X Company

Global Information Security Policy and Standards
Strategy for global enterprise adoption

Harry Contreras CISSP - Phoenix, AZ
Global Information Security


Global Information Security Policy
Presentation Date - Agenda

Global Information Security Policy Development and Adoption Strategy

  • Policy program overview and strategy
  • Review present state of X-Co InfoSec Policy
  • Intranet site presence and relationships
  • Interdependencies to negotiate and maintain
  • Concurrence on stated future direction & strategy
Information Security Policy – Program Lifecycle

Collaborate
  With stakeholders define required policy, standards and processes to protect X-Co interests and meet business needs.
  Key Benefits -
  • Corporate policy meets global X-Co business requirements
  • Regulatory requirements met in corporate program

Converge
  Unify divergent policy into the corporate body of works. Focus business unit policy reference sites to point to the corporate site.
  Key Benefits -
  • Multiple policies are now one
  • OpCos can focus on business issues

Adopt
  Authorize and endorse the corporate policy & standards for global implementation. Communicate via compliance & security awareness programs. Content delivery via the Intranet site vehicle.
  Key Benefits -
  • Recognized as authoritative policy
  • Translated for global employee population

Govern
  Initiate a policy governance body to oversee and underwrite policy actions to maintain currency and relevancy for the global X-Co enterprise.
  Key Benefits -
  • Policy council oversight
  • Annual review addresses changes in business climate, risks and new regulatory issues

Collaborate   Converge   Adopt   Govern
Information Security Policy – Program Timeline

Policy Program Delivery Milestones
For a “C-Level” audience (in the format of your choice)
Layout of “high-level” timeline with milestones

[Timeline figure: key events over time, Q1-Year to Q4-Year, with milestones plotted across the Collaborate, Converge, Adopt and Govern phases]

Collaborate   Converge   Adopt   Govern
Information Security Policy – Program Timeline

Milestone / Forecast   Timeline Entry   Description

Mm/Dd/Yyyy   Policy Finalization Activity for Version 1.0
             Initial review period and vetting of policy content by X-Co & OpCo stakeholders and authorizers

Mm/Dd/Yyyy   Policy Authorization and Endorsement
             InfoSec Policy Version 1.0 is endorsed by C-Level Officers. CISO and CCO of X-Co sign off on InfoSec policy for the enterprise

Mm/Dd/Yyyy   Policy Communication Plan Launch
             Communications to all X-Co, OpCo Management and IT leadership with announcement of “Compliance by Date” for the company

Mm/Dd/Yyyy   Global InfoSec Governance Council Formed
             Global InfoSec council formed to represent corporate and OpCo IT security interests for the enterprise

Mm/Dd/Yyyy   Develop policy revision changes for Policy v1.0
             Compilation period begins to assimilate changes to present policy in preparation of the InfoSec Policy Version 2.0

Mm/Dd/Yyyy   Proposed Policy Changes for Policy V2 - Freeze
             Period ends for accepting proposed policy changes to developing InfoSec Policy version 2.0

Mm/Dd/Yyyy   Proposed Compliance Date for Policy V1.0 (1 Mm/Dd/Yyyy)
             Company-wide compliance by date for InfoSec Policies from version 1.0

Mm/Dd/Yyyy   Annual Policy Review Cycle for Version 2.0
             Global InfoSec Governance council reviews and assesses proposed changes to Policy version 1.0 in preparation for delivering Version 2.0

Mm/Dd/Yyyy   InfoSec Governance Council Accept Policy Version 2.0
             Global InfoSec Governance council approves InfoSec Policy version 2.0 and forecasts future compliance by date

Note on slide: Develop “high-level” Project Plan WBS for presentation of developing plan milestones.

