Keys to Success for the Information Security Officer


Published on January 12, 2008

Author: Marcell

Source: authorstream.com

Content

DTS Introduction - Housekeeping
- Welcome! Kelvin Pye, Assistant Director, Office of Business Development & Innovation
- DTS Technology Days: partnering with Gartner Services and others
- Chris Byrnes discussion:
  - Structuring and managing an IT security program.
  - Appropriate metrics for an IT security program.
  - How an IT security program fits into your overall governance model.
  - How to manage risk assessment processes in an IT security program.

Keys to Success for the Information Security Officer
Chris Byrnes

The Top Five Issues
1. Where does the CISO report?
2. How does governance affect the CISO?
3. How do regulatory compliance issues affect the CISO?
4. What role does the CISO play in the budget process?
5. How does security architecture affect security program management?

1. Where does the CISO report?
It depends on:
- The maturity level of your security program
- The maturity level of risk management by the rest of your organization.
You can report directly to the CIO only after you have proven your trustworthiness, professionalism and business focus to the CIO.
You can report outside of the CIO only after the CIO has proven to the executive team that you are successful.

Information Security Maturity
[Chart: maturity plotted against time through four phases, with the share of organizations in each: Blissful Ignorance (30%), Awareness Phase (50%), Corrective Phase (15%) and Operations Excellence Phase (5%). Activities marked along the curve: Assess Current State; Establish (or Re-Establish) Security Team; Develop New Policy Set; Initiate Strategic Program; Architecture; Institute Processes; Conclude "Catch-Up" Projects; Track Technology and Business Change; Continuous Process Improvement.]
NOTE: Population distributions represent typical, large Global 2000-type organizations.

Over 30% of Organizations say Infosec is not part of IT department
- Corporate decision to separate risk control from risk management
  - Usually for compliance reasons
- A suitable reporting point exists
  - Chief Risk Officer
  - Head of Security (i.e. physical security or criminal investigation)
- Business model is subject to high levels of cybercrime
- IT department is already very large and specialized
- Political Wasteland

The Fragmentation of the Infosec Team?
[Diagram: the infosec team's work split across Governance, Administration, Monitor & Response, Enterprise Risk Management and Operations.]

2. How does governance affect the CISO?
[Diagram with the elements Enterprise Risk Mgt, Corporate & Operational Governance, Regulatory Compliance Requirements, Authorities, Accountabilities, Policies, Controls, Corporate Governance, Strategy, Policy, Architecture and Apps.]

3. How do regulatory compliance issues affect the CISO?
[Diagram: the same elements as the governance diagram (Enterprise Risk Mgt, Corporate & Operational Governance, Regulatory Compliance Requirements, Authorities, Accountabilities, Corporate Governance, Strategy, Policy, Architecture, Apps), with Legal Counsel added.]

4. What role does the CISO play in the budget process?
[Diagram: the Security Budget ($) negotiated among the Risk Management Organization, the Business Unit and Operations, with the labelled flows Translate Into Security Requirements, Express Risk in Technical Terms, Express Acceptable Risk and Explain Risk Without Technical Terms.]

The 4I Model for Security Value
[Diagram: four quadrants labelled INTEGRITY, INVESTMENT, INDEMNITY and INSURANCE, on the axes Regulatory and Stakeholder Exposure, Reliability of Business Operations, Expected Return and Risk Management.]
- Investment: Expected financial return; Brand enhancement; Competitive differentiation; Future agility
- Indemnity: Stakeholder support; Increased accountability; Compliance; Improved awareness
- Integrity: Business process integrity (confidentiality, availability, and accuracy); Continuous improvement
- Insurance: Understanding of risk; Appropriate risk mitigation

5. How does security architecture affect security program management?
- Security architecture provides a defined level of security (baseline, trust level) to a defined set of resources (trust domain).
- Multiple baseline/multiple trust domain architectures are demanded by many (most?) businesses.
- Security architecture may be a responsibility of the enterprise architecture team – WITH SUPERVISION!

