TRANSCRIPT
© ITGI, ISACA - not for commercial use.
John R. Robles, 787-647-3961, [email protected], www.johnrrobles.com
ISACA - Information Security Governance: Guidance for Information Security Managers
“This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden.
It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis.”
ISACA Puerto Rico
Serving IT Audit, Security, and Controls Professionals in Puerto Rico since 1984 (celebrating our 25th Anniversary in 2009)
More than 300 members
Provide Certification… CISA (139), CISM (13), CGEIT (6)
Provide Education and Conferences… monthly educational meetings and a yearly Symposium
Standards… ITAF™: A Professional Practices Framework for IT Assurance
Research… The IT Governance Institute (ITGI)
ISACA Puerto Rico
Publications… The Bookstore, ISACA Journal
Downloads…
Review Courses… for the CISA, CISM, CGEIT exams, twice a year…
Join a Growing and Dynamic Professional Association!!
www.isaca.org www.isacapuertorico.com [email protected]
Introduction
Information Security has become a matter for consideration at the highest organizational level
‘It is no longer enough to communicate to the world of stakeholders why we exist and what constitutes success, we must also communicate how we are going to protect our existence’.
- Kiely, Laree; Terry Benzel; Systemic Security Management, Libertas Press, USA, 2006
This publication discusses how to develop an information security strategy within the organization's governance framework and how to drive that strategy through an information security program.
Information Security Governance Guidance
“Firms operating at best-in-class (security) levels are lowering financial losses to less than 1 percent of revenue, whereas other organizations are experiencing loss rates that exceed 5 percent.”
- Aberdeen Group, ‘Best Practices in Security Governance’, USA, 2005
Information Security Program Requirements
Roles and Responsibilities
Executive Management
Steering Committee
Chief Information Security Officer
What Should the Board, Executive Management and Security Management Do?
Information Security Metrics and Monitoring
Information Security Metrics
Governance Implementation Metrics
Strategic Alignment
Risk Assessment
Value Delivery
Resource Management
Performance Measurement
Assurance Process Integration (Convergence)
Establishing Information Security Governance
An Information Security Strategy
Corporate strategy is the pattern of decisions in a company that determines and reveals its objectives, purposes, or goals, produces the principal policies and plans for achieving those goals, and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities.
- Andrews, Kenneth; The Concept of Corporate Strategy, 2nd Edition, Dow-Jones Irwin, USA, 1980
Information Security Objectives
The Goal
Classification and Valuation
Deferred Information Maintenance
Strategy
Defining Objectives
The Desired State
Risk Objectives
Number of Controls
Current State of Security
The Strategy
Elements of a Strategy: Policies, Standards, Processes, Controls, Technologies, People, Training, etc.
Gap Analysis – the basis for an Action Plan; performed annually or more frequently
Action Plan
Create/Modify Policies
Create/Modify Standards
Action Plan Intermediate Goals
Action Plan Metrics
General Metrics Considerations
Summary – take into consideration:
What is important to information security operations
Requirements of IT Management
Requirements of business process owners
Requirements of senior management
Establishing Information Security Governance
An Example Using the ITGI and CobiT Maturity Scale
Sample Policy Statement
Sample Standard
Additional Sample Policy Statements
Conclusions
Conclusion
“Although regulatory compliance has been a major driver in improving information security overall, recent studies have also shown that nearly half of all companies are failing to initiate meaningful compliance efforts.”
Appendix A – Critical Success Factors for Effective Information Security
Performance Measures
Determine whether Information Security is succeeding
Determine whether Information Security Governance is succeeding
Appendix B – Self Assessment and Maturity Model
Self-Assessment for Information Security Governance
Maturity Levels – Detailed Descriptions
Purpose - Determine your Information Security Maturity Level
Appendix C – A Generic Approach to Information Security Initiative Scoping
Determine Task Steps
Determine Task Step Activities
Determine Task Step Deliverables
Appendix D – An Approach to Information Security Metrics
“NIST Special Publication 800-55 provides an approach to security metrics”
Appendix
Glossary
References
Other Publications