Collaborate   Converge   Adopt   Govern
Information Security Policy Development & Strategy

Approach for Collaboration and Convergence

Establish top-level Intranet presence for InfoSec Policy
   • Utilize corporate intranet site: intra.X-Co.com
   • Serve up policy & standards in document repository
   • Distribute linkage to other OpCos

Integrate cross-linkages with existing OpCo policy sites
   • As corporate body of content increases
   • Converge OpCo policies & remove site references

Collaborate   Converge
Information Security Policy – Site Relationships

[Site relationship diagram: the Corporate Intranet Site at Intranet.X-Co.com sits at the top, linked to the OpCo Intranet Sites of OpCo A, OpCo B, OpCo C, OpCo D and OpCo E]

Collaborate   Converge
Converged - Information Security “Portal” Page
X Company Intranet Site
Corporate Security Page - Policy Hosting Location

Global Information Security (portal page sections)
   • Overview & Introduction
     • CISO quarterly remarks
   • Policy & Standards Repository
   • Security Topic – Quick Reference
   • Security Awareness Section
   • Links to OpCo policy content

Content and presentation format to be collaboratively developed with Communications.

Corporate Global Policy & Standards Library
   • Information Security Policy
   • Security Position Statements
   • Security Standards
   • Code of Business Conduct

Security Awareness Content
   • Today’s Hot Topics
   • Awareness Library
   • Tools & Resources

Links to Policy sites
   • Marsh
   • Mercer
   • Guy Carpenter
   • Oliver Wyman
   • Kroll

Incident Reporting
   • Report an Incident here

Collaborate   Converge
Information Security Policy & Standards - Framework

Overarching Global Policy (Core)
   Authorized & Endorsed
   Acceptable Use

IT Security Policy Manual
   Implementation policy details

Security Position Statements
   Addresses new technologies
   Mitigating immediate business risks

Subordinate Security Standards
   Detailed technology specs
   Required compliance controls

Security Awareness Content
   Awareness Library of Tools & Resources

Privacy and Data Protection Policy (Core) & AUP
   (AUP) Acceptable Use Policy endorsed by Human Resources, Legal and Compliance
   Collaborate on preexisting content from OpCos for convergence into these two categories

[Framework diagram, bottom row: Security Position Statements | IT Security Policy Manual | IT Security Standards | IT Security Awareness Materials]

Converge   Adopt

Strategy for Adoption and Governance within X-Co
Obtain Authority and Endorsements
  • CISO – Chief Information Security Officer
  • CCO – Chief Compliance Officer acknowledgement
  • CIOs of the Operating Companies
  • Global InfoSec Council (Governance over InfoSec policy)
  • Legal, Human Resources and Compliance stakeholders
Partnerships and Socialization
   • Corporate Communications
   • Internal Audit
   • Compliance Organizations (e.g. SOX, HIPAA)
Communicate
  • Promotion through Communications functions
  • Security Awareness Campaign (Year)

                                     Adopt            Govern

      Information Security Policy Governance

IT Security Policy Development
      • Global InfoSec Council – Governance participation
      • IT Security Policy Content Review Cycle (Annual)

Communications
    • Intranet Content Publication
    • IT Security Bulletins and Alerts
    • User Awareness Campaign Development




                                                 Govern

Critical Success Factors
Build relationships with all OpCos and include them in the Governance body

Define & “converge” Information Security Processes
   • Set up GIS Intranet Policy Service Page
   • Automate policy services and support

Deploy Updated Security Policy and Standards
  • IT Security Policy Education with Business Units




                                             Govern

Information Security Policy - Summary

Collaborate, Converge, Adopt and Govern
- Sustaining Objectives -

Security - Be recognized as the visionary security leaders who collaboratively consult with the business.

Security - Enable the business with compliant and consistent security policy and controls focused on secure future computing within the X-Co environment.

Security - Ensure governed, integrated protection for the entire X-Co enterprise and its resources.



  Protecting Colleagues, Clients and Corporate Assets of X-Co, Inc.
     Collaborate         Converge             Adopt              Govern

Mais conteúdo relacionado

Mais procurados

HP Software - The Bto Solution
HP Software - The Bto SolutionHP Software - The Bto Solution
HP Software - The Bto SolutionHPDutchWorld
 
Asset Performance Management I Maintain 2012
Asset Performance Management I Maintain 2012Asset Performance Management I Maintain 2012
Asset Performance Management I Maintain 2012marc_hoppenbrouwers
 
Responsible Rationalization: Reducing the Cost of IT Operations
Responsible Rationalization: Reducing the Cost of IT OperationsResponsible Rationalization: Reducing the Cost of IT Operations
Responsible Rationalization: Reducing the Cost of IT OperationsEnterprise Management Associates
 
