Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Introduction Welcome! Format of day Response to previous requests from clients Amendment to schedule Using Information Security for Business Advantage.

Published byQuintin Syrett Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Introduction Welcome! Format of day Response to previous requests from clients Amendment to schedule Using Information Security for Business Advantage."— Presentation transcript:

1 1 Introduction Welcome! Format of day Response to previous requests from clients Amendment to schedule Using Information Security for Business Advantage

2 MWR InfoSecurity The Business Case for Information Security 12 March 2009 Alex Fidgen Ian Shaw

3 3 What will we achieve? Help you gain organisational commitment and justify required spend Introduction Part 1 - Visualisation techniques Part 2 - Communication techniques Part 3 - Supporting frameworks Using Information Security for Business Advantage

4 4 Introduction Communicating security risk can be very hard in environments without structured metrics The classic chicken and egg scenario We did not want to concentrate on the is there/isn’t there argument for ROI.

5 5 Problems Senior Management and Board directors need to increase shareholder value Mature metrics makes it easy to communicate shareholder value based risk Associating technical risks with revenue is impossible without a business context Information security managers with IT backgrounds find it hard to communicate risk at a business level The business seldom understands the value of its information assets

6 6 Communication! This is a communication issue!

7 7 Part 1 – Protecting Traditional Assets (Opening the Board’s Eyes to Information Security Spend – Is information security spending in line with traditional asset protection?) Using Information Security for Business Advantage

8 8 Questions your Board may be asking Why do we need to worry about this information security issue? Why is Malware Protection so expensive? Are these costs of doing business online justified? I don’t understand whether this expenditure is justified The following examples have been developed to demonstrate how security is integrated seamlessly into existing business models Try to ignore any immediate reaction to industry sector! Using Information Security for Business Advantage

9 9 Typical Retail Organisation (Asset Protection) Shops Warehouse / Distribution Human Resources Finance CCTV Counterfeit Detection Store Detectives Security Guards RFID Safes / Alarms Secure Cash Handling Vetting / References Disciplinary Procedure Internal Audit External Audit Stock Control Credit Control Accounting Policies / Standards Financial Reconciliations Product Integrity* * For example: tamper evident jars Cardwatch Local Crime Schemes

10 10 Typical Retail Organisation (Asset Protection) Using Information Security for Business Advantage Shops Warehouse / Distribution Human Resources Finance CCTV Counterfeit Detection Store Detectives Security Guards RFID Safes / Alarms Secure Cash Handling Vetting / References Disciplinary Procedure Internal Audit External Audit Stock Control Credit Control Accounting Policies / Standards Financial Reconciliations Product Integrity* * For example: tamper evident jars Cardwatch Local Crime Schemes

11 11 Typical E-Retail (Information Asset Protection) Using Information Security for Business Advantage Ecommerce Site Data Storage Business Interfaces IT/IS/ Development IT/IS/ Development Anti-Virus Firewalls Encryption Security in SDLC Threat Modelling Build Standards Information Security Policies Legislative Compliance Configuration Reviews Patch Management Access Control Reviews Application Testing Penetration Testing Monitoring / Intrusion Detection Vulnerability Assessment Vetting / References Disciplinary Procedure InfoSec Awareness Training

12 12 In Summary Information asset protection still lags behind traditional asset protection Opening the organisation’s eyes to traditional security measures can ‘set the scene’ to introduce information security A simple visualisation technique helps soften attitudes to information security spend Using Information Security for Business Advantage

13 13 Part 2 – A model for information asset identification and classification Using Information Security for Business Advantage

14 14 Part 2 - Communication of risk High level abstract link… How best to communicate the risk from this point forward Need to highlight risks that may impact shareholder value Must be flexible and expose risks not currently perceived One technique is threat modelling…plenty of others however Using Information Security for Business Advantage

15 15 Risk – A quick reminder An event that could have a detrimental effect on an asset A conduit that could be exploited by a threat An item of value The effect on a business of a risk being realised BUSINESS IMPACT Asset Threats Vulnerability Risks

16 16 What is threat modelling Threat Modelling: Grades Threats Allows identification of vulnerabilities Enhances the final calculation of risk Very powerful and business focussed Using Information Security for Business Advantage

