Information Security Governance @ 2011 Deloitte & Touche

There is no single universal model for organizational structure to ensure that the Information Security requirements for the organization are adequately met.

There is still some uncertainty regarding what such Information Security Governance actually consists of.

Information Security Governance does not function in isolation.

Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each.

How do Organizations currently operate Globally & in the Middle East?
• 17% of Organizations Globally have a person responsible for Information Security. 33% in the Middle East.
• 40% of the CISOs Globally report directly to IT related positions (CIO, IT executive and CTO). 31% in the Middle East.
• Only 67% of respondents indicate that they have a security governance structure. 49% in the Middle East.
• Only 56% of respondents indicate they have a documented and approved information security strategy. 38% in the Middle East.
• Only 18% of respondents have established metrics that have been aligned to business value and report on a scheduled basis. 15% in the Middle East.
• Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives. 32% in the Middle East.
Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed.

Subsets of Corporate Governance include:
• Financial Governance
• Information Technology Governance
• Enterprise Risk Governance
• Information Security Governance
The structure, oversight and management processes which ensure the delivery of the overall corporate governance require integration between the different subsets of the Corporate Governance Model.

[Figure: Corporate Governance model showing its subsets (Enterprise Risk Governance, Information Technology Governance, Legal Governance, Information Security Governance) and, under Information Security Governance, the Information Security Organization with its Information Security Management and Information Security Operations layers.]

An organization's Information Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals".
"Information Security Governance", "Information Security Management" and "Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet Business, Risk and IT goals.

Very broadly:
Information Security Governance: Exists to ensure that the security program adequately meets the strategic needs of the business.
Information Security Management: Implements that program.
Information Security Operations: Executes or manages security-related processes relating to current infrastructure on a day-to-day basis.

Each of these layers must engage with corresponding layers throughout the enterprise.
[Figure: Information Security Organization chart, showing the Information Security Governance, Information Security Management and Information Security Operations layers and the bodies that interact with them: Information Security Steering Committee, Corporate Risk Management, Chief Information Officer (CIO), Lines of Business, IT Operations Management, Information Security Advisory Board, Information Security Communication Forum, and 3rd Party Service Providers.]
Prudent CISOs are building their Security Governance Strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in.

Without alignment, Information Security Governance operates in a vacuum and will implement security controls that are invariably either too strong — and thus expensive and restrictive — or too weak, resulting in too much residual risk.

[Figure: Security Governance Integration model: the cycle 1. Plan, 2. Implement, 3. Manage, 4. Monitor, surrounded by Culture, Controls, Process, People and Technology.]
The following 4 domains must be considered when establishing an Information Security Governance Program:

Plan: Security Program Strategy; Security Architecture; Security Budget; Governance Policy Management
Implement: Develop Governance Processes; Institute Governance Forums; Security Policy Review and Development
Manage: Accountabilities; Funding; Conflict Conciliation and Arbitration; Program and Project Oversight
Monitor: Project Oversight; Value Assessments; Operational Oversight; Metrics and Measurement
Plan: Security Program Strategy
1. Current State
2. Desired State
3. Gap Analysis
4. Project and Initiatives Derived from the Gap Analysis
5. A Reporting Framework
Plan: Security Architecture

Security architecture is the planning discipline that provides the foundational models, templates and principles that support the program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse.

• Security Operations
• Security Monitoring and Review
• User Management
• User Awareness
• Application Security
• Database / Metadata Security
• Host Security
• Internal Network Security
• Network Perimeter Security
• Physical and Environmental Security
Plan: Security Budget

Security Budget Planning: The process of allocating financial resources to information security projects and operational activities.

Plan: Governance Policy Management

Sets the principles for policy management, specifically regarding issues such as:
• Ownership
• Documentation standards
• Approval and formalization procedures
• Enforcement regimes
• Review and exception procedures
Implement: Develop Governance Processes

Design the governance processes:
• The goal of the process
• The action steps to be taken and in what sequence
• The responsibilities associated with the process
• The process flow

Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks.

Implement: Institute Governance Forums

Establish Governance forums and steering committee:
• Establish the accountabilities and responsibilities for information security within the organization.
• Oversee the governance processes.
• Commission and sponsor the corporate information security program.
Implement: Security Policy Review and Development

Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of your organization's information security policy. Identify major strengths and weaknesses of the policy and provide recommendations for improvement.
Manage

Design and explain management processes to the respective stakeholders for implementation:

Accountabilities: Accountabilities and responsibilities for information security are executed effectively.
Funding: Manage effective allocation of financial resources for security initiatives as decided in the budget process.
Conflict Conciliation and Arbitration: Facilitate assessment of conflicting security requirements between different stakeholders. Ensure specific policy and controls decisions are based on adequate consideration of individual and collective requirements.
Program and Project Oversight: Track security program and projects, deliverables, and costs to ensure they remain within acceptable tolerances.
Monitor

Design and explain monitoring processes to the respective stakeholders for implementation:

Project Oversight: Assess project results. Report on objectives achieved and missed, as well as unexpected results and consequences.
Value Assessments: Periodically assess the value of information security investments. Is the organization getting the anticipated benefits from investments involving information security?
Operational Oversight: Ensure that the execution of the information security program, and all its associated processes and activities, is done within the parameters set out by the program strategy, architecture, and policy strategy.
Metrics and Measurement: Measuring and reporting on the impact of the information security program on overall IT governance and Corporate Governance.
• Strategic Alignment of information security with business strategy to support organizational objectives
• Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
• Resource Management by utilizing information security knowledge and infrastructure efficiently and effectively
• Performance Measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
• Value Delivery by optimizing information security investments in support of organizational objectives
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Member of Deloitte Touche Tohmatsu Limited