BUSINESS CASE FOR INFORMATION SECURITY PROGRAM

Developed and presented by William Godwin, 3/12/2014. © 2014
Background

- Safeguards the company's most important asset: CORPORATE INFORMATION
- Establishes a formal program and standard to:
  - Safeguard the confidentiality, integrity and availability of information
  - Determine the company's risk appetite
  - Categorize data and information assets
  - Establish an appropriate security control baseline
  - Assess the risk of compromise
  - Comply with governing regulations and corporate governance
Value

- Positions IT Operations as a business enabler
- Establishes security benchmarks and assessment targets that can mature as threats evolve and become more sophisticated
- Aligns IT services with the company's mission
- Delivers a long-term information security strategy
- Mitigates threats and risks effectively and reduces incidents
- Drives scalable processes and IT solutions
- Provides insight to:
  - Optimize IT operations budget management
  - Promote an organizational structure that integrates the program
  - Support organizational maturity
Scope

- Organization position/posture
  - Data categorization of critical departments
- Risk appetite
  - Determine the company's tolerance for risk exposure
- Business impact analysis
  - Determine the criticality of departments and supporting resources
- Develop strategy, plan, implement and execute
- Cultivate continuous improvement opportunities
Organization Position/Posture

- Develop a strategy for implementation, using the output of the Data Categorization and Risk Appetite exercises (Ref. slide #6, Data Categorization, and slide #7, Determine & Establish Risk Appetite)
- Garner support from organization leadership
  - Large/enterprise organizations may have multiple executives whose support is needed
- Obtain operational leadership buy-in
  - Operational managers need to be made aware of their roles and expectations
- Develop and establish corporate standards and requirements for information security
Data Categorization

- Defines broad classes of information created, stored and/or delivered by the company
- Allows logical groupings based on criticality to the business
- Determines each class's sensitivity to unauthorized access, unauthorized modification and loss of availability (its confidentiality, integrity and availability impact)
- Aids to:
  - Establish a security baseline for protecting sensitive data
  - Identify business exposure
  - Determine the impact on the company should the data be compromised
  - Permit executives to set priorities based on the criticality of data
Determine & Establish Risk Appetite

- The company implements the level of information security control appropriate to its risk appetite.
- Risk appetite is set against the sensitivity of the data stored, processed or transmitted by each information system (Ref. slide #6, Data Categorization).
- Sensitivity is determined by understanding the criticality of the data to the company's mission or to regulatory requirements.
Business Impact Analysis

- Categorize and analyze critical business departments/divisions
- Create a priority list of the most sensitive business functions
- Create a priority list of supporting resources
  - Human resources
  - Information technology resources
- Establish information security requirements
- Identify and implement baseline security controls to reduce risk
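The Data Categorization and Business Impact Analysis slides describe categorizing data by its confidentiality, integrity and availability impact, deriving a control baseline from that, and producing a priority list of systems. The following is an added worked example of that chain, not code from the deck. It assumes the FIPS 199 "high-water mark" aggregation rule, which the deck does not name: a system's impact for each objective is the highest impact of any information type it handles, and its overall category is the highest of the three. The information types, systems and baseline tier names are constructed sample data.

```python
"""Security categorization, baseline selection and BIA priority ranking.

Added example for the Data Categorization and Business Impact Analysis
slides; it is not code from the original deck. It assumes the FIPS 199
"high-water mark" rule, which the deck does not name: a system's impact
for each security objective (confidentiality, integrity, availability) is
the highest impact of any information type it handles, and its overall
category is the highest of the three. Baseline tier names, information
types and systems below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One class of data from the categorization exercise, with the impact
    of unauthorized disclosure (C), modification (I) and loss of availability
    (A). 'NA' is valid only for confidentiality: public data has no
    disclosure impact but still needs integrity and availability levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            if level == "NA" and obj != "confidentiality":
                raise ValueError(f"{self.name}: {obj} impact cannot be NA")


@dataclass(frozen=True)
class System:
    name: str
    business_unit: str
    info_types: Tuple[InfoType, ...]


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the iterable (the FIPS 199 aggregation rule)."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def categorize(system: System) -> Dict[str, str]:
    """Per-objective security category plus the overall category.

    A system that handles only public data ends up with confidentiality NA
    but still receives integrity and availability categories, so its overall
    category is never NA."""
    if not system.info_types:
        raise ValueError(f"{system.name}: no information types assigned")
    category = {obj: high_water_mark(getattr(t, obj) for t in system.info_types)
                for obj in OBJECTIVES}
    category["overall"] = high_water_mark(category[obj] for obj in OBJECTIVES)
    return category


def baseline_for(overall: str) -> str:
    """Map the overall category to a control baseline tier (constructed names)."""
    return {"LOW": "baseline-low", "MODERATE": "baseline-moderate",
            "HIGH": "baseline-high"}[overall]


def priority_list(systems: Iterable[System]) -> List[Tuple[str, str, str, str]]:
    """BIA priority list: (system, business unit, overall category, baseline),
    highest category first; ties broken by how many objectives sit at that
    level, then by name so the ordering is deterministic."""
    ranked = []
    for s in systems:
        cat = categorize(s)
        score = IMPACT_ORDER[cat["overall"]]
        breadth = sum(1 for obj in OBJECTIVES if cat[obj] == cat["overall"])
        ranked.append((-score, -breadth, s.name, s.business_unit,
                       cat["overall"], baseline_for(cat["overall"])))
    ranked.sort()
    return [(name, unit, overall, base) for _, _, name, unit, overall, base in ranked]


# Constructed sample data (not from the deck).
PAYROLL = InfoType("payroll records", "HIGH", "HIGH", "MODERATE")
CUSTOMER_CONTACT = InfoType("customer contact data", "MODERATE", "MODERATE", "LOW")
PUBLIC_PRICE_LIST = InfoType("public price list", "NA", "MODERATE", "LOW")
INTERNAL_MEMOS = InfoType("internal memos", "LOW", "LOW", "LOW")

SAMPLE_SYSTEMS = (
    System("hr-payroll", "Human Resources", (PAYROLL, INTERNAL_MEMOS)),
    System("crm", "Sales", (CUSTOMER_CONTACT, PUBLIC_PRICE_LIST)),
    System("public-website", "Marketing", (PUBLIC_PRICE_LIST,)),
    System("intranet-wiki", "Corporate", (INTERNAL_MEMOS,)),
)

if __name__ == "__main__":
    for row in priority_list(SAMPLE_SYSTEMS):
        print("{:<15} {:<16} {:<9} {}".format(*row))
```

The point of the high-water mark is that a single HIGH information type pulls the whole system to the HIGH baseline, which is what makes the categorization exercise the input to both the control baseline and the executive priority list; a system whose confidentiality impact is NA (public data) still gets ranked on integrity and availability.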
Strategy, Plan, Implement & Execute

- Strategy
  - Identify the desired service capability and control coverage (Ref. slide #10, Information Security Model)
  - Identify and gather regulatory requirements and corporate governance
  - Develop and execute a strategic plan for program implementation
- Planning for critical IT assets
  - Establish operating authority (typically an executive authorizes the system to operate)
  - Document the system Security Plan
  - Develop the system IT Contingency Plan
  - Develop the Configuration Management and Control Plan
  - Develop the system Incident Response Plan
- Implement security controls as specified in the system Security Plan
- Execute
  - Conduct a threat assessment
  - Conduct an initial risk assessment
  - Mitigate security exposure to acceptable levels
  - Conduct a final security test to validate that the controls are implemented as planned
Information Security Model

Model Terms & Glossary

Capability: defines "what" information security processes, process areas or disciplines are in place.
Coverage: defines the "amount" of control, and the timeline over which it should be applied.
Control: managing obligations to the business, stakeholders and customers, and demonstrating that they are met.

[Figure: maturity model chart. Vertical axis: Capability, levels 1 to 5. Horizontal axis: Coverage, 0% to 100% in steps of 25%. Labels on the chart: Info Security Mission & Goals; Risk & Compliance Objectives; Control; Optimal Path (Timeline); ROI & Cost-efficiency.]

Capability   Processes are ...                           Coverage
1            Ad hoc and disorganized                     0%
2            Repeatable (generally consistent pattern)   25%
3            Documented and communicated                 50%
4            Monitored and measured                      75%
5            Measured and improved                       100%

Maturing to a Proactive Posture

Primary Drivers

Capability: process discovery and re-engineering to support alignment of the Information Security program with business and security requirements.
Coverage: integrate required regulations and observe areas for control enhancement.
Control: risk- and compliance-based categorization and prioritization of information assets and processes.

The degree and complexity of controls are driven by the enterprise's risk appetite and applicable compliance requirements.

Source: SEI, Carnegie Mellon 2008
Continuous Improvement Opportunities

- Identify success/fail requirements
- Identify metrics applicable to the organization, for example:
  - Total vulnerabilities
  - Residual risk
  - Total incidents
  - Change in vulnerabilities and incidents over time
  - Change in IT system operational budget
Conclusion

- Helps organization leaders identify and prioritize business units and supporting IT systems based on criticality
- Enables effective financial planning for IT operations and security
- Ensures compliance with regulatory requirements and governance
- Enables effective management of risk to IT systems
- Improves IT service capabilities through process maturity