1 / 23

JANUS Associates

JANUS Associates. Information Security Governance (A Comprehensive Approach to Information Security). Presented by: Patricia A. P. Fisher, CEO. What is the State of Information Security Today?. Phishing breaches were 4 times higher in 2012 than in 2011

yepa
Download Presentation

JANUS Associates

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. JANUS Associates Information Security Governance (A Comprehensive Approach to Information Security) Presented by: Patricia A. P. Fisher, CEO

  2. What is the State of Information Security Today? • Phishing breaches were 4 times higher in 2012 than in 2011 • Cost of breaches has increased from $214 to $222 per breach • Cyberattacks – 102 successful attacks per week, compared to 72 in 2011, 50 in 2010 (RSA) • By January 2013, cyber crime had grown to 46% of all attacks (Hackmageddon.com) • Symantec reports that over $114bn in cash losses was reported worldwide

  3. National Information Security Governance • What is information security governance? • Leadership • Framework established to ensure that all the security elements put in place to protect your data environment work efficiently, accomplish what is intended, and do so cost effectively • Processes to carry out what is intended by the leadership‘ • Why is it important? • Provides a framework for secure business operations in an interconnected world • Ensures the Country’s security resources are well spent

  4. National Information Security Governance • Why is it important? • Provides ability to conduct secure business operations in an interconnected world • Ensures the Country’s security resources are well spent • Gains international respect

  5. National Information Security Governance • What does it need to include? • Alignment with the information security strategy of the Nation • Management of risks • Efficient and effective management • Verification of results

  6. National Information Security Governance • What benefits can be gained from a security governance program? • International recognition • Fewer breaches to deal with/increased efficiency • More effective use of resources

  7. Governance Model Organizational Governance Security Governance IT Governance Financial Governance • Policies • & • Procedures Verification Reporting

  8. Who Does What In Governance? Governance Responsibility Country Government Level Organization Strategy Risk Management Ministry A Ministry B Policies Function Function Function Procedures ……...Departments……..

  9. Existing Problems • Governments are often working at the tactical level without a strategic framework • Examples: • Security tools • Incident response • Lack of regular feedback to executive management • Examples: • Ad hoc testing occurs without a pre-defined structure • Few requirements for action plans to provide solutions

  10. Security of Operations Stove-pipe management Ministry of Finance Ministry of Agriculture Ministry of Education Ministry for Resources

  11. Make Security Strategic Stove-pipe management leads to gaps GAP GAP GAP Ministry of Finance Ministry of Agriculture Ministry of Education Ministry for Resources

  12. A Holistic Approach to Governance Ministry of Finance Ministry of Agriculture Ministry of Education Ministry for Resources Security Risk Management

  13. Governance Implementation • The Role of Government Executive Management - Strategic • Commit To Holistic Security Excellence • Set a common vision • Establish principles to guide the program Security

  14. Governance Implementation • The Role of Ministry Executive Management - Strategic • Commit To a Program • Create the security program plan • Apply the necessary resources • Manage Change • Drive transformation through organization • Measure Success • Internal testing and measurement • Audit improvement Security

  15. Governance Implementation • Governance Requirements • Centralized leadership • Scalability and agility • Comprehensive planning • Management of risk • Continuous improvement in quality

  16. Best Practices Security Governance Approve Define Interpret Implement

  17. Tiered Security Process Ministry Management Drive the Program Risks Audit Results Vulnerability Assessments Continuous Monitoring Security Awareness Policies Guidelines Standards Feedback Page 12

  18. Likelihood X Impact = RISK Drive to the left Page 14

  19. Risk Management Plan Risk Analysis Audits DO Plan of Action and Milestones Act Revise Policy & Program Redirect Risk Analysis Check Continuous Monitoring “After-Action” Reports Page 16

  20. Vendor Risk Management • Risk Can Not Be Outsourced • Boundaries of ownership for security controls must be crystal clear • Continuous security monitoring and reporting back • Integration of incident response between the vendor and your organizations Page 17

  21. The Role of Executives • Set Example: • “Tone from the Top” • Role Model Accountability • Set Expectations: • Security expectations must be explicit in vendor agreements • Establish Oversight: • Vendors should submit to independent security assessments and audits Page 17

  22. Information Security Measures of Performance • Program is Effective • Investment reduces the number of findings in audit reports • Success rate in closing items in the Plan of Action and Milestones • Impacts from security incidents trend lower • Policies Are Followed and Effective • Procedures should generate evidence of performance • Continuous monitoring: antivirus, intrusion detection • Vulnerability assessments • After action reports on disaster recovery, incident response Page 18

  23. In Summary • Security Governance • Set information security vision – Country level • Establish strategy – Ministry level • Bring in experienced employees/advisors • Drive the vision • Verify • Improve security and lower levels of risk • Become best in class to improve • quality, lower costs

More Related