JANUS Associates
Information Security Governance (A Comprehensive Approach to Information Security)
Presented by: Patricia A. P. Fisher, CEO
What is the State of Information Security Today?
• Phishing breaches were 4 times higher in 2012 than in 2011
• Cost of breaches has increased from $214 to $222 per breach
• Cyberattacks – 102 successful attacks per week, compared to 72 in 2011, 50 in 2010 (RSA)
• By January 2013, cyber crime had grown to 46% of all attacks (Hackmageddon.com)
• Symantec reports that over $114bn in cash losses was reported worldwide
National Information Security Governance
• What is information security governance?
  • Leadership
  • Framework established to ensure that all the security elements put in place to protect your data environment work efficiently, accomplish what is intended, and do so cost effectively
  • Processes to carry out what is intended by the leadership
• Why is it important?
  • Provides a framework for secure business operations in an interconnected world
  • Ensures the Country’s security resources are well spent
National Information Security Governance
• Why is it important?
  • Provides ability to conduct secure business operations in an interconnected world
  • Ensures the Country’s security resources are well spent
  • Gains international respect
National Information Security Governance
• What does it need to include?
  • Alignment with the information security strategy of the Nation
  • Management of risks
  • Efficient and effective management
  • Verification of results
National Information Security Governance
• What benefits can be gained from a security governance program?
  • International recognition
  • Fewer breaches to deal with/increased efficiency
  • More effective use of resources
Governance Model
(Diagram labels: Organizational Governance; Security Governance; IT Governance; Financial Governance; Policies & Procedures; Verification; Reporting)
Who Does What In Governance?
(Diagram labels: Governance Responsibility; Country Government Level; Organization; Strategy; Risk Management; Ministry A; Ministry B; Policies; Function; Function; Function; Procedures; Departments)
Existing Problems
• Governments are often working at the tactical level without a strategic framework
  • Examples:
    • Security tools
    • Incident response
• Lack of regular feedback to executive management
  • Examples:
    • Ad hoc testing occurs without a pre-defined structure
    • Few requirements for action plans to provide solutions
Security of Operations
Stove-pipe management
(Diagram labels: Ministry of Finance; Ministry of Agriculture; Ministry of Education; Ministry for Resources)
Make Security Strategic
Stove-pipe management leads to gaps
(Diagram labels: GAP; GAP; GAP; Ministry of Finance; Ministry of Agriculture; Ministry of Education; Ministry for Resources)
A Holistic Approach to Governance
(Diagram labels: Ministry of Finance; Ministry of Agriculture; Ministry of Education; Ministry for Resources; Security Risk Management)
Governance Implementation
• The Role of Government Executive Management - Strategic
  • Commit To Holistic Security Excellence
    • Set a common vision
    • Establish principles to guide the program
Governance Implementation
• The Role of Ministry Executive Management - Strategic
  • Commit To a Program
    • Create the security program plan
    • Apply the necessary resources
  • Manage Change
    • Drive transformation through organization
  • Measure Success
    • Internal testing and measurement
    • Audit improvement
Governance Implementation
• Governance Requirements
  • Centralized leadership
  • Scalability and agility
  • Comprehensive planning
  • Management of risk
  • Continuous improvement in quality
Best Practices
(Diagram labels: Security Governance; Approve; Define; Interpret; Implement)
Tiered Security Process
(Diagram labels: Ministry Management; Drive the Program; Risks; Audit Results; Vulnerability Assessments; Continuous Monitoring; Security Awareness; Policies; Guidelines; Standards; Feedback)
Likelihood × Impact = RISK
(Diagram label: Drive to the left)
Risk Management
(Cycle diagram labels)
• Plan: Risk Analysis; Audits
• Do: Plan of Action and Milestones
• Act: Revise Policy & Program; Redirect Risk Analysis
• Check: Continuous Monitoring; “After-Action” Reports
Vendor Risk Management
• Risk Cannot Be Outsourced
  • Boundaries of ownership for security controls must be crystal clear
  • Continuous security monitoring and reporting back
  • Integration of incident response between the vendor and your organizations
The Role of Executives
• Set Example:
  • “Tone from the Top”
  • Role Model Accountability
• Set Expectations:
  • Security expectations must be explicit in vendor agreements
• Establish Oversight:
  • Vendors should submit to independent security assessments and audits
Information Security Measures of Performance
• Program is Effective
  • Investment reduces the number of findings in audit reports
  • Success rate in closing items in the Plan of Action and Milestones
  • Impacts from security incidents trend lower
• Policies Are Followed and Effective
  • Procedures should generate evidence of performance
    • Continuous monitoring: antivirus, intrusion detection
    • Vulnerability assessments
    • After action reports on disaster recovery, incident response
In Summary
• Security Governance
  • Set information security vision – Country level
  • Establish strategy – Ministry level
  • Bring in experienced employees/advisors
  • Drive the vision
  • Verify
• Improve security and lower levels of risk
• Become best in class to improve quality, lower costs