Information Security Governance: What Is It And How Can We Accomplish It?


Todd Fitzgerald, CISM, CISA, CISSP, ITIL V3, ISO27000 Certified
National Government Services
Medicare Systems Security Officer

ISACA Kettle-Moraine Chapter Meeting
December 4, 2008, Milwaukee, WI


A Little 'Presentation Governance'...

The opinions expressed are solely the opinions of Todd Fitzgerald and do not necessarily represent the opinions of his employer. You may or may not want to adopt these concepts in your organization. Use a risk-based approach before attempting this at home.

Today's Objectives... To Discuss

Security Governance Definition
Why We Need Security Governance
13 Questions
Leadership Core Competencies
Vehicles For Communication
Security Control Structures
Achieving Security Compliance
Effectively Working With Internal/External Auditors


Security Governance Defined

"Information Security governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security programme."

- IT Governance Institute



And Wikipedia Says...

Governance relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.

In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

Governance Derived From Latin Origins To Denote "Steering"

Steering vs. "Power Over"
Defines expectations
Grants power
Verifies performance
Avoids undesirable consequences
Coordinates and controls activity
Provides processes to control an activity

Risks Are Increasing

Cybercrime
Malware
Identity Theft
Lost Laptops
Targeted Financial Gain
Personal Information Sharing
Slowing of security investment
Dissipation of security message
Competitive pressures

News Items Continue To Gain Attention of Board of Directors

Organization       Consumers exposed   Cause
Bank of America    1.3 million         Lost back-up tape
DSW retail         1.2 million         Hacking
Card Services      40 million          Hacking
TJX Stores         45 million          Internal theft
UCLA               800,000             Human error
Fidelity           196,000             Stolen laptop

A Who's Who of Fortune 500 Companies... And The List Is Growing

St. Joseph's Hospital
California Department of Health
California Department of Mental Health

Leading Organizations Adhere To This Model

Source: "Learning from Leading Organizations", GAO/AIMD-98-68, Information Security Management

A continuous cycle with Central Management at the center:
Assess Risk & Determine Needs
Implement Policies & Controls
Promote Awareness
Monitor & Evaluate


Information Security Strategy Must Align With Business Objectives

Top-down process
Linkages to business process and strategy
Information in oral, paper, and electronic forms
Transcends physical boundaries
Establish acceptable practices, policies, and procedures


An Information Security Program With Governance Provides Increased Assurance

Risk management
Resource management of critical skills and infrastructure
Performance measurement
Providing value-add in delivery of services and products
Specific organizational accountability for security


Can Organizations Survive Without...?

Equipment
Computers
People
Buildings

Few Organizations Can Survive Without

Customer information
Knowledge of processes
Accounting and financial reporting information



However, Information Security Importance Varies Amongst Senior Executives

Group               Very Important   Important   Somewhat Important
Board of Directors  31%              26%         26%
CEO                 27%              38%         27%
Senior Execs        19%              38%         32%
Middle Management    8%              -           -
End Users           -                -           40%
(-: not given on the slide)

Source: Fitzgerald/Krause CISO Survey (CISO Leadership: Essential Principles For Success, Auerbach, 2008)

Fear, Uncertainty, Doubt Gets Investment $$$

EVENT + REACTION/CONFUSION = INVESTMENT

However, The Next Time The Event Happens

EVENT + REACTION = ... (no investment follows)

Without Security Governance, Message Dissipates Over Time

The Governance Answer...

Security Needs Involvement From The Board of Directors/Executive Management

Strategic oversight
Review alignment with organization strategy
Determine risk profile for organization
Endorse security program
Require regular reporting on effectiveness
Review investment return
Potential new technologies to add value, reduce costs

"Techie" Core Competencies

Analytical Problem Solving
Tool Expertise
Best Practices
Technical Knowledge
Team Work
Emerging Technologies
Crisis Mgmt
Industry Standards

Shift To Leadership Competencies

From Technical Competency to CISO Leadership & Managerial Competency:

Adaptability
Self-control
Self-Development Orientation
Flexibility
Interpersonal Awareness
Perseverance
Critical Information Seeking
Efficiency
Initiative
Thoroughness
Results-Oriented

Security Officer Core Competencies

Vision
Leadership
Influencing Skills
Team Work
Conceptual & Strategic Thinking
Customer Focus
Written/Oral Communication
Interpersonal Effectiveness
Financial/Budgetary

(The Detail)

Source: Fitzgerald/Krause CISO Leadership Survey

Self Confidence   65%
Oral              74%
Written           74%
Influence         69%
Teamwork          68%

Now The C-Level People Understand The Security Guy Behind The Mask and The Security Team's Role, But...

