
Information Security Governance: What Is It And How Can We ...


Presentation Transcript


    1. Information Security Governance: What Is It And How Can We Accomplish It?
       Todd Fitzgerald, CISM, CISA, CISSP, ITILv3, ISO27000 Certified
       National Government Services, Medicare Systems Security Officer
       ISACA Kettle-Moraine Chapter Meeting, December 4, 2008, Milwaukee, WI

    3. Today’s Objectives… To Discuss
       - Security Governance Definition
       - Why We Need Security Governance
       - 13 Questions
       - Leadership Core Competencies
       - Vehicles For Communication
       - Security Control Structures
       - Achieving Security Compliance
       - Effectively Working With Internal/External Auditors

    4. Security Governance Defined
       “Information Security governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security programme.” - IT Governance Institute

    5. And Wikipedia Says… Governance relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems. In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

    6. Governance Derived From Latin Origins To Denote “Steering”
       Steering vs. “Power Over”:
       - Defines expectations
       - Grants power
       - Verifies performance
       - Avoids undesirable consequences
       - Coordinates and controls activity
       - Provides processes to control an activity

    7. Risks Are Increasing
       - Cybercrime
       - Malware
       - Identity theft
       - Lost laptops
       - Targeted financial gain
       - Personal information sharing
       - Slowing of security investment
       - Dissipation of security message
       - Competitive pressures

    8. News Items Continue To Gain Attention of Board of Directors

    9. A Who’s Who of Fortune 500 Companies.. And The List Is Growing

    10. Leading Organizations Adhere To This Model

    11. Leading Organizations Adhere To This Model

    12. Information Security Strategy Must Align With Business Objectives
        - Top-down process
        - Linkages to business process and strategy
        - Information in oral, paper, and electronic forms
        - Transcends physical boundaries
        - Establish acceptable practices, policies, and procedures

    13. An Information Security Program With Governance Provides Increased Assurance
        - Risk management
        - Resource management of critical skills and infrastructure
        - Performance measurement
        - Providing value-add in delivery of services and products
        - Specific organizational accountability for security

    14. Can Organizations Survive Without …?

    15. Few Organizations Can Survive Without
        - Customer information
        - Knowledge of processes
        - Accounting and financial reporting information

    16. However, Information Security Importance Varies Amongst Senior Executives

    17. However, Information Security Importance Varies Amongst Senior Executives

    18. However, Information Security Importance Varies Amongst Senior Executives

    19. However, Information Security Importance Varies Amongst Senior Executives

    20. However, Information Security Importance Varies Amongst Senior Executives

    21. However, Information Security Importance Varies Amongst Senior Executives

    22. Fear, Uncertainty, Doubt Gets Investment $$$

    23. However, The Next Time The Event Happens

    24. The Governance Answer…

    25. Security Needs Involvement From The Board of Directors/Executive Management
        Strategic Oversight:
        - Review alignment with organization strategy
        - Determine risk profile for organization
        - Endorse security program
        - Require regular reporting on effectiveness
        - Review investment return
        - Potential new technologies to add value, reduce costs

    26. “Techie” Core Competencies

    27. Shift To Leadership Competencies

    28. Security Officer Core Competencies

    29. (The Detail)

    30. (The Detail)

    31. (The Detail)

    32. (The Detail)

    33. (The Detail)

    34. (The Detail)

    35. Now The C-Level People Understand The Security Guy Behind The Mask and The Security Team’s Role, But…

    36. Multiple Groups Must Understand Security At The Appropriate Level
        - Competitive disadvantage
        - Fraud
        - Loss due to disclosure, destruction of information
        - Reputation/public confidence
        - Bad decisions
        - Business disruption
        - Legal liability
        - Safety risks
        - Loss of productivity
        - Low morale
        - Corporate espionage, loss of contracts

    37. Focus Different, Goals Ultimately The Same
        - Increase shareholder value (stock price)
        - Increase revenue
        - Reduce administrative costs
        - Increase market share
        - Increase worker productivity
        - Provide innovative products
        - Provide quality products and customer service
        - Attract and retain talented workforce
        - Accept reasonable business risk