Build vs Buy Strategy
Build vs Buy StrategyBuild vs Buy Strategy
Build vs Buy StrategyChris Halton
 
In-house or Outsource? Evaluating the Make vs. Buy Decision
In-house or Outsource? Evaluating the Make vs. Buy DecisionIn-house or Outsource? Evaluating the Make vs. Buy Decision
In-house or Outsource? Evaluating the Make vs. Buy DecisionContinuous Computing
 
Empowering the CIO: Enabling smarter decisions with application portfolio man...
Empowering the CIO: Enabling smarter decisions with application portfolio man...Empowering the CIO: Enabling smarter decisions with application portfolio man...
Empowering the CIO: Enabling smarter decisions with application portfolio man...IBM Rational software
 
IT governance by Erik Guldentops
IT governance by Erik Guldentops  IT governance by Erik Guldentops
IT governance by Erik Guldentops CONFENIS 2012
 
Cio buy versus build
Cio buy versus buildCio buy versus build
Cio buy versus buildSayantani D R
 
BPM From Project To Program
BPM From Project To ProgramBPM From Project To Program
BPM From Project To ProgramSandy Kemsley
 
Rsasecurity1003a
Rsasecurity1003aRsasecurity1003a
Rsasecurity1003adstack
 
Espinosas Functional Resume Financial Planning & Investments And Busine...
Espinosas Functional Resume   Financial Planning & Investments And Busine...Espinosas Functional Resume   Financial Planning & Investments And Busine...
Espinosas Functional Resume Financial Planning & Investments And Busine...Manuel Espinosa, PPC™
 
Optimizing DevOps Initiatives: The View from Both Sides of the DevOps Divide
Optimizing DevOps Initiatives: The View from Both Sides of the DevOps DivideOptimizing DevOps Initiatives: The View from Both Sides of the DevOps Divide
Optimizing DevOps Initiatives: The View from Both Sides of the DevOps DivideEnterprise Management Associates
 
Introducing KRI model know your customers
Introducing KRI model   know your customersIntroducing KRI model   know your customers
Introducing KRI model know your customersBaby Sirota
 
Best practices in BPM adoption and establishing Centre of Excellence
Best practices in BPM adoption and  establishing Centre of ExcellenceBest practices in BPM adoption and  establishing Centre of Excellence
Best practices in BPM adoption and establishing Centre of ExcellenceSM007
 
Intelligent finance operations provide competitive edge to enterprises
Intelligent finance operations provide competitive edge to enterprisesIntelligent finance operations provide competitive edge to enterprises
Intelligent finance operations provide competitive edge to enterprisesGenpact Ltd
 
1 K E Y K P I Design Plan
1 K E Y  K P I  Design  Plan1 K E Y  K P I  Design  Plan
1 K E Y K P I Design PlanSanjay Mehta
 
Im Workshop 06 05 2009
Im Workshop 06 05 2009Im Workshop 06 05 2009
Im Workshop 06 05 2009aturner_eTeam
 
Critical Incident Response: Why Good Enough is Just Not Good Enough
Critical Incident Response: Why Good Enough is Just Not Good EnoughCritical Incident Response: Why Good Enough is Just Not Good Enough
Critical Incident Response: Why Good Enough is Just Not Good EnoughEnterprise Management Associates
 
[Process Day 2011] Architecting bpm through_a_center_of_excellence
[Process Day 2011] Architecting bpm through_a_center_of_excellence[Process Day 2011] Architecting bpm through_a_center_of_excellence
[Process Day 2011] Architecting bpm through_a_center_of_excellenceEloGroup
 

Mais procurados (20)

HP Software - The Bto Solution
HP Software - The Bto SolutionHP Software - The Bto Solution
HP Software - The Bto Solution
 
Tpm all you need v1.2
Tpm all you need v1.2Tpm all you need v1.2
Tpm all you need v1.2
 
Asset Performance Management I Maintain 2012
Asset Performance Management I Maintain 2012Asset Performance Management I Maintain 2012
Asset Performance Management I Maintain 2012
 
Responsible Rationalization: Reducing the Cost of IT Operations
Responsible Rationalization: Reducing the Cost of IT OperationsResponsible Rationalization: Reducing the Cost of IT Operations
Responsible Rationalization: Reducing the Cost of IT Operations
 
