SlideShare ist ein Scribd-Unternehmen logo

Information Security Governance and Strategy - 3

Als PPTX, PDF herunterladen
Dam Frank
Dam Frank

Information Security Governance & Strategy

Leadership & Management
1 von 35
Lecture 3 Information Security Governance & Strategy
Review  IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500)  IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions.  Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks
Review  NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Review  The five general governance areas are:  Govern the operations of the organization and protect its critical assets  Protect the organization's market share and stock price (perhaps not appropriate for education)  Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)  Protect the reputation of the organization  Ensure compliance requirements are met
Review Governance Management Accountability Responsibility Authorizes decision rights Authorized to make decisions Enact policy Enforce policy Oversight Implementation Resource allocation Resource utilization Strategic planning Project planning
Review  Responsibility: Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.  Strategy: The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.  Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision
Review  Performance: IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.  Conformance: IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.  Human Behavior: IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the 'people in the process'.
Characteristics of Effective Security Governance  It is an institution-wide issue  Leaders are accountable  It is viewed as an institutional requirement (cost of doing business)  It is risk-based  Roles, responsibilities and segregation of duties are defined  It is addressed and enforced in policy  Adequate resources are committed  Staff are aware and trained  A development life cycle is required  It is planned, managed, measureable and measured  It is reviewed and audited
Challenges of effective Governance  These challenges can be very useful in presenting rationale to leadership for implementing an effective institution security governance mode  Understanding the implications of ubiquitous access and distributed information  Appreciating the institution-wide nature of the security problem  Overcoming the lack of a game plan  Establishing the proper institutional structure and segregation of duties  Understanding complex global legal compliance requirements and liability risks (the word global may or may not apply to education)
Challenges of effective Governance  Assessing security risks and the magnitude of harm to the institution  Determining and justifying appropriate levels of resources and investment  Dealing with the intangible nature of security  Reconciling inconsistent deployment of security best practices and standards  Overcoming difficulties in creating and sustaining a security-aware culture
Outcomes of effective Governance  Strategic alignment of information security with institutional objectives  Risk management - identify, manage, and mitigate risks  Resource management  Performance measurement - defining, reporting, and using information security governance metrics  Value delivery by optimizing information security investment
Information Security Governance Best Practices  Information security activities should be governed based on relevant requirements, including laws, regulations, and organizational policies.  Senior managers should be actively involved in establishing information security governance framework and the act of governing the agency's implementation of information security. Information security responsibilities must be assigned and carried out by appropriately trained individuals.  Individuals responsible for information security within the agency should be held accountable for their actions or lack of actions.
Information Security Governance Best Practices  Information security priorities should be communicated to stakeholders of all levels within an organization to ensure a successful implementation of an information security program.  Information security activities must be integrated into other management activities of the enterprise, including strategic planning, capital planning, and enterprise architecture.  Information security organization structure should be appropriate for the organization it supports and should evolve with the organization, if the organization undergoes change.
Information Security Governance Best Practices  Information security managers should continuously monitor the performance of the security program/effort for which they are responsible, using available tools and information.  Information discovered through monitoring should be used as an input into management decisions about priorities and funding allocation to effect the improvement of security posture and the overall performance of the organization.
Question to engage institutional leaders  Questions to uncover information security issues  Does the head of security/CISO routinely meet or brief institutional leaders?  When was the last time top managers got involved in security-related decisions?  Do managers know who is responsible for security?  Would people recognize a security incident? Would they know who to call?
Question to engage institutional leaders  Questions to find out how managers addresses information security issues  Is the institution clear on its position relative to IT and security risks?  How much is spent on information security?  What percentage of staff had security training last year?
Question to engage institutional leaders  Questions to assess information security governance practices  Are managers confident that security is being adequately addressed in the enterprise?  Are managers aware of the latest information security issues and best practices?  Does the institution participate in an incident, threat, vulnerability notification and sharing service?  What is the industry best practice and how does the institution compare?  What can be done to successfully implement information security governance?
Question to engage institutional leaders  Questions individuals responsible for governance should ask and be able to answer.  Questions for directors/trustees  Does the board understand the institution's dependence on information?  Does the institution recognize the value and importance of information?  Does the institution have a security strategy?  Does the board understand the institution's potential liabilities in the event of regulatory non-compliance?
Question to engage institutional leaders  Questions for managers  How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements?  Has someone been appointed to be responsible for developing, implementing and managing the information security program, and is he/she held accountable?  Are security roles and responsibilities clearly defined and communicated?  Is there a CISO or other officer with sufficient authority and resources to accomplish security objectives?
Governance structures depend on desired outcomes  Top revenue growth - decentralized to promote customer responsiveness and innovation  Profit - centralized to promote sharing, reuse and efficient asset utilization  Multiple performance goals - blended centralized and decentralized