17 17 Using Information Security for Business Advantage What it can provide: Defence in depth Effective controls with efficient expenditure Asset protection is proportional to the business value Greater measurable returns on security investment

18 18 Case Study – Insurance Company In excess of 600 systems Business run in a federated sense There is/was no centralised security management function, Some security testing in the past against core systems No set budget for security Some basic security training, around physical security and access control Using Information Security for Business Advantage

19 19 How the model was formed.. identified the systems and the assets, a high level risk assessment based on the business risk and potential business impact Assignation of a commercial revenue value to each system Using Information Security for Business Advantage

20 20 How the model was formed.. cont All revenue streams documented the most important systems quickly became evident, Allowed focus on the most financially important assets Intangible assets were also assessed (reputation, client satisfaction, employee happiness etc.).

21 21 What did this do? This made an actual and tangible link to the management team connecting the value of the information assets (within systems) with the value of assigned security spend to identify and manage the risk It open their eyes to the asset value, and made justification of budget almost self fulfilling

22 22 Using Information Security for Business Advantage Part 3 – Effecting Change (Operational Information Security)

23 23 Where are we? Using Information Security for Business Advantage Information Assets Threats Vulnerabilities Risks = Existing Controls Current Position =+

24 24 What is the appetite for risk? Using Information Security for Business Advantage Current Position Where we want to be -= STAGE 1 Organisational Changes STAGE 1 Organisational Changes

25 25 Stage 1 – Organisational Change What is required for successful organisational change Change Plan – how will we know when we arrive? Resources – do we have the resources to achieve the change? Sponsorship – do we have executives backing for change? Support (Culture) – important if exec sponsorship is broken? Using Information Security for Business Advantage

26 26 Stage 2 - Operation Measure performance (results not activities) Make changes as necessary Periodically review performance Review measures Using Information Security for Business Advantage

27 27 Summary Your organisation is protecting its assets, but probably not adequately protecting its information assets The risks may be different from the perceived risks. Communicate this by identifying assets and the threats to them You can only manage what your measure. Identify the changes necessary, measure transition Using Information Security for Business Advantage

28 28 Questions? Using Information Security for Business Advantage

Download ppt "1 Introduction Welcome! Format of day Response to previous requests from clients Amendment to schedule Using Information Security for Business Advantage."

Similar presentations

ASYCUDA Overview … a summary of the objectives of ASYCUDA implementation projects and features of the software for the Customs computer system.

ASYCUDA Overview … a summary of the objectives of ASYCUDA implementation projects and features of the software for the Customs computer system.
Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.

Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.
Develop an Information Strategy Plan

Develop an Information Strategy Plan
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.

Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.
Learning Objectives LO1 Describe the finance and investment process: risk assessment, typical transactions, source documents, controls, and account balances.

Learning Objectives LO1 Describe the finance and investment process: risk assessment, typical transactions, source documents, controls, and account balances.
Security Controls – What Works

Security Controls – What Works
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Return On Investment Integrated Monitoring and Evaluation Framework.

Return On Investment Integrated Monitoring and Evaluation Framework.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
The Information Systems Audit Process

The Information Systems Audit Process
1 Pertemuan 17 Organisational Back Up Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 17 Organisational Back Up Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
Joint Business Plan Madhurjya K. Dutta 1mk_dutta Sept 2010.

Joint Business Plan Madhurjya K. Dutta 1mk_dutta Sept 2010.
Gain Executive Support in Measuring the Effectiveness of Your BCM Program -Cheyene Haase BC Management, Inc.

Gain Executive Support in Measuring the Effectiveness of Your BCM Program -Cheyene Haase BC Management, Inc.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Did You Hear That Alarm? The impacts of hitting the information security snooze button.

Did You Hear That Alarm? The impacts of hitting the information security snooze button.
Information Systems Security Risk Management. © G. Dhillon All Rights Reserved Alignment Glenmeade Vision To provide a personalized experience to our.

Information Systems Security Risk Management. © G. Dhillon All Rights Reserved Alignment Glenmeade Vision To provide a personalized experience to our.
Professional Certificate – Managing Public Accounts Committees Ian “Ren” Rennie.

Professional Certificate – Managing Public Accounts Committees Ian “Ren” Rennie.

Similar presentations

Ads by Google