
1 Info-Tech Research Group V3.1

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2014 Info-Tech Research Group Inc.

Build a Security Governance and Management Plan
Establish the missing bridge between security and the business to support tomorrow’s enterprise with minimal resources.

2 Introduction

Most organizations perceive security governance and management to be a time-consuming and expensive endeavour. However, a customized program will provide results with a relatively low investment.

This Research Is Designed For:
- CISOs, CSOs, CEOs, CIOs, IT leaders, and business leaders who would like to improve alignment between security and business activities, optimize security resources, implement an effective risk mitigation strategy, and improve the transparency of security initiatives
- CISOs, CSOs, and CIOs who would like to better support the business

This Research Will Help You:
- Articulate the value of information security governance and management to senior management
- Develop a customized comprehensive information security governance and management framework at the lowest cost possible
- Apply your security governance framework to your organization and create a roadmap for implementation with provided tools and templates
- Develop a measurement program to continuously improve your security governance

3 Develop a Security Governance and Management Plan

Security Pressure Posture; Establish Target State; Gap Analysis; Make the Case; Implementation; Develop Metrics (Day 1, Day 2)

- Goals and objectives of the workshop
- Understand the value of security governance and management
- Determine your security pressure posture
- Common elements in successful governance and management programs
- Scope your security governance program
- Explore best practices and compliance requirements
- Examine common gaps in the industry
- Conduct a gap analysis and scale the gap
- Build your implementation roadmap
- Implement based on best practices
- Create a convincing business case
- Build a comprehensive metrics program
- Understand the components in security governance and management
- Establish your security governance and management framework

4 Workshop Overview

Module 1. Make the case for security governance and management to drive executive engagement
Workshop Goals:
- Define goals/objectives for the workshop
- Demonstrate the value of implementing or improving security governance and management for the business
Outputs:
- Expectations for the workshop
- Understanding of the value of information security governance
- Completed Business Case template

Module 2. Objectively establish and analyze your security pressure posture
Workshop Goals:
- Objectively assess security pressure posture based on our list of comprehensive criteria
- Provide a security posture description that business stakeholders can easily digest
Outputs:
- Better understanding of the organization’s security pressure posture

Module 3. Establish a clear target state by defining your security governance and management framework
Workshop Goals:
- Create a customized framework for security governance and management that is comprehensive and avoids duplication
- Understand each component of security governance
- Achieve alignment between business objectives and security initiatives
Outputs:
- Customized security governance target state framework
- Understanding of each component and its importance in a security governance framework

5 Workshop Overview

Module 4. Analyze the gap between the current and target state to drive processes for implementation
Workshop Goals:
- Scale the gap between current state and target state in a way that can be communicated to business stakeholders
- Identify the initiatives required to reach the target state
Outputs:
- Gap analysis report

Module 5. Build an action plan and roadmap to implement your security governance cost effectively
Workshop Goals:
- Prioritize and organize security initiatives based on the gap analysis
- Identify interdependencies between initiatives
- Understand best practices associated with each component implementation
Outputs:
- Security governance implementation plan
- Implementation guidelines and tips
- Completed templates and tools required for implementation

Module 6. Build a metrics program to direct your investments and measure your effectiveness
Workshop Goals:
- Build a holistic measurement program or refresh your existing program to create a meaningful and sustainable program
Outputs:
- Security metrics program

6 Executive Summary

Problem:
Many organizations currently take an ad hoc approach to security governance and management, which leads to several problems:
- The security team doesn’t know whether it’s supporting business goals
- The security team doesn’t know how secure the organization’s information really is
- The organization has no sense of direction in terms of what security’s priorities or initiatives should be
- Risks are not treated appropriately

When security cannot articulate how it supports the business, it diminishes in value and is likely to experience budget cuts.

A large barrier to implementing a comprehensive security governance and management program is the perception of the large quantity of resources it requires. With all the compliance requirements, standards, and best practices, it also seems like a daunting project. However, based on Info-Tech’s estimates, a small organization with a low level of requirements can implement a security governance and management program for as little as $10,000. In comparison, this program can save the organization $12,000 - $130,000 per year. Large organizations could benefit $300,000 - $2,250,000 per year with an initial investment of approximately $60,000.