Multiple Groups Must Understand Security At The Appropriate Level

Groups: Board of Directors; Senior Management; Management; End Users

Competitive disadvantage
Fraud
Loss due to disclosure, destruction of information
Reputation/public confidence
Bad decisions
Business disruption
Legal liability
Safety risks
Loss of productivity
Low morale
Corporate espionage, loss of contracts

Focus Different, Goals Ultimately The Same

Management's Objective
Increase shareholder value (stock price)
Increase revenue
Reduce administrative costs
Increase market share
Increase worker productivity
Provide innovative products
Provide quality products and customer service
Attract and retain talented workforce
Accept reasonable business risk

Security Officer's Objective
Protect information from loss, destruction, unavailability
Reduce risk of threats to acceptable level
Implement effective controls
Provide efficient service
Enable secure development of new products
Provide assurance through continuous control practices


Ensure Communication Plan Delivers Targeted Security Message

Vehicles: Manager Meetings; IT/Business Steering Committees; Board of Director Meetings; Management Newsletters; Emails; One-On-One Sessions

Messages: Tactical Plans; New Policies; Scheduled Activities; Strategic Initiatives; Policy Approval; Security Posture; Competitor Comparison; Interim Updates; Issue Reinforcement; Departmental Issues; Testing Reality

Security Governance Depends Upon Clear Management Directives And Expected Outcomes

Expected outcomes by management level, across Strategic Alignment, Risk Management, Value Delivery, Performance Measurement, Resource Management and Integration:

Board of Directors
  Strategic Alignment: Set direction
  Risk Management: Risk management policy, regulatory compliance
  Value Delivery: Set direction on cost and information value
  Performance Measurement: Set direction on reporting of security effectiveness
  Resource Management: Set direction on knowledge management
  Integration: Set direction on assuring process integration

Senior Executives
  Strategic Alignment: Institute security integration processes
  Risk Management: Ensure risk management in all activities
  Value Delivery: Business cases, value protection
  Performance Measurement: Require monitoring and metrics for reporting
  Resource Management: Enable processes for knowledge capture
  Integration: Oversight of management process functions

Steering Committee
  Strategic Alignment: Review and assist integration efforts
  Risk Management: Identify risks and compliance issues; promote security practices
  Value Delivery: Review adequacy of security initiatives
  Performance Measurement: Review extent to which security meets business objectives
  Resource Management: Review processes for knowledge capture
  Integration: Identify critical business processes, direct integration

Chief Information Security Officer
  Strategic Alignment: Develop strategy, oversee the program, liaise with the business
  Risk Management: Business impact analysis (BIA), risk strategies, enforce policies
  Value Delivery: Monitor security resources
  Performance Measurement: Develop monitoring and metrics reporting
  Resource Management: Develop methods, metrics, efficiency
  Integration: Identify gaps and overlaps; liaise with other functions

Source: Adapted from Information Security Governance Guidance, ITGI


In summary: the Board of Directors sets direction; Senior Executives enable security and provide oversight; the Steering Committee reviews security initiatives; the Security Officer develops the security program.

Multiple "Best Practice" Standards Have Been Created To Provide Guidance For Our "Security Cultures"

Control Objectives for Information and related Technology (COBIT 4.1)
ISO 27001/27002 Information Security Management System (ISMS)
Payment Card Industry Data Security Standard (PCI DSS)
Gramm-Leach-Bliley Act (GLBA)
European Union Privacy Directives
Recommended Security Controls for Federal Information Systems (NIST SP 800-53)
Federal Information System Controls Audit Manual (FISCAM)
DISA Security Technical Implementation Guides (STIGs)
HIPAA Final Security Rule



