Information security governance is a relatively new area, and it does not always receive the attention it needs: business support, management support and, eventually, the budgets necessary to keep Mr Evil out. There are many reasons why information security fails to get on the agenda. A main one may be that the upper levels of an organisational structure do not receive the information required to get their attention, that companies are risk taking rather than risk averse, or that it seems impossible to identify the value security brings to the business. Security is about avoiding something, whereas a new application is about adding functionality in order to increase efficiency, production and so on. Unfortunately, security is still seen as a business disabler.
Cybersecurity Incident Management Powerpoint Presentation Slides are designed for information technology experts. Our data security PowerPoint theme combines high-quality design with info accumulated by industry experts. Represent the present situation of the target organization’s information security management using our patterned PPT slideshow. The innovative data visualizations aid in compiling data such as the analysis of the current IT department with considerable convenience. Communicate the cybersecurity framework roadmap and kinds of cyber threats with the help of this PowerPoint layout. Demonstrate the cybersecurity risk management action plan through the tabular format included in this PPT presentation. Illustrate the cybersecurity contingency plan. Our information security management system PowerPoint templates deck helps you in defining risk handling responsibilities of your personnel. Elucidate the role of the management in successful information security governance. Our PPT deck also outlines the costs involved in cybersecurity management and staff training. Showcase an impact analysis with a dash of visual brilliance. Smash the download button and start designing. Our Cybersecurity Incident Management Powerpoint Presentation Slides are topically designed to provide an attractive backdrop to any subject. Use them to look like a presentation pro. https://bit.ly/3zWo1hb
Cybersecurity Priorities and Roadmap: Recommendations to DHS, by John Gilligan
This document provides recommendations to the Department of Homeland Security on cybersecurity priorities and a roadmap. It outlines a phased approach over several years to improve the overall cybersecurity posture. Phase I focuses on establishing a baseline of security across government systems through mandates and best practices. Phase II enhances security controls and expands training and collaboration. The roadmap calls for securing infrastructure, changing culture, improving the IT business model, developing the workforce, and advancing technologies over time to reduce vulnerabilities and attacks on critical systems.
Understanding the NIST Risk Management Framework: 800-37 Rev. 2, by Denise Tawwab
Denise Tawwab's presentation on "Understanding the NIST Risk Management Framework" given at the Techno Security & Digital Forensics Conference on June 3, 2019 in Myrtle Beach, SC.
Strategy considerations for building a security operations center, by CMR WORLD TECH
This document discusses considerations for building a security operations center (SOC) to better manage security threats. It describes the evolving threat landscape and increasing attacks faced by organizations. An enterprise SOC provides centralized monitoring, investigation of incidents, and reporting to improve protection of critical data assets. It assesses existing security capabilities, outlines five essential SOC functions, and discusses capacity management and moving forward with development. Consulting partners can assist with strategy and implementation of an enterprise SOC.
1) Employee training and awareness is a critical element for cybersecurity resilience. Successful programs focus on changing employee behavior and aligning security practices both inside and outside of work.
2) Traditional awareness programs often fail because they are not engaging for employees and do not lead to real behavior change. Effective programs treat security messaging like marketing and use multiple channels, contexts, and reminders to reinforce the message.
3) Measuring outcomes is important for security awareness programs. Objectives should be clearly defined and focused on discrete, measurable goals rather than vague concepts like "increasing awareness."
The document discusses building a security operations center (SOC) and provides information on why an organization would build a SOC, how to establish the necessary skills and processes, and technology solutions like HP ArcSight that can be used. It describes how HP consultants have experience building SOCs for major companies and can help customers establish an effective SOC to monitor for security events, ensure compliance, and protect the organization. It provides details on how to structure a SOC, including defining roles and processes, implementing a security information and event management (SIEM) system, and establishing performance metrics to improve over time.
Review of Enterprise Security Risk Management, by Rand W. Hirt
The document discusses enterprise security risk management and provides details on the risk assessment process. It defines risk as the likelihood of an adverse event occurring multiplied by the impact. Risk management aims to identify and mitigate risks to acceptable levels. The risk assessment process involves determining scope, gathering information, assessing risks, recommending controls, and determining residual risk. Controls can reduce risk through preventative, detective or corrective measures. Ongoing monitoring ensures the organization's risk posture remains consistent over time.
A loose coalition of hacktivists with an anti-globalization agenda launched a massive computer virus attack against the University of Southern Mississippi's (USM) cyber systems. The hacktivists aimed to cause disruptions through cyber attacks in order to make political statements and protest actions. Their goal was to maximize economic harm and undermine public trust in big business and government. USM officials were warned of nonspecific cyber threats by intelligence and cybersecurity agencies.
The document outlines the risk assessment process recommended by NIST, which includes 9 steps: 1) system characterization, 2) threat identification, 3) vulnerability identification, 4) control analysis, 5) likelihood determination, 6) impact analysis, 7) risk determination, 8) control recommendations, and 9) results documentation. The goal is to identify risks, determine their likelihood and impact, and recommend controls to mitigate risks to protect the organization's mission.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously for SOC.
A network operations center (NOC) is not a SOC: a NOC focuses on network device management rather than on detecting and responding to cybersecurity incidents. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. The SOC is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that the SOC delivers.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security operations center (the Persian term, مرکز عملیات امنیت)
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice, will be joined by Partner Michael Hoffner, and they will lead a discussion on a Cybersecurity Risk Management Program, including what it is and how it can prepare your organization for the future.
Risk Management and Security in Strategic Planning, by Keyaan Williams
This content was originally presented to the DFW chapter of the Society for Information Management. The presentation evaluates the role of risk management and security in the strategic planning process that defines the direction and prioritization of resources used by an organization.
DTS Solution - Building a SOC (Security Operations Center), by Shah Sheikh
This document discusses building a cyber security operations center (CSOC). It covers the need for a CSOC, its core components including security information and event management (SIEM), and integrating components like monitoring, alerting, and reporting. Key aspects that are important for a successful CSOC are people, processes, and technology. The roles and skills required for people in the CSOC and training needs are outlined. Developing standardized processes, procedures and workflows that align with frameworks like ISO are also discussed.
Improve Cybersecurity posture by using ISO/IEC 27032, by PECB
Cybersecurity is a universal concern across today’s enterprise, and a strategic approach is required for appropriate mitigation.
Adopting ISO 27032 will help to:
• Understand the nature of Cyberspace and Cybersecurity
• Explore Cybersecurity Ecosystem – Roles & Responsibilities
• Achieve Cyber Resilience through implementing defensive and detective cybersecurity controls
Presenter:
Obadare Peter Adewale is a first generation and visionary cyberpreneur. He is a PECB certified Trainer, Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria, second COBIT 5 Assessor in Africa and PCI DSS QSA. He is also an alumnus of Harvard Business School and MIT Sloan School of Management Executive Education.
Link of the recorded session published on YouTube: https://youtu.be/NX5RMGOcyBM
This document discusses risk assessments and managing third-party risk. It provides an overview of Optiv, a security consulting firm, and their services including risk management, security operations, and security technology. It then covers topics like the evolution of the CISO role, enterprise risk management, assessing assets, threats, vulnerabilities, and controls. The document provides methods for evaluating risk like the risk equation and risk register. It also discusses managing risk from third parties and cloud providers through due diligence and risk tiers based on the relationship and inherent risks.
Insight is one of the best security operations centers: it covers everything necessary to reduce advanced threats and security risk across your company and protects your network infrastructure across the organization. https://insightmsp.co.in/soc-as-service.php
This document discusses strategies for implementing the National Institute of Standards and Technology's (NIST) cybersecurity control families. It recommends prioritizing the top six critical control families in Phase 1, which include configuration management, access control, awareness and training, media protection, and risk assessment. Phase 2 involves following up on the remaining NIST control families. The document also discusses balancing cybersecurity with business goals, gaining cross-organizational buy-in, and juggling priorities by leveraging different organizational teams.
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences, by PECB
After the last 2020 Global Leading voices webinar, comparing ISO27001 with CCPA and NYC Shield Act, we're taking a look at the next level of information and cybersecurity management.
How can you assess your security management? The CMMI model (using the 1 to 5 grading) is a well-known system. In early 2020 the US DoD launched the CMMC (Cybersecurity Maturity Model Certification), which uses the same levels for cybersecurity. In this session we'll discuss the maturity evaluation principles for information security, cybersecurity and application security, and how you can use them in practice.
The webinar covers:
- What's the CMMI?
- What's the CMMC?
- Maturity in security governance (ISMS, cyber, application)
- Security maturity vs audit cycles
Recorded Webinar: https://youtu.be/9BpETh_nAOw
Talking about the Next-Gen Security Operation Center for IDNIC+APJII as a representative from IDSECCONF. A People-Centric SOC requires a lot of investment in humans, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology, as in Industry 4.0 machines are getting more advanced at supporting humans with continuous and repetitive tasks.
Moving from a “traditional” to a next-gen SOC requires a proper plan, and that's what this talk was about.
1. The document discusses the objectives, methodologies, and phases of performing an information systems audit.
2. Key methodologies discussed include the top-down and bottom-up approaches, with the top-down being business and risk focused and the bottom-up focusing on control objectives.
3. The phases of an audit include pre-engagement work, data collection through testing, interviews and documentation, data analysis to identify findings and risks, developing recommendations, and reporting results.
This document outlines a project plan for implementing an Information Security Management System (ISMS) compliant with ISO 27001 in an organization. The plan defines the project goals as obtaining ISO 27001 certification by a target date, identifies key results and risks, and provides a schedule and roles. It also describes tools and documents that will be used, such as a shared folder for all project materials and regular reporting from the project manager.
Techserv is an IT security consulting firm that helps organizations achieve and maintain ISO 27001 certification. They take a holistic, goal-oriented approach to IT security that considers business goals, laws and regulations, and key information security principles of effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. Their methodology involves assessing needs, risks, and existing controls; designing improved controls; implementing solutions; training; auditing; and continuously measuring and improving security performance.
National Cybersecurity - Roadmap and Action Plan, by Dr David Probert
Analysis, strategies and practical action plans for National Government Cybersecurity based upon the United Nations - International Telecommunications Union - UN/ITU Cybersecurity Framework and their Global Cybersecurity Agenda - GCA.
