Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Similar presentations


Presentation on theme: "Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author."— Presentation transcript:

1 Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced Materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Overview  Threats to the enterprise  Security challenges  Six step process

3 Threat Statistics  47% of browser attacks - Microsoft IE  Average 6110 DoS attacks per day  28 days average vulnerability exposure  86% of all attacks are against home user  54% of DoS attacks world-wide against US  69% of vulnerabilities against Web applications (Symantec Internet Security Threat Report, Threats fro January 06- June 06, Vol X, September 2006)

4 Threats to the Enterprise  Virus, worms, Trojan horses  Web site hacking  Hackers and crackers  Terrorist attacks  Cyber crime and information warfare  Effects of emerging standards and technologies

5 Security Challenges  ID and prioritize opportunities to improve security effectiveness and efficiency  Manage security in dynamic threat environment with limited budget  Courts and government policy expectations  Securing Web services  Managing identity and access privileges “Business expects IT to be secure and CIO keep it that way” - Gartner

6 Six Step Process Inventory Risk Assessment Risk Assessment ID Needs Review Execute Support

7 Inventory Environment “The first thing we need to do is to actually draft out all of the assets that run on our computing system and understand what the relationship of each asset is to our business process” Andre Gold, CISO Continental Airlines  Prioritize assets  Ensure critical systems are protected  Use Enterprise Architecture

8 Risk Assessment - Portfolio Risks Threats Loss of Data Costs Prevention Data Recovery Look at all assets Best Practices Service Levels “CISO has to deal with how to let good guys in as well as keep the bad guys out” - Gartner

9 ID Needs and Write Plan  Define, align, and prioritize opportunities  Vulnerability vs largest risks  ID and define security goals  Determine costs and ROI – Key is Impact! “CISO not only must spend money wisely on correct security enhancements but must also qualify what they are doing with that budget” - Gartner

10 ID/Define Organizational Goals  Protect sensitive and critical information  Prevent unauthorized access to the network  Avoid embarrassing publicity  Maintain uninterrupted operations  Protect privacy  Set a “zero-incident” culture  Comply with federal and state regulations

11 Obtain Support and Approval  Need executive champion – CIO  Know top management priorities  Know what the competition is doing  Projects in line with market’s thinking  Use federal mandates and audit findings

12 Execute Plan  Use annual tactical plans  Execute strategic plan in small steps  Used to define and execute budget  Manage using cost planning and portfolio management  Report progress using balanced scorecard

13 Cost Planning and Portfolio Management Zero-based Budget Track Initiatives Management Review ID Problems Early

14 Balance Scorcard Answers … How am I doing? Am I on time? Within budget? Are there any problems or issues Keeps management informed!

15 Sample Scorecard DescriptionStatus Goal 2: Provide enhanced and secure IT infrastructure for all campus- wide customers 2.4 Establish self-monioring and reporting capability for all network systems Deploy self-policing technology Deploy automated monitoring and reporting tools Deploy and utilize vulnerability scanning technology Goal 3: Improve customer understanding of INFOSEC responsibilities 3.1 Develop and Enterprise-wide IT security awareness training program Establish and maintain a security web site for distributing security tips and guidance Establish security workshops

16 Review Plan Maintenance  Review annually  Compare against best practices  Adjust as necessary

17 Conclusion  An IT Security Strategic Plan will provide….  Better use of limited resources  Phased deployment and enhancements  Improved justification of security projects  Direct tie to university IT strategic plan  Better planning & execution of security spending  Implement best security practices and strategies to create an enterprise that is well managed and secure

18 Questions


Download ppt "Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author."

Similar presentations


Ads by Google