Presentation is loading. Please wait.

Presentation is loading. Please wait.

© ITGI, ISACA - not for commercial use. John R. Robles 787-647-3961 Guidance for Information.

Published byElfreda Norman Modified over 8 years ago

Similar presentations

Presentation on theme: "© ITGI, ISACA - not for commercial use. John R. Robles 787-647-3961 Guidance for Information."— Presentation transcript:

1 © ITGI, ISACA - not for commercial use. John R. Robles 787-647-3961 jrobles@coqui.net john.robles@gmail.com www.johnrrobles.com Guidance for Information Security Managers Isaca - Information Security Governance “This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not- for-profit basis.”

2 © ITGI, ISACA - not for commercial use. Isaca Puerto Rico  Serving IT Audit, Security, and Controls Professionals in Puerto Rico since 1984 (Celebrating our 25 th Anniversary in 2009)  More than 300 members  Provide Certification … CISA (139), CISM (13), CGEIT (6)  Provide Education and Conferences… Monthly educational meetings and yearly Symposium  Standards…ITAF™: A Professional Practices Framework for IT Assurance  Research…The IT Governance Institute (ITGI)

3 © ITGI, ISACA - not for commercial use. Isaca Puerto Rico  Publications… The Bookstore, Isaca Journal  Downloads…  Review Courses… for the CISA, CISM, CGEIT Exams twice a year…  Join a Growing and Dynamic Professional Association!!  www.isaca.org www.isaca.org  www.isacapuertorico.com www.isacapuertorico.com  isaca_pr@yahoo.com isaca_pr@yahoo.com

4 © ITGI, ISACA - not for commercial use. Introduction u u Information Security has become a matter for consideration at the highest organizational level u u ‘It is no longer enough to communicate to the world of stakeholders why we exist and what constitutes success, we must also communicate how we are going to protect our existence’. - Kiely, Laree; Terry Benzel; Systemic Security Management, Libertas Press, USA, 2006 u u This publication discusses how to develop an information security strategy within the organization's governance framework and how to drive that strategy through an information security program.

5 © ITGI, ISACA - not for commercial use. Information Security Governance Guidance Firms operating at best-in-class (security) levels are lowering financial losses to less than 1 percent of revenue, whereas other organizations are experiencing loss rates that exceed 5 percent. - Aberdeen Group, ‘Best Practices in Security Governance’, USA, 2005

6 © ITGI, ISACA - not for commercial use. Information Security Program Requirements

7 © ITGI, ISACA - not for commercial use. u u Executive Management u u Steering Committee u u Chief Information Security Officer Roles and Responsibilities

8 © ITGI, ISACA - not for commercial use. What the Board, Executive Management and Security Management Should Do?

9 © ITGI, ISACA - not for commercial use. Information Security Metrics and Monitoring u u Information Security Metrics u u Governance Implementation Metrics u u Strategic Alignment u u Risk Assessment u u Value Delivery u u Resource Management u u Performance Measurement u u Assurance Process Integration (Convergence)

10 © ITGI, ISACA - not for commercial use. Establishing Information Security Governance u u An Information Security Strategy Corporate strategy is the pattern of decisions in a company that determines and reveals its objectives, purposes, or goals, produces the principal policies and plans for achieving those goals, and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities. - Andrews, Kenneth; The Concept of Corporate Strategy, 2 nd Edition, Dow-Jones Irwin, USA, 1980

11 © ITGI, ISACA - not for commercial use. u u The Goal u u Classification and Valuation u u Deferred Information Maintenance Information Security Objectives

12 © ITGI, ISACA - not for commercial use. u u Defining Objectives u u The Desire State u u Risk Objectives u u Number of Controls u u Current State of Security Strategy