Information Security Governance Structures (ORG structures ISACA )  The NIST Security Handbook states that governance is highly dependent on the overall organization structure.  Centralized maintain budget control and ensure implementation and monitoring of information security controls.  Decentralized have policy and oversight responsibilities and budget responsibilities for their departmental security program not the operating unit information security program. Reporting structures are different as well.  Governance structures can be hybrid, with a combination of characteristics from both centralized and decentralized.
Political Archetypes  Weill and Ross use political archetypes in IT Governance [3] to describes people or groups who have decision rights.  Business monarchy: Senior business executives make IT decisions  IT monarchy: IT executives make IT decisions  Feudal: Business unit leaders make IT decisions to optimize local needs, but does not facilitate enterprise decision-making.  Federal: Coordinated IT decision-making between the center and the business units.  IT duopoly: IT executives and one other group (such as senior executives or business units) make IT decisions.
What Governance Arrangements Work Best  Monarchies work well when profit is a priority.  Feudal or business monarchy arrangements might work best when growth is a priority.  Federal arrangements can work well for input into all IT decisions. Avoid federal arrangement for all decisions since it's difficult to balance the center with the business unit needs.  Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.
Summary Roles and responsibilities ISACA Framework Chief Executive Officer - Oversee overall corporate security posture (accountable to the Board) - Brief Board, customers and public Chief Security Officer Chief Information Officer Chief Risk Officer Department/Agency Head - Set security policies, procedures, program and training - Incident management - Responsible for independent annual audit coordination - Compliance Mid-Level Manager - Compliance - Communicate policies and program (training) Enterprise staff/employees - Implement policies - Report vulnerabilities and breaches
Strategy Planning ISACA Framework  Each security plan must include:  Mission, vision, goals, objectives and how they relate to the agency mission  High-level plan for achieving information security goals and objectives including short-, mid-term objective and performance targets and performance measures.  The plans must be revisited when major changes happen including legislation, regulations, directives, agency mission priorities, emerging information security issues.
Acquisition and Procurement ISACA Framework  IT products that are expensive or will have a significant impact on an institutions liability should be reviewed for IT security risks before purchase. In large institutions, IT product acquisition provides an opportunity to evaluate centralization vs. proliferation of IT resources and the resulting impact on security. Acquisition also serves as a good control point for information security evaluation before investments are made. Contract language might be needed to protect the institution's data, especially with products known as 'software as a service' or SaaS.
Measuring and Reporting Performance ISACA Framework  Performance measurement should be a system of measuring, monitoring and reporting information security governance metrics to ensure that institutional objectives are achieved. Development/maintenance of a security and control framework that consists of standards, measures, practices, and procedures is essential to the metric evaluation of the governance structure.  A key metric is the adverse impacts of information security incidents experienced by the institution. An effective security program will show a trend of impact reduction. Quantitative measures can
Measuring and Reporting Performance ISACA Framework  Some example metrics might include:  Number of incidents damaging the institution's reputation with the public  Number of systems where security requirements are not met  Time to grant, change and remove access privileges  Number and type of suspected and actual access violations  Number and type of malicious code prevented  Number and type of security incidents  Number and type of obsolete accounts  Number of unauthorized IP addresses, ports and traffic types denied  Number of access rights authorized, revoked, reset or
Compliance ISACA Framework  IT and data within higher education information systems are becoming increasingly regulated and scrutinized. This regulation ranges from pressures for disclosure and transparency to pressures for privacy. These pressures accent the need for common approaches, common solutions, and consistent high-quality data.  Challenges and Keys to success  Balancing extensive requirement originating from multiple governing bodies.  Balancing legislation and agency specific policy.  Maintain currency  Prioritizing available funding according to requirements.
Policy ISACA Framework  Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. Information security policy is an essential component of information security governance--- without the policy, governance has no substance and rules to enforce.
Policy ISACA Framework  Information security policy at the institutional level should address the fundamentals of institution's information security governance structure, including:  Information security roles and responsibilities;  Statement of security controls baseline and rules for exceeding the baseline; and  Rules of behaviour that agency users are expected to follow and minimum repercussions for noncompliance.
Policy ISACA Framework  Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include:  Policy calling for a security strategy, an institution- wide security program, and governance of such a program  Code of conduct specifying what is meant by due diligence and standard of due care with respect to information security  Security ethics  Security risk specifying risk appetite, tolerance, scope and period of risk assessment, and ongoing risk management process
Policy ISACA Framework  Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include:  Business case specifying the decision making process for security investments  Security roles and responsibilities  Asset classification and inventory  Data protection  Asset access specifying access rights to categories of assets and how these are managed  Change management  Security standards  Business continuity
Policy ISACA Framework  Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include:  Disaster recovery  Managing external parties (vendors, suppliers)  Incident response  Security awareness, training, and education  Security measurement including measuring policy compliance and effectiveness  Adherence to policy, policy waivers and exceptions, and consequences of non-compliance
Risk Management ISACA Framework  Higher education information systems continue to be subject to a large number of security threats. The ability to secure the gamut of intuitional IT resources and data has become a compelling and increasingly urgent need.  Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation.

