Security Governance as IT Governance Internal Process
A Methodological Automated Approach for an effective IT Security Management
Maurizio Milazzo, Business Development
SECURITY GOVERNANCE
Security Governance is a mix of operations and activities used to achieve the best Information Security Process Management, compliant with the industry and with the Company's Business Strategies. A Global Security Governance Approach makes it possible to:
  • Plan and Organize Company internal Processes consistently with Business Needs
  • Evaluate the real Security Risks of Company Infrastructures
  • Make the right Investments in agreement with Business Needs
  • Improve the Organization's Security Level
  • Optimize Resource Management (Technologies and People)
  • Measure the Compliance of the Results obtained
SECURITY GOVERNANCE: The Vision
Diagram elements: Information Security Plan; Guidelines; Security Plan & Design; Policy & Procedure; Security Control; KPI Indicators; Events Collection; Dashboarding; Process Definition; Security Audit; Security Implementation; Security Check; Security Report; Security Strategies; Security Infrastructures; Security Countermeasures; Security Monitoring; Security Projects; Compliance & Business Strategies
SECURITY GOVERNANCE: Information Security Plan
The Security Plan is an important Tool for a correct Plan and Security Governance Organization Process. In particular it makes it possible to:
  • Define a repeatable and structured Risk Management Process
  • Use a Tool supporting the Analysis & Risk Management Methodology
  • Define and Analyze Systems & Applications Security Requirements
  • Highlight any critical situations or non-conformities with expectations, sharing risks and security controls between Governance and IT Operations Company Units
SECURITY GOVERNANCE: ISP Manager Risk Scenario
Phases: System Description; Data Classification; Impact Analysis; Risks Identification; Effectiveness level of Controls (as is); Solutions Identification (to be)
Elements: Types of Information Managed; Threats; Vulnerability; Controls Actually Implemented; Systems Scope and Functionality; Data and Information; Users; HW & SW Architecture; Communications Flow; Systems Functionalities and Technologies; Data Treated; Boundaries and Interactions; Users Typologies, Access Way; Data Criticality (RID); Risk Class (C1, C2, C3); Risk Scenario List and Controls Evaluation; Actually Implemented Counteractions (physical, logical and organizational); Controls Effectiveness; Hardening
ISP MANAGER: RID, Counteractions AS-IS
Diagram elements: Filter Categories; Counteractions; User Input; List of Possible Counteractions – Classification via Domain; Criticalities vs List; Selection of Existing Counteractions; Methodological Automation; User Input; IT & Data Assessment; Counteractions; Application Owner; Application Owner; Data Classification and Information; Scope and System Functionality; Users; HW & SW Architecture; Flow Configuration; MACRODATA TYPOLOGY; Data & Information; Effectiveness of Controls (AS-IS); R, I, D (C1, C2, C3); Dashboard
ISP MANAGER: Risk Scenarios TO BE
Diagram elements: Identification of Counteraction Needs; User Input; AS-IS Definition and Print; GAP ANALYSIS; TO BE; Select & Match Cx level; Methodological Automation; Methodological Automation; Security Manager; Effectiveness of Controls (AS-IS); Risk Scenarios; Security Plan; Reconciling Plan
Categories/Events: Errors; Crime; Use Failure; Sabotage; Unfitness for use; ……
Mapping Domain/Security: Identification-Authentication; Authorization; Data Controls; Communications Protection; Business Continuity; ……
ISP MANAGER: Plan Automatic Make-up
Roma, 22 September 2009
Maurizio Milazzo, Business Development, [email_address]
Thank You
Security Governance as IT Governance Internal Process


Editor's Notes

  • #5 Talk about the security plans