    38. Ensure Communication Plan Delivers Targeted Security Message

    39. Security Governance Depends Upon Clear Management Directives And Expected Outcomes

    40. Security Governance Depends Upon Clear Management Directives And Expected Outcomes

    41. Security Governance Depends Upon Clear Management Directives And Expected Outcomes

    42. Security Governance Depends Upon Clear Management Directives And Expected Outcomes

    43. Security Governance Depends Upon Clear Management Directives And Expected Outcomes

    44. Multiple “Best Practice” Standards Have Been Created To Provide Guidance For Our “Security Cultures”
        - Control Objectives for Information and related Technology (COBIT 4.1)
        - ISO27001/2 Information Security Management System (ISMS)
        - Payment Card Industry Data Security Standard (PCI DSS)
        - Gramm-Leach-Bliley Act (GLBA)
        - European Union Privacy Directives
        - Recommended Controls For Federal Information Systems (NIST 800-53)
        - Federal Information System Controls Audit Manual (FISCAM)
        - DISA Security Technical Implementation Guides (STIGs)
        - HIPAA Final Security Rule

    45. Each Control Framework/Set of Standards Has Its Own Governance Purpose
        - COBIT
        - ISO27001/27002
        - NIST 800-53
        - PCI Data Security Standard
        - HIPAA
        - DISA STIGs
        - FISMA

    46. NIST 800-53 Recommended Controls For Federal Information Systems Is Very Useful For All Environments

    47. Attaining Compliance With These Regulations Is A Life Changing Event!

    48. Achieving Security Compliance Assurance Requires Specific Due Diligence
        - Designate individual responsible for compliance assurance oversight
        - Establish security management governing body
        - Select control frameworks and controls
        - Conduct awareness and training
        - Research and apply technical controls
        - Verify compliance
        - Implement formal remediation process
        - Dedicate staff, automate compliance tasks
        - Report on compliance metrics
        - Enforce penalties for noncompliance with policy
        - Collaborate and network externally

    49. Security Audits Necessary To Ensure Controls Are Functioning

    50. Controls Must Be Tested To Provide Adequate Assurance of Compliance With Policies
        - Quarterly vulnerability assessments
        - Annual penetration tests
        - External/internal audits
        - Random spot-checks
        - Informal testing with security awareness training
        - Security configuration reviews
        - SDLC walkthroughs

    51. Let’s Agree On This Before We ‘Dump’ On The Auditors
        Auditors and Security Officers exist to ensure the business has:
        - Documented policies
        - Documented procedures/processes
        - Documented evidence of implementing these controls
        - Evidence of ongoing operations
        - Periodically tested the controls

    52. What Do Security Officers LIKE About Auditors?
        - Internal Audit areas usually have organizational clout
        - Controls-oriented
        - Can identify previously unknown issues
        - Provide ammunition/urgency for fixing issues quickly
        - Provide knowledge of best practices and standards
        - Internal auditors find issues prior to external audits

    53. Adopting A “Reasonable” Approach To Auditing For Security Governance

    54. Final Thoughts
        - Security governance requires top-down responsibility sharing
        - Ask the question: why am I involving this group? What is needed from them?
        - Governance provides visibility into the effectiveness of the security program, and is the pathway to future security investments

    55. Further Reading
        - “CISO Leadership: Essential Principles For Success”, Todd Fitzgerald and Micki Krause, ISC2 Press/Auerbach Publications, 2008. Available on Amazon.com and the ISC2 website.
        - “Security Governance: Taming the Compliance Beast”, T. Fitzgerald, in Information Security Handbook (Tipton, Krause), 2008.
        - “13 Questions the CISO, CEO, and CISO Should Ask Each Other”, T. Fitzgerald, ISC2 Journal, September/October 2007.
        - “Security Governance”, T. Fitzgerald, in Information Security Handbook (Tipton, Krause), 2007.
        - NIST 800 series special publications (www.csrc.nist.gov/publications).
        - IT Governance Institute, Information Security Governance: Guidance For Boards of Directors and Executive Management, 2nd Edition, www.itgi.org.