Empfohlen

Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 

Empfohlen

Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment PresentationLionel Medina
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementMaganathin Veeraragaloo
 
Cyber Security Management
Cyber Security ManagementCyber Security Management
Cyber Security ManagementIT Governance Ltd
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Bcp drp
Bcp drpBcp drp
Bcp drpaqel aqel
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance BOC Group
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityjayashri kolekar
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
information security management
information security managementinformation security management
information security managementGurpreetkaur838
 
Access Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptxAccess Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptxComplianceSPE
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxManushiKhatri
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment PresentationLionel Medina
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance BOC Group
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityjayashri kolekar
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
information security management
information security managementinformation security management
information security managementGurpreetkaur838
 

Was ist angesagt? (20)

Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & Control
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment Presentation
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Cyber Security Management
Cyber Security ManagementCyber Security Management
Cyber Security Management
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident Management
 
Bcp drp
Bcp drpBcp drp
Bcp drp
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
information security management
information security managementinformation security management
information security management
 

Ähnlich wie Information Security Governance and Strategy - 3

Access Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptxAccess Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptxComplianceSPE
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxManushiKhatri
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptxFaith Shimba
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfkimangeloullero
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdfsdfghj21
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practiceswacasr
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfalokkesh
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security ProgramShauna_Cox
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 

Ähnlich wie Information Security Governance and Strategy - 3 (20)

Access Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptxAccess Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptx
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptx
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
Cisa 2013 ch2
Cisa 2013 ch2Cisa 2013 ch2
Cisa 2013 ch2
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptx
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdf
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
CISSPills #3.06
CISSPills #3.06CISSPills #3.06
CISSPills #3.06
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62
 
Testing
TestingTesting
Testing
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practices
 
Task 2
Task 2Task 2
Task 2
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
 
it grc
it grc it grc
it grc
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
 
Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and control
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 

Mehr von Dam Frank

Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?Dam Frank
 
Lesson 7: The Seven Woes Against the Scribes and Pharisees
Lesson 7: The Seven Woes Against the Scribes and PhariseesLesson 7: The Seven Woes Against the Scribes and Pharisees
Lesson 7: The Seven Woes Against the Scribes and PhariseesDam Frank
 
Lesson 6 : Jewish Sects at the Time of Christ
Lesson 6 : Jewish Sects at the Time of ChristLesson 6 : Jewish Sects at the Time of Christ
Lesson 6 : Jewish Sects at the Time of ChristDam Frank
 
Lesson 5: Non Biblical Sources of Jesus Christ Historicity
Lesson 5: Non Biblical Sources of Jesus Christ HistoricityLesson 5: Non Biblical Sources of Jesus Christ Historicity
Lesson 5: Non Biblical Sources of Jesus Christ HistoricityDam Frank
 
Lesson 4 : Non Biblical Sources of Jesus Christ Historicity
Lesson 4 : Non Biblical Sources of Jesus Christ HistoricityLesson 4 : Non Biblical Sources of Jesus Christ Historicity
Lesson 4 : Non Biblical Sources of Jesus Christ HistoricityDam Frank
 
