Published by Elfreda Norman
© ITGI, ISACA - not for commercial use.
Guidance for Information Security Managers
ISACA - Information Security Governance
John R. Robles, 787-647-3961, email@example.com, firstname.lastname@example.org, www.johnrrobles.com
"This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis."
ISACA Puerto Rico
Serving IT Audit, Security, and Controls Professionals in Puerto Rico since 1984 (celebrating our 25th anniversary in 2009)
- More than 300 members
- Provide certification: CISA (139), CISM (13), CGEIT (6)
- Provide education and conferences: monthly educational meetings and yearly Symposium
- Standards: ITAF(TM): A Professional Practices Framework for IT Assurance
- Research: The IT Governance Institute (ITGI)
- Publications: The Bookstore, ISACA Journal, downloads
- Review courses for the CISA, CISM, and CGEIT exams twice a year
Join a growing and dynamic professional association!
www.isaca.org
www.isacapuertorico.com
email@example.com, firstname.lastname@example.org
Introduction
- Information security has become a matter for consideration at the highest organizational level.
- "It is no longer enough to communicate to the world of stakeholders why we exist and what constitutes success, we must also communicate how we are going to protect our existence." - Kiely, Laree; Terry Benzel; Systemic Security Management, Libertas Press, USA, 2006
- This publication discusses how to develop an information security strategy within the organization's governance framework and how to drive that strategy through an information security program.
Information Security Governance Guidance
"Firms operating at best-in-class (security) levels are lowering financial losses to less than 1 percent of revenue, whereas other organizations are experiencing loss rates that exceed 5 percent." - Aberdeen Group, "Best Practices in Security Governance", USA, 2005
Information Security Program Requirements
Roles and Responsibilities
- Executive Management
- Steering Committee
- Chief Information Security Officer
What Should the Board, Executive Management and Security Management Do?
Information Security Metrics and Monitoring
- Information Security Metrics
- Governance Implementation Metrics
- Strategic Alignment
- Risk Assessment
- Value Delivery
- Resource Management
- Performance Measurement
- Assurance Process Integration (Convergence)
Establishing Information Security Governance
- An Information Security Strategy
"Corporate strategy is the pattern of decisions in a company that determines and reveals its objectives, purposes, or goals, produces the principal policies and plans for achieving those goals, and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities." - Andrews, Kenneth; The Concept of Corporate Strategy, 2nd Edition, Dow-Jones Irwin, USA, 1980
Information Security Objectives
- The Goal
- Classification and Valuation
- Deferred Information Maintenance
Strategy
- Defining Objectives
- The Desired State
- Risk Objectives
- Number of Controls
- Current State of Security
Strategy
The Strategy
- Elements of a Strategy
  - Policies
  - Standards
  - Processes
  - Controls
  - Technologies
  - People, Training, Etc.
- Gap Analysis - Basis for an Action Plan
- Annual or more frequently
Action Plan
- Create/Modify Policies
- Create/Modify Standards
Action Plan Intermediate Goals
- Action Plan Metrics
- General Metrics Considerations
- Summary - Take into consideration:
  - What is important to information security operations
  - Requirements of IT management
  - Requirements of business process owners
  - Requirements of senior management
Establishing Information Security Governance
- An Example Using the ITGI and COBIT Maturity Scale
- Sample Policy Statement
- Sample Standard
- Additional Sample Policy Statements
- Conclusions
Conclusion
"Although regulatory compliance has been a major driver in improving information security overall, recent studies have also shown that nearly half of all companies are failing to initiate meaningful compliance efforts."
Appendix A - Critical Success Factors for Effective Information Security
- Performance Measures
- Determine whether information security is succeeding
- Determine whether information security governance is succeeding
Appendix B - Self-Assessment and Maturity Model
- Self-Assessment for Information Security Governance
- Maturity Levels - Detailed Descriptions
- Purpose - Determine your information security maturity level
Appendix C - A Generic Approach to Information Security Initiative Scoping
- Determine task steps
- Determine task step activities
- Determine task step deliverables
Appendix D - An Approach to Information Security Metrics
"NIST Special Publication 800-55 provides an approach to security metrics."
Appendix
- Glossary
- References
- Other Publications