Cyber Threat Intelligence (CTI) primarily focuses on analysing raw data gathered from recent and past events to monitor, detect and prevent threats to an organisation, shifting the focus from reactive to preventive intelligent security measures.
Introduction to NIST’s Risk Management Framework (RMF), by Donald E. Hester
This introductory session will cover the basic steps of the Risk Management Framework (RMF) and the transition away from the previous Certification and Accreditation approach to information systems security and assurance. This will also cover the benefits of the RMF for organizations, local, state, and federal governments.
Transforming Information Security: Designing a State-of-the-Art Extended Team, by EMC
This paper from the Security for Business Innovation Council (SBIC), sponsored by RSA, can help your organization build a state-of-the-art extended security team through seven actionable recommendations.
The document provides guidelines for IT security. It discusses how IT security is becoming increasingly important as organizations' business and work processes rely more on IT solutions. The guidelines provide a compact overview of the most important organizational, infrastructural, and technical IT security safeguards. They are aimed at helping small and medium-sized companies and public agencies establish a reliable level of IT security without needing a large IT budget. The guidelines illustrate security risks and necessary safeguards through practical examples and checklists.
A loose coalition of hacktivists with an anti-globalization agenda launched a massive computer virus attack against the University of Southern Mississippi's (USM) cyber systems. The hacktivists aimed to cause disruptions through cyber attacks in order to make political statements and protest actions. Their goal was to maximize economic harm and undermine public trust in big business and government. USM officials were warned of nonspecific cyber threats by intelligence and cybersecurity agencies.
The document outlines the risk assessment process recommended by NIST, which includes 9 steps: 1) system characterization, 2) threat identification, 3) vulnerability identification, 4) control analysis, 5) likelihood determination, 6) impact analysis, 7) risk determination, 8) control recommendations, and 9) results documentation. The goal is to identify risks, determine their likelihood and impact, and recommend controls to mitigate risks to protect the organization's mission.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center
requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center "is often used synonymously for SOC.
A network operations center (NOC) is not a SOC, which focuses on network device management rather than detecting and responding to cybersecurity incidents. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. It is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that are delivered by the SOC.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC :
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
مرکز عملیات امنیت
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice will be joined by Partner, Michael Hoffner and they will lead a discussion on a Cybersecurity Risk Management Program including what it is and how it can prepare your organization for the future.
Risk Management and Security in Strategic PlanningKeyaan Williams
This content was originally presented to the DFW chapter of the Society for Information Management. The presentation evaluates the role of risk management and security in the strategic planning process that defines the direction and prioritization of resources used by an organization.
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
This document discusses building a cyber security operations center (CSOC). It covers the need for a CSOC, its core components including security information and event management (SIEM), and integrating components like monitoring, alerting, and reporting. Key aspects that are important for a successful CSOC are people, processes, and technology. The roles and skills required for people in the CSOC and training needs are outlined. Developing standardized processes, procedures and workflows that align with frameworks like ISO are also discussed.
Improve Cybersecurity posture by using ISO/IEC 27032PECB
Cybersecurity is a universal concern across today’s enterprise and the need for strategic approach is required for appropriate mitigation.
Adopting ISO 27032 will help to:
• Understanding the nature of Cyberspace and Cybersecurity
• Explore Cybersecurity Ecosystem – Roles & Responsibilities
• Achieve Cyber Resilience through implementing defensive and detective cybersecurity controls
Presenter:
Obadare Peter Adewale is a first generation and visionary cyberpreneur. He is a PECB certified Trainer, Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria, second COBIT 5 Assessor in Africa and PCI DSS QSA. He is also an alumnus of Harvard Business School and MIT Sloan School of Management Executive Education.
Link of the recorded session published on YouTube: https://youtu.be/NX5RMGOcyBM
This document discusses risk assessments and managing third-party risk. It provides an overview of Optiv, a security consulting firm, and their services including risk management, security operations, and security technology. It then covers topics like the evolution of the CISO role, enterprise risk management, assessing assets, threats, vulnerabilities, and controls. The document provides methods for evaluating risk like the risk equation and risk register. It also discusses managing risk from third parties and cloud providers through due diligence and risk tiers based on the relationship and inherent risks.
Insight is one of the best security operation center that influences all the necessary things that reduce the advanced threats and security risk all over your company and protects your network infrastructure across the organization. https://insightmsp.co.in/soc-as-service.php
This document discusses strategies for implementing the National Institute of Standards and Technology's (NIST) cybersecurity control families. It recommends prioritizing the top six critical control families in Phase 1, which include configuration management, access control, awareness and training, media protection, and risk assessment. Phase 2 involves following up on the remaining NIST control families. The document also discusses balancing cybersecurity with business goals, gaining cross-organizational buy-in, and juggling priorities by leveraging different organizational teams.
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and DifferencesPECB
After the last 2020 Global Leading voices webinar, comparing ISO27001 with CCPA and NYC Shield Act, we're taking a look at the next level of information and cybersecurity management.
How can you assess your security management? The CMMI model (using the 1 to 5 grading) is a well-known system. Early 2020 the US DOD launched the CMMC, Cybersecurity Maturity Model Certification which matches the same levels for cybersecurity. This session we'll discuss the maturity evaluation principles for information security, cybersecurity and application security and how you can use it in practice.
The webinar covers:
- What's the CMMI?
- What's the CMMC?
- Maturity in security governance (ISMS, cyber, application)
- Security maturity vs audit cycles
Recorded Webinar: https://youtu.be/9BpETh_nAOw
Talking about Next-Gen Security Operation Center for IDNIC+APJII as representative from IDSECCONF. People-Centric SOC requires lot of investment on human in terms of quantity and quality, unfortunately, (good) IT security people are getting rare these days. Organisation need to put their investments more on technology, as in Industry 4.0, machines are getting more advanced to support Human on doing continuous and repetitive task.
Moving from “traditional” to next-gen SOC require proper plan, thats what this talk was about.
1. The document discusses the objectives, methodologies, and phases of performing an information systems audit.
2. Key methodologies discussed include the top-down and bottom-up approaches, with the top-down being business and risk focused and the bottom-up focusing on control objectives.
3. The phases of an audit include pre-engagement work, data collection through testing, interviews and documentation, data analysis to identify findings and risks, developing recommendations, and reporting results.
This document outlines a project plan for implementing an Information Security Management System (ISMS) compliant with ISO 27001 in an organization. The plan defines the project goals as obtaining ISO 27001 certification by a target date, identifies key results and risks, and provides a schedule and roles. It also describes tools and documents that will be used, such as a shared folder for all project materials and regular reporting from the project manager.
Techserv is an IT security consulting firm that helps organizations achieve and maintain ISO 27001 certification. They take a holistic, goal-oriented approach to IT security that considers business goals, laws and regulations, and key information security principles of effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. Their methodology involves assessing needs, risks, and existing controls; designing improved controls; implementing solutions; training; auditing; and continuously measuring and improving security performance.
National Cybersecurity - Roadmap and Action Plan - Dr David Probert
Analysis, strategies and practical action plans for National Government Cybersecurity based upon the United Nations - International Telecommunications Union - UN/ITU Cybersecurity Framework and their Global Cybersecurity Agenda - GCA.
Cyber Threat Intelligence (CTI) primarily focuses on analysing raw data gathered from recent and past events to monitor, detect and prevent threats to an organisation, shifting the focus from reactive to preventive intelligent security measures.
Introduction to NIST's Risk Management Framework (RMF) - Donald E. Hester
This introductory session will cover the basic steps of the Risk Management Framework (RMF) and the transition away from the previous Certification and Accreditation approach to information systems security and assurance. This will also cover the benefits of the RMF for organizations, local, state, and federal governments.
Transforming Information Security: Designing a State-of-the-Art Extended Team - EMC
This paper from the Security for Business Innovation Council (SBIC), sponsored by RSA, can help your organization build a state-of-the-art extended security team through seven actionable recommendations.
The document provides guidelines for IT security. It discusses how IT security is becoming increasingly important as organizations' business and work processes rely more on IT solutions. The guidelines provide a compact overview of the most important organizational, infrastructural, and technical IT security safeguards. They are aimed at helping small and medium-sized companies and public agencies establish a reliable level of IT security without needing a large IT budget. The guidelines illustrate security risks and necessary safeguards through practical examples and checklists.
This document provides an overview of network security for small to medium sized companies. It discusses how network security has evolved over time in response to growing cyber threats. A layered defense strategy is recommended, with a centralized security policy and access control model. Key elements of a security program are identified, including security plans and policies, risk management, access control, intrusion detection systems, and disaster recovery. Centralized governance of both physical and network security is advised to close gaps between different security teams.
Secure by Design: Building Identity-Based Security - Arun Gopinath
This document discusses building identity-based security into information systems. It argues that organizations need to shift from adding security tools to building security in from the start. Identity and access management technologies can integrate security throughout modern IT architectures by authenticating users, enforcing access policies, and managing user sessions and transactions. These technologies provide both security benefits and opportunities to optimize business performance through personalization. The document advocates a comprehensive approach using these and other security tools.
This document discusses building identity-based security into information systems. It argues that most organizations have focused on adding security after the fact, rather than building it in from the start. Today's identity and access management technologies allow building security directly into systems through features like real-time authentication, fine-grained access controls, and linking identity to transactions and information. This approach provides both security benefits and opportunities to optimize business performance. The document examines IBM's identity and access management capabilities as an example of a vendor that can help organizations take a comprehensive, built-in approach to security.
This document discusses best practices for cybersecurity policy and governance in government organizations. It emphasizes the importance of aligning security policies with business objectives to enable operations rather than hinder them. Effective risk management requires identifying critical assets, analyzing threats and vulnerabilities, and understanding breach implications. It also stresses the need for strong executive support of security policies and constant policy refreshment as technologies change.
This document provides an overview of network security for small to medium sized companies. It discusses how the nature of threats has evolved with increased connectivity, requiring companies to implement layered security strategies. The document outlines key aspects of a security program, including security plans and policies, operations, risk management, access control, and disaster recovery. It emphasizes the importance of a centralized security policy and identity management system to efficiently govern security across all company locations and domains. Overall, the document presents concepts and processes for protecting company assets and maintaining business continuity through a unified security approach.
