Information Security Governance: What Is It And How Can We Accomplish It ? Todd Fitzgerald, CISM, CISA, CISSP, ITILV3 ISO27000 Certified National Government.


1 Information Security Governance: What Is It And How Can We Accomplish It ? Todd Fitzgerald, CISM, CISA, CISSP, ITILV3 ISO27000 Certified National Government Services Medicare Systems Security Officer ISACA Kettle-Moraine Chapter Meeting December 4, 2008 Milwaukee, WI

2 A Little ‘Presentation Governance’ … The opinions expressed are solely the opinions of Todd Fitzgerald and do not necessarily represent the opinions of his employer. You may or may not want to adopt these concepts in your organization. Use a risk-based approach before attempting this at home.

3 Today’s Objectives… To Discuss
– Security Governance Definition
– Why We Need Security Governance
– 13 Questions
– Leadership Core Competencies
– Vehicles For Communication
– Security Control Structures
– Achieving Security Compliance
– Effectively Working With Internal/External Auditors

4 Security Governance Defined “Information Security governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security programme.” – IT Governance Institute

5 And Wikipedia Says… Governance relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems. In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

6 Governance Derived From Latin Origins To Denote “Steering” (Steering vs. “Power Over”)
– Defines expectations
– Grants power
– Verifies performance
– Avoids undesirable consequences
– Coordinates and controls activity
– Provides processes to control an activity

7 Risks Are Increasing
– Cybercrime
– Malware
– Identity Theft
– Lost Laptops
– Targeted Financial Gain
– Personal Information Sharing
– Slowing of security investment
– Dissipation of security message
– Competitive pressures

8 News Items Continue To Gain Attention of Board of Directors
– Bank of America: 1.3 million consumers exposed – Lost back-up tape
– DSW Retail: 1.2 million consumers exposed – Hacking
– Card Services: 40 million consumers exposed – Hacking
– TJX Stores: 45 million consumers exposed – Internal theft
– UCLA: 800,000 consumers exposed – Human error
– Fidelity: 196,000 consumers exposed – Stolen laptop

9 A Who’s Who of Fortune 500 Companies… And The List Is Growing
– St. Joseph's Hospital
– California Department of Health
– California Department of Mental Health

10 Leading Organizations Adhere To This Model (Source: “Learning from Leading Organizations”, GAO/AIMD) – Information Security Management cycle:
– Assess Risk & Determine Needs
– Implement Policies & Controls
– Promote Awareness
– Monitor & Evaluate
– Central Management (at the center of the cycle)

11 Leading Organizations Adhere To This Model – the same cycle, with Governance overlaid across all of it.

12 Information Security Strategy Must Align With Business Objectives
– Top-down process
– Linkages to business process and strategy
– Information in oral, paper, and electronic forms
– Transcends physical boundaries
– Establish acceptable practices, policies, and procedures

13 An Information Security Program With Governance Provides Increased Assurance
– Risk management
– Resource management of critical skills and infrastructure
– Performance measurement
– Providing value-add in delivery of services and products
– Specific organizational accountability for security

14 Can Organizations Survive Without …?
– Equipment
– Computers
– People
– Buildings

15 Few Organizations Can Survive Without
– Customer information
– Knowledge of processes
– Accounting and financial reporting information

16–21 However, Information Security Importance Varies Amongst Senior Executives (Source: Fitzgerald/Krause CISO Survey – CISO Leadership: Essential Principles For Success, Auerbach, 2008)
– Board of Directors: 31% Very Important, 26% Important, 26% Somewhat Important
– CEO: 27% Very Important, 38% Important, 27% Somewhat Important
– Senior Execs: 19% Very Important, 38% Important, 32% Somewhat Important
– Middle Management: 8% Very Important
– End Users: 40% Somewhat Important

22 Fear, Uncertainty, Doubt Gets Investment $$$: EVENT + REACTION/CONFUSION = INVESTMENT

23 However, The Next Time The Event Happens: EVENT + REACTION = (nothing). Without Security Governance, the message dissipates over time.

