Info-Tech Research Group1 1 Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © Info-Tech Research Group Inc. Headline / Subhead Vertical Spacing V4 Build a Security Governance and Management Plan Establish the missing bridge between security and the business to support tomorrow’s enterprise with minimal resources.

Info-Tech Research Group2 2 This Research is Designed For:This Research Will Help You: This Research Will Assist:This Research Will Help You: This Research Is Designed For:This Research Will Help You: This Research Will Also Assist:This Research Will Help Them: Our understanding of the problem CISOs, CSOs, CEOs, CIOs, IT leaders, and business leaders who would like to improve alignment between security and business activities, optimize security resources, implement an effective risk mitigation strategy, and improve the transparency of security initiatives. CISOs, CSOs, and CIOs who would like to better support the business. Develop a customized comprehensive information security governance and management framework. Apply your security governance framework to your organization and create a roadmap for implementation. Develop a measurement program to continuously improve your security governance. CEOs, CFOs, and other business leaders. Business stakeholders that are continually affected by security. Understand the value of information security governance and management, as it has the ability to close any security gaps.

Info-Tech Research Group3 3 Resolution Situation Complication Info-Tech Insight Executive summary Security programs tend to focus on technology to protect organizations, while often neglecting the people, processes, and policies needed to manage the program. It seems like a daunting and almost useless project to undertake. This leads to several problems: o The security team doesn’t know whether it’s supporting business goals. o The organization has no sense of direction in terms of what security’s priorities or initiatives should be. o Risks are not treated appropriately. To bring your security program to the next level, security governance and management is needed. Your security governance and management program needs to be customized to your organization’s needs. This project will guide you through the process of creating a customized security governance and management plan that is comprehensive enough to cover all your bases, while keeping costs to a minimum. Begin defining your needs through a security pressure posture analysis and use best practices to determine what your security program should include. Conduct a gap analysis to collect the initiatives you need to reach your target state. Create an action plan and implement this project with the tools and templates provided by Info-Tech. Technology is not enough alone – security governance and management is needed. Governance and management ensures that your processes, people, and policies support organizational security. It provides a unifying direction and vision for the entire program, instead of having ad hoc controls for each new initiative.

Info-Tech Research Group4 4 Use these icons to help direct you as you navigate this research This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project. This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization. Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

Info-Tech Research Group5 5 Info-Tech offers various levels of support to best suit your needs Consulting “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” Guided Implementation “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” DIY Toolkit “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” Workshop “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” Diagnostics and consistent frameworks used throughout all four options

Info-Tech Research Group6 6 Best-Practice Toolkit 1.1 Understand the value of security governance and management 1.1 Create a convincing business case 2.1 Define your risk tolerance 2.2 Determine your security pressure posture 3.1a Understand the different components of a security governance and management program 3.1b Self-assess your security governance and management capabilities and maturity levels 3.2 Define the governance and management target state 4.1 Identify existing gaps 4.2 Build initiatives to bridge the gap 4.3 Estimate the resources needed 4.4 Build an effort map 4.5 Determine start time and accountability 5.1 Finalize roadmap and action plan 5.2 Build out governance and management deliverables 6.1 Develop your security metrics 6.5 Develop a cycle of continuous improvement through your measurement program Guided Implementations Understand the value and challenges of security governance and management to create your business case. Define your risk tolerance and determine your security pressure posture Perform a current state assessment of your capabilities and maturity levels. Establish the governance and management target state. Identify where there are existing gaps and where initiatives should be built. Prioritize the gaps based on resources and efforts to create an implementation timeline. Review and finalize the governance and management roadmap and action plan. Build out your governance and management deliverables Onsite Workshop Module 1: Assess security requirements Module 2: Perform a gap analysis Module 3: Develop gap initiatives Module 4: Implement gap initiatives Phase 1 Results: Understanding of the pressure posture and security governance. Phase 2 Results: Identified gaps in the program. Phase 3 Results: Actionable initiatives to continue building out security governance. Phase 4 Results: Completed governance and management deliverables. Assess security requirements Perform a gap analysis Develop gap initiatives Implement gap initiatives Security Governance and Management Project Overview

Info-Tech Research Group7 7 Workshop overview Contact your account representative or for more Workshop Day 1Workshop Day 2Workshop Day 3Workshop Day 4Workshop Day 5 Activities Assess security requirements 1.1 Understand the value of security governance and management 1.2 Create a convincing business case 1.3 Define your risk tolerance 1.4 Determine your security pressure posture Perform a gap analysis 2.1 Understand the different components of a security governance and management program 2.2 Self-assess your security governance and management capabilities and maturity levels 2.3 Define the governance and management target state Develop gap initiatives 3.1 Identify existing gaps 3.2 Build initiatives to bridge the gap 3.3 Estimate the resources needed 3.4 Build an effort map 3.5 Determine start time and accountability Implement initiatives 4.1 Finalize roadmap and action plan 4.2 Build out governance and management deliverables 4.3 Develop your security metrics 4.4 Develop a cycle of continuous improvement through your measurement program Communicate and continue to implement 5.1 Finalize deliverables 5.2 Support communication efforts 5.3 Identify resources in support of priority initiatives Deliverables 1.Business case for security governance and management. 2.Defined risk tolerance. 3.Defined security pressure posture. 1.Current maturity levels of the security governance and management capabilities. 2.Established target state for the capabilities. 1.Identified gaps in the existing security program. 2.Gap initiatives in order to close the gaps. 3.Prioritization of the gaps, assisting in implementation. 1.Finalized roadmap and action plan. 2.Completed governance and management deliverables. 3.Developed security metrics. 1.Security governance and management plan and roadmap. 2.Mapping of Info-Tech resources against individual initiatives.