SBIC Report: Transforming Information Security: Future-Proofing Processes - EMC
The report recommends that security teams shift their focus from technical assets to protecting critical business processes. It also suggests instituting methods for describing cybersecurity risks to businesses in financial terms and establishing automated, business-centric risk assessment processes. Additionally, the report advises developing the capability to continuously evaluate the effectiveness of security controls through evidence-based methods and informed data collection.
Metrics & Reporting: A Failure in Communication - Chris Ross
Wisegate recently conducted a research initiative to assess the current state of security risks and controls in business today. One of the key takeaways? A concerning lack of metrics and reporting on the subject. While CISOs claim to be improving corporate security all the time, there is little ability to measure that success. In this Drill-Down report, Wisegate uncovers where most organizations stand when it comes to metrics and reporting, and how it is affecting their businesses on the whole.
This document provides information about Module 002 of the course IT 411 - Information Assurance and Security 2. The module aims to examine fundamental computer security techniques and identify potential security issues. It covers topics like cryptography, application security, incident response, risk assessment, and compliance with regulations. The module outlines learning objectives, outcomes, resources, tasks, content items, and assessments. It also includes detailed lessons on topics like the financial impacts of cybercrime, developing a security strategy using the 10 steps approach, techniques for protecting against attacks like examining the perimeter and network segregation, and methods for detecting attacks through logging.
SBIC Enterprise Information Security Strategic Technologies - EMC
This report from the Security for Business Innovation Council describes next generation technologies that support an Information-Driven Security strategy.
Assessing and Managing IT Security Risks - Chris Ross
Data privacy and protection have become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data-centric security and the need for improvement in automated security controls and metrics reporting.
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013 - drewz lin
The document discusses how the era of big data security analytics has arrived. It outlines obstacles that are impeding security maturity like an increasingly hazardous threat landscape, demands to secure new technologies, and a shortage of security skills. Legacy security tools are also no longer adequate to deal with these challenges. The era of big data security analytics requires continuous monitoring and data analysis for real-time awareness and data-driven security decisions in large organizations.
This paper discusses the question of optimizing security decisions in an organization, based on the information provided by the technical security infrastructure.
In this exclusive Security Leadership Series eBook, Citrix chief information security officer Stan Black and chief security strategist Kurt Roemer share best practices for leading meaningful security discussions with the board of directors; engaging end users to protect business information; and meeting security-related compliance requirements.
Who is responsible for security in the enterprise? Every company takes a different approach, but in many cases, accountability and authority do not reside in the same role. When this happens, it’s hard to tell who is responsible for securing digital assets. No wonder executives are worried.
Industry Overview: Big Data Fuels Intelligence-Driven Security - EMC
This industry overview describes how Big Data will be a driver for change across the security industry, reshaping security approaches, solutions, and spending. It presents six guidelines to help organizations plan for the Big Data-driven transformation of their security toolsets and operations as part of an intelligence-driven security program.
Information Security Governance: Concepts, Security Management & Metrics - Marius FAILLOT DEVARRE
The document discusses information security governance concepts. It defines information security governance as a job practice area that establishes policies and procedures to align information security strategies with business goals. The key tasks within this area include establishing an information security strategy and governance framework, developing security policies, and defining roles and responsibilities. Effective information security governance provides benefits such as reducing security risks and incidents, enhancing customer trust, and ensuring policy compliance. Senior management support is important for information security governance to be implemented successfully.
Information Security Governance: Concepts, Security Management & Metrics - OxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
The document discusses trends in corporate security in the 21st century. Three major trends are the need to integrate security and privacy, converge information and physical security, and adopt new technologies like biometrics. It emphasizes taking a holistic approach to security planning by establishing standards, processes, and educating employees on roles and responsibilities. Security should aim to prevent intrusions rather than just detect them after the fact. It also discusses balancing security needs with individual privacy rights.
Information Security Governance at Board and Executive Level
Master Project
Information Security Governance: Awareness at the Board of
Directors and Executive Committee
Author: Koen Maris
Promotor(s): Wim Van Grembergen, Steven De Haes
Table of Contents
Abstract
Definitions
Problem statement and research questions
Methodology
    Identification process
    Awareness survey
    Third party surveys
    Literature
    Frameworks, methodologies and models
        ISO 2700x
        COBIT 5
        ISACA, Business Model for Information Security
        ISC2, Common Body of Knowledge
        NIST 800-53
Background on master project
Information security governance definitions
    Definition from NIST on information security governance
    Definition from ISACA (2006)
Information Security Governance at the Board of Directors
    Leadership, strategy and value
        Leadership
        Strategy
        Enabling value
    Measurement, monitoring and audit
    Risk management
    Identify information security leaders
Information Security governance practices at the Executive Committee
    Information Security framework
    Chief Security Officer/Chief Information Security Officer
    Information Security Steering Committee
    Implementation of information security
    Monitoring and assessments
    Awareness and communication
Conclusion
    Board members
    Executive management
End note
Table of Figures
Bibliography
Abstract
Corporate governance, and more specifically governance of enterprise IT, are important factors
in building solid companies that require agile strategies. Difficulties in alignment remain
present, as not every boardroom recognises the importance of the information technology
infrastructure in place at the company.
The rapid growth of emerging Internet technologies forced companies to address information
security. In the early days companies looked at information security as a solely technical
matter; different complex technologies, which came with high expenses, were available to
mitigate risk factors related to the use of the Internet. In a second era, security management
practices were integrated into the company structure. The objective of this function is mostly
to set a formal statement, by means of policies, standards, procedures and guidelines, in
order to maintain an adequate level of security. It provides a structured way of organising the
information security landscape and monitors the enterprise to keep it in compliance with the
integrated policies. Such a formal statement expresses the importance placed on information
security by the executive management and/or the board.
Since information security governance is a relatively new area, it doesn't always receive the
required attention, such as business support, management support and eventually the necessary
budgets to keep Mr Evil out. The reasons why information security is not receiving the
required attention are plenty, but a main reason it fails to get on the agenda could be
that the upper levels of an organisational structure do not receive the information required to
get their attention, or that companies are risk taking instead of risk averse, or that it seems
impossible to identify value for the business. Security is about avoiding something, whereas a
new application is about adding functionality in order to increase efficiency, production etc.
Unfortunately, security is still seen as a business disabler.
Definitions
This chapter explains the terms and definitions used that could cause doubt or
misinterpretation.
Awareness: knowledge or perception of a situation or fact (Oxford dictionary)
Security awareness: the extent to which staff understand the importance of information
security, the level of security required by the organisation and their individual security
responsibilities. (Standard of Good Practice for Information Security, ISF)
Risk appetite: The amount and type of risk an organization is willing to accept in pursuit of
its business objectives.
Risk tolerance: The specific maximum risk that an organization is willing to take regarding
each relevant risk.
ISMS (information security management system): "An information security management
system (ISMS) is a set of policies concerned with information security management or IT
related risks. The idioms arose primarily out of BS 7799."(Wikipedia, 2013)
CRO: Chief Risk Officer
CSO: Chief Security Officer, covers all security aspects, including those outside IT
CISO: Chief Information Security Officer, in charge of information related security, not
physical aspects
Problem statement and research questions
Information security is often associated with technology, which makes it difficult to get it on
the radar of executives and board members. Anything that is technology related is by default
classified by execs and board members as boring, not interesting, expensive and never
working. The omnipresence of information technology makes it the lifeblood of most
organisations. It would be difficult to imagine a company not relying on information
technology; perhaps for a short period of time it could survive, but in the long run it would not
be sustainable. And in the most recent years it has become even more difficult to think in
business terms without being connected to the Internet. Imagine that your company did not
have a working email system for a few days, or no possibility to connect to a branch office
because the Internet service is not working properly. This dependence on technology and the
Internet will only increase in the upcoming years due to cloud technologies, VOIP, BYOD etc.
Julia H. Allen (2007) states that the interest of decision makers in today's organisations is
not proportional to their dependence on technology and the related information security
issues. Executive managers, business managers and even board members do not
necessarily understand the complex nature of information security. As a result, little interest
is shown in the matter and, in the worst case, security is considered an expense or a
discretionary budget-line item. It is worthwhile to see whether companies' boards and
executive management have the knowledge, or import the knowledge into their working
environment, to cope with the complexity and rapid change of information security technology.
It appears that information security staff and business managers are too far out of sync to
define appropriate solutions offering a balance between risk and business value. In any case
risk based management still has its merits, but like information technology, information
security needs to align with business requirements and the risk appetite the business is willing
to take. Those benefitting from security and those responsible for security have different
interests and different goals. A higher risk appetite becomes the reason to deny additional
budgets to information security, which indirectly contributes to the idea that management
knows they need to address security but does not for various reasons.
Research questions:
Which level of information security governance “awareness” is present at the level of Board
of Directors and executive management in a contemporary enterprise?
Which practices (structures, procedures) have been identified?
To what extent are these practices considered effective?
Which practices are well adopted in today's enterprise?
What are the main drivers for implementing these practices?
Conceptual model:
Assumptions:
In today's contemporary enterprises there is some level of awareness at the Board of Directors
and Executive Committee. However, a clear enterprise-wide strategy on information security is
often not present and, at best, immature where present. This results in limited financial
support, lower budgets and an ad-hoc approach when it comes down to information security.
Methodology
The research in this paper is performed on available literature, both academic and from the
business environment, publicly available surveys done by academics and consultancy firms,
and a survey I've performed among a small number of board directors and executive
managers. The empirical findings come from publicly available reports and surveys performed
by major consultancy firms and some renowned academic institutions.
Identification process
In all consulted literature there were common practices present which one might expect from
board members and executive management when it comes down to information security; these
are used as the basis of the identification process.
Boards of Directors have some tasks, such as leadership, which do not map one to one onto a
well-known procedure and/or structure as found in most literature. In such a case there are
multiple parts to explain the practice, with the relevant information and statistics, in order to
gain some insight into how well it is adopted and how effective its usage is.
Awareness survey:
A custom-developed survey containing some basic governance practices, inspired by the 33
practices from De Haes & Van Grembergen (2008); the most important ones were confirmed
by a group of security professionals who responded to a survey. The target audience for the
survey enquiry is:
Board members with different backgrounds (different industries)
Executive management, with different job functions
Mid management, typical team leaders, project manager non-executive management
Administration, consultants, business architects, administrative personnel
Together with peers from the information security field we decided to limit the survey to the
most important practices. Peers were asked to identify at least 3 practices that are key in
establishing a successful information security program.