Each Control Framework/Set of Standards Has Its Own Governance Purpose

COBIT
ISO 27001/27002
NIST SP 800-53
PCI Data Security Standard
HIPAA
DISA STIGs
FISMA


NIST SP 800-53 Recommended Security Controls For Federal Information Systems Is Very Useful For All Environments

Control families:
Access Control (AC)
Awareness & Training (AT)
Audit & Accountability (AU)
Certification, Accreditation & Security Assessments (CA)
Configuration Management (CM)
Contingency Planning (CP)
Identification & Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical & Environmental Protection (PE)
Planning (PL)
Personnel Security (PS)
Risk Assessment (RA)
System & Services Acquisition (SA)
System & Communications Protection (SC)
System & Information Integrity (SI)



Attaining Compliance With These Regulations Is A Life Changing Event!

Source: SecurityCompliance.com statistics, CSI Journal, Volume XXII, No 3, Summer 2006

Achieving Security Compliance Assurance Requires Specific Due Diligence

1. Designate individual responsible for compliance assurance oversight
2. Establish security management governing body
3. Select control frameworks and controls
4. Conduct awareness and training
5. Research and apply technical controls
6. Verify compliance
7. Implement formal remediation process
8. Dedicate staff, automate compliance tasks
9. Report on compliance metrics
10. Enforce penalties for noncompliance to policy
11. Collaborate and network externally

11-Factor Security Compliance Assurance Manifesto

Source: Compliance Assurance: Taming The Beast, Information Security Handbook, 2008

Security Audits Necessary To Ensure Controls Are Functioning

Source: "Learning from Leading Organizations", GAO/AIMD-98-68, Information Security Management

The same cycle (Assess Risk & Determine Needs; Implement Policies & Controls; Promote Awareness; Monitor & Evaluate, around Central Management), with Audit applied at each of the four stages.

Controls Must Be Tested To Provide Adequate Assurance of Compliance To Policies

Quarterly vulnerability assessments
Annual penetration tests
External/internal audits
Random spot-checks
Informal testing with security awareness training
Security configuration reviews
SDLC walkthroughs


Let's Agree On This Before We 'Dump' On The Auditors

Auditors and Security Officers exist to ensure the business has:

Documented policies
Documented procedures/processes
Documented evidence of implementing these controls
Evidence of ongoing operations
Periodically tested the controls

What Do Security Officers LIKE About Auditors?

Internal Audit areas usually have organizational clout
Controls-oriented
Can identify previously unknown issues
Provide ammunition/urgency for fixing issues quickly
Provide knowledge of best practices and standards
Internal Auditors find issues prior to external audits




Adopting A "Reasonable" Approach To Auditing For Security Governance

Security Officer
Recognition that auditing is an ongoing business process
Maintain current infrastructure documentation
Advance preparation of compensating controls by critical asset
Understand audit procedures and control frameworks

Auditor
Take "mystery" out of process
Advance communication of document expectations
Give credit to defense-in-depth analysis
Record "observations for improvement" vs. findings

Final Thoughts

Security Governance requires top-down responsibility sharing
Ask the question: why am I involving this group? What is needed from them?
Governance provides visibility to the effectiveness of the security program, and is the pathway to future security investments

Further Reading

"CISO Leadership: Essential Principles For Success", T. Fitzgerald and M. Krause, ISC2 Press/Auerbach Publications, 2008. Available on Amazon.com and the ISC2 website.
"Security Governance: Taming the Compliance Beast", T. Fitzgerald, Information Security Handbook (Tipton, Krause), 2008.
"13 Questions the CIO, CEO, and CISO Should Ask Each Other", T. Fitzgerald, ISC2 Journal, September/October 2007.
"Security Governance", T. Fitzgerald, Information Security Handbook (Tipton, Krause), 2007.
NIST 800 series special publications (www.csrc.nist.gov/publications)
IT Governance Institute, Information Security Governance: Guidance For Boards of Directors and Executive Management, 2nd Edition, www.itgi.org






Todd Fitzgerald, CISSP, CISA, CISM, ISO27000 & ITIL V3 Certified
Medicare Systems Security Officer
6775 W. Washington St
Milwaukee, WI USA 53214
Todd.fitzgerald@WellPoint.com
Todd_fitzgerald@yahoo.com

Thank You!!