The Activity Cycle of the CISO
- Information Security is maturing
- Enterprise Risk Management is emergent
- The role of the CISO is becoming clear.
Let’s start by analyzing the audience:
- Who is looking at the information security function?
- What are they looking for?

Strategic Planning Assumption
- As a result of pressure from their value chain partners and regulatory demands for transparency and privacy, 80% of large organizations (90% of publicly held ones) will implement defined, documented security architectures and baselines for over 60% of their IT assets by 2009. (0.7 probability)
- By 2009, 70% of large commercial organizations will have implemented coherent, consistent risk management processes across major classes of risk in response to Board and auditor demands. (0.7 probability)

Who Looks for What?
[Diagram only; no slide text recovered.]

The Reality Is Three Views of the Same Object

Priorities
Business, Policy, Process, Behavior, Tools

Melding Three Views
[Diagram: Business, Policy, Process, Behavior and Tools brought together under the Controls, Architecture and Process views.]

Security Officer’s Activity Cycle
[Diagram; only the RUN phase label survives.]

The Govern/Plan/Build/Run Structure
- ISO/IEC 27001:2005 Information Security Management System (ISMS)
  - Intro: Plan – Do – Check – Act
  - Details: Establish – Implement – Monitor – Maintain
- Gartner: Govern – Plan – Build – Run
- These are cycles. All phases are iterative.
- In the Gartner AC the monitor function is explicit in the Run phase.
- 27001 has no reference to governance. It accepts that inputs (requirements and expectations) arrive somehow from “interested parties.”

The Process Maturity Process
- Same objectives as QA/Six Sigma/ISO 9000
- Conceptually similar to ITIL
- Formal definition & maturity assessment of individual security-related processes
  - SEI/CMM equivalent
- Maturation plan for low-maturity processes
- RACI analysis & simplification

Four (?) Run Functions
- Communications & Relationship Management
- Risk & Controls Assessment
- Identity & Access Management
- Threat & Vulnerability Management

Controls View
[Diagram; labels G, RA and Controls.]

What Is A Control?
A CONTROL consists of:
- POLICY (accountability)
- PROCESS (metrics, accountability)
- TECHNOLOGY (automation)

ISO/IEC 17799:2005
- Being renamed ISO/IEC 27002:2007
- Explicitly a control structure
- Subset, map to COBIT 4.0
- Eleven sections (up from 10)

Architecture View
(Restates the three points from issue 5 above.)

Typical Content and Structure
[Diagram: security architecture contents arranged as a matrix of viewpoints (Business, Information, Technical) against levels (Conceptual, Logical, Implementation); the items are listed on the next slide.]

Typical Contents – Security Architecture
- Vision/strategy
- Services framework, process model, role model, policy framework, classification framework, trust level definitions, conceptual design models
- Organization models, security information flow models, design principles, logical design models, trust models, trust domain models, requirements templates
- Organization architecture, security information architecture, information classification register, technical reference models, security infrastructure architectures, security services architecture, application security architectures

The Role of the CISO
- Translate business and regulatory requirements into policy, technical standards and controls
- Bring together process, architecture and controls perspectives into a single program
- Assure compliance to policy
- Measure compliance to policy
- Assure the sufficiency of policy

Recommendations
- Search for staff with good communications skills and an understanding of your business.
- Develop a process-oriented security program.
- Assign ownership and accountability for the risk management function, minimizing conflicts of interest and separation of duties issues.
- Develop a continuous risk assessment process.
- Continuously monitor, measure, and report security posture to management.
- Build greater levels of accountability, transparency and measurability into security controls.

Q&A

Department of Technology Services
Thank you. Slides will be available on the DTS website, as well as a recording of this session. Please complete the evaluation form and leave your business card at the registration desk.
Next Event – DTS Customer Forum at the GTC West 2006 Conference, May 18th, 2:00 – 4:00 PM, Sacramento Convention Center, Room 311.
Coming soon, “The Demystification of Identity Management”