We concluded that the most important practices to measure are (in order of importance):
An information security responsible in the company
A formal information security policy in place
Communication of information security across the company
Risk appetite statement
Third party surveys:
A collection of surveys conducted by major consultancy firms is used, addressing information
security management/governance, risk management/governance, security reporting on
breaches etc. These reports contain surveys conducted by these large consultancy firms,
with a large respondent base spanning different types of industries, different levels of
hierarchy and different types of job functions. Most of the surveys come in the form of an
official report where statistics are used to underpin the conclusions presented in the report.
PriceWaterhouseCoopers: Global Internet Security Survey 2014
Respondents: 9600 executives from 115 countries, cross industry
PriceWaterhouseCoopers: Information Security Breaches Survey 2012
Respondents: 447 organisations, 46% >500 employees
Ernst & Young: Fighting to close the gap, 2012, cross industry
Respondents: 1836 executives from 64 countries, cross industry
Jody R. Westby Carnegie Mellon, Governance of Enterprise Security 2012
Respondents: 108 board or senior executives from Forbes Global 2000 companies
Half of the respondents are board members, and the other half are non-director senior
executives. Twenty-four percent (24%) of the respondents are board chairs and 44%
are on Audit, Governance or Risk committees. Jody R. Westby (2012)
Deloitte: Global Risk Management Survey 2011
Respondents: 131 financial institutions
Deloitte: State governments at risk: a call for collaboration and compliance 2012
Respondents: 50 CISOs (48 states and two territories) USA only
Tripwire-Ponemon: The state of risk based security 2013
Respondents: 1,320 professionals in IT security, information risk management and IT
operations in the United States and the United Kingdom
Literature:
Academic publications, books and papers released by consultancy firms, vendors of security
products and information security related organisations are included to gather information on
information security governance practices, the drivers behind information security
governance, the practices used and to see how effectiveness is measured.
Frameworks, methodologies and models
The frameworks, methodologies and models used in this paper have similar approaches in
addressing information security. The similar approaches, practices and structures, identified
are used as the starting point to identify the practices described in this paper.
ISO 2700x
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for
short) comprises information security standards published jointly by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC). The series provides best practice recommendations on information security
management, risks and controls within the context of an overall information security
management system (ISMS), similar in design to management systems for quality assurance
(the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and
IT or technical security issues. It is applicable to organizations of all shapes and sizes. All
organizations are encouraged to assess their information security risks, then implement
appropriate information security controls according to their needs, using the guidance and
suggestions where relevant. Given the dynamic nature of information security, the ISMS
concept incorporates continuous feedback and improvement activities, summarized by
Deming's "plan-do-check-act" approach, that seek to address changes in the threats,
vulnerabilities or impacts of information security incidents. (Wikipedia, 2014)
COBIT 5
COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between
realizing benefits and optimizing risk levels and resource use. The framework addresses both
business and IT functional areas across an enterprise and considers the IT-related interests of
internal and external stakeholders. Enterprises of all sizes, whether commercial, not-for- profit
or in the public sector, can benefit from COBIT 5.
In this paper the emphasis of COBIT is put on risk and information security; in parallel to the
standard COBIT enabler processes guide I've consulted COBIT 5 for Information Security
and COBIT 5 for Risk Management.
ISACA, Business model for Information Security
The Business Model for Information Security provides an in-depth explanation to a holistic
business model which examines security issues from a systems perspective. Explore various
media, including journal articles, webcasts and podcasts, to delve into the Business Model for
Information Security and to learn more about how to have success in the IS field in today's
market. (ISACA, 2010)
ISC2, Common Body of Knowledge
The (ISC)² Common Body of Knowledge is a taxonomy - a collection of topics relevant to
information security professionals around the world. The (ISC)² Common Body of
Knowledge establishes a common framework of information security terms and principles
which allows information security professionals worldwide to discuss, debate, and resolve
matters pertaining to the profession with a common understanding, from Shon Harris (2003).
I've not used this book actively but a great deal of my knowledge on information security
management started by getting the CISSP credential that I've obtained in 2004. Therefore I
consider it as important in this paper.
NIST 800-53
NIST Special Publication 800-53, "Recommended Security Controls for Federal Information
Systems and Organizations," catalogs security controls for all U.S. federal information
systems except those related to national security. It is published by the National Institute of
Standards and Technology, which is a non-regulatory agency of the United States Department
of Commerce. NIST develops and issues standards, guidelines, and other publications to assist
federal agencies in implementing the Federal Information Security Management Act of 2002
(FISMA) and to help with managing cost effective programs to protect their information and
information systems.(Wikipedia, 2013)
Background on master project
Information security and cyber security have been hot news items for a few years now; it is
hard to imagine a day going by without a high profile security incident in the news. These
incidents have contributed to an information security approach that is addressed in an ad-hoc
mode. The information security people of today are the firemen of your network boundaries
and systems. They keep your house in an acceptable shape when fire breaks loose. But
these firemen should be the last resort to rely on. In our society we try to avoid calling these
firemen and we do not rely on them to monitor and warn us when something happens, since
this is a shared responsibility between the government, society (you and me) and the firemen.
Information security in the corporate world needs to be treated as a shared responsibility
too in order to obtain an adequate level of acceptance, success and financial support. The
board and executive management have to keep oversight and implement rules and policies.
Staff should apply the rules and inform, whenever required, the firemen upon detection of an
anomaly. As in our society, controls have to be put in place to ensure the rules and policies
are lived by.
The biggest obstacle to achieving this seemingly easy solution is that information security
and technology change at high velocity. Something secure today could suffer a zero-day
exploit tomorrow, and the day after it could be a gaping hole in your fortress. Preparedness is
key; therefore information security should be on the board agendas and integrated into the
corporate governance process. The difficulty remains in aligning the triangle of business, IT
and information security.
Some facts and figures from Kaspersky (2013)
Maintaining information security is the main issue faced by companies' IT management
In the past 12 months (2012), 91% of the responding companies had at least one
external incident and 85% reported internal incidents
A serious incident can cost a large company an average of $649,000; for small and
medium-sized companies the bill averages at about $50,000.
A successful targeted attack on a large company can cost it $2.4 million in direct
financial losses and additional costs.
For a medium-sized or small company, a targeted attack can mean about $92,000 in
damages – almost twice as much as an average attack.
Information leaks committed using mobile devices – intentionally or accidentally –
constitute the main internal threat that companies are concerned about for the future.
The seriousness of threats, the costs and the high volume of attacks show that information
security is to be taken seriously by any organisation, whether small or big. Not to mention all
the privacy and data related issues such as we experienced in 2013 with the leak of confidential
data by Edward Snowden. It also pinpoints that the internal threat is becoming increasingly
important.
Information security governance definitions
Currently there is a myriad of different definitions for an identical idea or concept.
Unfortunately there is no silver bullet that answers it all. This chapter outlines some
definitions taken from respectable bodies across the globe, though the list is not exhaustive.
Some of the key goals of an information security programme are to protect the company's
assets, reduce risk, set rules and provide compliance with law and regulation. In other words,
it protects assets against theft, misuse, unavailability, unauthorised disclosure, tampering,
legal liability etc...
A successful information security governance approach demands full integration into the
corporate strategy and enterprise governance, is aligned with IT and contributes to the overall
success of the company, from ISACA, guidance for boards and directors (2006). The
omnipresence of information security in IT demands a new culture, transforming from a
buy-a-solution approach to a security aware culture in today's enterprises. By setting the
tone at the top, a company can transform its current culture into an information security aware
environment. There is a host of frameworks and standards available to provide guidance in
this complex task of covering all information security related subjects a company has to deal
with, such as the ISO 27001(2) ISMS framework, COBIT for security, the NIST 800-53
publication etc.
Definition from NIST on information security governance:
Information security governance can be defined as the process of establishing and
maintaining a framework and supporting management structure and processes to provide
assurance that information security strategies are aligned with and support business
objectives, are consistent with applicable laws and regulations through adherence to
policies and internal controls, and provide assignment of responsibility, all in an effort to
manage risk. (NIST, 2006)
Information security governance is more than just setting tone and strategy; to receive buy-in
from the Board of Directors and senior management one needs to be able to express some
potential benefits of applying good information security governance.
Definition from ISACA (2006)
An information security governance framework generally entails:
A comprehensive security strategy explicitly linked with business and IT objectives
An effective security organisational structure
A security strategy that talks about the value of information protected and delivered
Security policies that address each aspect of strategy, control and regulation
A complete set of security standards for each policy to ensure that procedures and
guidelines comply with policy
Institutionalised monitoring processes to ensure compliance and provide feedback on
effectiveness and mitigation of risk
A process to ensure continued evaluation and update of security policies, standards,
procedures and risks
Information Security Governance at the Board of Directors
Understanding the role of the Board of Directors in information security governance requires
one to look at how it interacts with corporate governance and what tasks the Board of
Directors exercises in that context.
The mandate of a director of the board is dual, from Stanford (2011):
Advisory: consult with management regarding strategic and operational direction of
the company.
Oversight: monitor company performance and reduce agency costs
This translates to a set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's
resources are used responsibly, from ITGI/ISACA (2003).
Risk management is one of the key elements in Information Security Governance; defining
risk and setting the tone by defining the risk appetite level is one of the practices required.
Additionally, information security governance requires strategic direction and impetus. It
requires commitment, resources and assignment of responsibility for information security
management, as well as a means for the board to determine that its intent has been met.
[Figure 1, Does your board regularly, occasionally, rarely or never complete the following
actions? Jody R. Westby, 2012. Bar chart, 0% to 60%; response categories: Regularly,
Occasionally, Rarely or never.]
ISACA (2006) states, experience has shown that the effectiveness of information security
governance is dependent on the involvement of senior management in approving policy, and
appropriate monitoring and metrics coupled with reporting and trend analysis.
The literature research results in the following list of responsibilities and/or tasks expected to
be taken up by the Board of Directors in the context of Information Security Governance.
Risk Management, setting the tone by defining the risk appetite
Identify information security leaders, provide resources and support
Direction, strategy and leadership, put information security on the board's agenda
Ensure effectiveness of the information security policy
Integrate a strategic committee
Staff awareness and training
Measurement, monitoring and audit
Are these practices also exercised by the board members, to what extent are these considered
effective?