24 The Governance Answer… 

25 Security Needs Involvement From The Board of Directors/Executive Management (Strategic Oversight)
– Review alignment with organization strategy
– Determine risk profile for organization
– Endorse security program
– Require regular reporting on effectiveness
– Review investment return
– Potential new technologies to add value, reduce costs

26 “Techie” Core Competencies
– Analytical Problem Solving
– Tool Expertise
– Best Practices
– Technical Knowledge
– Team Work
– Emerging Technologies
– Crisis Mgmt
– Industry Standards

27 Shift To Leadership Competencies: from Technical Competency to CISO Leadership & Managerial Competency
– Adaptability
– Self-control
– Self-Development Orientation
– Flexibility
– Interpersonal Awareness
– Perseverance
– Critical Information Seeking
– Efficiency
– Initiative
– Thoroughness
– Results-Oriented

28 Security Officer Core Competencies
– Vision
– Leadership
– Influencing Skills
– Team Work
– Conceptual & Strategic Thinking
– Customer Focus
– Written/Oral Communication
– Interpersonal Effectiveness
– Financial/Budgetary

29–34 (The Detail) Source: Fitzgerald/Krause CISO Leadership Survey
– Self Confidence 65%
– Oral 74%
– Written 74%
– Influence 69%
– Teamwork 68%

35 Now The C-Level People Understand The Security Guy Behind The Mask and The Security Team’s Role, But…

36 Multiple Groups Must Understand Security At The Appropriate Level (Board of Directors, Senior Management, Management, End Users) – IMPACT:
– Competitive disadvantage
– Fraud
– Loss due to disclosure, destruction of information
– Reputation/public confidence
– Bad decisions
– Business disruption
– Legal liability
– Safety risks
– Loss of productivity
– Low morale
– Corporate espionage, loss of contracts

37 Focus Different, Goals Ultimately The Same
Management’s Objective:
– Increase shareholder value (stock price)
– Increase revenue
– Reduce administrative costs
– Increase market share
– Increase worker productivity
– Provide innovative products
– Provide quality products and customer service
– Attract and retain talented workforce
– Accept reasonable business risk
Security Officer’s Objective:
– Protect information from loss, destruction, unavailability
– Reduce risk of threats to acceptable level
– Implement effective controls
– Provide efficient service
– Enable secure development of new products
– Provide assurance through continuous control practices

38 Ensure Communication Plan Delivers Targeted Security Message
Vehicles:
– Manager Meetings
– IT/Business Steering Committees
– Board of Director Meetings
– Management Newsletters
– One-On-One Sessions
Messages:
– Tactical Plans
– New Policies
– Scheduled Activities
– Strategic Initiatives
– Policy Approval
– Security Posture
– Competitor Comparison
– Interim Updates
– Issue Reinforcement
– Departmental Issues
– Testing Reality

39–43 Security Governance Depends Upon Clear Management Directives And Expected Outcomes (Source: Adapted from Information Security Governance Guidance, ITGI). Columns: Strategic Alignment | Risk Management | Value Delivery | Performance Measurement | Resource Management | Integration
– Board of Directors (Sets Direction): Set direction | Risk management policy, reg compliance | Set direction cost, info value | Set direction reporting of security effectiveness | Set direction knowledge management | Set direction assuring process int
– Senior Executives (Enable Security & Provide Oversight): Institute security integration processes | Ensure risk mgmt in all activities | Business cases, value protection | Require monitoring and metrics for reporting | Enable processes knowledge capture | Oversight mgmt process functions
– Steering Committee (Reviews Security Initiatives): Review, assist integration efforts | Identify risks, compliance issues, promote | Review adequacy security initiatives | Review extent security meets business obj | Review processes knowledge capture | ID critical business process, direct int
– Chief Information Sec Officer (Develops Security Program): Develop strategy, oversee, liaise business | BIA, risk strategies, enforce policies | Monitor security resources | Develop monitoring & metrics reporting | Develops methods, metrics, efficiency | ID gaps & overlaps, liaise other functions

44 Multiple “Best Practice” Standards Have Been Created To Provide Guidance For Our “Security Cultures”
– Control Objectives for Information and related Technology (COBIT 4.1)
– ISO27001/2 Information Security Management System (ISMS)
– Payment Card Industry Data Security Standard
– Gramm-Leach-Bliley (GLBA)
– European Union Privacy Directives
– Recommended Controls For Federal Information Systems (NIST )
– Federal Information System Controls Audit Manual (FISCAM)
– DISA Security Technical Implementation Guides (STIGs)
– HIPAA Final Security Rule

45 Each Control Framework/Set of Standards Has Its Own Governance Purpose: COBIT, ISO27001/27002, NIST, PCI Data Standard, HIPAA, DISA STIGs, FISMA