Build vs Buy Strategy
Build vs Buy StrategyBuild vs Buy Strategy
Build vs Buy Strategy
 
In-house or Outsource? Evaluating the Make vs. Buy Decision
In-house or Outsource? Evaluating the Make vs. Buy DecisionIn-house or Outsource? Evaluating the Make vs. Buy Decision
In-house or Outsource? Evaluating the Make vs. Buy Decision
 
Empowering the CIO: Enabling smarter decisions with application portfolio man...
Empowering the CIO: Enabling smarter decisions with application portfolio man...Empowering the CIO: Enabling smarter decisions with application portfolio man...
Empowering the CIO: Enabling smarter decisions with application portfolio man...
 
IT governance by Erik Guldentops
IT governance by Erik Guldentops  IT governance by Erik Guldentops
IT governance by Erik Guldentops
 
Cio buy versus build
Cio buy versus buildCio buy versus build
Cio buy versus build
 
BPM From Project To Program
BPM From Project To ProgramBPM From Project To Program
BPM From Project To Program
 
Rsasecurity1003a
Rsasecurity1003aRsasecurity1003a
Rsasecurity1003a
 
Espinosas Functional Resume Financial Planning & Investments And Busine...
Espinosas Functional Resume   Financial Planning & Investments And Busine...Espinosas Functional Resume   Financial Planning & Investments And Busine...
Espinosas Functional Resume Financial Planning & Investments And Busine...
 
Optimizing DevOps Initiatives: The View from Both Sides of the DevOps Divide
Optimizing DevOps Initiatives: The View from Both Sides of the DevOps DivideOptimizing DevOps Initiatives: The View from Both Sides of the DevOps Divide
Optimizing DevOps Initiatives: The View from Both Sides of the DevOps Divide
 
Introducing KRI model know your customers
Introducing KRI model   know your customersIntroducing KRI model   know your customers
Introducing KRI model know your customers
 
Best practices in BPM adoption and establishing Centre of Excellence
Best practices in BPM adoption and  establishing Centre of ExcellenceBest practices in BPM adoption and  establishing Centre of Excellence
Best practices in BPM adoption and establishing Centre of Excellence
 
Intelligent finance operations provide competitive edge to enterprises
Intelligent finance operations provide competitive edge to enterprisesIntelligent finance operations provide competitive edge to enterprises
Intelligent finance operations provide competitive edge to enterprises
 
1 K E Y K P I Design Plan
1 K E Y  K P I  Design  Plan1 K E Y  K P I  Design  Plan
1 K E Y K P I Design Plan
 
Im Workshop 06 05 2009
Im Workshop 06 05 2009Im Workshop 06 05 2009
Im Workshop 06 05 2009
 
Critical Incident Response: Why Good Enough is Just Not Good Enough
Critical Incident Response: Why Good Enough is Just Not Good EnoughCritical Incident Response: Why Good Enough is Just Not Good Enough
Critical Incident Response: Why Good Enough is Just Not Good Enough
 
[Process Day 2011] Architecting bpm through_a_center_of_excellence
[Process Day 2011] Architecting bpm through_a_center_of_excellence[Process Day 2011] Architecting bpm through_a_center_of_excellence
[Process Day 2011] Architecting bpm through_a_center_of_excellence
 

Destaque

Fiji water environmental nightmare
Fiji water environmental nightmareFiji water environmental nightmare
Fiji water environmental nightmareTri Nguyen
 
Fiji powerpoint
Fiji powerpointFiji powerpoint
Fiji powerpointsanjeevN
 
Marketing Research - Evian
Marketing Research - EvianMarketing Research - Evian
Marketing Research - EvianMarcelo Brescia
 
Strategic Marketing - Evian
Strategic Marketing - EvianStrategic Marketing - Evian
Strategic Marketing - EvianJackie Lee
 
Danone International Case Study
Danone International Case StudyDanone International Case Study
Danone International Case StudyJacob Hostetler
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
 

Destaque (10)

Perrier
PerrierPerrier
Perrier
 
Fiji water environmental nightmare
Fiji water environmental nightmareFiji water environmental nightmare
Fiji water environmental nightmare
 