Leadership, strategy and value
According to S.H von Solms/R. von Solms (2009), information security is a direct corporate
governance responsibility and lies squarely on the shoulders of the Board of a company. It
emphasizes the fact that everybody in the company has an information security responsibility
– from the Chairperson of the board to the newest junior secretary.
ISACA (2006) states that information security is a top-down process requiring a
comprehensive security strategy that is explicitly linked to the organisation's business
processes and strategy. Ana Dutra (2012) finds that board composition is a serious
impediment, if not done right. Today's challenges require new perspectives and skills. But
boards often lack the ability to objectively evaluate their makeup to determine if they have the
right people and skills at the table.
Jody R. Westby (2012) discovered in a recent study that boards still underestimate the
importance of relatively new expertise domains such as information technology and risk
and security. However, the report indicates progress: 27% of the respondents indicated that
their board had an outside director with cyber security experience, up from 18% in 2010.
And 64% of the respondents think it is very important to have risk and security experience
when hiring a new director.
Although the importance attached to risk and security knowledge seems fair, it is still low
compared to skills like management and financial knowledge, especially considering the
importance of and the dependence on technology and the Internet.
[Figure 2, How important is each type of experience when recruiting new directors?
Jody R. Westby, Governance of Enterprise Security. Bar chart, 0% to 100%; response
categories: Very important or important, Somewhat important, Not important, Don't know.]
Leadership
According to ISACA (2006) information security governance consists of the leadership,
organisational structures and processes that safeguard critical information assets. Though, in
this paper the focus lies on the outcomes expected by the ISACA report as they show results
of leadership. The expected results are:
Risk management by executing appropriate measures to manage and mitigate risks and
reduce potential impacts on information resources to an acceptable level
Resource management by utilising information security knowledge and infrastructure
efficiently and effectively
Performance measurement by measuring, monitoring and reporting information
security governance metrics to ensure organisational objectives are achieved
To achieve the outcomes a company requires some concrete practices. Some identified
practices are almost a one to one mapping with the outcomes where others are practices that
provide input to obtain the expected outcome.
Review of annual budgets
Fifty-three percent (53%) of respondents said their board rarely or never reviewed and
approved annual budgets for privacy and IT security programs, finding by Jody R.
Westby (2012).
Review roles and responsibilities
Fifty-six percent (56%) of respondents indicated their board rarely or never reviewed
and approved roles and responsibilities of personnel responsible for privacy and
security risks, finding by Jody R. Westby (2012).
Review of top level policies
Forty-one percent (41%) of respondents said their board rarely or never reviewed and
approved top-level policies regarding privacy and security risks, finding by Jody R.
Westby (2012).
Leadership of CEO, president or board
23% of the respondents see the lack of leadership as an important obstacle in the
overall strategic effectiveness of their organisation's security function, from
PriceWaterhouseCoopers (2012)
Establish a risk committee of the board of directors
Only 28% of the respondents reply to have a risk committee with board members
included, according to Deloitte (2011)
Add board members with risk experience
19% of the respondents have risk experienced members added or present in their
current board according to Deloitte (2011)
Many boards across the world are starting to get information security governance into their
activities. However these practices are not widely adopted yet and there is limited or no
information on how well these are integrated and to what extent can these be considered
effective. Perhaps the only part of the practices that has a head start is by far risk management
and/or risk governance which is traditionally covered in order to protect a company from
financial risks etc. Boards are actively addressing risk management, but there is still a gap in
understanding the linkage between cyber security risks and enterprise risk management,
according to Carnegie Mellon University - Jody R. Westby (2012).
The leadership levels in a company regarding information security are still on the low side.
The fact that almost half of the respondents do not even review budgets and that more than
40% of the respondents do not review the official statement set in the form of a policy is
extremely troubling and worrying.
Strategy
Defining a strategy and setting direction is a crucial aspect in any governance domain,
whether information security, risk or any other. The majority of the literature consulted for
this thesis states that any information security strategy needs to be aligned with the business
strategy in order to achieve some results, acceptance and the required budgets adequate to
execute the strategy. Similar to the leadership chapter, the results are focussed on the expected
outcomes according to the ISACA document "guidance for Board of Directors and Executive
management".
Strategic alignment of information security with business strategy to support
organisational objectives
Performance measurement by measuring, monitoring and reporting information
security governance metrics to ensure organisational objectives are achieved
Value delivery by optimising information security investments in support of
organisational objectives
Aligning the business strategy and the information security strategy is a key factor in good
governance practices. A study conducted by PriceWaterhouseCoopers (2014) states that 68%
of the respondents assume their information security strategy is aligned with the business
needs. However, a similar survey conducted in 2012 by Ernst & Young says that only 42%
have their information security strategy aligned with their business strategy.
About 54% of the respondents state that they discuss information security topics in the
boardroom on a quarterly basis or even more frequently. However, the remaining 46% never
or almost never discuss the topic in the boardroom. Nonetheless, many respondents feel that
the information security function is not meeting the organisational need; only a minority
feel they are fully aligned.
[Figure 3, Does your function meet the organisational requirements? EY, Fighting to close
the gap, 2012. Bar chart, 0% to 80%; categories: Fully aligned, Partially aligned.]
Note: there is in fact one year difference between both reports, the PriceWaterhouseCoopers
report is released in 2014 with data based on 2013, the EY report contains data and
conclusions from 2012.
According to Tripwire-Ponemon (2013), improvements in commitment to risk-based security
management haven't translated into wider acceptance of a strategic approach to risk
management among organizations. Nearly half of the respondents describe their risk-based
security management approach or strategy as 'non-existent' or 'ad hoc' (46% U.S. and 48%
U.K.). In contrast, only 29% (U.S.) and 27% (U.K.) have a risk-based security management
strategy applied consistently across the enterprise.
The fact that leadership practices regarding information security are relatively poor translates
into the strategy and alignment part. There is some level of alignment however there is a lot of
room for improvement.
Enabling value
It is no secret that creating business value when it comes down to information security seems
an impossible task today for many information security practitioners. I will not go into detail
on the reasons why or why not, since there is little to no academic information to be found.
However, in order to create something that is perceived as valuable to the business there must
be some alignment, or at least interest from both groups to cooperate on the issue.
Undoubtedly one of the biggest challenges is to obtain some organisational involvement in
aligning risk based security management with business objectives, as shown in Figure 4.
[Figure 4, Organizational involvement in aligning risk-based security management with
business objectives. Tripwire, 2013. Bar chart, 0% to 60%; categories: Significant…,
Moderate…, Little involvement, No involvement.]
When measuring value in regard to information security, it is mostly looked at in terms of
reduced negative consequences from security incidents resulting from investments in control
objectives, according to the Royal Institute of Sweden (2011). In that regard it remains an
almost impossible task to convince the business that security is a value enabler. Providing
metrics is often an argument used; however, a study from Tripwire-Ponemon (2013) states the
most obvious remark in that respect: 50% of the respondents in the USA and UK say that the
information is too technical to be understood by non-technical management. The same study
reveals that 40% of the respondents only communicate with senior management when there is
an actual incident. This is by far the worst time to start a constructive and positive
dialogue with senior management.
Measurement, monitoring and audit
An important aspect in governance is monitoring and measuring performance, security,
finance, in fact any topic deemed important for the good functioning of the business. When
looking into COBIT 5, many processes have an output to the process MEA02 (Monitor,
Evaluate and Assess the system of internal control), which defines the importance of good
monitoring capabilities to achieve governance. A company has an arsenal of possibilities to
monitor and assess. A well-known monitoring tool is audit, whether internal or external.
Undoubtedly any company that has a reputation to defend has some form of internal audit and
performs an external control on a regular basis; mostly these actions are driven by compliance
standards, industry regulations or by law. In the field of information security a company can
add additional controls such as self-assessments, monitoring incidents, monitoring costs etc.;
these help a company in assessing the efficiency of their information security strategy.
[Figure 5, How does your organisation assess the efficiency and effectiveness of information
security? EY, Fighting to close the gap, 2012. Bar chart; categories: Assessments performed
by internal audit function; Internal self-assessments by IT or information security function;
Assessment by external party; Monitoring and evaluation of security incidents and events; In
conjunction with the external financial statement audit; Benchmarking against
peers/competition; Evaluation of information security operational performance; Formal
certification to external security standards. Values shown on the chart: 68%, 64%, 56%, 48%,
35%, 27%, 19%, 15%, 15%, 14%, 5%, 4%.]
Internal audit is by far the most important tool used to assess performance and to report on
progress towards the organisational objectives. For the board of a company, audit and an audit
committee are an important reporting line to receive an objective status on how the company
is performing and what the status is on different aspects of governance. Though, only a limited
number of companies have a strict segregation between the risk committee and the audit
committee, which creates a conflict of interest. Only 8% of respondents said their boards have
a Risk Committee that is separate from the Audit Committee, and of this 8%, only half of
them oversee privacy and security. Audit Committees should not be responsible for
establishing privacy and security programs and then also auditing them. This is an obvious
segregation of duties issue at the board level, according to Jody R. Westby (2008). But as
shown in Figure 6 the situation is improving; companies are separating the duties into
different committees. As a consequence the Audit Committee responsibility for oversight of
risk dropped from 65% in 2008 to 35% in 2012, from Carnegie Mellon University - Jody R.
Westby (2012).
[Figure 6, Subject actively addressed by the board. Jody R. Westby, 2012. Bar chart, 0% to
100%; categories and values in chart order: Responsibilities of senior… 68%, Risk
management 91%, IT operations 29%, Computer and information… 33%, Mergers and
acquisitions 92%, Long term strategy & operations 95%, Vendor management 13%,
Compliance 92%.]
[Figure 7, Separate risk committee and audit committee. Jody R. Westby, 2012. Chart, 0% to
50%; years 2008, 2010, 2012.]