Lesson 3: Non Biblical Sources of Christ Historicity
Lesson 3: Non Biblical Sources of Christ HistoricityLesson 3: Non Biblical Sources of Christ Historicity
Lesson 3: Non Biblical Sources of Christ HistoricityDam Frank
 
Lesson 2: Non Biblical Sources of Jesus Christ Historicity
Lesson 2: Non Biblical Sources of Jesus Christ HistoricityLesson 2: Non Biblical Sources of Jesus Christ Historicity
Lesson 2: Non Biblical Sources of Jesus Christ HistoricityDam Frank
 
What is Sin?
What is Sin?What is Sin?
What is Sin?Dam Frank
 
The Son of God - Part 6 Redemption
The Son of God - Part 6 RedemptionThe Son of God - Part 6 Redemption
The Son of God - Part 6 RedemptionDam Frank
 
The Son of God - Part 6 Substitution
The Son of God - Part 6 SubstitutionThe Son of God - Part 6 Substitution
The Son of God - Part 6 SubstitutionDam Frank
 
The Son of God - Part 6 Propitiation
The Son of God - Part 6 PropitiationThe Son of God - Part 6 Propitiation
The Son of God - Part 6 PropitiationDam Frank
 
The Son of God - Part 5
The Son of God - Part 5The Son of God - Part 5
The Son of God - Part 5Dam Frank
 
The Son of God - Part 6
The Son of God - Part 6The Son of God - Part 6
The Son of God - Part 6Dam Frank
 
The Son of God - Part 4
The Son of God - Part 4The Son of God - Part 4
The Son of God - Part 4Dam Frank
 
The Son of God - Part 3
The Son of God - Part 3The Son of God - Part 3
The Son of God - Part 3Dam Frank
 
Jesus is God: Defending the Claim
Jesus is God: Defending the Claim Jesus is God: Defending the Claim
Jesus is God: Defending the Claim Dam Frank
 
Messianic Prophecies Quiz
Messianic Prophecies QuizMessianic Prophecies Quiz
Messianic Prophecies QuizDam Frank
 
Messianic Prophecies
Messianic Prophecies Messianic Prophecies
Messianic Prophecies Dam Frank
 
The Progressive Revelation of the Name
The Progressive Revelation of the NameThe Progressive Revelation of the Name
The Progressive Revelation of the NameDam Frank
 
The Nature of God
The Nature of GodThe Nature of God
The Nature of GodDam Frank
 

Mehr von Dam Frank (20)

Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?
 
Lesson 7: The Seven Woes Against the Scribes and Pharisees
Lesson 7: The Seven Woes Against the Scribes and PhariseesLesson 7: The Seven Woes Against the Scribes and Pharisees
Lesson 7: The Seven Woes Against the Scribes and Pharisees
 
Lesson 6 : Jewish Sects at the Time of Christ
Lesson 6 : Jewish Sects at the Time of ChristLesson 6 : Jewish Sects at the Time of Christ
Lesson 6 : Jewish Sects at the Time of Christ
 
Lesson 5: Non Biblical Sources of Jesus Christ Historicity
Lesson 5: Non Biblical Sources of Jesus Christ HistoricityLesson 5: Non Biblical Sources of Jesus Christ Historicity
Lesson 5: Non Biblical Sources of Jesus Christ Historicity
 
Lesson 4 : Non Biblical Sources of Jesus Christ Historicity
Lesson 4 : Non Biblical Sources of Jesus Christ HistoricityLesson 4 : Non Biblical Sources of Jesus Christ Historicity
Lesson 4 : Non Biblical Sources of Jesus Christ Historicity
 
Lesson 3: Non Biblical Sources of Christ Historicity
Lesson 3: Non Biblical Sources of Christ HistoricityLesson 3: Non Biblical Sources of Christ Historicity
Lesson 3: Non Biblical Sources of Christ Historicity
 
Lesson 2: Non Biblical Sources of Jesus Christ Historicity
Lesson 2: Non Biblical Sources of Jesus Christ HistoricityLesson 2: Non Biblical Sources of Jesus Christ Historicity
Lesson 2: Non Biblical Sources of Jesus Christ Historicity
 
What is Sin?
What is Sin?What is Sin?
What is Sin?
 