Fiji powerpoint
Fiji powerpointFiji powerpoint
Fiji powerpoint
 
Nestlé waters
Nestlé watersNestlé waters
Nestlé waters
 
Marketing Research - Evian
Marketing Research - EvianMarketing Research - Evian
Marketing Research - Evian
 
Evian
EvianEvian
Evian
 
Strategic Marketing - Evian
Strategic Marketing - EvianStrategic Marketing - Evian
Strategic Marketing - Evian
 
Danone International Case Study
Danone International Case StudyDanone International Case Study
Danone International Case Study
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 

Semelhante a A Global Info Sec Policy Strategy

Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...
Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...
Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...Health IT Conference – iHT2
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseDenim Group
 
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...Paris Open Source Summit
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 
Managing Projects in the Cloud
Managing Projects in the CloudManaging Projects in the Cloud
Managing Projects in the Cloudgconley
 
Using GDPR to Transform Customer Experience
Using GDPR to Transform Customer ExperienceUsing GDPR to Transform Customer Experience
Using GDPR to Transform Customer ExperienceMongoDB
 
Information governance process & technology
Information governance process & technologyInformation governance process & technology
Information governance process & technologyGNetadmin
 
Cloud - Everyone is doing it, But is it safe?
Cloud - Everyone is doing it, But is it safe?Cloud - Everyone is doing it, But is it safe?
Cloud - Everyone is doing it, But is it safe?Jean-Marie Abi-Ghanem
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Software Integrity Group
 
So You Established a Mobile Strategy….What’s Next?
So You Established a Mobile Strategy….What’s Next?So You Established a Mobile Strategy….What’s Next?
So You Established a Mobile Strategy….What’s Next?InnoTech
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...Cohesive Networks
 
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...Turja Narayan Chaudhuri
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...Turja Narayan Chaudhuri
 
Mobility Risk, Strategy and Policy
Mobility Risk, Strategy and PolicyMobility Risk, Strategy and Policy
Mobility Risk, Strategy and PolicyH Contrex
 
eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878Jonathan Hassell
 
Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...
Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...
Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...scoopnewsgroup
 
BayBio - Facilitating R&D Collaborations through the Cloud
BayBio - Facilitating R&D Collaborations through the CloudBayBio - Facilitating R&D Collaborations through the Cloud
BayBio - Facilitating R&D Collaborations through the CloudSri Chilukuri
 
Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...
Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...
Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...Wanda Halpert
 
ISMS_of ISO 27001-2022-awareness training
ISMS_of  ISO 27001-2022-awareness trainingISMS_of  ISO 27001-2022-awareness training
ISMS_of ISO 27001-2022-awareness trainingHananZayed4
 

Semelhante a A Global Info Sec Policy Strategy (20)

Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...
Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...
Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage...
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
 
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
Managing Projects in the Cloud
Managing Projects in the CloudManaging Projects in the Cloud
Managing Projects in the Cloud
 
Using GDPR to Transform Customer Experience
Using GDPR to Transform Customer ExperienceUsing GDPR to Transform Customer Experience
Using GDPR to Transform Customer Experience
 
Information governance process & technology
Information governance process & technologyInformation governance process & technology
Information governance process & technology
 
Cloud - Everyone is doing it, But is it safe?
Cloud - Everyone is doing it, But is it safe?Cloud - Everyone is doing it, But is it safe?
Cloud - Everyone is doing it, But is it safe?
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
 
So You Established a Mobile Strategy….What’s Next?
So You Established a Mobile Strategy….What’s Next?So You Established a Mobile Strategy….What’s Next?
So You Established a Mobile Strategy….What’s Next?
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
 
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
 
Mobility Risk, Strategy and Policy
Mobility Risk, Strategy and PolicyMobility Risk, Strategy and Policy
Mobility Risk, Strategy and Policy
 
eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878
 
Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...
Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...
Forcepoint Raised the Bar: What's Next in the Cross Domain Community-george k...
 
BayBio - Facilitating R&D Collaborations through the Cloud
BayBio - Facilitating R&D Collaborations through the CloudBayBio - Facilitating R&D Collaborations through the Cloud
BayBio - Facilitating R&D Collaborations through the Cloud
 
Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...
Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...
Business Plan Sample for a Technology Company - Vilex in Pitchdeck (PowerPoin...
 