Risk management
Boards play a crucial role in risk oversight. Directors at corporations are encouraged to embrace entrepreneurial risk and pursue risk-bearing strategic operations, according to Matteo Tonello (2008). Apart from the economic stance, the main driver for Enterprise Risk Management is compliance with regulatory bodies and legal constraints. Still, a useful risk approach delivers an advantage for any company and avoids abrupt business interruption. Information risk management does not differ that much: it is mostly driven by regulations. As shown in Figure 7, up to 91% of the companies have a form of risk management. Sarbanes-Oxley contributed to moving companies to address risk, whether business or information related. Whether these approaches have been efficient remains difficult to measure; recent years showed that too many times companies have taken too much entrepreneurial risk, jeopardising the entire enterprise and perhaps even being one of the causes of the economic turmoil the world is in. It might look like a problem only within the financial sector, but other industries suffered as well because they did not take into account the risk of bankruptcy for big institutions. When it comes down to information security we can see similar events: the risk any enterprise faces when using modern technologies seems to be misjudged, or the risk appetite set is insufficiently articulated and/or too high. This gives attackers an edge and it gives them a great arsenal of attack vectors, since outdated and well-known attacks are still present and used.
Figure 8, I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed to take during your daily tasks.) (Bar chart, 0-100% axis; responses Strongly Agree, Agree, Neutral, Disagree, Strongly disagree; series Exec's and Board.) Koen Maris, 2013
Figure 9, Enterprise Risk Management program/structure in place (bar chart; percentage of respondents, 0-100% axis, for 2008, 2010 and 2012). Jody R. Westby, 2012
Performing a risk assessment is important in mitigating risks, but success depends on other important factors in the risk management approach, such as defining a risk appetite statement and having it approved by the board of directors. In the context of information security very little information is available. Risk appetite is known by the board and executive members; there is a slight difference when looking at Figure 8. However, it seems that the communication about it is trailing behind. If we look at the broader context of Enterprise Risk Management, a study by Deloitte (2011) shows that only 67% of the boards approved a risk appetite statement. Designing risk management without defining your risk appetite is like designing a bridge without knowing which river it needs to span. Your bridge will be too long or too short, too high or too low, and certainly not the best solution to cross the river in question, as stated by E&Y (2012).
But judgement of risk and the risk appetite is subjective for each individual. When asking board members if they'd take more risk if that could help them achieve their goals and get their bonuses, about 16% would agree; in the executive ranks about 30% would agree to do so, according to my survey (2013). According to a report from the European Audit Committee Leadership Network (2012), good risk management does not imply avoiding all risks at all cost. It does imply making informed and coherent choices regarding the risks the company wants to take in pursuit of its objectives and regarding the measures to manage and mitigate those risks. In an ERM system that lacks a well-articulated risk appetite framework, a business unit that reports no risks requires no action.
Identify information security leaders
The CRO is the most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee risk within the IT departments. In some enterprises, when there is no specific CRO role, the CEO will be charged with chairing the committee, per delegation by the board, to oversee the day-to-day risk in the enterprise (COBIT 5 for Risk, 2013). The CRO title is being used by security-savvy companies that understand the need to integrate IT, physical and personnel risks and manage them through one position. Less than two thirds of the Forbes Global 2000 companies responding to the survey have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards, according to Jody R. Westby (2012).
The CRO function undoubtedly has a crucial role in the overall risk setting of a company, especially if there is a direct connection between the CRO and the board. Other statistics show that up to 68% of the CRO functions have a direct reporting line to the board, where 33% of the CROs state that they meet the board when needed, in other words ad hoc, and 35% of the respondents claim to have board meetings quarterly (executiveboard.com, 2008). Twenty-six percent (26%) of respondents said their board rarely or never received reports from senior management regarding privacy and IT security risks; an additional 33% said they occasionally got such reports. Thirty-nine percent (39%) said they regularly received reports on privacy and IT security risks.
Figure 10, Key role risk/security function in place (bar chart, 0-90% axis; roles CISO, CSO, CPO, CRO; responses Yes, No, Don't know). Jody R. Westby, Governance of Enterprise Security
Board members are risk aware; whether they are risk averse or risk taking, they are used to making decisions based on a risk report. Parts of the risks are translated into a strategy and are put in place by a Chief Security Officer. I wasn't able to find a study to underpin whether a CISO/CSO should or should not report directly to a board, either via a committee or during a board meeting.
Information Security governance practices at the Executive Committee
In today's interconnected world in which companies conduct business, it would be virtually impossible to neglect and ignore the importance of information security across organisations. Many enterprises have a form of information security management and address the technical issues related to protecting their information assets. Only a minority of companies have a strategy in place that is aligned with the company strategy. The lack of an information security strategy embedded into the corporate governance results in undercut budgets and limited support, eventually ending up with a lesser or inefficient information security programme that leaves a company vulnerable.
Many frameworks, models, methodologies or best practices are readily available addressing the importance of information security and how it should be incorporated into the overall structure of the company. I've identified a set of practices and structures by searching for the common parts in the previously mentioned frameworks, methodologies, models and standards. As a starting point I've used the 33 practices from De Haes & Van Grembergen (2008), since these cover a wide range of practices recognised as important factors in achieving alignment between the business strategy and the IT strategy of an enterprise. Since information security is closely related to information technology, I've opted to include these practices.
Figure 11, Greatest obstacles to improving information security (bar chart, 0-40% axis; categories: insufficient capital expenditures; lack of vision on how future business needs impact security; lack of information security strategy; insufficient operational expenditures). PriceWaterhouseCoopers, Global internet security survey 2014
An important barometer to check whether information security can have a level of success is to see if the budgets are in line with the expectations of the business and with the risk exposure and risk appetite a company is facing.
As with many new technologies, being the unknown in the group does not help to gain confidence. While most security stakeholders agree that action should be taken to improve information security, there appears to be little consensus on the challenges to achieve it. We asked respondents to identify the greatest obstacles to better security. The answers revealed a wide range of diverging opinions and, in some cases, finger pointing, as concluded by PriceWaterhouseCoopers (2013).
Figure 12, Reasons for not collaborating on information security (bar chart, 0-35% axis; categories: do not want to draw attention to potential weaknesses; are concerned that a competitor would use such information to…; no one competitor is considerably more advanced than others; distrust our competitors; large organisations with more financial resources would use…). PriceWaterhouseCoopers, 2013
Information Security framework
The information security framework provides a set of documents encompassing policies, standards, guidelines and procedures, as defined in the ISO 27001:2013 standard. One of the crucial parts in the formalisation process is the integration, approved by senior management, of an information security policy across the entire organisation. The information security policy typically outlines the rules on how to conduct business in a secure fashion: the do's and don'ts when it comes down to the usage of the company's assets.
When looking in depth into the COBIT 5 framework, we can see a shift from a merely operational approach to a more management-oriented approach when it comes down to information security. And we can see a clear top-down approach, since managing risk is considered at the governance level within the COBIT 5 framework. Information security is no longer considered a purely operational part of your organisation. In COBIT 5 it is represented in APO13 (Align, Plan and Organise); this process requires an input from an external source, which would be the ISMS in place, for example ISO 2700x based, but could also be a proper set of policies, standards and guidelines from a company.
Figure 14, How many respondents have a formally documented information security policy? (Bar chart, 0-100% axis: 2012 - large organisations 95%; 2012 - small organisations 63%; 2010 - small organisations 67%.) PriceWaterhouseCoopers, Information security breaches survey 2012
Figure 13, I know the security policy of my company? (Bar chart, 0-80% axis; responses Strongly Agree, Agree, Neutral, Disagree, Strongly disagree; series Board, Exec, Overall.) Koen Maris, 2013
A survey executed by PriceWaterhouseCoopers (2012) shows a positive trend in the progress of developing a formal statement such as an information security policy, at least for the large organisations. It shows that companies, management and board, attach importance to information security. However, having a security policy in place says little about the maturity of the processes required to execute the security rules in a correct manner, and it does not give any level of assurance that it is kept up to date and reviewed on a regular basis. Another issue that arises is that a policy can have many forms, one better than the other. Some companies consider just an acceptable use policy as sufficient, where others have a very detailed and granular approach in addressing the information security issues of their company. Ideally a clear strategy is set and communicated by senior management; such a statement provides a clear message to all staff that information security is taken seriously in the organisation and that it is part of day-to-day business.
The majority of the respondents agreed to know the security policy/strategy of their company, so a knowing or awareness level is present at the top level of the company. However, a small percentage disagreed, and there is some discrepancy between the fact that the majority of the people replied and/or believe that there is an information security policy present in the company and the fact that they have some knowledge about its content. This trend is confirmed by a survey performed on behalf of PriceWaterhouseCoopers (2012) stating:
Possession of a security policy by itself does not prevent breaches; employees need to understand it and put it into practice. Only 26% of respondents with a security policy believe their employees have a very good understanding of it; 21% think the level of staff understanding is poor.
Chief Security Officer/Chief Information Security Officer
Any company of a reasonable size requires, in today's corporate environment, a designated person responsible for addressing the information security requirements, obligations, reporting etc… In the majority of today's companies you'd be able to identify such a person; however, his or her title or position might be anything from chief information security officer to data/privacy officer or even IT security officer. Immediately one of the difficulties arises: whether to attach him/her to IT or to a business-related function. In addition, the responsibility oftentimes ends up in the hands of a Chief Finance Officer, Chief Information Officer or even the IT manager. However, having an information security function says nothing about the success of this function or the quality of the information security programme carried out across the organisation.
An important aspect in the success and acceptance of a good information security programme is the reporting line; there is a lot of discussion on this topic and today there is no prescriptive rule to apply. If the reporting line is too closely related to the IT function or direction, such as with a CIO, it could create a separation of duties issue. The latter would give the CIO the possibility to overrule an information security decision made by the security officer. But if the CISO/CSO is only responsible for IT-related matters it would make sense to make him/her report to a CIO instead of to somebody else within the organisation.
In addition, the CIO may interfere with security procurements by favouring certain vendors or products without understanding the technological differences between the products, states Jody R. Westby (2012).
Michael Porter (1985) states that if you remove friction and solder smoother connections, you are providing a basis for competitive advantage for your organization. When applying that logic to a CSO/CISO role, it should be a transversal role in the company. And according to Derek Slater (2009) the CSO/CISO should be guiding the executives in detecting common challenges in a way that facilitates cooperation between departments.