The Son of God - Part 6 Redemption
The Son of God - Part 6 RedemptionThe Son of God - Part 6 Redemption
The Son of God - Part 6 Redemption
 
The Son of God - Part 6 Substitution
The Son of God - Part 6 SubstitutionThe Son of God - Part 6 Substitution
The Son of God - Part 6 Substitution
 
The Son of God - Part 6 Propitiation
The Son of God - Part 6 PropitiationThe Son of God - Part 6 Propitiation
The Son of God - Part 6 Propitiation
 
The Son of God - Part 5
The Son of God - Part 5The Son of God - Part 5
The Son of God - Part 5
 
The Son of God - Part 6
The Son of God - Part 6The Son of God - Part 6
The Son of God - Part 6
 
The Son of God - Part 4
The Son of God - Part 4The Son of God - Part 4
The Son of God - Part 4
 
The Son of God - Part 3
The Son of God - Part 3The Son of God - Part 3
The Son of God - Part 3
 
Jesus is God: Defending the Claim
Jesus is God: Defending the Claim Jesus is God: Defending the Claim
Jesus is God: Defending the Claim
 
Messianic Prophecies Quiz
Messianic Prophecies QuizMessianic Prophecies Quiz
Messianic Prophecies Quiz
 
Messianic Prophecies
Messianic Prophecies Messianic Prophecies
Messianic Prophecies
 
The Progressive Revelation of the Name
The Progressive Revelation of the NameThe Progressive Revelation of the Name
The Progressive Revelation of the Name
 
The Nature of God
The Nature of GodThe Nature of God
The Nature of God
 

Kürzlich hochgeladen

Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchRashtriya Kisan Manch
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingGiuseppe De Simone
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...CIToolkit
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingCIToolkit
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionCIToolkit
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证jdkhjh
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)jennyeacort
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsCIToolkit
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixCIToolkit
 
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentFrom Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentCIToolkit
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramCIToolkit
 
The Final Activity in Project Management
The Final Activity in Project ManagementThe Final Activity in Project Management
The Final Activity in Project ManagementCIToolkit
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsCIToolkit
 
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic TraitsDigital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic TraitsHannah Smith
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Giuseppe De Simone
 

Kürzlich hochgeladen (16)

Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful Thinking
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem Resolution
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentFrom Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
 
The Final Activity in Project Management
The Final Activity in Project ManagementThe Final Activity in Project Management
The Final Activity in Project Management
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
 
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic TraitsDigital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
 