13 © ITGI, ISACA - not for commercial use. Strategy

14 © ITGI, ISACA - not for commercial use. Strategy

15 © ITGI, ISACA - not for commercial use. u u Elements of a Strategy u u Policies u u Standards u u Processes u u Controls u u Technologies u u People, Training, Etc. u u Gap Analysis – Basic for an Action Plan u u Annual or more frequently The Strategy

16 © ITGI, ISACA - not for commercial use. u u Create/Modify Policies u u Create/Modify Standards Action Plan

17 © ITGI, ISACA - not for commercial use. u u Action Plan Metrics u u General Metrics Considerations u u Summary – Take into consideration u u What is important to information security operations u u Requirements of IT Management u u Requirements of business process owners u u Requirements of senior management Action Plan Intermediate Goals

18 © ITGI, ISACA - not for commercial use. u u An Example Using the ITGI and CobiT Maturity Scale u u Sample Policy Statement u u Sample Standard u u Additional Sample Policy Statements u u Conclusions Establishing Information Security Governance

19 © ITGI, ISACA - not for commercial use.. Conclusion “Although regulatory compliance has been a major driver in improving information security overall, recent studies have also shown that nearly half of all companies are failing to initiate meaningful compliance efforts.”

20 © ITGI, ISACA - not for commercial use. Appendix A – Critical Success Factors For Effective Information Security u u Performance Measures u u Determine whether Information Security is succeeding u u Determine whether Information Security Governance is succeeding

21 © ITGI, ISACA - not for commercial use. Appendix B – Self Assessment and Maturity Model u u Self – Assessment for Information Security Governance u u Maturity Levels – Detailed Descriptions u u Purpose - Determine your Information Security Maturity Level

22 © ITGI, ISACA - not for commercial use. Appendix  Appendix C – A Generic Approach to Information Security Initiative Scoping  Determine Task Steps  Determine Task Step Activities  Determine Task Step Deliverables  Appendix D – An Approach to Information Security Metrics  “NIST special publication 800-55 provides an approach to security metrics”

23 © ITGI, ISACA - not for commercial use.   Glossary   References   Other Publications Appendix

24 © ITGI, ISACA - not for commercial use.

Download ppt "© ITGI, ISACA - not for commercial use. John R. Robles 787-647-3961 Guidance for Information."

Similar presentations

Organizational Governance

Organizational Governance
COBIT® 5 for Assurance Introduction

COBIT® 5 for Assurance Introduction
Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA.

Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA.
1 2009 ISACA All rights reserved. Unlocking the Value of Technology Investments Speaker Name/Title Date.

ISACA All rights reserved. Unlocking the Value of Technology Investments Speaker Name/Title Date.
Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.

Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.
Introduction to Enterprise Risk Management (ERM)

Introduction to Enterprise Risk Management (ERM)
CISA/CISM Programs DoD and Component Overview June 29, 2006.

CISA/CISM Programs DoD and Component Overview June 29, 2006.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
IS Audit Function Knowledge

IS Audit Function Knowledge
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.

1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.
The Business Plan : Creating and Starting The Venture

The Business Plan : Creating and Starting The Venture
How can projects be controlled?

How can projects be controlled?
ISACA Wellington: 2014 Strategy. Background ISACA’s vision: Trust in, and value from, information and information systems ISACA’s mission: For professionals.

ISACA Wellington: 2014 Strategy. Background ISACA’s vision: Trust in, and value from, information and information systems ISACA’s mission: For professionals.
Chapter 2 Careers in Fraud Examination and Financial Forensics.

Chapter 2 Careers in Fraud Examination and Financial Forensics.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM 817.352.4929 or

Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM or
© 2007 ISACA ® All Rights Reserved DAMA-NCR Chapter Meeting March 11, 2008.

© 2007 ISACA ® All Rights Reserved DAMA-NCR Chapter Meeting March 11, 2008.
Cutlip & Center's Effective PUBLIC RELATIONS

Cutlip & Center's Effective PUBLIC RELATIONS

Similar presentations

Ads by Google