Figure 16, To whom does your CSO/CISO report? (Bar chart, 0-40% axis; categories: CEO/COO, CFO, CIO, General counsel, Chief Audit Officer, Other.) Jody R. Westby, 2012
Figure 15, Any company should have an information security responsible? (Bar chart, 0-60% axis; series Board, Exec, Overall.) Koen Maris, 2013
Information Security Steering Committee
An information security steering committee provides a means to ensure good practice and that information security is applied effectively and consistently over the enterprise (COBIT 5 for Security). The report Guidance for Boards of Directors from ISACA (2006) states that a steering committee serves as an effective communication channel for management's aims and directions and provides an ongoing basis for ensuring alignment of the security programme with organisational objectives. It is also instrumental in achieving behaviour change toward a culture that promotes good security practices and policy compliance.
According to an article by Tom Scholtz (2003), an information security steering committee must have a clear charter with a range of functions that should include but not be limited to:
- Managing the development and executive acceptance of an enterprise security charter.
- Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioural policy). A major objective of this function is ensuring that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.
- Assessing any requests for policy exceptions from individual business units.
- Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure), as well as requests to be excluded from common investment.
- Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.
- Acting as custodian and governance body of the enterprise security program by ensuring visible executive support, as well as monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.
- Assessing and approving the outsourcing of common security services, as well as coordinating investment in appropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.
- Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost of common security initiatives, and advising the committee with appropriate recommendations.
- Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.
- Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.
- Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).
- Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).
- Tracking major line-of-business IT initiatives to identify opportunities for synergy or to leverage security investment.
- Governing trust relationships with major e-business partners.
Notwithstanding the importance of such a committee and the mandate it carries, I can only determine a low level of presence of such a committee according to the information found in the surveys. According to the survey performed by Tripwire-Ponemon (2013), only 15% of the companies have a meeting organised on a regular basis, which in this survey means annual, quarterly or semi-annual.
In a PriceWaterhouseCoopers (2012) survey it was noted that only 47% of the respondents had an information security steering committee in place. Jody R. Westby's (2012) survey, as shown in Figure 17, is a little more positive, but the fact that risk is included could have an impact on the result. These results seem low, especially when considering that the IT strategy committee is regarded as an efficient practice and reasonably easy to integrate in an organisation according to De Haes & Van Grembergen (2008).
Figure 17, Risk/Security committee are less rare (bar chart, 0-100% axis; categories: Audit committee; Governance/compliance…; Risk/Security committee; IT committee). Jody R. Westby, 2012
It remains difficult to identify a direct cause of why an information security steering committee is only present in a limited number of companies. The reason might be found in the bottom-up approach of reporting, since the majority of security professionals find that their information is too technical and will not be understood by non-technical management, according to a Tripwire-Ponemon (2013) study. The initiative of getting such a committee to work is something that requires sponsorship from senior management and eventually board members, but if security professionals are not willing to take up the task of transforming their reporting into comprehensible language it will be impossible to get information security on the agenda.
Implementation of information security
Integrating or implementing information security across the organisation demands rigour and focus, since information technology, and thus security issues, evolve at high velocity. The pace of change is an aspect one has to take into account in order to keep up with the latest technology, compliance and regulation. There is no doubt that the actual integration of the controls occurs at the operational levels of a company, though it is the responsibility of the executive management to ensure that sufficient resources and budgets are available and that the priorities are respected as defined by that same management.
Regarding the budgets, a PriceWaterhouseCoopers (2014) survey revealed that only 8% of the IT budget is spent on security when we look into the IT aspect of information security. About 20% of those same respondents say they only spend about 1% of the total budget on information security. To make matters worse, 80% of those respondents from large organisations claim not to evaluate the return on investment on their security expenditure, according to PriceWaterhouseCoopers (2012).
About 80% of the same respondents claim that their security spending is aligned with their current business requirements, finds PriceWaterhouseCoopers (2012). When looking at a study from Deloitte (2012), it shows that 44% of their respondents said that budgets (2010-2011) stayed the same, and 34% claimed the budgets decreased. Prudence though is required when analysing the results, as studies show that information security budgets are often only a fraction of what is spent on security across the entire enterprise. Today most companies apply such a federated model, about 56% of the respondents claim. 74% of CISO respondents have executive commitment, but that has not translated into adequate funding in the majority of cases.
Information security does not only require an adequate budget; it relies on people with the right skillset. These are not readily available and, moreover, security technologies are rapidly changing, requiring people to adapt and train on a continuous basis.
Blocking is not the answer. In many studies it is clear that companies are adapting to new ways of conducting business, but often it seems that the way to adapt is to block. When looking at social media, 45% of the companies said they block social media in combination with adjusting the policy, according to the study from E&Y (2012). And with the rise of BYOD we can see a similar attitude: 52% are considering blocking access or allowing it in a very limited fashion. The way to mitigate new risks such as smartphones and tablets looks focused on the formal approach and less on the technical implications such technology has. Could this mean that companies are willing to accept the risk, are tired of using technology as a solution, or perhaps lack funding?
Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones? (Bar chart, 0-60% axis; categories: policy adjustments; increased security awareness activities; encryption techniques; new mobile device management software; allow the use of company-owned devices, but disallow use of…; governance process to manage the use of mobile applications; architectural changes.) Ernst & Young, 2012
Monitoring and assessments
Executive management should monitor that the framework and its corresponding controls are working effectively, that security breaches are contained, that incident response is working correctly and that the company is in compliance with regulatory bodies.
In practice we see that 82% of the CSO/CISOs are responsible for measuring and reporting cyber security; however, only 8% of these same respondents are currently measuring the value and effectiveness of their enterprise cyber security organization's activities, says Deloitte (2012). Figure 5 shows that only 48% of the respondents monitor and evaluate security incidents and events, though more than 60% do internal audit assessments and self-assessments by IT or information security. Top performing companies in regard to information security use the top 4 approaches in order to evaluate and monitor their information security practices in the organisation, according to E&Y (2012).
Figure 19, How many respondents measure the effectiveness of their security expenditure? (Bar chart, 0-50% axis; series Small, Large; categories: measuring trend in security incidents/costs; benchmarking against other organisations; return on investment (ROI) calculation; measuring staff awareness; monitoring level of regulatory compliance; other formalised processes; do not formally evaluate.) PriceWaterhouseCoopers, Information security breaches survey, 2012
Awareness and communication
It is important to make a clear distinction between awareness and training. Awareness typically defines the "what", in order to influence the general behaviour of your targeted audience. It prepares people to put things in perspective and opens their eyes to aspects they generally would not think about. Training however goes deeper into the details, for example the technical details on how a virus or a control technique works. Training takes the "how" part more into consideration and is mostly established for a specific audience or target group. However, security awareness remains one of the most underfunded and overlooked mechanisms for improving your information security programme, says Rebecca Herold (2005).
Have you ever had any security training?
ESET, a popular anti-virus vendor, asked this question whilst studying the implications of the bring-your-own-device strategy emerging in the corporate environment. The defined target audience was U.S. adults employed at the time of the survey. The level of training received appears rather low compared to the importance attached to the subject by top management. Only 32% of employees say they received training when taking up their new job, according to a survey performed by Cisco (2008).
Figure 20, Have you ever had any security training? (Pie chart: Yes 32%, No 68%.) ESET survey 2012
A PriceWaterhouseCoopers study (The global state of Internet Security Survey 2014) remarks that 21% of their respondents have a policy on security awareness training and about 59% of those same respondents have a senior executive communicating on the importance of information security. Cisco and ESET seem to reach a similar result, and the PriceWaterhouseCoopers (2014) survey shows that the policy itself does not guarantee the execution of the task.
A consensus between board members and executives can be found in the approach on how to communicate on information security. As shown in Table 1, a security awareness campaign is considered the best way to share information security knowledge across an organisation. All groups set the same criteria in regard to communication of information security. At first sight it is a positive trend that awareness and security policies are receiving the same level of attention from top to bottom in an organisation, though there is some kind of knowing-and-doing gap. Everyone knows about the importance, though as other surveys show, the level of doing is relatively low when it comes down to awareness campaigns.
Rank | Board | Executives | Overall
1 | Security awareness campaign | Security awareness campaign | Security awareness campaign
2 | Formal security policies | Formal security policies | Formal security policies
3 | Email | Official statements/reports | Official statements/reports
4 | Official statements/reports | Email | Intranet
5 | Intranet | Intranet | Email
Each respondent had the choice of 5 answers and was asked to put them in order of importance, where 1 was the most and 5 the least important. All proposed answers were shown in random order.
Table 1, What is the best way to share security knowledge (policy, incident management, control procedures, etc…)? Survey Koen Maris, 2013
While many agree and talk about the subject, only few put its importance into practice. Ernst & Young (2012) performed a survey that indicates that only 9% of the companies see security awareness as a priority in the next 12 months.
Any security awareness programme should be a continuous effort, just as we experience in our daily lives. We have to be reminded continuously about the dangers when moving in traffic, whether we're a pedestrian, using a bicycle or a car. Every year around the Christmas holidays we are kindly reminded about the dangers of drinking and driving. It is no surprise that this is a deadly cocktail, and even though we've done a training programme during our induction into traffic, our driver's licence, we tend to forget this. It is no different with information security: the same techniques are used or reused over and over again and still we are prone to these attacks. Hence the importance of a recurrent approach; repetition is king.
Figure 21, How do respondents ensure staff are aware of security threats? (Bar chart, 0-100% axis; large organisations vs small organisations; categories Induction only and Ongoing; values shown in the chart: 62%, 46%, 27%, 31%.) PriceWaterhouseCoopers, Information Security breaches survey, 2012
According to a Tripwire-Ponemon (2013) study the reporting line from bottom to top is not working properly: in about 60 percent of the cases reporting is not happening, or only when a severe security risk is revealed. A more serious issue is that negative facts are filtered before being disclosed to senior management. This dramatically limits the opportunity for effective communication and reduces the organization's visibility into the urgency of security issues, according to the Tripwire-Ponemon (2013) report. About 12% of the UK respondents in the Tripwire-Ponemon (2013) study say that senior executives are not interested; this is extremely worrying given the high volume of cyber security issues in the media, and perhaps it shows more the lack of communication capabilities of some of the security professionals.
Figure 22, Why communication with senior executives is not considered effective? (Bar chart, 0-70% axis; categories: communications are contained in only one department or line of business; the information is too technical to be understood by non-technical management; communications occur at too low a level; negative facts are filtered before being disclosed to senior executives and the CEO; we only communicate with senior executives when there is an actual incident; it takes too much time and resources to prepare reports to senior executives; the information can be ambiguous, which may lead to poor decisions; senior executives are not interested in this information; other.) Tripwire-Ponemon, The state of risk based security, 2013
Conclusion
Which level of information security governance “awareness” is present at the level of the Board of Directors and executive management in a contemporary enterprise?