Information Security Governance and Strategy - 3

  • 1. Lecture 3 Information Security Governance & Strategy
  • 2. Review  IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500)  IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions.  Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks
  • 3. Review  NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
  • 4. Review  The five general governance areas are:  Govern the operations of the organization and protect its critical assets  Protect the organization's market share and stock price (perhaps not appropriate for education)  Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)  Protect the reputation of the organization  Ensure compliance requirements are met
  • 5. Review Governance Management Accountability Responsibility Authorizes decision rights Authorized to make decisions Enact policy Enforce policy Oversight Implementation Resource allocation Resource utilization Strategic planning Project planning
  • 6. Review  Responsibility: Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.  Strategy: The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.  Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision
  • 7. Review  Performance: IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.  Conformance: IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.  Human Behavior: IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the 'people in the process'.
  • 8. Characteristics of Effective Security Governance  It is an institution-wide issue  Leaders are accountable  It is viewed as an institutional requirement (cost of doing business)  It is risk-based  Roles, responsibilities and segregation of duties are defined  It is addressed and enforced in policy  Adequate resources are committed  Staff are aware and trained  A development life cycle is required  It is planned, managed, measureable and measured  It is reviewed and audited
  • 9. Challenges of effective Governance  These challenges can be very useful in presenting rationale to leadership for implementing an effective institution security governance mode  Understanding the implications of ubiquitous access and distributed information  Appreciating the institution-wide nature of the security problem  Overcoming the lack of a game plan  Establishing the proper institutional structure and segregation of duties  Understanding complex global legal compliance requirements and liability risks (the word global may or may not apply to education)
  • 10. Challenges of effective Governance  Assessing security risks and the magnitude of harm to the institution  Determining and justifying appropriate levels of resources and investment  Dealing with the intangible nature of security  Reconciling inconsistent deployment of security best practices and standards  Overcoming difficulties in creating and sustaining a security-aware culture
  • 11. Outcomes of effective Governance  Strategic alignment of information security with institutional objectives  Risk management - identify, manage, and mitigate risks  Resource management  Performance measurement - defining, reporting, and using information security governance metrics  Value delivery by optimizing information security investment
  • 12. Information Security Governance Best Practices  Information security activities should be governed based on relevant requirements, including laws, regulations, and organizational policies.  Senior managers should be actively involved in establishing information security governance framework and the act of governing the agency's implementation of information security. Information security responsibilities must be assigned and carried out by appropriately trained individuals.  Individuals responsible for information security within the agency should be held accountable for their actions or lack of actions.
  • 13. Information Security Governance Best Practices  Information security priorities should be communicated to stakeholders of all levels within an organization to ensure a successful implementation of an information security program.  Information security activities must be integrated into other management activities of the enterprise, including strategic planning, capital planning, and enterprise architecture.  Information security organization structure should be appropriate for the organization it supports and should evolve with the organization, if the organization undergoes change.
  • 14. Information Security Governance Best Practices  Information security managers should continuously monitor the performance of the security program/effort for which they are responsible, using available tools and information.  Information discovered through monitoring should be used as an input into management decisions about priorities and funding allocation to effect the improvement of security posture and the overall performance of the organization.
  • 15. Question to engage institutional leaders  Questions to uncover information security issues  Does the head of security/CISO routinely meet or brief institutional leaders?  When was the last time top managers got involved in security-related decisions?  Do managers know who is responsible for security?  Would people recognize a security incident? Would they know who to call?
  • 16. Question to engage institutional leaders  Questions to find out how managers addresses information security issues  Is the institution clear on its position relative to IT and security risks?  How much is spent on information security?  What percentage of staff had security training last year?
  • 17. Question to engage institutional leaders  Questions to assess information security governance practices  Are managers confident that security is being adequately addressed in the enterprise?  Are managers aware of the latest information security issues and best practices?  Does the institution participate in an incident, threat, vulnerability notification and sharing service?  What is the industry best practice and how does the institution compare?  What can be done to successfully implement information security governance?
  • 18. Question to engage institutional leaders  Questions individuals responsible for governance should ask and be able to answer.  Questions for directors/trustees  Does the board understand the institution's dependence on information?  Does the institution recognize the value and importance of information?  Does the institution have a security strategy?  Does the board understand the institution's potential liabilities in the event of regulatory non-compliance?
  • 19. Question to engage institutional leaders  Questions for managers  How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements?  Has someone been appointed to be responsible for developing, implementing and managing the information security program, and is he/she held accountable?  Are security roles and responsibilities clearly defined and communicated?  Is there a CISO or other officer with sufficient authority and resources to accomplish security objectives?
  • 20. Governance structures depend on desired outcomes  Top revenue growth - decentralized to promote customer responsiveness and innovation  Profit - centralized to promote sharing, reuse and efficient asset utilization  Multiple performance goals - blended centralized and decentralized
