BUSINESS CASE FOR INFORMATION SECURITY PROGRAM
Developed and Presented by: William Godwin, 3/12/2014
© 2014
Background
- Safeguards the company's most important asset: CORPORATE INFORMATION
- Establishes a formal program and standard to:
  - Safeguard Confidentiality, Integrity, and Availability of information
  - Determine the company's risk appetite
  - Categorize data and information assets
  - Establish appropriate security control baseline
  - Assess risk of compromise
  - Comply with governing regulations and corporate governance
Value
- Identifies IT Operations as a business enabler
- Establishes security benchmarks and determines assessment targets capable of maturing as threats evolve and become more sophisticated
- Aligns IT Services with the company's mission
- Delivers a long-term information security strategy
- Effectively mitigates threats and risks and reduces incidents
- Drives scalable processes and IT solutions
- Provides insight to:
  - Optimize IT operations budget management
  - Promote an organizational structure that integrates the program
  - Support organizational maturity
Scope
- Organization Position/Posture
  - Data categorization of critical departments
- Risk Appetite
  - Determine the company's tolerance to risk exposure
- Business Impact Analysis
  - Determine criticality of departments and supporting resources
- Develop Strategy, Plan, Implement and Execute
- Cultivate Continuous Improvement Opportunities
Organization Position/Posture
- Develop strategy for implementation. Reference output from the Data Categorization & Risk Appetite exercise (Ref. slide #6 & slide #7)
- Garner support from organization leadership
  - Large/Enterprise organizations may have multiple executives
- Obtain operational leadership buy-in
  - Operational Managers will need to be made aware of their roles and expectations
- Develop & establish corporate standards and requirements for information security
Data Categorization
- Defines broad classes of information created, stored, and/or delivered by the company
- Allows for logical groupings based on criticality to the business
- Determines data sensitivity levels to unauthorized access, modification or loss of availability
- Aids in the following:
  - Establish a security baseline for protecting sensitive data
  - Identify business exposure
  - Determine impact on the company should data become compromised
  - Permit executives to set priority based on criticality of data
Determine & Establish Risk Appetite
- The company may implement the appropriate level of information security control based on the risk appetite.
- Risk Appetite is determined by establishing the sensitivity of data stored, processed or transmitted by an information system. (Ref. slide #6)
- Sensitivity is determined by understanding the criticality of the data to the company's mission or regulatory requirements.
Business Impact Analysis
- Categorize and analyze critical business departments/divisions
- Create a priority list of the most sensitive business functions
- Create a priority list of support resources
  - Human Resources
  - Information Technology Resources
- Establish information security requirements
- Identify and implement baseline security controls to reduce risk
Strategy, Plan, Implement & Execute
- Strategy
  - Identify desired service capability and control coverage (Ref. slide #10)
  - Identify and gather regulatory requirements and corporate governance
  - Develop and execute a strategic plan for program implementation
- Planning for critical IT assets
  - Establish operating authority (typically an executive authorizes the system to operate)
  - Document the system Security Plan
  - Develop the system IT Contingency Plan
  - Develop the Configuration Management & Control Plan
  - Develop the system Incident Response Plan
  - Implement security controls as specified within the security plan
- Execute
  - Conduct threat assessment
  - Conduct initial Risk Assessment
  - Mitigate security exposure to acceptable levels
  - Conduct final security test to validate control implementation
Information Security Model
Model Terms & Glossary
Capability: Defines "what" is in place: the information security processes, process areas, or disciplines.
Coverage: Defines the "amount" of control coverage, and the timeline over which it should be applied.
Control: Managing obligations to the business, stakeholders and customers, and demonstrating that they are met.
[Figure: Information Security Model. Axes: Capability (levels 1 to 5), Coverage (0%, 25%, 50%, 75%, 100%) and Control; labelled elements: Info Security Mission & Goals, Risk & Compliance Objectives, Optimal Path (Timeline), ROI & Cost-efficiency.]

Capability | Processes are …                         | Coverage
1          | Ad Hoc & Disorganized                   | 0%
2          | Repeatable (generally consistent pattern) | 25%
3          | Documented and communicated             | 50%
4          | Monitored and measured                  | 75%
5          | Measured and improved                   | 100%
Maturing to Proactive Posture
Capability: Process discovery and re-engineering to support Information Security program alignment with business and security requirements.
Coverage: Integrate required regulations and observe areas for control enhancement.
Control: Risk- and compliance-based categorization and prioritization of information assets and processes.
The degree and complexity of controls are driven by the enterprise's risk appetite and applicable compliance requirements.
SEI, Carnegie Mellon 2008
Primary Drivers
Continuous Improvement Opportunities
- Identify success/fail requirements
- Identify metrics applicable to the organization, for example:
  - Total vulnerabilities
  - Residual risk
  - Total incidents
  - Change in vulnerabilities and incidents
  - IT system operational budget change
Conclusion
- Aids organization leaders in identifying and assigning priority to business units and supporting IT systems based on criticality
- Enables effective financial planning for IT Operations and Security
- Ensures compliance with regulatory requirements and governance
- Enables effective management of risk to IT systems
- Improves IT service capabilities through process maturity