In many cases board members and executive management are progressing on the path to information security governance, and many surveys that explore this path indicate that a decent level of awareness is present. A positive indicator is that a number of practices at board and management level follow a positive trend. At the same time the surveys also show that being aware of an issue does not guarantee that the issue is addressed accordingly.
If there is one general point that requires attention it must be communication, from top to bottom and vice versa. The board and its members appear to look at information security as an important part of conducting business today, but they are not getting the information required to act on it. This is confirmed by the fact that executive management does not perform well in bottom-up reporting: the information is filtered and reported at best when a severe incident has occurred, which is hardly the best way to start a constructive discussion on information security. Secondly, it might be worth having an independent committee take the decisions, prepare the reports and provide the required feedback, so that executive management and the board members have full transparency on information security incidents, projects etc.
Such a communication channel might open the path for executive management to develop a clear information security governance strategy aligned with the overall enterprise strategy, and to have it approved by the board to get the required sponsorship.
Board members
Which practices (structures, procedures) have been identified?
A number of practices specifically related to the board and its members have been identified:
Leadership, strategy and value
Measurement, audit and monitoring
Risk management
Identify security leaders
To what extent are these practices considered effective?
Measuring the effectiveness of these practices is not always an easy goal to achieve. Companies, and board members more specifically, are well aware of managing risk, and some effectiveness can be deduced from the fact that the majority is aware of the risk appetite set in their company. It was unclear whether a company with thoughtful leadership and enterprise risk management in place had also identified a security leader. Many companies have a security leader, whether a Chief Risk Officer or another information security related function, but whether this is due to legal and compliance pressure or to good leadership and high awareness remains unclear. The audit and monitoring parts are well in place, but their degree of effectiveness is doubtful, especially since only half of the companies have a strict separation between the risk and audit committees.
Which practices are well adopted in today's enterprise?
The practices regarding leadership, alignment and value are the least adopted; all the others are fairly well adopted and show a positive trend for improvement. When it comes down to leadership, most boards are still neglecting information security. This could explain why business and information security are not well aligned and why there is little or no value creation for the business when looking at information security. As an ultimate excuse, technical complexity is used to justify this neglect.
What are the main drivers for implementing these practices?
In many cases the drivers are still legal and compliance related issues. A severe incident also triggers the attention of board members, though whether this is because of the legal consequences or because of financial interest is unclear. In either case it remains an ad hoc modus operandi, which is not a sustainable approach to information security.
Executive management
Which practices (structures, procedures) have been identified?
Identifying the practices of executive management regarding information security provides more tangible results than for the board members. The following practices have been identified:
Information Security Framework
Chief Security Officer/Chief Information Security Officer
Information Security Steering Committee
Implementation of information security
Monitoring and assessment
Awareness and communication
To what extent are these practices considered effective?
The majority of companies today have a security framework/policy in place and the majority of people say they know about it. This says little about the level of understanding of the policy, however, and there the answers point in the opposite direction. In most companies of a reasonable size there is a Security Officer. The effectiveness of such a role depends heavily on the reporting line this person has, and in some cases this creates a problem since bottom-up reporting does not occur at all or is biased.
The steering committee is only gaining ground slowly and it remains difficult to judge its effectiveness. When such a committee is well integrated in a company it could be an ideal lever to raise issues with management and the board, and it could improve the reporting line.
Implementing security is done to some extent; it is no secret that budgets are under pressure in today's difficult economic circumstances. The fact that only a small number of companies evaluate the return on investment of security spending could be a reason that security budgets stay low: having the support of senior management is not the only factor required to get adequate funding. The same attitude shows in the monitoring part. Less than 10% of the security officers say that they effectively measure and evaluate the effectiveness of their controls and funding, though there is a better level of monitoring when it comes to incidents, audit and self-assessment.
Which practices are well adopted in today's enterprise?
The two least adopted practices are the information security steering committee and awareness. Regarding information security awareness, companies are conscious of its importance, but there is still a big gap between what they know and what they are effectively doing. However, there is a positive trend and companies are recognising the value of spending money and resources on awareness. The steering committee is less adopted, but it is gaining ground.
What are the main drivers for implementing these practices?
Legal and compliance remain a big motivator for implementing information security; the interest from the senior levels of companies is relatively low since it remains a complex and highly technological subject. The fact that information security is put on the agenda whenever there is a severe incident is not helping; this negative context makes it extremely difficult to put information security in a positive light. Combined with reporting that is often not done correctly (facts are changed, severity is lowered or reporting does not occur at all), these factors make it virtually impossible to get information security on the agenda of the decision makers.
End note
The research revealed some aspects, though a lot of questions remain open, especially on the effectiveness side. Many aspects are not measured for effectiveness, and the links between the structures and procedures, and how they influence each other, are not well researched. An interesting point would be to see whether companies with good Enterprise Risk Management also have good information security governance, and whether a good reporting line from bottom to top would improve the strategy and also give better top-down communication.
Table of Figures
Figure 1, Does your board regularly, occasionally, rarely or never complete the following actions? Jody R. Westby, 2012 (p. 18)
Figure 2, How important is each type of experience when recruiting new directors? Jody R. Westby, Governance of Enterprise Security (p. 20)
Figure 3, Does your function meet the organisational requirements? EY, Fighting to close the gap, 2012 (p. 23)
Figure 4, Organizational involvement in aligning risk-based security management with business objectives. Tripwire, 2013 (p. 24)
Figure 5, How does your organisation assess the efficiency and effectiveness of information security? EY, Fighting to close the gap, 2012 (p. 25)
Figure 6, Separate risk committee and audit committee. Jody R. Westby, 2012 (p. 26)
Figure 7, Subjects actively addressed by the board. Jody R. Westby, 2012 (p. 26)
Figure 8, I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed to take during your daily tasks.) Koen Maris, 2013 (p. 27)
Figure 9, Enterprise Risk Management program/structure in place. Jody R. Westby, 2012 (p. 27)
Figure 10, Key role risk/security function in place. Jody R. Westby, Governance of Enterprise Security (p. 29)
Figure 11, Greatest obstacles to improving information security. PriceWaterhouseCoopers, Global internet security survey 2014 (p. 31)
Figure 12, Reasons for not collaborating on information security. PriceWaterhouseCoopers, 2013 (p. 32)
Figure 13, I know the security policy of my company? Koen Maris, 2013 (p. 33)
Figure 14, How many respondents have a formally documented information security policy? PriceWaterhouseCoopers, Information Security Breaches Survey 2012 (p. 33)
Figure 15, Any company should have an information security responsible? Koen Maris, 2013 (p. 35)
Figure 16, To whom does your CSO/CISO report? Jody R. Westby, 2012 (p. 35)
Figure 17, Risk/Security committees are less rare. Jody R. Westby, 2012 (p. 38)
Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones? Ernst & Young, 2012 (p. 40)
Figure 19, How many respondents measure the effectiveness of their security expenditure? PriceWaterhouseCoopers, Information Security Breaches Survey, 2012 (p. 41)
Figure 20, Have you ever had any security training? ESET survey 2012 (p. 42)
Figure 21, How do respondents ensure staff are aware of security threats? PriceWaterhouseCoopers, Information Security Breaches Survey, 2012 (p. 44)
Figure 22, Why communication with senior executives is not considered effective? Tripwire-Ponemon, The State of Risk-Based Security, 2013 (p. 45)
Bibliography
Allen, J. H. (2007). Governing for Enterprise Security. Carnegie Mellon CyLab, CERT.
Cisco. (2008). The Effectiveness of Security.
Deloitte. (2011). Global Risk Management Survey, 7th edition.
Dutra, A. (2012). A more effective board of directors. Harvard Business Review, 2.
Ernst & Young. (2012). Risk appetite: the strategic balancing act. Retrieved from www.ey.com.
European Audit Committee Leadership Network. (2012). Strategy, risk appetite at the board. ViewPoints.
Harris, S. (2003). CISSP All-in-One Exam Guide, 2nd edition.
ISACA. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management. ISACA.
ISACA. (2010). Business Model for Information Security. ISACA.
ISACA. (2012). COBIT 5.
ISACA. (n.d.). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Retrieved from ISACA: http://www.isaca.org/COBIT/Pages/default.aspx?cid=1003566&Appeal=PR
NIST. (2006). Information Security Handbook: A Guide for Managers. Special Publication 800-100.
Porter, M. (1985). Competitive Advantage.
PriceWaterhouseCoopers. (2012). Information Security Breaches Survey Technical Report. PwC.
PriceWaterhouseCoopers. (2013). The Global State of Information Security Survey.
Royal Institute of Technology. (2011). Assessing Future Value of Investments in Security-Related IT Governance Control Objectives.
Slater, D. (2009). What is a CSO. Retrieved from CSOonline: http://www.csoonline.com/article/2124612/it-careers/what-is-a-cso--part-2.html
Solms, S. v. (2008). Information Security Governance. Springer.
Stanford Graduate School of Business. (2011). Board of Directors: Duties & Liabilities.
De Haes, S., & Van Grembergen, W. (2008). Practices in IT Governance and Business/IT Alignment. ISACA Journal, 6.
Scholtz, T. (2003). The role of the corporate information security steering committee. Retrieved from SC Magazine: http://www.scmagazine.com/the-role-of-the-corporate-information-security-steering-committee/article/30595/
Tonello, M. (2008). Corporate Governance Handbook: Legal Standards and Board Practices, 3rd edition. The Conference Board.
Tripwire-Ponemon. (2013). The State of Risk-Based Security.
Carnegie Mellon University. (2012). Governance of Enterprise Security: CyLab 2012 Report.
Westby, J. R. (2012). Governance of Enterprise Security. Carnegie Mellon University CyLab. Retrieved from CyLab Survey Reveals Gap in Board Governance of Cyber Security: https://www.cylab.cmu.edu/news_events/news/2008/governance.html
Wikipedia. (2013). NIST Special Publication 800-53. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
Wikipedia. (2014). ISO/IEC 27000-series. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/ISO/IEC_27000-series