Information Security Management Certification
Dr. Kevin F. Streff
Founder and Managing Partner
605.270.4427 kevin.streff@americansecurityandprivacy.com
Agenda
1. Overview
2. Laws & Regulations
3. IT Exam Process
4. Information Security Programs
5. Risk Management
6. Threats
7. Third Party Management
8. SETA Programs
9. Incident Response Programs
10. Business Continuity Programs
11. Documentation
12. Auditing
13. Metrics
Section 4
Information Security Program
Learning Objectives
• Understand the Security Maturity Model
• Understand linking business strategy to the security program
• Understand information security program options
• Understand the ASP information security program option
SP-CMM Security & Privacy Maturity Model
• SP-CMM is an acronym for Security & Privacy Capability Maturity Model. Maintained by the Secure Controls Framework (SCF) Council, this framework helps organizations establish and evaluate their security and privacy controls.
SP-CMM Security & Privacy Maturity Model
• At a high level, it has three primary objectives:
• Provide C-level executives with well-defined criteria for setting expectations for an organization's cybersecurity and privacy program;
• Provide internal security teams with well-defined criteria for planning and implementing security practices; and
• Provide baseline criteria that organizations can use to evaluate third-party service providers.
Security Tied to Strategy
Leading Security Frameworks
1. NIST Security Framework
2. OASIS Privacy Management Reference Model (PMRM)
3. APEC Privacy Framework
4. Nymity Privacy Management Accountability Framework
5. HITRUST Common Security Framework (CSF)
6. STREFF Security Framework
7. American Security and Privacy (ASP) Information Security Framework (ISP)
NIST Security Framework
OASIS Privacy Management Reference Model (PMRM)
• OASIS, an international open standards consortium, was founded under the name "SGML Open" in 1993.
• The consortium changed its name to "OASIS" (Organization for the Advancement of Structured Information Standards) in 1998 to reflect an expanded scope of technical work.
• OASIS later chartered the Privacy Management Reference Model Technical Committee (the OASIS PMRM TC) to help business process engineers, IT analysts, architects, and developers implement security and privacy policies in their operations.
• PMRM extends broad privacy policies: most policies describe fair information practices and principles but offer little guidance on how to operationalize or implement those practices.
OASIS Privacy Management Reference Model (PMRM)
• PMRM includes two phases: Use Case and High-Level Analysis.
• The first phase scopes the Use Case with which the data is associated.
• This includes drafting a complete description of the environment, following the definitions of "business environment" or "application" established by the stakeholders using the PMRM within a particular Use Case.
• The second phase is the analysis phase.
• This high-level analysis typically draws on Privacy Impact Assessments, previous security and privacy risk assessments, privacy maturity assessments, compliance reviews, and security audits.
• PMRM can be used to examine an entire business environment in order to develop Policies, Privacy Controls, Services and Functions, Mechanisms, or a Privacy Architecture.
APEC Privacy Framework
1. Asia-Pacific framework
2. A set of principles and implementation guidelines created to establish effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth across the 21 member economies of Asia-Pacific Economic Cooperation (APEC).
• The APEC Privacy Framework set in motion the creation of the APEC Cross-Border Privacy Rules (CBPR) system.
• The CBPR system has been formally joined by the United States, Canada, Japan and Mexico.
• The APEC CBPR system requires participating businesses (for example Apple, Box, HP, IBM, Lynda.com, Merck, Rimini Street, Workday, and Intasect) to develop and implement privacy policies consistent with the APEC Privacy Framework. An accountability agent must assess these policies and practices as compliant with the minimum program requirements of the CBPR system.
Nymity Privacy Management Accountability Framework
1. Maintain Governance Structure
2. Maintain Personal Data Inventory and Data Transfer Mechanisms
3. Maintain Internal Data Privacy Policy
4. Embed Data Privacy into Operations
5. Maintain Training and Awareness Program
6. Manage Information Security
7. Manage Third Party Risk
8. Maintain Notices
9. Respond to Requests and Complaints from Individuals
10. Monitor for New Operational Practices
11. Maintain Data Privacy Breach Management Program
12. Monitor Data Handling Practices
13. Track External Criteria
HITRUST Security Framework
• Founded in 2007, the Health Information Trust Alliance (HITRUST) was launched on the premise that information protection should be a core pillar of the broad adoption of health information systems.
• HITRUST brought together public and private healthcare professionals to develop a common risk and compliance management framework.
• In 2015, HITRUST announced that its security framework had been updated with privacy controls.
• Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.
• CSF – Common Security Framework
HITRUST Security Framework
• The CSF contains 14 control categories, comprising 49 control objectives and 156 control specifications.
• The CSF control categories, each followed by its number of control objectives and control specifications, are:
– 0. Information Security Management Program (1, 1)
– 1. Access Control (7, 25)
– 2. Human Resources Security (4, 9)
– 3. Risk Management (1, 4)
– 4. Security Policy (1, 2)
– 5. Organization of Information Security (2, 11)
– 6. Compliance (3, 10)
– 7. Asset Management (2, 5)
– 8. Physical and Environmental Security (2, 13)
– 9. Communications and Operations Management (10, 32)
– 10. Information Systems Acquisition, Development, and Maintenance (6, 13)
– 11. Information Security Incident Management (2, 5)
– 12. Business Continuity Management (1, 5)
– 13. Privacy Practices (7, 21)
Information Security Program Blueprint (ASP ISP v1.1)
(Diagram; the layout did not survive extraction. The labels below are grouped under the headings that appear in the figure; labels with no visible heading are listed last.)
• Documentation: Inventories, Policies, Procedures, Standards, Guidelines, Plans, Audit/Test Results, Reports, SARS, Meeting Minutes, Committee Approvals, Previous Exams, Awareness/Training Materials, Third Party Reports, Network Diagram, Organizational Chart, Process Flows, Incident Reports, Strategies, Budgets, Memos
• FI Processes
• Functions: Asset Mgmt., Physical Security, Business Continuity, Incident Response, Development & Acquisition, Operations Security, Risk Mgmt., Network Security, Auditing, Personnel Security
• Reporting: Board, Committee, Operations, Third Party, Examiner
• Remediation: Assessment Changes, Audit Recommendations, Exam Findings, Incident Reports, Policy Changes
• FI and Technology Strategy
• Other labels: IT Audit, Soc. Eng., Pen Test, Vul. Scanning, Third Party Mgmt., Soft. Dev., Customer, Employee, Systems Inventory, Technology, BIA, AUP, Roles & Resp.

Security Manager - Slides - Module 4 Powerpoint Presentation