46 NIST Recommended Controls For Federal Information Systems Is Very Useful For All Environments
– Access Control (AC)
– Awareness & Training (AT)
– Audit & Accountability (AU)
– Certification, Accreditation & Security Assessments (CA)
– Configuration Management (CM)
– Contingency Planning (CP)
– Identification & Authentication (IA)
– Incident Response (IR)
– Maintenance (MA)
– Media Protection (MP)
– Physical & Environmental Protection (PE)
– Planning (PL)
– Personnel Security (PS)
– Risk Assessment (RA)
– System & Services Acquisition (SA)
– System & Communications Protection (SC)
– System & Information Integrity (SI)

47 Attaining Compliance With These Regulations Is A Life Changing Event! UP TO…. (Source: SecurityCompliance.com statistics, CSI Journal, Volume XXII, No 3, Summer 2006)

48 Achieving Security Compliance Assurance Requires Specific Due Diligence – 11-Factor Security Compliance Assurance Manifesto (Source: Compliance Assurance: Taming The Beast, Information Security Handbook, 2008)
1. Designate individual responsible for compliance assurance oversight
2. Establish security management governing body
3. Select control frameworks and controls
4. Conduct awareness and training
5. Research and apply technical controls
6. Verify compliance
7. Implement formal remediation process
8. Dedicate staff, automate compliance tasks
9. Report on compliance metrics
10. Enforce penalties for noncompliance to policy
11. Collaborate and network externally

49 Security Audits Necessary To Ensure Controls Are Functioning (Source: “Learning from Leading Organizations”, GAO/AIMD) – the Information Security Management cycle (Assess Risk & Determine Needs, Implement Policies & Controls, Promote Awareness, Monitor & Evaluate, around Central Management), with Audit overlaid.

50 Controls Must Be Tested To Provide Adequate Assurance of Compliance To Policies
– Quarterly vulnerability assessments
– Annual penetration tests
– External/internal audits
– Random spot-checks
– Informal testing with security awareness training
– Security configuration reviews
– SDLC walkthroughs

51 Let’s Agree On This Before We ‘Dump’ On The Auditors – Auditors and Security Officers exist to ensure the business has:
– Documented policies
– Documented procedures/processes
– Documented evidence of implementation of these controls
– Evidence of ongoing operations
– Periodically tested the controls

52 What Do Security Officers LIKE About Auditors?
– Internal Audit areas usually have organizational clout
– Controls-oriented
– Can identify previously unknown issues
– Provide ammunition/urgency for fixing issues quickly
– Provide knowledge of best practices and standards
– Internal Auditors find issues prior to external audits

53 Adopting A “Reasonable” Approach To Auditing For Security Governance
Security Officer:
– Recognition that auditing is an ongoing business process
– Maintain current infrastructure documentation
– Advance preparation of compensating controls by critical asset
– Understand audit procedures and control frameworks
Auditor:
– Take “mystery” out of process
– Advance communication of document expectations
– Give credit to defense-in-depth analysis
– Record “observations for improvement” vs. findings

54 Final Thoughts
– Security Governance requires Top-Down Responsibility Sharing
– Ask the question – why am I involving this group? What is needed from them?
– Governance provides visibility to the effectiveness of the security program, and is the pathway to future security investments

55 Further Reading
– “CISO Leadership: Essential Principles For Success”, 2008 book by Todd Fitzgerald and Micki Krause, ISC2 Press/Auerbach Publications. Available on Amazon.com, ISC2 website
– “Security Governance: Taming the Compliance Beast”, T. Fitzgerald, 2008 Information Security Handbook (Tipton, Krause)
– “13 Questions the CISO, CEO, and CISO Should Ask Each Other”, T. Fitzgerald, ISC2 Journal, September/October 2007
– “Security Governance”, 2007 Information Security Handbook, T. Fitzgerald (Tipton, Krause)
– NIST 800 series special publications (www.csrc.nist.gov/publications)
– IT Governance Institute, Information Security Governance: Guidance For Boards of Directors and Executive Management, 2nd Edition, NEW!!

56 TODD FITZGERALD – Todd Fitzgerald, CISSP, CISA, CISM, ISO27000 & ITIL V3 Certified, Medicare Systems Security Officer, 6775 W. Washington St, Milwaukee, WI, USA. THANK YOU !!
