Robert Fullagar CISSP CISM CRISC CLAS CEH
“Security is everyone’s responsibility”

Security Programme Structure and Methodology

Contents
• People structure
• Key positions
• Roles of individuals
• Methodology/approach
• Deliverables
People (programme structure)
• Senior Manager/Board Member
• Business Representatives (several, one per business area)
• Programme Manager
• Project Managers
• Senior Security SME
• Delivery Teams
• External Resource
• Security SME

Delivery Team Structure
• Programme Manager
• Project Manager
• Security SME
• Infrastructure Lead
• External Resource
• Do’ers

Other People
• Security Architects
• Technical Architects
• Legal Specialist
• PMO Support
• Procurement
• HR
• Etc.
Roles: Senior Manager/Board Member
• Influencer
• Has a vested interest in improving security
• Can keep the momentum going
• Able to procure budget

Roles: Business Representatives
• Set/agree scope for their business area
• Set priority based on risk for their business area
• Monitor progress
• They are the decision makers

Roles: Programme Manager, Project Managers, Senior Security SME
• Action the decisions of the business representatives
• Translate the business and technical requirements
• Bring resource and structure to deliver the scope
• Provide budgetary figures to the programme board
• Select and evaluate solutions

Roles: Delivery Teams, External Resource, Security SME
• These are the do’ers, the engine room
• The detail people; they bring to bear detailed, specific knowledge
• They do the actual hands-on work
• They help make the project board’s scope a reality
Initiator (what starts the programme)
• Legislative
• Contractual
• External standards
• Business driver or direction
• Infrastructure replacement project
• Consolidate security in a finished project
• Because it’s “best practice”

What happens when
• Phase 0 – Discovery (6-18 months): risk assessment provides input to Phase 1; keep an eye on Phase 1 scope and the long-term strategy
• Phase 1 – Foundation (18 months to 2 years): deliver the Phase 1 scope; define the long-term strategy
• Phase 2 – Leverage (2-5 years+): deliver the Phase 2 scope
• BAU security cycle thereafter
Board Deliverables (Senior Manager/Board Member, Business Representatives) – Phase 0: Scope
• Business area
• Drivers – why
• Financial commitment
• Time and resource commitment
• Draft strategy

Programme Deliverables (Programme Manager, Project Managers, Senior Security SME, Delivery Teams, External Resource, Security SME) – Phase 0
• Plan – resource and tasks
• Budget (+/- 100%)
• Approach
• Quick wins at minimal cost
• Risk assessment

Board Deliverables (Senior Manager/Board Member, Business Representatives) – Phase 1
• Prioritise the items from the risk assessment
• Financial support
• Allocate and commit resource
• Long-term strategy

Programme Deliverables (Programme Manager, Project Managers, Senior Security SME, Delivery Teams, External Resource, Security SME) – Phase 1
• Risk assessment
• Proposals to remediate
• Accurate costs
• Plan, time and resource
• Deliver the agreed scope
Summary – Phase 0
• Board: business driver, vision, initial budget, commitment
• Programme: plan, budget, approach, quick wins
• Board: GO decision

Summary – Phase 1
• Programme: risk assessment, remediation actions, budget to remediate, outline plan
• Board: prioritise risks, financial support, commitment, agree plans
• Board: long-term strategy
BAU Security: Plan → Do → Check → Act (continuous cycle)

Thank You – Questions?