Information Security Program Management Ramachandra Kulkarni
Agenda • Information security program • Organization and budgeting • Program components • Staffing and career development • Metrics and measurement
Information security organization structure (How will I organize myself)
• Program Office: Strategy and Planning; Macro Risk Profiles; Threat Horizon
• Policy and Risk Practices: Policies and Standards; Training and Awareness; Risk Measurement Systems; Incident Learning
• Investigations: E-Discovery investigations; Forensic investigations
• Business Continuity Planning: Business Unit Resilience; Technology Resilience; Crisis Response; Supports BCP Coordinators
• Business Information Risk: BU Information Protection; Risk Monitoring; Incident/Investigations Response
• Application Risk: Application Security; Risk Monitoring; Incident Response; Supports IT and LSCs
• Infrastructure Risk: Infrastructure Security; Risk Monitoring; Incident Response; Supports IT Infra and LSCs
• Architecture: Solutions Catalog; Security Architecture
• Information security Operational services: Operational support to the security streams; acts as a service engine
Information security – Key activity streams
• Risk consulting: Consult with business groups on their projects with regard to information risk; develop / suggest and help implement controls around new systems
• Risk Monitoring: Ensure operational monitoring of events; ensure implementation of defined policies; ensure the incident response mechanism is effective; ensure control framework deployment; ensure proper segregation of duties
• Risk Reporting: Report external and internal threats and organization readiness; provide analytics for prioritized investment in the protection program; provide insight into resource allocation; provide inputs to the risk analysis process; monitor and measure trends in the effectiveness of the security program
Planning and Funding • Define scope and alignment with business groups • Yearly planner with quarterly reviews • Determine the info. security model (centralized / de-centralized). • Determine the method of funding (stakeholder / IT budgets / independent) • Major cost components • Implementation of new security technologies • Reporting and tools • Staffing • Audits and assessment (Internal / External) • Compliance (Internal policies / Regulatory / Contractual) • Typically 4 – 7 % (up to 7 – 10 % in specific cases) of the total “IT” budget.
Working the interfaces (divisions and the interface areas each has with Information Security)
• IT operations: Buy-in, technical design, IT services, BCP, capacity and performance management
• Business units: BCP, buy-in for policies, customer requirements, new systems and applications, awareness
• Legal / compliance: Compliance reporting, legal requirements, policy considerations
• Physical security: Physical controls, visitor handling, differentiated access setup in the buildings
Building credibility – the infosec brand • Be the "go-to" person for any issue involving security (build domain expertise) • Admit issues when they exist (do not get defensive) • Communicate appropriately (at multiple levels) • Accept and acknowledge solutions from any source (the most common failing) • Build programs for effective communication (dashboards / scorecards) • Bring in risk transparency • Do not encourage a "differentiated security" culture (very difficult and sensitive). Ultimately, the different groups should feel that information security acts as an enabler rather than as a department that puts the brakes on every initiative. The answer: communicate, communicate, communicate.
Program component framework Asset classification User classification Threat classification Risk Analysis Education Strategy identification Metrics Change management Security plan development Security architecture Source : Burton research
Program input components • Asset classification • Inventory of all information assets • Classification according to value to the organization • Feed into risk analysis • User classification • Categories of users • Not every user will require every bit of information, facilities • Key input to segregation of duties within user community • Threat classification • Value of consequences • Location of the operational elements
Program core components • Risk analysis • The most important component of the information security strategy • Output is key facts such as the priority of resources to be protected, the impact of the threats and the resources to be made available • Need not always be highly analytical or tool-driven • Strategy identification • Key inputs come from the risk analysis • Strategy covers resources, technology, reporting and the program • Security plan development • Details of the projects to be taken up • Details of the organization chart and responsibilities • Details of the control environment • Security architecture • Technology architecture (technology biases, tool standardization) • Policy framework (adopted standard, policies and procedures) • Control framework (baseline, project-based controls)
Program support components • Change management • Structured approach to changes in the information environment • Analysis of security impact before a change is done • Education • Education during induction • On-going education initiatives • Educating users of new systems • Delivery channels – classroom, email, videos and articles • Metrics • Important barometer for protection standard • Key inputs in terms of improvement / decline in security levels • Operational and quantitative metrics
Information security – Staffing parameters • How big your team should be depends on • Number of systems (IT infrastructure) • Percentage of critical business running on IT • Overlapping functions (BCP, compliance) • Number of locations • Number of employees • Some pointers for staffing • 5 – 7 % of IT staff • In large organizations (> 4000 employees), one information security staff member for every 700 employees (where > 70 % of data is held on systems)
Information Security Organization – Skills mapping
• Roles, most senior first: CISO; Program manager – Info. Security; Senior Manager – Info. Security; Team leader / Managers; Team members / Security specialists
• Skills required, from the business and program end (senior roles) to the technical end (specialist roles):
• Business understanding; Ability to influence; Metrics management; Assurance mechanisms; Program management; Processes expertise; Regulatory frameworks; Technology
• Defining and managing processes; Verification and validation; Technology (specific areas); Business processes awareness
• Process appreciation; Technology certification; Certifications; Communication skills; Assessments and reviews
Information Security Career Paths (broad level)
• Security Engineering track (bottom up): Security administrator (O/S, Network, DB) → Security Specialist (Firewall, VPN, IDS) → Security Manager (design, planning, implementation and roll-out) → Engineering Head (budgets, design validation, stakeholder interface)
• Risk Management and Assurance track (bottom up): Controls Analyst → Risk and Compliance Analyst → Risk and Assurance Manager
• Process Consultant: shown as an additional entry role alongside the tracks
• Both tracks lead into the Information Security Program Management Office (CISO)
Staff challenges and strategies • Challenges • Security being equated to technologies (firewall, IDS, anti virus etc). • Lack of business understanding • Lack of appreciation towards processes • Inability to convince / influence stakeholders • Some of the possible solutions • Develop ability to interact in “business language” • Educate information security staff on the big picture (go beyond firewall, IDS etc). • Penalize for process failures through the appraisal system. • Staff Rotation • Within security team on different areas • Agreement with the IT team for rotation
Why measuring security is difficult • What the dictionaries say • Security – "freedom from risk or danger" • Security – "keeping from harm" • Both definitions point to an inherently relative term • Some things that are difficult to measure • Employee morale • Opportunity cost of an outage caused by infosec controls • Statistics need to be blended with enterprise knowledge • A trader unable to access the application for 30 minutes from 19:00 to 19:30 is a totally different matter from a trader unable to access it from 11:00 to 11:30. As a result, what gets measured is what can be visualized, and unfortunately a large percentage of that is not meaningful.
Measurement strategy • Possible options for measurement • Gap assessment (prioritization is a challenge) • Against previous performance (aligning with organization goals is not easy) • Against business criticality (ideal, but very difficult to measure and requires extensive enterprise knowledge) • ROI metrics (there is hardly any robust method of computing ROI on security) • Comparison against other organizations (does not align with organization goals, and sharing of information is a limitation) • Program management (top-down) metrics (blending in the details is a big challenge). None of these methods gives the required assurance on its own; a combination of two or more of them is a reasonable plan for metrics.
What information risk metrics should offer • Should provide fact based decision making • Provide resource allocation insight • Serve as a communication tool to influence organization. • Metrics should essentially throw up risk elements • Metrics should provide pointers on when to • Accept the risk • Avoid the risk • Mitigate the risk • Transfer the risk • Should provide trends of improvement or lack of it. • Should also provide pointers to investment areas
Design Principles for an Information Risk Scorecard
Each metric should:
• Enable decision making: translate technical security data into business risk implications that executives can use to drive mitigation trade-off decisions.
• Articulate future readiness: provide not only a view of current performance but also directional guidance on readiness to meet future threat scenarios.
• Be comparable over time: capture historical trends to outline performance.
• Require minimal resource consumption: the data for each metric should be easily and cost-effectively captured.
The overall scorecard should:
• Be simple: performance measurement reports should be concise and quickly highlight areas of concern.
• Present non-technical data: the scorecard should speak to an executive audience and focus on non-technical data.
Performance measurement and communication: in their efforts to create reporting processes that truly resonate with diverse audiences, members cite a litany of obstacles, including a dearth of reliable key performance indicators, lack of consensus around what should be measured, and the perennial challenge of quantifying risk.
• Start with the key decisions that need to be made and derive metrics that support those decisions, instead of a bottom-up aggregation of available metrics.
• Include CISO risk assertions and concise summaries.
• Include a CISO explanation of estimated future direction.
• Develop metrics with longevity in mind, considering the life of the various systems and anticipated business changes that may diminish effectiveness and/or complicate collection in the future.
• Identify both the upfront burden of putting the collection process in place and the ongoing burden of regular data collection.
• To draw audience attention to the highest-priority issues, adopt an exception-based reporting approach instead of inundating the audience with reams of data.
• Involve the audiences in the design by soliciting input prior to and during scorecard creation.
Source: IREC research.
Sample approach • Steps • Define categories • Define risk indicators • Define Tolerance levels • Input the current reporting period results • Measure against tolerance • Obtain trends
Quarterly data analysis (sample scorecard; the slide's grid did not survive extraction)
• Areas (rows): Infrastructure; Applications; Management; Physical security; Data protection; Awareness; Change management
• Event types (columns): Control failure; External threats; Internal threats; Processing failure; Unauthorized activity
• Tolerance levels shown on the slide: >= 80 (within tolerance), < 80 (below tolerance), 100 being the maximum score
• Sample values shown for Infrastructure: 95 in the current period and 78 in the previous reporting period, with a further cell value of 74
• One event per metric
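The scorecard mechanics behind the sample approach (define areas and risk indicators, set tolerance levels, enter the period's results, measure against tolerance, obtain trends) can be made concrete in a few dozen lines. The following is an added illustration and not code from the original slides; the 0–100 scoring convention, the GREEN/AMBER bands and every period value are constructed for the example.

```python
"""Information risk scorecard: indicators measured against tolerance, with trends.

Added example, not from the original slides. Assumptions: each
(area, event type) indicator is scored 0..100 with 100 meaning no events
of concern; the GREEN/AMBER tolerance bands and all period values below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Step 1 and 2: categories (areas) and risk indicators (event types).
AREAS = ["Infrastructure", "Applications", "Management", "Physical security",
         "Data protection", "Awareness", "Change management"]
EVENT_TYPES = ["Control failure", "External threats", "Internal threats",
               "Processing failure", "Unauthorized activity"]

# Step 3: tolerance levels (assumed bands).
GREEN = 80   # at or above: within tolerance
AMBER = 60   # at or above but below GREEN: watch; below AMBER: breach

Key = Tuple[str, str]


@dataclass(frozen=True)
class Finding:
    area: str
    event_type: str
    current: int
    previous: Optional[int]

    @property
    def status(self) -> str:
        if self.current >= GREEN:
            return "green"
        return "amber" if self.current >= AMBER else "red"

    @property
    def trend(self) -> str:
        if self.previous is None:
            return "n/a"
        if self.current > self.previous:
            return "improving"
        return "declining" if self.current < self.previous else "flat"


def build_period(overrides: Dict[Key, int], default: int = 100) -> Dict[Key, int]:
    """Full grid of indicators for one reporting period, with a few overrides."""
    grid = {(a, e): default for a in AREAS for e in EVENT_TYPES}
    grid.update(overrides)
    return grid


def score_period(current: Dict[Key, int], previous: Dict[Key, int]):
    """Steps 4-6: compare every indicator with tolerance and with the prior period.
    Indicators missing from the current period are reported as collection gaps
    rather than silently scored as 100."""
    findings: List[Finding] = []
    gaps: List[Key] = []
    for area in AREAS:
        for et in EVENT_TYPES:
            key = (area, et)
            if key not in current:
                gaps.append(key)
                continue
            findings.append(Finding(area, et, current[key], previous.get(key)))
    return findings, gaps


def exceptions(findings: List[Finding]) -> List[Finding]:
    """Exception-based view: only indicators outside tolerance or moving the wrong way."""
    return [f for f in findings if f.status != "green" or f.trend == "declining"]


def area_summary(findings: List[Finding]) -> Dict[str, str]:
    """Worst status per area: an area is only as good as its weakest indicator."""
    rank = {"green": 0, "amber": 1, "red": 2}
    worst = {f.area: "green" for f in findings}
    for f in findings:
        if rank[f.status] > rank[worst[f.area]]:
            worst[f.area] = f.status
    return worst


def report(findings: List[Finding], gaps: List[Key]) -> List[str]:
    """Concise lines for the scorecard, red items first."""
    lines = [f"{f.status.upper():5} {f.area} / {f.event_type}: "
             f"{f.current} (prev {f.previous}, {f.trend})"
             for f in sorted(exceptions(findings), key=lambda f: (f.status != "red", f.area))]
    lines += [f"GAP   {a} / {e}: no data collected this period" for a, e in gaps]
    return lines


# Constructed sample data for two consecutive reporting periods.
PREVIOUS = build_period({
    ("Infrastructure", "Control failure"): 78,
    ("Applications", "External threats"): 90,
    ("Awareness", "Unauthorized activity"): 55,
})
CURRENT = build_period({
    ("Infrastructure", "Control failure"): 95,    # improved, now within tolerance
    ("Applications", "External threats"): 74,     # declined below tolerance
    ("Awareness", "Unauthorized activity"): 55,   # still a breach, flat
})
del CURRENT[("Change management", "Processing failure")]  # simulate an uncollected metric

if __name__ == "__main__":
    found, missing = score_period(CURRENT, PREVIOUS)
    print("\n".join(report(found, missing)))
    print(area_summary(found))
```

The improved Infrastructure indicator does not appear in the exception list because it is within tolerance and trending up; the Applications indicator does, because it crossed below the tolerance level, and the missing Change management cell is surfaced as a gap instead of being counted as a clean 100, which is how a scorecard quietly loses credibility.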