Belgina ism-v3 3
Belgina ism-v3 3Belgina ism-v3 3
Belgina ism-v3 3
 
ISMS_of ISO 27001-2022-awareness training
ISMS_of  ISO 27001-2022-awareness trainingISMS_of  ISO 27001-2022-awareness training
ISMS_of ISO 27001-2022-awareness training
 

A Global Info Sec Policy Strategy

  • 1. x Company Global Information Security Policy and Standards Strategy for global enterprise adoption Harry Contreras CISSP - Phoenix, AZ
  • 2. Global Information Security Global Information Security Policy Presentation Date - Agenda Global Information Security Policy Development and Adoption Strategy • Policy program overview and strategy • Review present state of X-Co InfoSec Policy • Intranet site presence and relationships • Interdependencies to negotiate and maintain • Concurrence on stated future direction & strategy
  • 3. Global Information Security Information Security Policy – Program Lifecycle Collaborate Converge Adopt Govern With stakeholders define Unify divergent policy Authorize, endorse the Initiate policy governance required policy, into the corporate body corporate policy & body to oversee and standards and of works. standards for global underwrite policy actions processes to protect X- Focus business unit implementation. to maintain currency and Co interests and meet policy reference sites to Communicate via relevancy for the global X- business needs. point to corporate site. compliance & security Co enterprise. awareness programs. Content delivery via Intranet site vehicle. Key Benefits - Key Benefits - Key Benefits - Key Benefits • Corporate policy meets • Multiple policies are • Recognized as • Policy council oversight global X-Co business now one authoritative policy • Annual review addresses requirements • OpCos can focus on • Translated for global changes in business • Regulatory requirements business issues employee population climate, risks and new met in corporate program regulatory issues Collaborate Converge Adopt Govern
  • 4. Information Security Policy – Program Timeline
    Policy Program Delivery Milestones
    For a “C-Level” audience (in the format of your choice): layout of a “high-level” timeline with Milestones; key events over time, Q1-Year to Q4-Year.
    (Lifecycle phases: Collaborate, Converge, Adopt, Govern)
  • 5. Information Security Policy – Program Timeline
    Milestone | TimeLine Entry | Description / Forecast
    Policy Finalization Activity for Version 1.0 | Mm/Dd/Yyyy | Initial review period and vetting of policy content by X-Co & OpCo stakeholders and authorizers
    Policy Authorization and Endorsement | Mm/Dd/Yyyy | InfoSec Policy Version 1.0 is endorsed by C-Level Officers. CISO and CCO of X-Co sign off on InfoSec policy for the enterprise
    Policy Communication Plan Launch | Mm/Dd/Yyyy | Communications to all X-Co, OpCo Management and IT leadership with announcement of “Compliance by Date” for the company
    Global InfoSec Governance Council Formed | Mm/Dd/Yyyy | Global InfoSec council formed to represent corporate and OpCo IT security interests for the enterprise
    Develop policy revision changes for Policy v1.0 | Mm/Dd/Yyyy | Compilation period begins to assimilate changes to present policy in preparation of the InfoSec Policy Version 2.0
    Proposed Policy Changes for Policy V2 - Freeze | Mm/Dd/Yyyy | Period ends for accepting proposed policy changes to the developing InfoSec Policy version 2.0
    Proposed Compliance Date for Policy V1.0 | Mm/Dd/Yyyy | Company-wide compliance by date for InfoSec Policies from version 1.0 (1 Mm/Dd/Yyyy)
    Annual Policy Review Cycle for Version 2.0 | Mm/Dd/Yyyy | Global InfoSec Governance council reviews and assesses proposed changes to Policy version 1.0 in preparation for delivering Version 2.0
    InfoSec Governance Council Accept Policy Version 2.0 | Mm/Dd/Yyyy | Global InfoSec Governance council approves InfoSec Policy version 2.0 and forecasts future compliance by date
    Note: Develop “high-level” Project Plan WBS for presentation of developing plan milestones.
    (Lifecycle phases: Collaborate, Converge, Adopt, Govern)
  • 6. Information Security Policy Development & Strategy
    Approach for Collaboration and Convergence
    Establish top-level Intranet presence for InfoSec Policy
      • Utilize corporate intranet site: intra.X-Co.com
      • Serve up policy & standards in a document repository
      • Distribute linkage to other OpCos
