This document discusses assessing and improving IT security processes through a systematic process. It involves continually assessing existing processes, monitoring security programs, and adapting to evolving threats. Key steps include: assessing security processes and rating their effectiveness; identifying gaps; defining a strategy to close gaps; and executing a plan for improvement. Process improvement should be an ongoing cycle to reduce organizational risk over time.

1. Assessing Your IT Security Processes By Peter Chronis, CISSP, PMP

2. Systematic IT Risk Reduction Enterprise Risk Management requires a thoughtful analysis of the people, processes and technologies used to manage IT risk and your organization’s risk tolerance. Creating a system that: Continually assesses processes and mitigation strategies Monitors security programs at the operational and program level Adapts to evolving threats Focus on reducing risk profile over the next 6-24 months

3. Tailoring Your Approach No correct “one size fits all” approach to managing risk. Assess risk tolerance Align with organizational strategy and SLAs Evaluate organizational talent Avoidance, acceptance, transfer Incorporate thought leaders Aligning with the right standard

4. Security Process Assessment IT security process analysis Effectiveness/maturity Program level management Assessing the gaps Defining the security strategy for your organization Very few corporations know what what kind of data resides on their network, where it is, who has access to it and the cost associated with its theft.

5. Process Improvement Cycle Assess Security Processes Rate Process Effectiveness Group & Identify Gaps Define Strategy Execute Plan

6. Security Process Identification Assess your IT security process footprint ensuring wide coverage of all processes used to reduce your enterprise IT risk. ISO 27002: Policy Access Control Application Development BC/DR Cryptography Governance Physical Network/Telcom. Others

7. Process Improvement Strategy Assess Security Processes Rate Process Effectiveness Group & Identify Gaps Define Remediation Execute Plan

8. Maturity Assessment Rate the effectiveness of your existing security processes using a maturity model. Interviewing your security and business stakeholders to identify organizational needs and identify process gaps. Level 0 – Not preformed Level 1 –Ad hoc and reactive. Level 2 – Repeatable, possibly with consistent results but not rigorous. Level 3 - Managed to a documented standard (SLA) and subject to some degree of improvement over time. Level 4 – Actively managed operationally using metrics that maximize efficiency and effectiveness. Level 5 - Focus on continually improving process performance through incremental and innovative technological improvements.

9. Process Improvement Strategy Assess Security Processes Rate Process Effectiveness Group & Identify Gaps Define Remediation Execute Plan

10. Program Gap Analysis Example Processes A-D require a mitigation strategy to close the gap between the existing processes and what is required to reduce risk

11. Real Life Threat – Operation Aurora Access to source code repositories IE configurations Local admin. privileges Logging and event correlation Bot C&C communication Security awareness for offshore employees/partners Much, much more

12. Be Watchful of Security Trends Annual/Quarterly Security Reports Top security blogs Industry sites Conferences Networking Vendor presentations

13. Process Improvement Strategy Assess Security Processes Rate Process Effectiveness Group & Identify Gaps Define Remediation Execute Plan

14. Mitigation Guidance IT risk mitigation strategies must: balance business impact with cost be operationally supportable explore technology, process innovation, resource reallocation adapt as threats evolve define success using operational metrics

15. Process Improvement Strategy Assess Security Processes Rate Process Effectiveness Group & Identify Gaps Define Remediation Execute Plan