Solution:
Your security governance and management program needs to be customized to your organization’s needs. This project will guide you through the process of creating a customized security governance and management plan that is comprehensive enough to cover all your bases, while keeping costs at a minimum.
- Begin defining your needs through a security pressure posture analysis and utilize best methods to determine what your security program should include at a minimum.
- Conduct a gap analysis to collect the initiatives you need to reach your target state.
- Create an action plan and implement this project with the tools and templates provided by Info-Tech.

7 Guided Implementation points in the Security Governance and Management project

Book a Guided Implementation Today: Info-Tech is just a phone call away and can assist you with your project. Our expert Analysts can guide you to successful project completion.

Here are the suggested Guided Implementation points in the Security Governance and Management project:

Section 1: Security Governance and Management Business Case
Get started by reviewing the completed sections of your business case to discuss its effectiveness.

Section 2: Security Pressure Posture Tool
Discuss your security pressure posture results and its implications for your organization. Review each question to ensure your responses were appropriate for your context.

Section 3: Security Governance and Management Target State Framework
Discuss each baseline component’s purpose and appropriateness for your organization. Review any changes you’ve made to your customized set of baseline components and discuss any concerns you may have.

Section 4: Gap Analysis
Verify your current state and evaluate the magnitude of your gaps. Discuss the outcome of your report and its implications for your implementation plan.

To enroll, send an email to GuidedImplementations@InfoTech.com or call 1-888-670-8889 and ask for the Guided Implementation Coordinator.

This symbol signifies when you’ve reached a Guided Implementation point in your project.

8 Guided Implementation points in the Security Governance and Management project

Section 5: Implementation Plan
Review each initiative in your implementation plan to examine its value, feasibility, dependencies, implementation options, and other factors to consider. Evaluate the feasibility of your entire implementation timeline and receive tips for implementation success. Includes specific GIs for:
- Reviewing your security charter and documented organizational structure
- Reviewing your information security policies and risk management process
- Reviewing the progress of your remaining basic extension components for security governance and management
- Reviewing the progress of your advanced components for security governance and management

Section 6: Security Metrics Program
Review your metrics program and discuss its comprehensiveness for your organization. Examine each metric to understand how to interpret it and the costs that may be associated with collecting it. Receive advice on how to implement each metric from a best practices point of view.

9 Make the case for security governance and management to drive executive engagement

Sections:
- Make the case for security governance and management
- Establish and analyze your security pressure posture
- Establish a target state for security governance and management by defining your framework
- Analyze the gap between current state and target state
- Build a roadmap to implement your security governance and management
- Build a metrics program

What’s in this Section:
- Understand where security governance and management fit in your overall security framework
- Recognize the importance and benefits of security governance and management
- Explore common security governance and management challenges
- Develop a convincing business case for security governance and management

10 Understand the elements involved in information security governance and management

[Diagram: Corporate Governance, IT Governance, Security Governance]

Security Governance Definition
“Information security governance includes the elements required to provide senior management assurance that its direction and intent are reflected in the security posture of the organization by utilising a structured approach to implementing an information security program.”
ISACA, Information Security Governance, Guidance for Information Security Managers

Security governance is an integral part of IT governance and corporate governance. Security governance involves the following activities:
- Evaluating current security activities and their impact on business objectives
- Providing direction for the security team by determining a risk appetite, allocating investment and resources, etc.
- Monitoring the effectiveness of the security program
- Regular communications with stakeholders regarding security activities and performance

Security Management Definition
“Information Security Management refers to the processes that ensure confidentiality, integrity, and availability of an organization’s assets, information, data, and IT services.”
ITIL v3

Security management executes based on direction from security governance. Some activities involved in security management include:
- Building and executing a metrics program
- Creating policies
- Executing risk management based on a risk appetite defined by security governance
- Developing and executing a training and awareness program
- Developing a security charter and organizational structure
- Ensuring compliance

[Diagram: Security Governance directs, evaluates, and monitors; Security Management executes based on governance]

11 Understand where information security and governance fit in a complete security program

Info-Tech covers a wide range of security areas including network security services, asset security services, and identity security services.

Information Security Governance and Management is the foundation for a complete Information Security Program.

Security governance ensures that the “right things” are done. Comparatively, security management ensures that “things are done right.”

12 Info-Tech Research Group Helps IT Professionals To:
- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions – fast
- Deliver critical IT projects, on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department

“Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment.” - ARCS Commercial Mortgage Co., LP

Sign up for free trial membership to get practical solutions for your IT challenges: www.infotech.com
Toll Free: 1-888-670-8889