  • 21. Information Security Governance Structures (ORG structures ISACA )  The NIST Security Handbook states that governance is highly dependent on the overall organization structure.  Centralized maintain budget control and ensure implementation and monitoring of information security controls.  Decentralized have policy and oversight responsibilities and budget responsibilities for their departmental security program not the operating unit information security program. Reporting structures are different as well.  Governance structures can be hybrid, with a combination of characteristics from both centralized and decentralized.
  • 22. Political Archetypes  Weill and Ross use political archetypes in IT Governance [3] to describes people or groups who have decision rights.  Business monarchy: Senior business executives make IT decisions  IT monarchy: IT executives make IT decisions  Feudal: Business unit leaders make IT decisions to optimize local needs, but does not facilitate enterprise decision-making.  Federal: Coordinated IT decision-making between the center and the business units.  IT duopoly: IT executives and one other group (such as senior executives or business units) make IT decisions.
  • 23. What Governance Arrangements Work Best  Monarchies work well when profit is a priority.  Feudal or business monarchy arrangements might work best when growth is a priority.  Federal arrangements can work well for input into all IT decisions. Avoid federal arrangement for all decisions since it's difficult to balance the center with the business unit needs.  Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.
  • 24. Summary Roles and responsibilities ISACA Framework Chief Executive Officer - Oversee overall corporate security posture (accountable to the Board) - Brief Board, customers and public Chief Security Officer Chief Information Officer Chief Risk Officer Department/Agency Head - Set security policies, procedures, program and training - Incident management - Responsible for independent annual audit coordination - Compliance Mid-Level Manager - Compliance - Communicate policies and program (training) Enterprise staff/employees - Implement policies - Report vulnerabilities and breaches
  • 25. Strategy Planning ISACA Framework  Each security plan must include:  Mission, vision, goals, objectives and how they relate to the agency mission  High-level plan for achieving information security goals and objectives including short-, mid-term objective and performance targets and performance measures.  The plans must be revisited when major changes happen including legislation, regulations, directives, agency mission priorities, emerging information security issues.
  • 26. Acquisition and Procurement ISACA Framework  IT products that are expensive or will have a significant impact on an institutions liability should be reviewed for IT security risks before purchase. In large institutions, IT product acquisition provides an opportunity to evaluate centralization vs. proliferation of IT resources and the resulting impact on security. Acquisition also serves as a good control point for information security evaluation before investments are made. Contract language might be needed to protect the institution's data, especially with products known as 'software as a service' or SaaS.
  • 27. Measuring and Reporting Performance ISACA Framework  Performance measurement should be a system of measuring, monitoring and reporting information security governance metrics to ensure that institutional objectives are achieved. Development/maintenance of a security and control framework that consists of standards, measures, practices, and procedures is essential to the metric evaluation of the governance structure.  A key metric is the adverse impacts of information security incidents experienced by the institution. An effective security program will show a trend of impact reduction. Quantitative measures can
  • 28. Measuring and Reporting Performance ISACA Framework  Some example metrics might include:  Number of incidents damaging the institution's reputation with the public  Number of systems where security requirements are not met  Time to grant, change and remove access privileges  Number and type of suspected and actual access violations  Number and type of malicious code prevented  Number and type of security incidents  Number and type of obsolete accounts  Number of unauthorized IP addresses, ports and traffic types denied  Number of access rights authorized, revoked, reset or
  • 29. Compliance ISACA Framework  IT and data within higher education information systems are becoming increasingly regulated and scrutinized. This regulation ranges from pressures for disclosure and transparency to pressures for privacy. These pressures accent the need for common approaches, common solutions, and consistent high-quality data.  Challenges and Keys to success  Balancing extensive requirement originating from multiple governing bodies.  Balancing legislation and agency specific policy.  Maintain currency  Prioritizing available funding according to requirements.
  • 30. Policy ISACA Framework  Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. Information security policy is an essential component of information security governance--- without the policy, governance has no substance and rules to enforce.
  • 31. Policy ISACA Framework  Information security policy at the institutional level should address the fundamentals of institution's information security governance structure, including:  Information security roles and responsibilities;  Statement of security controls baseline and rules for exceeding the baseline; and  Rules of behaviour that agency users are expected to follow and minimum repercussions for noncompliance.
  • 32. Policy ISACA Framework  Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include:  Policy calling for a security strategy, an institution- wide security program, and governance of such a program  Code of conduct specifying what is meant by due diligence and standard of due care with respect to information security  Security ethics  Security risk specifying risk appetite, tolerance, scope and period of risk assessment, and ongoing risk management process
  • 33. Policy ISACA Framework  Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include:  Business case specifying the decision making process for security investments  Security roles and responsibilities  Asset classification and inventory  Data protection  Asset access specifying access rights to categories of assets and how these are managed  Change management  Security standards  Business continuity
  • 34. Policy ISACA Framework  Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include:  Disaster recovery  Managing external parties (vendors, suppliers)  Incident response  Security awareness, training, and education  Security measurement including measuring policy compliance and effectiveness  Adherence to policy, policy waivers and exceptions, and consequences of non-compliance
  • 35. Risk Management ISACA Framework  Higher education information systems continue to be subject to a large number of security threats. The ability to secure the gamut of intuitional IT resources and data has become a compelling and increasingly urgent need.  Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation.

Hinweis der Redaktion

  1. Ubiquitous: present, appearing, or found everywhere.
  2. Duopoly lends itself to better acquisitions and utilization of IT assets