1. x Company
Global Information Security
Policy and Standards
Strategy for global enterprise adoption
Harry Contreras CISSP - Phoenix, AZ
2. Global Information Security Policy
Presentation Date - Agenda
Global Information Security Policy Development and Adoption Strategy
• Policy program overview and strategy
• Review present state of X-Co InfoSec Policy
• Intranet site presence and relationships
• Interdependencies to negotiate and maintain
• Concurrence on stated future direction & strategy
3. Information Security Policy – Program Lifecycle

Collaborate
With stakeholders define required policy, standards and processes to protect X-Co interests and meet business needs.
Key Benefits
• Corporate policy meets global X-Co business requirements
• Regulatory requirements met in corporate program

Converge
Unify divergent policy into the corporate body of works. Focus business unit policy reference sites to point to the corporate site.
Key Benefits
• Multiple policies are now one
• OpCos can focus on business issues

Adopt
Authorize and endorse the corporate policy & standards for global implementation. Communicate via compliance & security awareness programs. Content delivery via the Intranet site vehicle.
Key Benefits
• Recognized as authoritative policy
• Translated for global employee population

Govern
Initiate a policy governance body to oversee and underwrite policy actions to maintain currency and relevancy for the global X-Co enterprise.
Key Benefits
• Policy council oversight
• Annual review addresses changes in business climate, risks and new regulatory issues
4. Information Security Policy – Program Timeline
Policy Program Delivery Milestones
For a “C-Level” audience (in the format of your choice)
Layout of “high-level” timeline with milestones: key events over time, Q1-Year through Q4-Year
[Timeline graphic placeholder: milestone markers plotted across the Collaborate, Converge, Adopt and Govern phases]
5. Information Security Policy – Program Timeline
Milestone / Forecast date, TimeLine Entry and Description

Mm/Dd/Yyyy  Policy Finalization Activity for Version 1.0
  Initial review period and vetting of policy content by X-Co & OpCo stakeholders and authorizers.

Mm/Dd/Yyyy  Policy Authorization and Endorsement
  InfoSec Policy Version 1.0 is endorsed by C-Level Officers. CISO and CCO of X-Co sign off on the InfoSec policy for the enterprise.

Mm/Dd/Yyyy  Policy Communication Plan Launch
  Communications to all X-Co and OpCo management and IT leadership, with announcement of the “Compliance by Date” for the company.

Mm/Dd/Yyyy  Global InfoSec Governance Council Formed
  Global InfoSec council formed to represent corporate and OpCo IT security interests for the enterprise.

Develop “high-level” Project Plan
  For presentation of developing plan milestones.

Mm/Dd/Yyyy  Develop policy revision changes WBS for Policy v1.0
  Compilation period begins to assimilate changes to the present policy in preparation of InfoSec Policy Version 2.0.

Mm/Dd/Yyyy  Proposed Policy Changes for Policy V2 - Freeze
  Period ends for accepting proposed policy changes to the developing InfoSec Policy version 2.0.

Mm/Dd/Yyyy  Proposed Compliance Date for Policy V1.0
  Company-wide compliance by date for InfoSec Policies from version 1.0 (1 Mm/Dd/Yyyy).

Mm/Dd/Yyyy  Annual Policy Review Cycle for Version 2.0
  Global InfoSec Governance council reviews and assesses proposed changes to Policy version 1.0 in preparation for delivering Version 2.0.

Mm/Dd/Yyyy  InfoSec Governance Council Accept Policy Version 2.0
  Global InfoSec Governance council approves InfoSec Policy version 2.0 and forecasts the future compliance by date.
6. Information Security Policy Development & Strategy
Approach for Collaboration and Convergence
Establish top-level Intranet presence for InfoSec Policy
• Utilize corporate intranet site: intra.X-Co.com
• Serve up policy & standards in document repository
• Distribute linkage to other OpCos
Integrate cross-linkages with existing OpCos policy sites
• As corporate body of content increases
• Converge OpCo policies & remove site references
7. Information Security Policy – Site Relationships
[Site relationship diagram: the Corporate Intranet Site (Intranet.X-Co.com) at the top, cross-linked to the OpCo Intranet Sites of OpCo A, OpCo B, OpCo C, OpCo D and OpCo E]
8. Converged - Information Security “Portal” Page
X Company Intranet Site – Corporate Security Page (Policy Hosting Location)

Global Information Security Policy & Standards Library
• Information Security Policy
• Security Position Statements
• Security Standards
• Code of Business Conduct

Overview & Introduction
• CISO quarterly remarks
• Policy & Standards Repository
• Security Topic – Quick Reference

Security Awareness Section
• Today’s Hot Topics
• Awareness Library
• Tools & Resources

Links to OpCo Policy sites
• Marsh
• Mercer
• Guy Carpenter
• Oliver Wyman
• Kroll

Incident Reporting
• Report an Incident here

Content and presentation format to be collaboratively developed with Communications.
9. Information Security Policy & Standards - Framework

Overarching Global Policy (Core)
• Authorized & Endorsed
• IT Security Policy Manual – implementation policy details

Acceptable Use Policy (AUP) and Privacy and Data Protection Policy
• AUP endorsed by Human Resources, Legal and Compliance

Security Position Statements (Core)
• Addresses new technologies & mitigating immediate business risks

Subordinate Security Standards
• Detailed technology specs
• Required compliance controls

Collaborate on preexisting content from OpCos for AUP convergence into these two categories.

Security Awareness Content
• Awareness Library of Tools & Resources

Framework components: Security Position Statements | IT Security Policy Manual | IT Security Standards | IT Security Awareness Materials
10. Strategy for Adoption and Governance within X-Co
Obtain Authority and Endorsements
• CISO – Chief Information Security Officer
• CCO – Chief Compliance Officer acknowledgement
• CIOs of the Operating Companies
• Global InfoSec Council (Governance over InfoSec policy)
• Legal, Human Resources and Compliance stakeholders
Partnerships and Socialization
• Corporate Communications
• Internal Audit
• Compliance Organizations (e.g. the SOX and HIPAA compliance functions)
Communicate
• Promotion through Communications functions
• Security Awareness Campaign (Year)
11. Information Security Policy Governance
IT Security Policy Development
• Global InfoSec Council – Governance participation
• IT Security Policy Content Review Cycle (Annual)
Communications
• Intranet Content Publication
• IT Security Bulletins and Alerts
• User Awareness Campaign Development
12. Critical Success Factors
Build Relationships with All OpCos and include them in the Governance body
Define & “converge” Information Security Processes
• Set up GIS Intranet Policy Service Page
• Automate policy services and support
Deploy Updated Security Policy and Standards
• IT Security Policy Education with Business Units
13. Information Security Policy - Summary
Collaborate, Converge, Adopt and Govern
- Sustaining Objectives -
Security - Be recognized as visionary security leaders who collaboratively consult with the business.
Security - Enable the business with compliant and consistent security policy and controls focused on secure future computing within the X-Co environment.
Security - Ensure governed, integrated protection for the entire X-Co enterprise and its resources.
Protecting Colleagues, Clients and Corporate Assets of X-Co, Inc.