effectively.
Funding: Manage effective allocation of financial resources for security initiatives as decided in the budget process.
Conflict Conciliation and Arbitration: Facilitate assessment of conflicting security requirements between different stakeholders. Ensure specific policy and controls decisions are based on adequate consideration of individual and collective requirements.
Program and Project Oversight: Track security program and projects, deliverables, and costs to ensure they remain within acceptable tolerances.
19. Monitor: design and explain monitoring processes to the respective stakeholders for implementation.
Process / Process Description
Project Oversight: Assess project results. Report on objectives achieved and missed, as well as unexpected results and consequences.
Value Assessments: Periodically assess the value of information security investments. Is the organization getting the anticipated benefits from investments involving information security?
Operational Oversight: Ensure that the execution of the information security program, and all its associated processes and activities, is done within the parameters set out by the program strategy, architecture, and policy strategy.
Metrics and Measurement: Measuring and reporting on the impact of the information security program on overall IT governance and Corporate Governance.
21. Strategic Alignment: of information security with business strategy to support organizational objectives.
Risk Management: by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level.
Resource Management: by utilizing information security knowledge and infrastructure efficiently and effectively.
Performance Measurement: by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved.
Value Delivery: by optimizing information security investments in support of organizational objectives.
24. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Member of Deloitte Touche Tohmatsu Limited