
Successful Information Security Governance


1 Successful Information Security Governance
Pitching, Integrating, Governing and Succeeding the Information Security Governance Project
Brian D. Huntley P.E., PMP, CISA, CISSP, CBCP
11/19/2018 © 2013 Brian D. Huntley, P.E., PMP, CISA, CISSP, CBCP. Reproduction and distribution rights granted to EGRC and NMI LLC.

2 Learning Objectives
Information Security Governance
▪ Program Development
▪ Program Management
  ▪ Risk Mitigation: closing known control gaps
  ▪ Continuous Service Improvement (CSI): event, incident and problem management
Information Security Program Projects
▪ Originating drivers, triggers, and influences
▪ Special challenges = f (Origins)
▪ Challenge : Response Tactics
Project Management Body of Knowledge (PMBOK®)
Information Technology Infrastructure Library (ITIL®)

3 Information Security Governance
Governance → Information Security Program Development:
“Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” (COBIT® 5 © 2012 ISACA. All rights reserved.)
Management → Information Security Program Management:
“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.” (COBIT® 5 © 2012 ISACA. All rights reserved.)

4 Drivers, Triggers, and Influences
Diagram: drivers, triggers and influences on Information Security Program Development and Management, ranging from the expected, known and planned to the unexpected, unplanned and unknown.

5 Information Security Project Challenges
MUST deliver on time and on budget!

6 Challenge : Response Tactics
▪ Enterprise-wide scope
▪ Precise tactics demanded, on a large scale
Response:
▪ Task Decomposition

7 Task Decomposition Example
“The company will… plan, design, agree and approve, fund, develop, and… implement an Information Security Program…
▪ A corporate Information Security Program policy
▪ A set of information security policies
▪ An information assets inventory
▪ An information security controls inventory
▪ An Information Security Risk Assessment
▪ An information security Incident Response Plan…
…by…
▪ May 1, 2013
▪ July 12, 2013
▪ August 30, 2013
▪ September 25, 2013…
…December 31, 2013.”
(Hypothetical)

8 Challenge : Response Tactics
▪ Heavily-matrixed human resources
▪ Multiple competing interests
▪ “The company will agree……”
Response:
▪ Governance Stakeholders Mapping
  ▪ “Circles of Influence” Model
  ▪ Project Governance Diagram
  ▪ Responsibility Assignment Matrix (RAM); also called a “Linear Responsibility Chart” (LRC) or “RACI Matrix” (or “RASCI Matrix”): Responsible, Accountable, Supporting, Consulted, Informed

9 Circles of Influence Model
Assign people to groups (“circles”) as a function of their relative influence.
Diagram: concentric circles, labelled along an axis of increasing influence.

10 Project Governance Diagram
Diagram: the INFORMATION SECURITY PROJECT at the centre, with the Project Steering Committee above it and Enterprise Initiative(s) and Other Project(s) alongside; Team(s), Department(s), etc. and Individuals supply inputs to the project and receive its outputs; two boxes marked “?” stand for relationships still to be identified.

11 Responsibility Assignment Matrix (RAM)
Responsible, Accountable, Supporting, Consulted, Informed
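A RASCI matrix is only useful if it is consistent, and on a heavily-matrixed project the first defects are usually a deliverable with two Accountable parties, or none, and one stakeholder who is Accountable for everything. The following is an added example, not part of the presentation: it encodes a constructed matrix for some of the slide-7 deliverables and checks it. The rule it applies (exactly one Accountable and at least one Responsible party per deliverable) is the common RACI convention, assumed here rather than stated on the slide; the stakeholder names are invented.

```python
from collections import Counter

# RASCI letters as the slide expands them: Responsible, Accountable,
# Supporting, Consulted, Informed.
ROLES = {"R", "A", "S", "C", "I"}

# Constructed matrix (not from the presentation): one row per slide-7
# deliverable, one entry per stakeholder. The last row is deliberately
# defective (two Accountable parties, nobody Responsible) so the check
# has something to find.
RACI = {
    "Program policy":         {"CISO": "A", "Security analyst": "R", "Legal": "C", "CIO": "I"},
    "Asset inventory":        {"CISO": "A", "IT operations": "R", "Application owners": "S", "Internal audit": "I"},
    "Risk assessment":        {"CIO": "A", "CISO": "R", "Internal audit": "C"},
    "Incident response plan": {"CISO": "A", "SOC lead": "A", "Legal": "C"},
}


def check_raci(matrix):
    """Return a list of defects. Rules (assumed common convention): every
    deliverable has exactly one Accountable party and at least one
    Responsible party, and only the five RASCI letters are used."""
    problems = []
    for deliverable, assignments in matrix.items():
        unknown = sorted(set(assignments.values()) - ROLES)
        if unknown:
            problems.append(f"{deliverable}: unknown role letter(s) {unknown}")
        counts = Counter(assignments.values())
        if counts["A"] != 1:
            problems.append(f"{deliverable}: expected exactly one Accountable, found {counts['A']}")
        if counts["R"] == 0:
            problems.append(f"{deliverable}: nobody is Responsible")
    return problems


def workload(matrix):
    """Count R and A assignments per stakeholder, to spot the matrixed
    resource that every deliverable leans on."""
    load = {}
    for assignments in matrix.values():
        for person, role in assignments.items():
            if role in ("R", "A"):
                load.setdefault(person, Counter())[role] += 1
    return load


if __name__ == "__main__":
    for problem in check_raci(RACI):
        print("DEFECT:", problem)
    for person, counts in sorted(workload(RACI).items()):
        print(f"{person}: R={counts['R']} A={counts['A']}")
```

Run as-is, the check reports both defects on the incident response plan row, and the workload count shows the CISO holding three of the four Accountable slots, which is the conversation to have with the steering committee before the plan is signed.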

12 Challenge : Response Tactics
▪ Meaningful communications and status reporting
Response:
▪ Earned Value Analysis (EVA)
Diagram, “How much is done?”: a high SWAG answers “80%!” (a false positive); a low SWAG answers “Only 10%...” (a false negative); the measured response is “48%! (On schedule, On budget)”.
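The slide's point is that a measured percent-complete comes from earned value, not from a guess. As an added example, not part of the presentation, the block below computes the standard earned value figures (PV, EV, AC, SV, CV, SPI, CPI, EAC) over a constructed status snapshot of the slide-7 task decomposition. The budgets, planned and actual progress and spend are invented, and chosen so the measured answer comes out as the slide's “48%, on schedule, on budget”; the 5% tolerance band in `verdict` is also an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    budget: float       # budget at completion for this task (its share of BAC), in $k
    planned_pct: float  # fraction scheduled to be complete at the status date
    actual_pct: float   # fraction measured complete from delivered work products
    actual_cost: float  # spend to date, in $k


# Constructed status snapshot (not the presentation's data) for the
# slide-7 deliverables.
TASKS = [
    Task("Program policy",         10, 1.00, 1.00,  9),
    Task("Security policy set",    20, 1.00, 1.00, 22),
    Task("Asset inventory",        20, 0.60, 0.75, 14),
    Task("Controls inventory",     15, 0.20, 0.20,  3),
    Task("Risk assessment",        20, 0.00, 0.00,  0),
    Task("Incident response plan", 15, 0.00, 0.00,  0),
]


def earned_value(tasks):
    """Standard EVA figures: BAC, PV, EV, AC, variances, indices and EAC."""
    bac = sum(t.budget for t in tasks)
    pv = sum(t.budget * t.planned_pct for t in tasks)  # value scheduled to be earned by now
    ev = sum(t.budget * t.actual_pct for t in tasks)   # value actually earned, priced at budget
    ac = sum(t.actual_cost for t in tasks)
    spi = ev / pv if pv else 1.0  # schedule performance index
    cpi = ev / ac if ac else 1.0  # cost performance index
    return {
        "BAC": bac, "PV": pv, "EV": ev, "AC": ac,
        "percent_complete": ev / bac if bac else 0.0,
        "SV": ev - pv, "CV": ev - ac,
        "SPI": spi, "CPI": cpi,
        "EAC": bac / cpi if cpi else float("inf"),  # forecast at current cost efficiency
    }


def verdict(index, tolerance=0.05):
    """Classify a performance index; the tolerance band is an assumption."""
    if index >= 1 + tolerance:
        return "ahead"
    if index >= 1 - tolerance:
        return "on track"
    return "behind"


def swag_estimates(tasks):
    """Two guesses a status meeting produces instead of EV: the share of
    tasks finished (pessimistic) and the share of tasks started (optimistic)."""
    n = len(tasks)
    finished = sum(1 for t in tasks if t.actual_pct >= 1.0) / n
    started = sum(1 for t in tasks if t.actual_pct > 0.0) / n
    return {"finished_tasks": finished, "started_tasks": started}


def status_report(tasks):
    """One-line measured status for the steering committee."""
    m = earned_value(tasks)
    return (f"{m['percent_complete']:.0%} complete; "
            f"schedule {verdict(m['SPI'])} (SPI {m['SPI']:.2f}); "
            f"cost {verdict(m['CPI'])} (CPI {m['CPI']:.2f}); "
            f"EAC {m['EAC']:.0f} of BAC {m['BAC']:.0f}")


if __name__ == "__main__":
    print(status_report(TASKS))
    print("SWAG alternatives:", swag_estimates(TASKS))
```

On this snapshot the two SWAGs disagree with each other (a third of the tasks are finished, two thirds are started) while the earned value figure is 48% with SPI 1.07 and CPI 1.00, which is the “on schedule, on budget” answer the slide contrasts with the guesses. The figure that matters for a security programme is `actual_pct`: it has to come from accepted deliverables (a signed policy, a reconciled inventory), not from the task owner's feeling of progress, or EVA just formalises the SWAG.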

13 Challenge : Response Tactics
▪ Planned: minimal funding ≈ longer timelines
▪ Unplanned: “BAU” budget, short timelines
Response:
▪ Planning with uncertainty
▪ Selection of project execution method
Diagram: Crashing → Spiral Development → Waterfall Method, plotted against time, cost and uncertainty.

14 Selection of Methodology
Diagram: Waterfall Method, Spiral Development and Crashing, each drawn over Task 1 through Task 5.

15 Summary
Successful information security governance requires planning and execution of projects to develop and manage the Information Security Program.
Use thoughtful selection and deliberate application of structured project management tactics to meet the unique challenges of the Information Security Project.
Plan your work, and work your plan.

16 Brian D. Huntley P.E., PMP, CISA, CISSP, CBCP bhuntley@gwi.net