Making Executives Accountable
Building security into the organization
What we continue to see…

 • Information Security Programs lack support
 • Policies poorly monitored & enforced
 • Organizations are consistently reacting to
   point-in-time issues regarding security, privacy &
   asset protection
                                                   Copyright 2007 – Seccuris Inc.
Executives are not accountable

The issues:
  • Executives are busy
  • Communication barriers
  • Unknown accountability
  • Executives are not engaged
Executives are not accountable

The issues:
  • The missing “Tone from the Top”
  • C-Level relationships often poorly aligned
  • Executive involvement not defined
  • The “Super CISO” misconception
Executives are not accountable

The issues:
  • The relevance of Information Security to the business
    is not seen daily
  • Business objectives / goals are seldom communicated
    to information security in an aligned fashion
  • Critical attributes that the company requires are
    seldom defined in terms information security
    understands
Executives are not accountable

The issues:
  • Information Security is not industry specific
      • Not seen as a business requirement
      • Roles / practices / language inconsistent
      • Information Security continues to press best practice
        without considering what the organization's minimum
        practice should be
Why do we want to make Executives Accountable?

The wrong reasons
  • Misunderstanding responsibility and accountability
      • Deferring the tough decisions to others
      • Dealing with poor visibility or respect of information security
        (from business units) by hiding behind the executive
  • Gaining leverage to continue poorly understood FUD campaigns
      • Using unwitting executives to drive your poorly justified
        security “improvements”
Why do we want to make Executives Accountable?

The right reasons
  • Improving understanding of information security
    within the business
  • Improving communication of the business needs
    around security and what priorities exist
  • Ensuring consensus of business and asset
    stakeholders
Why do we want to make Executives Accountable?

Focusing on the right reasons
  • Security should be understood by the business
  • Security should align with and support the business
  • The security program should be defined and agreed to
    by the executive

Make executives “want” accountability for information security
How do we make Executives Accountable?

What executive involvement do we need in our Information Security Program?

  Program Area                 Requirement
  • Strategy                   Visibility
  • Gap Analysis               Minimum Practices
  • Action Plan                Commitment
  • Performance Measurement    Acknowledgement
Where do we need executive involvement?

The Information Security Scorecard should align with the business

[Diagram: three linked balanced scorecards]
  Organizational Balanced Scorecard: The Learning & Growth Perspective, The Business Process Perspective, The Customer Perspective, The Financial Perspective
  Information Systems Balanced Scorecard: Information Technology, Information Security, Business Continuity, Risk Management
  Information Security Balanced Scorecard: Critical Business Applications, System Development, Security Management, Networks, Computer Installations
Where do we need executive involvement?

[Diagram: Information Security Policy, the Information Security Balanced Scorecard and the Security Management Dashboard*]
  Information Security Balanced Scorecard: Critical Business Applications, System Development, Security Management, Networks, Computer Installations
  Security Management Dashboard*: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Malicious Attack, Special Topics, Management Review, Risk Acceptances

*Includes KPIs from each aspect of Security Management
How do we make Executives Accountable?

How does Information Security want to be involved with executives?

Role of Security in Management Activities
  Planning     Security at the table
  Directing    Security encouraging / supporting
  Doing        Involved / aware
  Reporting    Facilitating
  Refining     Involved

Information security should be “built-in” to the organization…
How do we make Executives Accountable?

Our focus should be on building information security directly into the business

Alignment of:
  • Governance structure & organizational models
  • Common business & security language
  • Visibility of Information Security in the organization
Building Information Security In

Why does alignment help?
  • Communication of intent, plans & actions
  • Consensus on short term goals and controls
  • Visibility and understanding of long term strategy
Building Information Security In

Why does alignment help?
  • Creates awareness of information security requirements in business terms
  • Involves Information Security in the business
  • Creates accountability & responsibility for information
    security outside of traditional InfoSec roles
Improving the situation

How do we approach alignment?

In general:
  • Education                Executive workshops
  • Requirements gathering   Working with BUs
  • Dialog                   On-going 7 minute meetings
  • Long Term Planning       Defining plans over time
Improving the situation

Governance Structure & Organizational Models
  • Defining accountability & responsibility of IT Security
  • Development of good governance structures
Governance Structure & Organizational Models

Defining Accountability & Responsibility for IT Security

Ensure:
  • Asset owners are involved & accountable
  • Practices exist for defining & accepting minimum practices
  • Policy exception & risk acceptance processes exist
Governance Structure & Organizational Models

Development of good governance structures

[Diagram: governance organization chart]
  Council (plans, initiates, monitors, reports)
  CEO
    COO, CRO, CFO, CIO
      CISO (under the CIO), with Security Managers reporting to the CISO
      BU Manager, with Dept Managers reporting to the BU Manager
Improving the situation

Translating business goals & objectives into common attributes
  • Defining common attributes for business drivers
  • Using attributes to map business goals to security controls
Translating business goals & objectives into core attributes for protection

Defining common attributes for business drivers
Business Attributes
© SABSA Institute

  User Attributes: Accessible, Accurate, Anonymous, Consistent, Current, Duty-Segregated, Educated & Aware, Informed, Motivated, Protected, Reliable, Responsive, Supported, Timely, Transparent, Usable
  Management Attributes: Automated, Change-Managed, Continuous, Controlled, Cost-Effective, Efficient, Maintainable, Measured, Monitored, Supportable
  Operational Attributes: Available, Detectable, Error-Free, Inter-Operable, Productive, Recoverable
  Risk Management Attributes: Access-Controlled, Accountable, Assurable, Assuring Honesty, Auditable, Authenticated, Authorized, Capturing New Risks, Confidential, Crime-Free, Flexibly Secure, Identified, Independently Secure, In Our Sole Possession, Integrity-Assured, Non-Repudiable, Owned, Private, Trustworthy
  Legal / Regulatory Attributes: Admissible, Compliant, Enforceable, Insurable, Liability Managed, Resolvable, Legal, Regulated, Time Bound
  Technical Strategy Attributes: Architecturally Open, COTS / GOTS, Extendible, Flexible / Adaptable, Future-Proof, Legacy-Sensitive, Migratable, Multi-Sourced, Scalable, Simple, Standards Compliant, Traceable, Upgradable
  Business Strategy Attributes: Brand Enhancing, Business Enabled, Competent, Confident, Credible, Culture-Sensitive, Enabling Time to Market, Governable, Providing Good Stewardship and Custody, Providing Investment Reuse, Providing Return on Investment, Reputable
Translating business goals & objectives into core attributes for protection

Defining common attributes for business drivers
© SABSA Institute

  #      Business Driver                                                              Attributes
  BD1    Protecting the reputation of the organization, ensuring it is perceived      Credible / Reputable
         as competent in its sector
  BD16   Ensuring the organization is at all times compliant with relevant laws       Compliant
         and regulations
  BD17   Maintain the privacy of personal and business information that is stored,    Private
         processed and communicated
  BD30   Minimizing the risk of loss of key customer relationships                    Non-Repudiable
  BD41   Ensuring accurate information is available when needed                       Available / Error-Free
  BD42   Minimizing the risk of loss of key customer relationships                    Enabling Time to Market / Trustworthy
Translating business goals & objectives into core attributes for protection

Using attributes to map business goals to security controls

  Business Attribute:  Private
  Business Driver:     BD17

  Hard metric
    Measurement Approach: Reporting of all unauthorized disclosure incidents, including
                          number of incidents per period, severity and type of disclosure
    Performance Target:   Zero successful attempts at unauthorized disclosure.
                          Alerts of unauthorized access attempts, produced and delivered to the
                          systems manager and business owner within 30 minutes.
                          Summary reports of the number, severity and type of unauthorized access
                          attempts to private data, produced and delivered to the systems manager
                          and business owner monthly.

  Soft metric
    Measurement Approach: Independent audit and review with respect to the prevention of
                          unauthorized disclosure of private information
    Performance Target:   System passes review by the audit team to a degree deemed acceptable
                          by the legal department to prevent prosecution under Canadian privacy law.
Improving the situation

Visibility of Information Security in the organization
  • Visualization of the security program
  • Alignment of the program with management activities
  • Provision of on-going education & dialog
Visibility of Information Security

Visualization of the Security program
Visibility of Information Security

Alignment of program with management activities

Business Attribute(s) – Identified KPI
  CSF: Maintain the privacy of personal and business information that is stored,
       processed and communicated (BD17)
  KPI: The number of E-mail privacy incidents identified, contained, investigated
       or closed on a monthly basis.
  Business Logic: If the number of E-mail privacy incidents that resulted in
       disclosure is more than 1 a month, then show as critical. (cont)

[Dashboard: E-mail Privacy Incidents, monthly; columns Identified, Investigated, Reported, Unauthorized Disclosure; figures shown 544, 311, 45, 30]
[Chart: E-Mail Privacy Incidents per month, Jan to Dec, y-axis 0 to 80; series: Identified, Inspected, Reported, Unauthorized Disclosure]
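The KPI and business logic on the dashboard slide above, together with the hard metric targets on the BD17 measurement slide (zero successful disclosures, alerts delivered within 30 minutes), can be rolled up mechanically. The Python below is an added example, not code or data from the deck: the incident records, the `Incident` field names and the helper names are constructed assumptions for illustration.

```python
"""Monthly roll-up of e-mail privacy incidents for the BD17 / "Private" KPI.

Constructed example: the incident records, field names and helper names
below are assumptions for illustration, not data or code from the deck.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Thresholds taken from the slides: more than one disclosure in a month
# shows as critical; alerts must reach the systems manager and business
# owner within 30 minutes.
DISCLOSURE_CRITICAL_THRESHOLD = 1
ALERT_TARGET_MINUTES = 30


@dataclass
class Incident:
    """One e-mail privacy incident (constructed record layout)."""
    month: str
    investigated: bool
    reported: bool
    disclosure: bool                      # resulted in unauthorized disclosure
    alert_minutes: Optional[int] = None   # detection-to-delivery time of the alert, if raised


# Constructed sample data: three months of incidents.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("Jan", investigated=True, reported=True, disclosure=False, alert_minutes=12),
    Incident("Jan", investigated=True, reported=False, disclosure=False),
    Incident("Jan", investigated=False, reported=False, disclosure=False),
    Incident("Feb", investigated=True, reported=True, disclosure=True, alert_minutes=20),
    Incident("Feb", investigated=True, reported=True, disclosure=True, alert_minutes=45),
    Incident("Feb", investigated=True, reported=False, disclosure=False),
    Incident("Feb", investigated=False, reported=False, disclosure=False),
    Incident("Mar", investigated=True, reported=True, disclosure=True, alert_minutes=25),
    Incident("Mar", investigated=True, reported=False, disclosure=False),
]


def monthly_rollup(incidents: List[Incident]) -> Dict[str, Dict[str, Any]]:
    """Count incidents per month by stage and apply the slide's business logic.

    Returns, per month: identified, investigated, reported and disclosure
    counts, the number of alerts that missed the 30-minute target, whether
    the "zero successful disclosures" hard target was met, and the
    dashboard status ("critical" or "ok").
    """
    months: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"identified": 0, "investigated": 0, "reported": 0,
                 "disclosure": 0, "late_alerts": 0}
    )
    for inc in incidents:
        m = months[inc.month]
        m["identified"] += 1                  # every record counts as identified
        m["investigated"] += int(inc.investigated)
        m["reported"] += int(inc.reported)
        m["disclosure"] += int(inc.disclosure)
        if inc.alert_minutes is not None and inc.alert_minutes > ALERT_TARGET_MINUTES:
            m["late_alerts"] += 1
    for m in months.values():
        # Hard target from the measurement slide: zero successful disclosures.
        m["zero_disclosure_target_met"] = m["disclosure"] == 0
        # Business logic from the dashboard slide: more than 1 disclosure a month is critical.
        m["status"] = "critical" if m["disclosure"] > DISCLOSURE_CRITICAL_THRESHOLD else "ok"
    return dict(months)


def annual_totals(rollup: Dict[str, Dict[str, Any]]) -> Dict[str, int]:
    """Sum the stage counts across months, as the dashboard's headline figures."""
    totals = {"identified": 0, "investigated": 0, "reported": 0, "disclosure": 0}
    for m in rollup.values():
        for key in totals:
            totals[key] += m[key]
    return totals


def render_dashboard(rollup: Dict[str, Dict[str, Any]]) -> List[str]:
    """Produce one text line per month for a simple management report."""
    lines = []
    for month, m in rollup.items():
        lines.append(
            f"{month}: identified={m['identified']} investigated={m['investigated']} "
            f"reported={m['reported']} disclosure={m['disclosure']} "
            f"late_alerts={m['late_alerts']} status={m['status'].upper()}"
        )
    return lines


if __name__ == "__main__":
    for line in render_dashboard(monthly_rollup(SAMPLE_INCIDENTS)):
        print(line)
```

With the constructed data, February rolls up as critical (two disclosures, one alert over 30 minutes) while March stays "ok" under the business logic yet still misses the zero-disclosure hard target, which is exactly the gap the two slides' thresholds leave for the business owner to notice.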
Visibility of Information Security

Provision of on-going education & dialog
  • Continuous refining of business attributes
  • Discussion of information security action plans
  • Assessment of changes to the company's priorities and
    potential impact on the security program
  • Awareness of incidents, short term and long term
    activities
Improving the situation

Improvements in executive involvement can be made by alignment of these areas
  • Governance Structure & Organizational Models
  • Specific business & security language
  • Visibility of Information Security in the organization
Moving forward

Enabling Actionable Improvement plans
How do I tell we are improving?
  • Action plans involve Security & Business
  • Initiatives are reviewed by the Executive
  • Improvements to action plans are described in
    business terms
  • Action plans have an increasing number of Business
    Unit initiated activities
Moving forward

Integration of security management in business cycles
How do I tell we are improving?

[Diagram: roles security plays in the business cycle]
  Specialists
  Designers
  Advisors
  Reviewers
Summary

We can build security into our organizations by aligning
Governance, Language and Visibility

By building security in,
we involve security directly in the business

By involving information security in the business we
ensure effective accountability in our executives
Thanks

Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA
  Founder & CIO
  Seccuris Inc.

  Email:       Michael.Legary@seccuris.com
  Direct:      204-255-4490
  Main:        204-255-4136
  Fax:         204-942-6705

 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed Services
 
The New Security - Post "9/11"
The New Security - Post "9/11"The New Security - Post "9/11"
The New Security - Post "9/11"
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 
SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes Profiling
 
ORGANIZING-DELEGATION OF AUTHORITY
ORGANIZING-DELEGATION OF AUTHORITYORGANIZING-DELEGATION OF AUTHORITY
ORGANIZING-DELEGATION OF AUTHORITY
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0
 
Ownership Accountability Training for mid level staff
Ownership Accountability Training for mid level staffOwnership Accountability Training for mid level staff
Ownership Accountability Training for mid level staff
 
Indonesia National Cyber Security Strategy
Indonesia National Cyber Security StrategyIndonesia National Cyber Security Strategy
Indonesia National Cyber Security Strategy
 

Similar to Making Executives Accountable for IT Security

Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By DesignNalneesh Gaur
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGArul Nambi
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochureguest8a430d
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFLABS SRL
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems PolicyAli Sadhik Shaik
 
Is3 Capabilities Brief
Is3 Capabilities BriefIs3 Capabilities Brief
Is3 Capabilities Briefmageeb
 
Presentation crafting your active security management strategy 3 keys and 4...
Presentation   crafting your active security management strategy 3 keys and 4...Presentation   crafting your active security management strategy 3 keys and 4...
Presentation crafting your active security management strategy 3 keys and 4...xKinAnx
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architectureVladimir Jirasek
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016Prime Infoserv
 
Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point   Information Security And Risk Managementv2Microsoft Power Point   Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2Graeme Payne
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationSeccuris Inc.
 
IDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech
 

Similar to Making Executives Accountable for IT Security (20)

Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochure
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems Policy
 
Is3 Capabilities Brief
Is3 Capabilities BriefIs3 Capabilities Brief
Is3 Capabilities Brief
 
Presentation crafting your active security management strategy 3 keys and 4...
Presentation   crafting your active security management strategy 3 keys and 4...Presentation   crafting your active security management strategy 3 keys and 4...
Presentation crafting your active security management strategy 3 keys and 4...
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
 
SYMCAnnual
SYMCAnnualSYMCAnnual
SYMCAnnual
 
Agama Profile
Agama ProfileAgama Profile
Agama Profile
 
Agam Profile
Agam ProfileAgam Profile
Agam Profile
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
 
Sap risk advisory presentation
Sap risk advisory presentationSap risk advisory presentation
Sap risk advisory presentation
 
Sap Risk Advisory Presentation
Sap Risk Advisory PresentationSap Risk Advisory Presentation
Sap Risk Advisory Presentation
 
Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point   Information Security And Risk Managementv2Microsoft Power Point   Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
 
IDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech - Information security consulting
IDBI Intech - Information security consulting
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 

More from Seccuris Inc.

Building an enterprise forensics response service
Building an enterprise forensics response serviceBuilding an enterprise forensics response service
Building an enterprise forensics response serviceSeccuris Inc.
 
Digital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesDigital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesSeccuris Inc.
 
Compliance in Virtualized Environments
Compliance in Virtualized EnvironmentsCompliance in Virtualized Environments
Compliance in Virtualized EnvironmentsSeccuris Inc.
 
Outsourcing: A Security Perspective
Outsourcing: A Security PerspectiveOutsourcing: A Security Perspective
Outsourcing: A Security PerspectiveSeccuris Inc.
 
Security Information Management: An introduction
Security Information Management: An introductionSecurity Information Management: An introduction
Security Information Management: An introductionSeccuris Inc.
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
 
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective StrategiesData Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective StrategiesSeccuris Inc.
 
Building Critical Infrastructure For Business Recovery
Building Critical Infrastructure For Business RecoveryBuilding Critical Infrastructure For Business Recovery
Building Critical Infrastructure For Business RecoverySeccuris Inc.
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationSeccuris Inc.
 

More from Seccuris Inc. (9)

Building an enterprise forensics response service
Building an enterprise forensics response serviceBuilding an enterprise forensics response service
Building an enterprise forensics response service
 
Digital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesDigital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniques
 
Compliance in Virtualized Environments
Compliance in Virtualized EnvironmentsCompliance in Virtualized Environments
Compliance in Virtualized Environments
 
Outsourcing: A Security Perspective
Outsourcing: A Security PerspectiveOutsourcing: A Security Perspective
Outsourcing: A Security Perspective
 
Security Information Management: An introduction
Security Information Management: An introductionSecurity Information Management: An introduction
Security Information Management: An introduction
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and prevention
 
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective StrategiesData Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective Strategies
 
Building Critical Infrastructure For Business Recovery
Building Critical Infrastructure For Business RecoveryBuilding Critical Infrastructure For Business Recovery
Building Critical Infrastructure For Business Recovery
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualization
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Making Executives Accountable for IT Security

7. Why do we want to make Executives Accountable?
The wrong reasons:
 • Misunderstanding responsibility and accountability
 • Deferring the tough decisions to others
 • Dealing with poor visibility or respect for information security (from business units) by hiding behind an executive
 • Gaining leverage to continue poorly understood FUD campaigns
 • Using unwitting executives to drive your poorly justified security “improvements”

8. Why do we want to make Executives Accountable?
The right reasons:
 • Improving understanding of information security within the business
 • Improving communication of the business needs around security and what priorities exist
 • Ensuring consensus of business and asset stakeholders

9. Why do we want to make Executives Accountable?
Focusing on the right reasons:
 • Security should be understood by the business
 • Security should align with and support the business
 • The security program should be defined and agreed to by the executive
Make executives “want” accountability for information security.

10. How do we make Executives Accountable?
What executive involvement do we need in our Information Security Program?
 Program Area              Requirement
 Strategy                  Visibility
 Gap Analysis              Minimum Practices
 Action Plan               Commitment
 Performance Measurement   Acknowledgement
11. Where do we need executive involvement?
The Information Security Scorecard should align with the business. The slide's figure shows three linked scorecards:
 • Organizational Balanced Scorecard: The Learning & Growth Perspective, The Business Process Perspective, The Customer Perspective, The Financial Perspective
 • Information Systems Balanced Scorecard: Information Technology, Information Security, Risk Management, Business Continuity
 • Information Security Balanced Scorecard: Security Management at the centre, surrounded by Critical Business Applications, System Development, Computer Installations, Networks

12. Where do we need executive involvement?
The slide's figure traces the chain Information Security Policy → Information Security Balanced Scorecard → Security Management Dashboard*:
 • Information Security Balanced Scorecard: Security Management at the centre, surrounded by Critical Business Applications, System Development, Computer Installations, Networks
 • Security Management Dashboard*: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Management Review, Malicious Attack, Risk Acceptances, Special Topics
*Includes KPIs from each aspect of Security Management
13. How do we make Executives Accountable?
How does Information Security want to be involved with executives?
Role of Security in Management Activities:
 Planning     Security at the table
 Directing    Security encouraging / supporting
 Doing        Involved / aware
 Reporting    Facilitating
 Refining     Involved
Information security should be “built in” to the organization…

14. How do we make Executives Accountable?
Our focus should be on building information security directly into the business.
Alignment of:
 • Governance structure & organizational models
 • Common business & security language
 • Visibility of Information Security in the organization

15. Building Information Security In
Why does alignment help?
 • Communication of intent, plans & actions
 • Consensus on short term goals and controls
 • Visibility and understanding of long term strategy

16. Building Information Security In
Why does alignment help?
 • Creates awareness of information security requirements in business terms
 • Involves Information Security in the business
 • Creates accountability & responsibility for information security outside of traditional InfoSec roles

17. Improving the situation
How do we approach alignment? In general:
 Education                Executive workshops
 Requirements gathering   Working with BUs
 Dialog                   On-going 7-minute meetings
 Long Term Planning       Defining plans over time

18. Improving the situation
Governance Structure & Organizational Models
 • Defining accountability & responsibility for IT Security
 • Development of good governance structures

19. Governance Structure & Organizational Models
Defining Accountability & Responsibility for IT Security. Ensure:
 • Asset owners are involved & accountable
 • Practices exist for defining & accepting minimum practices
 • Policy exception & risk acceptance processes exist

20. Governance Structure & Organizational Models
Development of good governance structures
Figure (organization chart): roles labelled Council, CEO, COO, CRO, CFO, CIO, BU Manager, Dept Manager, CISO and Security Manager, with flows labelled Plans, Initiates, Monitors and Reports.

21. Improving the situation
Translating business goals & objectives into common attributes
 • Defining common attributes for business drivers
 • Using attributes to map business goals to security controls
22. Translating business goals & objectives into core attributes for protection
Defining common attributes for business drivers

24. Business Attributes (© SABSA Institute)
 User Attributes: Accessible, Accurate, Anonymous, Consistent, Current, Duty-Segregated, Educated & Aware, Informed, Motivated, Protected, Reliable, Responsive, Supported, Timely, Transparent, Usable
 Management Attributes: Automated, Change-Managed, Controlled, Cost-Effective, Efficient, Maintainable, Measured, Supportable
 Operational Attributes: Available, Continuous, Detectable, Error-Free, Inter-Operable, Monitored, Productive, Recoverable
 Risk Management Attributes: Access-Controlled, Accountable, Assurable, Assuring Honesty, Auditable, Authenticated, Authorized, Capturing New Risks, Confidential, Crime-Free, Flexibly Secure, Identified, Independently Secure, In Our Sole Possession, Integrity-Assured, Non-Repudiable, Owned, Private, Trustworthy
 Legal / Regulatory Attributes: Admissible, Compliant, Enforceable, Insurable, Legal, Liability Managed, Regulated, Resolvable, Time Bound
 Technical Strategy Attributes: Architecturally Open, COTS / GOTS, Extendible, Flexible / Adaptable, Future-Proof, Legacy-Sensitive, Migratable, Multi-Sourced, Scalable, Simple, Standards Compliant, Traceable, Upgradable
 Business Strategy Attributes: Brand Enhancing, Business Enabled, Competent, Confident, Credible, Culture-Sensitive, Enabling Time to Market, Governable, Providing Good Stewardship and Custody, Providing Investment Reuse, Providing Return on Investment, Reputable
  • 25. Translating business goals & objectives into core attributes for protection
    Defining common attributes for business drivers (© SABSA Institute)
    # / Business Driver / Attributes
    BD1: Protecting the reputation of the organization, ensuring it is perceived as competent in its sector / Credible, Reputable
    BD16: Ensuring the organization is at all times compliant with relevant laws and regulations / Compliant
    BD17: Maintain the privacy of personal and business information that is stored, processed and communicated / Private
    BD30: Minimizing the risk of loss of key customer relationships / Non-Repudiable
    BD41: Ensuring accurate information is available when needed / Available, Error-Free
    BD42: Minimizing the risk of loss of key customer relationships / Enabling Time to Market, Trustworthy
  • 26. Translating business goals & objectives into core attributes for protection
    Using attributes to map business goals to security controls
    Business Driver: BD17. Business Attribute: Private.
    Metric Type: Hard. Measurement Approach: Reporting of all unauthorized disclosure incidents, including number of incidents per period, severity and type of disclosure. Performance Target: Zero successful attempts at unauthorized disclosure. Alerts of unauthorized access attempts produced and delivered to systems manager and business owner within 30 minutes. Summary reports of number, severity and type of unauthorized access attempts to private data produced and delivered to systems manager and business owner monthly.
    Metric Type: Soft. Measurement Approach: Independent audit and review with respect to the prevention of unauthorized disclosure of private information. Performance Target: System passes review by audit team to a degree deemed acceptable by the legal department to prevent prosecution under Canadian privacy law.
  • 27. Improving the situation
    Visibility of Information Security in the organization
    • Visualization of the Security program
    • Alignment of program with management activities
    • Provision of on-going education & dialog
  • 28. Visibility of Information Security
    Visualization of the Security program
  • 29. Visibility of Information Security
    Alignment of program with management activities
    Business Attribute(s) – Identified KPI
    CSF: Maintain the privacy of personal and business information that is stored, processed and communicated (BD17)
    KPI: The number of E-mail privacy incidents identified, contained, investigated or closed on a monthly basis.
    Business Logic: If the number of E-mail privacy incidents that resulted in disclosure is more than 1 a month, then show as critical.
    E-mail Privacy Incidents (monthly): Identified 45; Investigated 30; Reported 544; Unauthorized Disclosure 311
    [Chart: "E-Mail Privacy Incidents", Jan to Dec, series Identified, Inspected, Reported, Unauthorized Disclosure (cont); y-axis 0 to 80]
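The two BD17 slides above describe a measurement approach (incident counts per period by severity and type, alerts to the systems manager and business owner within 30 minutes) and a KPI rule (more than one disclosure in a month shows as critical) but not how the figures are produced. The following is an added example, not Seccuris or SABSA material, of evaluating those targets over a set of constructed incident records; the `Incident` record layout, the status names and all sample figures are assumptions made for the illustration.

```python
"""Added example: computing the BD17 'Private' metrics and the e-mail privacy
KPI over constructed incident records.  Hypothetical code, not from the deck."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ALERT_SLA = timedelta(minutes=30)   # slide 26: alert delivered within 30 minutes
DISCLOSURE_CRITICAL_THRESHOLD = 1   # slide 29: more than this per month -> critical
STATUSES = ("identified", "investigated", "reported", "closed")  # assumed workflow states


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected_at: datetime
    alerted_at: Optional[datetime]  # None = systems manager / business owner never notified
    status: str                     # one of STATUSES
    severity: str                   # low / medium / high (assumed scale)
    disclosed: bool                 # True if private data actually left the organization


# Constructed sample data for two months (not real Seccuris figures).
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2007, 3, 2, 9, 0), datetime(2007, 3, 2, 9, 10), "closed", "low", False),
    Incident("INC-002", datetime(2007, 3, 9, 14, 0), datetime(2007, 3, 9, 15, 5), "investigated", "high", True),  # alert 65 min late
    Incident("INC-003", datetime(2007, 3, 20, 11, 0), None, "identified", "medium", True),                        # never alerted
    Incident("INC-004", datetime(2007, 4, 4, 8, 30), datetime(2007, 4, 4, 8, 45), "reported", "medium", True),
    Incident("INC-005", datetime(2007, 4, 18, 16, 0), datetime(2007, 4, 18, 16, 20), "closed", "low", False),
]


def month_key(dt: datetime) -> str:
    return dt.strftime("%Y-%m")


def monthly_summary(incidents):
    """Per-month counts by status, by severity and of unauthorized disclosures:
    the 'hard' measurement approach of slide 26 and the KPI table of slide 29."""
    summary = {}
    for inc in incidents:
        m = summary.setdefault(month_key(inc.detected_at), {
            "by_status": Counter(), "by_severity": Counter(), "unauthorized_disclosure": 0})
        m["by_status"][inc.status] += 1
        m["by_severity"][inc.severity] += 1
        if inc.disclosed:
            m["unauthorized_disclosure"] += 1
    return summary


def kpi_status(month_summary) -> str:
    """Slide 29 business logic: more than one disclosure in the month is critical."""
    if month_summary["unauthorized_disclosure"] > DISCLOSURE_CRITICAL_THRESHOLD:
        return "critical"
    return "normal"


def alert_sla_breaches(incidents):
    """Incident ids whose alert missed the 30-minute delivery target or was never sent."""
    return [inc.incident_id for inc in incidents
            if inc.alerted_at is None or inc.alerted_at - inc.detected_at > ALERT_SLA]


def dashboard(incidents):
    """One row per month, in the shape of the executive report on slide 29."""
    rows = []
    for month, s in sorted(monthly_summary(incidents).items()):
        row = {"month": month}
        row.update({st: s["by_status"][st] for st in STATUSES})
        row["unauthorized_disclosure"] = s["unauthorized_disclosure"]
        row["status"] = kpi_status(s)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in dashboard(SAMPLE_INCIDENTS):
        print(row)
    print("alert SLA breaches:", alert_sla_breaches(SAMPLE_INCIDENTS))
```

With the sample data, March carries two disclosures and is flagged critical while April, with one, is not; the SLA check separately surfaces the incident whose alert went out late and the one that was never alerted, which is the detail an executive report needs in order to hold someone accountable for the 30-minute target rather than only for the monthly total.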
  • 30. Visibility of Information Security
    Provision of on-going education & dialog
    • Continuous refining of business attributes
    • Discussion of information security action plans
    • Assessment of changes to the company's priorities and their potential impact on the security program
    • Awareness of incidents, short-term and long-term activities
  • 31. Improving the situation
    Improvements in executive involvement can be made by aligning these areas:
    • Governance Structure & Organizational Models
    • Specific business & security language
    • Visibility of Information Security in the organization
  • 32. Moving forward
    Enabling actionable improvement plans
    How do I tell we are improving?
    • Action plans involve Security & Business
    • Initiatives are reviewed by Executive
    • Improvements to Action Plans are described in Business Terms
    • Action Plans have an increasing number of Business Unit initiated activities
  • 33. Moving forward
    Integration of security management in business cycles
    How do I tell we are improving?
    [Diagram, labels as extracted: Specialists, Designers, Advisors, Reviewers]
  • 34. Summary
    We can build security into our organizations by aligning Governance, Language and Visibility.
    By building security in, we involve security directly in the business.
    By involving information security in the business, we ensure effective accountability in our executives.
  • 35. Thanks
    Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA
    Founder & CIO, Seccuris Inc.
    Email: Michael.Legary@seccuris.com
    Direct: 204-255-4490; Main: 204-255-4136; Fax: 204-942-6705