    Integrate cross-linkages with existing OpCo policy sites
      • As the corporate body of content increases
      • Converge OpCo policies & remove site references
    (Lifecycle phases: Collaborate, Converge)
  • 7. Information Security Policy – Site Relationships
    [Diagram: Intranet.X-Co.com, the Corporate Intranet Site, linked to five OpCo Intranet Sites: OpCo A, OpCo B, OpCo C, OpCo D, OpCo E]
    (Lifecycle phases: Collaborate, Converge)
  • 8. Converged - Information Security “Portal” Page
    X Company Intranet Site – Corporate Security Page (Policy Hosting Location) – Corporate Global Information Security
    Overview & Introduction
      • CISO quarterly remarks
      • Today’s Hot Topics
    Policy & Standards Repository – Global Information Security Policy & Standards Library
      • Information Security Policy
      • Security Position Statements
      • Security Standards
      • Code of Business Conduct
    Security Awareness Section – Security Awareness Content
      • Security Topic – Quick Reference
      • Awareness Library
      • Tools & Resources
    Links to Policy sites – Links to OpCo policy content
      • Marsh
      • Mercer
      • Guy Carpenter
      • Oliver Wyman
      • Kroll
    Incident Reporting
      • Report an Incident here
    Content and presentation format to be collaboratively developed with Communications.
    (Lifecycle phases: Collaborate, Converge)
  • 9. Information Security Policy & Standards - Framework
    Overarching Global Policy (Core) – Authorized & Endorsed
      • Acceptable Use Policy (AUP) – Acceptable Use endorsed by Human Resources, Legal and Compliance
      • Privacy and Data Protection Policy
      • IT Security Policy Manual – implementation policy details
      Collaborate on preexisting content from OpCos for AUP convergence into these two categories.
    Security Position Statements (Core)
      • Addresses new technologies & mitigating immediate business risks
    Subordinate Security Standards
      • Detailed technology specs
      • Required compliance controls
    Security Awareness Content
      • Awareness Library of Tools & Resources
    [Bottom row of the framework diagram: Security Position Statements | IT Security Policy Manual | IT Security Standards | IT Security Awareness Materials]
    (Lifecycle phases: Converge, Adopt)
  • 10. Strategy for Adoption and Governance within X-Co
    Obtain Authority and Endorsements
      • CISO – Chief Information Security Officer
      • CCO – Chief Compliance Officer acknowledgement
      • CIOs of the Operating Companies
      • Global InfoSec Council (Governance over InfoSec policy)
      • Legal, Human Resources and Compliance stakeholders
    Partnerships and Socialization
      • Corporate Communications
      • Internal Audit
      • Compliance Organizations (e.g. SOX, HIPAA)
    Communicate
      • Promotion through Communications functions
      • Security Awareness Campaign (Year)
    (Lifecycle phases: Adopt, Govern)
  • 11. Information Security Policy Governance
    IT Security Policy Development
      • Global InfoSec Council – Governance participation
      • IT Security Policy Content Review Cycle (Annual)
    Communications
      • Intranet Content Publication
      • IT Security Bulletins and Alerts
      • User Awareness Campaign Development
    (Lifecycle phase: Govern)
  • 12. Critical Success Factors
    Build Relationships with All OpCos and include them in the Governance body
    Define & “converge” Information Security Processes
      • Set up GIS Intranet Policy Service Page
      • Automate policy services and support
    Deploy Updated Security Policy and Standards
      • IT Security Policy Education with Business Units
    (Lifecycle phase: Govern)
  • 13. Information Security Policy - Summary
    Collaborate, Converge, Adopt and Govern - Sustaining Objectives
      • Security - Be recognized as the visionary security leaders that collaboratively consult with the business.
      • Security - Enable the business with compliant and consistent security policy and controls focused on secure future computing within the X-Co environment.
      • Security - Ensure governed, integrated protection for the entire X-Co enterprise and its resources.
    Protecting Colleagues, Clients and Corporate Assets of X-Co, Inc.
    (Lifecycle phases: Collaborate, Converge, Adopt, Govern)