Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced Materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Overview Threats to the enterprise Security challenges Six step process
Threat Statistics
47% of browser attacks target Microsoft IE
Average of 6,110 DoS attacks per day
28 days average vulnerability exposure
86% of all attacks are against home users
54% of DoS attacks world-wide are against the US
69% of vulnerabilities are in Web applications
(Symantec Internet Security Threat Report, Threats from January 06 - June 06, Vol X, September 2006)
Threats to the Enterprise Virus, worms, Trojan horses Web site hacking Hackers and crackers Terrorist attacks Cyber crime and information warfare Effects of emerging standards and technologies
Security Challenges ID and prioritize opportunities to improve security effectiveness and efficiency Manage security in dynamic threat environment with limited budget Courts and government policy expectations Securing Web services Managing identity and access privileges “Business expects IT to be secure and CIO keep it that way” - Gartner
Six Step Process
1. Inventory
2. Risk Assessment
3. ID Needs
4. Support
5. Execute
6. Review
Inventory Environment “The first thing we need to do is to actually draft out all of the assets that run on our computing system and understand what the relationship of each asset is to our business process” Andre Gold, CISO Continental Airlines Prioritize assets Ensure critical systems are protected Use Enterprise Architecture
Risk Assessment - Portfolio Risks Threats Loss of Data Costs Prevention Data Recovery Look at all assets Best Practices Service Levels “CISO has to deal with how to let good guys in as well as keep the bad guys out” - Gartner
ID Needs and Write Plan Define, align, and prioritize opportunities Vulnerability vs largest risks ID and define security goals Determine costs and ROI – Key is Impact! “CISO not only must spend money wisely on correct security enhancements but must also qualify what they are doing with that budget” - Gartner
ID/Define Organizational Goals Protect sensitive and critical information Prevent unauthorized access to the network Avoid embarrassing publicity Maintain uninterrupted operations Protect privacy Set a “zero-incident” culture Comply with federal and state regulations
Obtain Support and Approval Need executive champion – CIO Know top management priorities Know what the competition is doing Projects in line with market’s thinking Use federal mandates and audit findings
Execute Plan Use annual tactical plans Execute strategic plan in small steps Used to define and execute budget Manage using cost planning and portfolio management Report progress using balanced scorecard
Cost Planning and Portfolio Management Zero-based Budget Track Initiatives Management Review ID Problems Early
Balanced Scorecard Answers … How am I doing? Am I on time? Within budget? Are there any problems or issues? Keeps management informed!
Sample Scorecard (columns: Description, Status)
Goal 2: Provide enhanced and secure IT infrastructure for all campus-wide customers
  2.4 Establish self-monitoring and reporting capability for all network systems
    2.4.1 Deploy self-policing technology
    2.4.2 Deploy automated monitoring and reporting tools
    2.4.3 Deploy and utilize vulnerability scanning technology
Goal 3: Improve customer understanding of INFOSEC responsibilities
  3.1 Develop an enterprise-wide IT security awareness training program
    3.1.1 Establish and maintain a security web site for distributing security tips and guidance
    3.1.2 Establish security workshops
Review Plan Maintenance Review annually Compare against best practices Adjust as necessary
Conclusion An IT Security Strategic Plan will provide… Better use of limited resources Phased deployment and enhancements Improved justification of security projects Direct tie to the university IT strategic plan Better planning & execution of security spending Implementation of best security practices and strategies to create an enterprise that is well managed and secure