JANUS Associates Information Security Governance (A Comprehensive Approach to Information Security) Presented by: Patricia A. P. Fisher, CEO

Upload: percival-burns

Post on 15-Jan-2016


TRANSCRIPT


JANUS Associates

Information Security Governance

(A Comprehensive Approach to Information Security)
Presented by: Patricia A. P. Fisher, CEO

What is the State of Information Security Today?
- Phishing breaches were 4 times higher in 2012 than in 2011
- Cost of breaches has increased from $214 to $222 per breach
- Cyberattacks: 102 successful attacks per week, compared to 72 in 2011 and 50 in 2010 (RSA)
- By January 2013, cyber crime had grown to 46% of all attacks (Hackmageddon.com)
- Symantec reports that over $114bn in cash losses was reported worldwide

The number of phishing instances has risen 400% in the past year; cost per instance has gone up 4% during this same period (according to results reported to the Ponemon Institute).

The number of cyber attacks is also growing by over 40% in each of the past 2 years, very consistent with the phishing increases.

According to several surveys, the type of attack that is most rapidly growing in popularity is cyber crime.

These problems continue to grow even though we've been addressing information security as an issue for over 20 years.

What is becoming apparent in the US is that simply buying more hardware and software is not the complete answer. Obviously, we need adequate tools, but now that so many tools have become available, organizations are asking how they can better utilize the tools they have and not simply continue to spend money.

The answer is to improve the process of securing information, not merely some of the technical mechanisms.

This process is called governance.

National Information Security Governance
What is information security governance?
- Leadership
- Framework established to ensure that all the security elements put in place to protect your data environment work efficiently, accomplish what is intended, and do so cost effectively
- Processes to carry out what is intended by the leadership

Why is it important?
- Provides a framework for secure business operations in an interconnected world
- Ensures the Country's security resources are well spent

What is information security governance?

Governance implies leadership. You can't govern without someone at the top taking responsibility, but for too long no one has wanted the responsibility of information security, so each separate organization has often run its own type of program.

Information security governance is the framework that you establish, along with the processes within that framework, to ensure that all the security elements put in place to protect your data environment work together, do so efficiently, accomplish what is intended (at all levels of the government or organization), and do so in a cost effective manner.

What this means is that each Agency or Ministry must work in a cohesive manner with all the others to accomplish the common goals that will be defined in the law you are writing.

The framework includes responsibilities, processes, risk management, and verification: all the elements that can create a successful outcome.

National Information Security Governance
Why is it important?
- Provides ability to conduct secure business operations in an interconnected world
- Ensures the Country's security resources are well spent
- Gains international respect

Why is it important?

1. A good governance program establishes the concepts and structures that allow you to conduct business throughout the world, with your partners trusting you and your transactions.

2. You are using your resources wisely, both financial and people: you avoid loss of business and you are able to keep staff working on the Country's priorities, not fixing problems that may be avoidable.

3. A solid information security program will support you in your efforts with the international community. It says you're serious, that you're willing to do what the other leading nations do.

National Information Security Governance
What does it need to include?
- Alignment with the information security strategy of the Nation
- Management of risks
- Efficient and effective management
- Verification of results

As you write your law, think about what the law means to those who must work with it. An example comes to mind: recently in the US the Congress was drafting a cyber security law. In studying it, although the drafted law was advertised as a comprehensive information security law, all it really did was establish research capabilities; this law was not adopted. Your law certainly needs, and intends, to establish CERT teams. However, what else should a comprehensive law do?
- Does it establish a management structure to oversee it?
- Does it establish similar policies and practices, where possible, so that information security is comprehensive?
- Does it establish a way to determine if each Ministry is compliant with the law?
- Does it determine where weaknesses may reside?
- Are there any consequences to not complying?

These steps result in a comprehensive program

National Information Security Governance
What benefits can be gained from a security governance program?
- International recognition
- Fewer breaches to deal with / increased efficiency
- More effective use of resources

As you move in this direction, hold these elements in your minds because of the importance of what you are undertaking.

You're going to gain international recognition: trust and confidence from international partners throughout the world.

And, while an information security program may appear to be expensive, it's being proven again and again throughout the world that it's far less costly than a major breach, theft, or error, as many governments and organizations are learning.

Let me give you an example of a major problem we recently dealt with. This was a very large government organization that had no significant budget for information security. However, they suffered a data breach late one Thursday evening. I received a call from the top management asking what we could do to help them through this. Their words were "we don't care what it costs, just fix it." It was expensive to fix, and wouldn't their funds have been better spent on the entire program, not simply cleaning up a mess?

Fewer breaches or errors to deal with means that your focus can be on the Country's business, not remediating or simply solving problems.

So how do we go about setting up a governance structure here?

Organizational Governance
Governance Model
[Diagram labels: Security Governance; IT Governance; Financial Governance; Policies & Procedures; Verification; Reporting]

So, what are the components of information security governance?

1st: It needs to be well thought through so that each component of the program works with the others.

2nd: Its various parts must be tightly coupled and integral to management of the organization so that all the operations of the organization work together. If governance is separate or simply an add-on it will have little effect, and we find from practical experience that people will circumvent the process.

3rd: The governance function cannot be subordinate to other Ministerial functions or it will be disregarded or forgotten. We observe this regularly. An organization wants to improve information security, but because leaders often don't understand this technical discipline they regularly push it way down into the organization; the result is that it has no ability to make higher-up people adhere to the established rules.

4th: It must include a framework that everyone adheres to, or the security of information will be weak or ineffective. There can be no exceptions. We often see programs where the entire staff is told they must adhere to the rules but the top officials refuse to; this tells staff that the leaders do not believe this is important.

5th: It must tell people what is expected of them so they can adhere to what the organization wishes. These are policies and how to undertake them (procedures).

6th: It must have a way to determine if it is effective, what we term verification. This is a critical step. If you do not verify, how do you know the true status of anything? It's like sending a child to school and never testing him on his knowledge. If you ask any child if he understands the topic he'll probably say yes, but only through testing will you know how well he understands and what actions you need to take to help him understand better.

7th: It must provide mechanisms for reporting to management so that continuous improvements can be made.

In the example we just used this would be like reporting to the parents the results of academic tests. Does the child need special classes to improve learning, or is he doing fine? The report card shows what he knows and tells you what improvements have occurred from period to period. So it is with information security. If no one is paying attention there is no way to know what is really taking place inside those computers.

Governance Responsibility
Who Does What In Governance?
[Diagram, two columns. Responsibility: Organization; Strategy; Risk Management; Policies; Procedures... Government organization: Country Government Level; Ministry A, Ministry B; Departments...; Function, Function, Function]

As we establish the information security governance program, who do we assign responsibility to for various portions of the program?

We've separated this example into 2 sections: Responsibility, or what needs to be done; and Government organization, or who does what and at what level of government.

Once a comprehensive law is written and top officials in the government decide who, at the very top of the government, will be responsible for all the components of the cyber security program, not only its implementation and functioning but also its governance, we can begin to establish the details of the program.

Following assignment of overall responsibility, an assignment can be made at the Ministry level to develop an overall strategy and risk management capability. This is appropriate because not all the same elements may be applicable to the Ministry of Culture as are to Defense.

Once the strategy and/or specific design to manage risk is complete, each Ministry can assign specific governmental departments within the Ministry to develop consistent policies.

Further down in the organization, procedures should be developed so all staff follow the same process to accomplish specific tasks.

Existing Problems
- Governments are often working at the tactical level without a strategic framework. Examples: security tools; incident response
- Lack of regular feedback to executive management. Examples: ad hoc testing occurs without a pre-defined structure; few requirements for action plans to provide solutions

Now that we know what we should do, what do we typically observe is actually happening?

Most governments would say that they have a governance model. However, when its components are not well aligned the following often manifest themselves.

Department security personnel are installing tools, setting firewall/router rules, configuring systems, and monitoring incidents.

No one really knows how effective all these are because there's often not a well-formed set of policies and processes that everyone uses, or guidance that requires reporting appropriate results.

Nor is there often a requirement for written action plans with completion dates that get reported to department, division, or ministry management when issues are assigned to be solved.

In addition, rarely is there any feedback to the Ministry or at top levels of the government regarding results of security efforts. In the US, there is now an annual grading system that establishes a letter grade (A-F) for each governmental agency. While this is a first step, it has been focused on compliance with rules and policies, and not significantly focused on verifying what problems exist. The US government is beginning to change this orientation and do more technical observation and testing because officials are starting to understand that US agencies can be compliant but not secure, and the US government needs to refocus them.

Let's use an example: if Security Governance resides at the Technology Agency, how can we ensure that the Ministry of Industry and Trade, the Ministry of Education, or other ministries also use the same framework or policies and procedures? Yet, if the framework is at the top of the government, and the program is driven down through all agencies, there will be a consistent focus.

What we still see regularly in organizations in the US is the following.

Security of Operations
Stove-pipe management
[Diagram: separate stove-pipes for the Ministry of Finance, Ministry of Agriculture, Ministry of Education and Ministry for Resources]

We call this way of operating stovepipe operations.

Historically, security has been decentralized, with managers in each business function, here represented by your Ministries, responding to security requirements based on their own interpretation or best judgment, or not at all. For example, often lines of business such as your ministries might have completely different information security policies and procedures.

Within each of those ministries people might change jobs but not have access to specific data removed, so their access grows until a security problem might result.

In addition, Data Center controls regularly are based on what Data Center management perceives is needed within the organization. Yet, because this originates from a narrow technical perspective, it may not meet the entire needs of the organization.

What's the result of this approach? Ambiguity of ownership of shared resources between different organizations regularly results in either duplicated information security policies used in each or, if some organizations buy something from another one, some portions of security may be left out due to an assumption that the other organization is responsible (this second issue is the most common).

Make Security Strategic
Stove-pipe management leads to gaps
[Diagram: Ministry of Finance, Ministry of Agriculture, Ministry of Education and Ministry for Resources, with a GAP between each pair of stove-pipes]

Gaps between the operational areas (stove-pipes) regularly result in vulnerabilities that, in turn, cause data breaches as well as audit findings. At the top of the government, for example, Country management (the President or the Prime Minister or Parliament) has no way of knowing that good security practices are being followed, because each stovepipe may be using a slightly different standard or policy or procedure and no one knows what may be left out.

This type of security process means that security monitoring is rarely optimal for the organization, that consistency does not occur, and that improvements in overall quality are hindered because there is insufficient tracking of trends or adherence to standards. For example:

If a security vulnerability was found in the Agriculture Ministry, who (in the rest of the government) would know the details of it and ensure that it was not pervasive throughout the government, or why it might be important?

Conversely, if the same situation occurred in the Finance Ministry, at what point would that become a concern for the other ministries? Is this clearly defined?

A Holistic Approach to Governance
[Diagram: Security and Risk Management spanning the Ministry of Finance, Ministry of Agriculture, Ministry of Education and Ministry for Resources]
Security governance needs to take a holistic approach.

JANUS works with its clients to get their organizations to view security in a holistic way. Such a view forms a matrix across the government or organization, instead of stove-pipes. The gaps become closed.

In addition, we have found that this way of thinking at the top level of the government lends itself to improvements that benefit more than simply the security function. It also improves quality, cost efficiency, and greater job satisfaction since many recurring problems are solved with this comprehensive view.

How do we move to a governance model?

First, we define who does what within the model.

Governance Implementation
The Role of Government Executive Management - Strategic
- Commit To Holistic Security Excellence
- Set a common vision
- Establish principles to guide the program
[Diagram label: Security]

The first of these is Executive Management at the top levels of the Czech government.

Executive Management must project a vision. This can be defined by the security management but top government officials need to agree and set the tone if governance is to be successful and if the Country is to reap its benefits.

In order to transform security into an effective function, each Line of Business, the various ministries (the stovepipes) in the organization, needs to see Country officials setting what is called the "tone at the top." This consists of a clear vision statement that Security is everyone's job. Each person needs to have the same focus. Along with that we need to create a unified security program, and allocate or acquire appropriate resources.

Governance Implementation
The Role of Ministry Executive Management - Strategic
- Commit To a Program: create the security program plan; apply the necessary resources
- Manage Change: drive transformation through the organization
- Measure Success: internal testing and measurement; audit improvement
[Diagram label: Security]

At the Ministry level, top level officials also have a strategic responsibility, although slightly different from the Country's top leaders. They need to set a Ministry vision that complements that established at the Country level.

Once these program elements are in place, we need to follow through, and ensure that all areas of the organization agree with and comply with the directives and processes defined by the security program.

Such a centralized information security program will also enable centralized monitoring of results, which is essential to improving quality and efficiency. Monitoring of quality can take many forms, as we will see a little later in this presentation. Chief among them is of course, a reduction in the number and severity of audit findings, data breach incidents, or rework.

Let's move now to what the specific steps are to implement a successful security governance program, and, in turn, effective security.

Governance Implementation
Governance Requirements
- Centralized leadership
- Scalability and agility
- Comprehensive planning
- Management of risk
- Continuous improvement in quality

Before we discuss the specific steps for implementing a security governance program, let's also discuss general requirements that any such program needs to address, including any growth issues combined with escalating needs or expectations for security compliance. The security plan should address these five requirements:

1st: Appropriate levels of centralization of security leadership. Without a leader a program will not be successful. Government programs also need their leaders, as do international needs.

2nd: Today, every organization needs scalability and agility, with an information security governance structure that can expand and adjust to a rapidly changing organizational structure.

3rd: The security program needs to be much more comprehensive than in the past; gaps must be closed, and the full range of security requirements must be included.

4th: This includes an ongoing risk management program that actively identifies risks, makes pragmatic choices about how and where to remediate, takes action, and monitors for effectiveness of results.

5th: It also includes analysis of the effectiveness of security policies and infrastructure by tracking measures of risk and compliance, and making adjustments in a continuous cycle of improvement in quality.

Now we're going to go a little deeper. How do we actually put such a program in place?

We now know what we need to do, but...

Best Practices Security Governance
Who does what?
[Diagram of levels: Approve; Define; Interpret; Implement]

As we begin to think about security governance, at what level of the organization do various program components occur?

This organizational chart combines centralized leadership with a flexible and scalable governance structure.

While executive Ministry leadership drives the entire governance program for the organization, the CIO tracks the health of the information security program, and tracks risks to the organization's information assets. The CIO provides final approval for information security policy, and receives reports of risk and compliance from the CISO.

The CISO establishes security policies and standards for the entire organization at the Ministry level. This is where the new holistic approach really takes hold. The CISO monitors reports on risk and compliance, and assembles executive summaries on risk. The CISO leads mitigation efforts to reduce gaps and audit findings. The CISO assumes leadership of the response to security incidents. The CISO's office includes senior engineers who provide subject matter expertise in technical aspects of security. Often, we find that organizations do not have a centralized security engineering function, and do not take leadership during security incidents. To make this change happen, managers must be found who have significant subject matter expertise or who can be trained to have such expertise. And appropriate relationships need to be established and enforced with third parties and business partners.

At the Line of Business level, various managers assigned security responsibilities should interpret organizational security policy and standards in the context of their local or departmental operation. These managers oversee compliance with standards in the datacenters, finance, personnel, and other functional areas, so they must be encouraged to gain enough understanding with which to fulfill this mission.

System engineers in the datacenter and operational areas respond to security directives by establishing work plans and procedures for security, and performing daily operations according to policy. To make this happen, executive leadership needs to ensure that third party personnel at the Datacenters do not have divided loyalty. Vendor agreements need to be clear, and the organization needs to be perceived as in charge when it comes to security. Leadership needs to make clear to all parties that security policy at the datacenter level must be in accordance with policies established by the Ministry CISO. This is a significant change from many current situations we find throughout organizations.

When these layers are in place, a risk management framework can be established which will be a core process for improvements in quality.

Tiered Security Process
[Diagram: Ministry Management drives the program; Policies, Guidelines, Standards; Security Awareness; Continuous Monitoring; Audit Results, Vulnerability Assessments; Risks; Feedback flows back up]

While the Country government sets the vision, at the Ministry level the executive management must drive the security program.

We can illustrate this in a 3-tiered structure

This three tiered management structure is a typical leading practices information security structure.

The CISO drives security awareness down and across the organization. Business processes at the mid tier are adapted to security directives.

At the systems and infrastructure level, security controls are implemented through work orders, procedures, and investment in technology. The health of the network is monitored, success of work orders is monitored, and vulnerabilities are identified during vulnerability assessments and audits, and these results are fed back up through the organization to the CISO.

To understand how this applies to risk management, let's review some common terms and concepts for risk management.

Likelihood X Impact = RISK

Risk Rating
                        Very small Impact   Moderate Impact   Significant Impact   Huge Impact
Unlikely                Low Risk            Low Risk          Low Risk             Low Risk
Realistic Possibility   Low Risk            Low Risk          Moderate Risk        Moderate Risk
Strong Likelihood       Low Risk            Moderate Risk     Moderate Risk        High Risk
Near Certainty          Low Risk            Moderate Risk     High Risk            High Risk
(Drive to the left)

When we set up a security program we do so to ensure that our risk is only as great as our organization is comfortable with.

Obviously, the Ministry of Finance or Defense is far less tolerant of risk than, perhaps, the Ministry of Culture.

This chart illustrates the concept of risk that each Ministry needs to consider.

Risk is equal to the likelihood of an impact times the size of the impact. This is where risk management comes in. Every organization has vulnerabilities. No organization would even want to be totally free of risk, because having no risk is too expensive. In business, some risk is part of making a profit. In technology, there will be risks that are acceptable, because the risk is so small or inconsequential that addressing the risk is not cost justified. There are other risks where investment to address the risk is a required cost of doing business. Information security risk management is the process by which you can make informed decisions to prioritize which risks should be addressed.

In this table you see that a risk that has little expected impact and little likelihood of occurring is ranked as a low risk. On the other hand, some very unlikely risks have a huge expected impact. What would happen if a meteor struck? The likelihood is so small that protecting against a meteor strike is not justified.

There is a strong likelihood of fraud if financial applications accessible by the Internet do not have proper password management, and the impact of fraud can be grave, so an absence of appropriate password management in financial systems could be a High Risk. A well-structured information security program will reduce the number of high risks by first identifying the risks, prioritizing them, and investing in solutions to remove the high risks.

Risk Management
[Diagram: Plan-Do-Check-Act cycle]
- Plan: Risk Analysis; Audits
- Do: Plan of Action and Milestones
- Check: Continuous Monitoring; After-Action Reports
- Act: Revise Policy & Program; Redirect Risk Analysis

As part of the governance program, managing risk is a required element. In this diagram, we use a chart called a Plan Do Check Act cycle, as applied to risk management. Starting at the Planning stage, the Ministry conducts a risk analysis of its entire infrastructure, including business processes. The risks are then ranked in terms of priority, and project plans are developed to address top priority risks, often called a Plan of Actions and Milestones. The POAM describes what remediation is planned and assigns dates for each step along the way, and also what will occur on that date.

In the DO stage, the CISO will drive the process to remediate risks, with each project in the Plan of Actions and Milestones. Executive Ministry Leadership should work with the CIO and CISO to ensure that ownership for remediation efforts is clear, remediation is properly funded, and a schedule for closing findings is tracked. This is an area where security often fails because of ambiguity of ownership. Executive leadership needs to ensure that responsible parties accept ownership and responsibility for remediation. The CISO should have immediate, on demand access to the current status of all remediation projects, as well as ongoing access to monitoring reports.

In the CHECK stage, the effectiveness of remediation is monitored, through ongoing monitoring and reports on security intrusions, vulnerability assessments, and many other sources. Metrics are gathered and reporting occurs.

On the right side of the cycle, the DO stage, technology and process is improved. On the left side of the cycle, the ACT stage, higher level considerations come into play and the security program is improved. When persistent vulnerabilities continue to appear despite best efforts with existing resources, the CISO may determine that changes to policy, standards, staff, or to the program structure may be required.

Changes in the Ministry's business environment, including new functions or changes to requirements, may also require a change in how risk is assessed. And the cycle starts again, with a refreshed understanding of risks and approaches to risk. Improvements to quality will be achieved by moving repeatedly through this cycle.
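To make the risk-rating table and the Plan and Check stages of the cycle concrete, here is an added example in Python. It is not code from the presentation or from JANUS Associates: it encodes the slide's Likelihood x Impact matrix exactly as drawn, builds a prioritized Plan of Action and Milestones from a constructed risk register, and computes the closure metrics a CISO would report upward in the Check stage. The risk names, owners, milestone dates, the reporting date and the numeric tiebreak score used to order risks inside the same band are all constructed assumptions; the band itself always comes from the matrix.

```python
"""Risk rating and Plan-of-Action prioritisation (added illustration)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Likelihood rows and impact columns, in the order the slide uses.
LIKELIHOOD = ["Unlikely", "Realistic Possibility", "Strong Likelihood", "Near Certainty"]
IMPACT = ["Very small", "Moderate", "Significant", "Huge"]

# The rating matrix exactly as drawn on the slide: RATING[likelihood][impact].
RATING = [
    ["Low", "Low",      "Low",      "Low"],       # Unlikely
    ["Low", "Low",      "Moderate", "Moderate"],  # Realistic Possibility
    ["Low", "Moderate", "Moderate", "High"],      # Strong Likelihood
    ["Low", "Moderate", "High",     "High"],      # Near Certainty
]
RANK = {"Low": 0, "Moderate": 1, "High": 2}


@dataclass
class Risk:
    name: str
    likelihood: str           # one of LIKELIHOOD
    impact: str               # one of IMPACT
    owner: str                # party that accepts responsibility for remediation
    target_date: date         # POAM milestone date
    closed_on: Optional[date] = None


def rate(risk: Risk) -> str:
    """Look up the slide's Likelihood x Impact band for one risk."""
    if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
        raise ValueError(f"unknown likelihood/impact on {risk.name!r}")
    return RATING[LIKELIHOOD.index(risk.likelihood)][IMPACT.index(risk.impact)]


def score(risk: Risk) -> int:
    """Numeric Likelihood x Impact (1..16). This is an assumption used only to
    order risks inside the same band; the matrix, not the product, sets the band."""
    return (LIKELIHOOD.index(risk.likelihood) + 1) * (IMPACT.index(risk.impact) + 1)


def build_poam(risks: List[Risk], accept_band: str = "Low") -> List[Risk]:
    """PLAN stage: drop risks in the accepted band, rank the rest by band,
    then by numeric score, then by earliest milestone date."""
    open_risks = [r for r in risks if RANK[rate(r)] > RANK[accept_band]]
    return sorted(open_risks, key=lambda r: (-RANK[rate(r)], -score(r), r.target_date))


AS_OF = date(2013, 7, 31)  # constructed reporting date for the CHECK stage


def check_stage(poam: List[Risk], as_of: Optional[date] = None) -> Dict[str, float]:
    """CHECK stage: POAM closure metrics (how many items closed, closed on time,
    overdue) that the CISO reports to Ministry management."""
    as_of = as_of or AS_OF
    closed = [r for r in poam if r.closed_on is not None]
    on_time = [r for r in closed if r.closed_on <= r.target_date]
    overdue = [r for r in poam if r.closed_on is None and r.target_date < as_of]
    return {
        "items": len(poam),
        "closed": len(closed),
        "closed_on_time": len(on_time),
        "overdue": len(overdue),
        "closure_rate": round(len(closed) / len(poam), 2) if poam else 0.0,
    }


# Constructed sample register; the scenarios follow examples given in the talk.
SAMPLE_RISKS = [
    Risk("Internet-facing financial app without password management",
         "Strong Likelihood", "Huge", "Ministry of Finance CISO",
         date(2013, 3, 31), closed_on=date(2013, 3, 15)),
    Risk("Meteor strike on data center", "Unlikely", "Huge",
         "Facilities", date(2020, 1, 1)),
    Risk("Access not removed when staff change jobs", "Near Certainty",
         "Significant", "Ministry HR / identity team", date(2013, 6, 30)),
    Risk("Ministries using different security policies", "Realistic Possibility",
         "Significant", "Country-level governance office", date(2013, 9, 30)),
    Risk("Unpatched internal test server", "Realistic Possibility",
         "Very small", "Data center operations", date(2013, 12, 31)),
]

if __name__ == "__main__":
    for r in build_poam(SAMPLE_RISKS):
        print(f"{rate(r):8} {score(r):2}  {r.target_date}  {r.owner}: {r.name}")
    print(check_stage(build_poam(SAMPLE_RISKS)))
```

Run as a script it prints the POAM in priority order (the two High risks first, the meteor strike and the test server left out as accepted Low risks) and then the Check-stage metrics, which for the constructed register show one item closed on time and one overdue. Passing a different accept_band moves the line between risks that are accepted and risks that go onto the plan, which is exactly the tolerance decision the notes say differs between, say, Finance and Culture.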

Next, let's look at one of the most common reasons why organizations do not always see an improvement in quality.

Vendor Risk Management
Risk Can Not Be Outsourced
- Boundaries of ownership for security controls must be crystal clear
- Continuous security monitoring and reporting back
- Integration of incident response between the vendor and your organizations

We see organizations trying to rid themselves of risk by outsourcing.

Many organizations depend heavily on suppliers, service providers, and other third party business associates and this dependence is growing throughout the world.

Ownership of RISK for systems, networks, and applications cannot be outsourced. It is perfectly reasonable to have a third party manage systems and applications, but if anything should happen to the data within those systems and applications, the organization that outsourced the functions still owns the risk. If government or citizens' information is mistakenly published on the internet, or if critical systems fail, the Ministry or organization that outsourced will be held responsible, and the Czech public will also hold it responsible. System management of functions can be outsourced, but system risk cannot be.

What we see occurring in the US presently is that agencies are working to clarify boundaries of ownership for systems and for security controls. If things are outsourced (including to the cloud, which is so popular today), the agency or organization that outsourced the function is beginning to establish agreements to monitor systems and processes that occur at the place where the systems reside, and if security incidents occur at that outsourcer, because we know for certain that security incidents will occur, the originator's information security team needs to be immediately informed and involved in the response to the incident. You should not rely solely on someone else to identify and manage all your security incidents without your involvement.

Your executives should drive this in several ways:

The Role of Executives
- Set Example: Tone from the Top; Role Model Accountability
- Set Expectations: Security expectations must be explicit in vendor agreements
- Establish Oversight: Vendors should submit to independent security assessments and audits

As each Ministry establishes its program to meet the Countrys vision of security, top officials in each Ministry need to ensure that everyone knows what is expected.

1st: They need to continue to set the example of Country officials by being role models and adhering to security themselves. This is a large component of tone at the top.

2nd: Set expectations among all business partners outside the Ministry, and codify those expectations with explicit security requirements written into vendor agreements, memoranda of understanding, and service level agreements. Do not let your vendors and contractors tell you what they do, or worse, not tell you everything until there is a problem.

3rd: Establish ongoing oversight of third parties. The CISO's office needs authority and cooperation to conduct independent security assessments and monitoring of the various departments and all other areas in scope for the security program. Your executives must also ensure that the security program is properly staffed, with the appropriate tools and resources to effectively conduct monitoring of third parties. Telling staff to do this with no resources with which to undertake the task is going to fail.

However, this does not mean that an open checkbook need be available. Far from it: careful expenditures are called for, and your koruna should be able to buy more through coordinated spending.

Information Security Measures of Performance
Program is Effective
- Investment reduces the number of findings in audit reports
- Success rate in closing items in the Plan of Action and Milestones
- Impacts from security incidents trend lower
Policies Are Followed and Effective
- Procedures should generate evidence of performance
- Continuous monitoring: antivirus, intrusion detection
- Vulnerability assessments
- After action reports on disaster recovery, incident response


Once the risk management program is in place, through verification and reporting you can ensure that the program is effective, and also that the policies and standards of the program are also effective.

At the Program level, the CISO should gather metrics on the number and severity of risks and findings, which should begin to trend lower over time. The success of the program is also measured by how effectively projects are managed to close high-risk findings. For example, metrics might include how many projects to close risk are completed on time, and estimated vs. actual cost expended.

It is critically important not to punish reporters of security incidents. An increase in the number of incidents is not an indication of a failure of the program. Quite the opposite is true. An alert and well trained CIRT team will identify more incidents than a poorly trained or poorly motivated team. An increase in security maturity is often followed by an increase in security incidents being reported. Impact, not the number of security incidents, is the important metric to track.

At the Policy Level, the CISO will gather two types of metrics: one form of metric determines if policies are followed, the second form of metric determines if policies are effective.

Work orders should be designed to generate audit logs or records, which can be monitored for completion and adherence to policy.

The number and nature of findings in vulnerability assessments are a useful metric for determining if policies are both followed and effective.

At this point the use of tools is appropriate. Note how much thought has gone into developing the Program before we even consider tools. The number of incidents reported by monitoring, such as antivirus or intrusion detection, is a common way to determine if policies are effective, as are after action reports and lessons learned from actual events or disaster recovery testing.

All of these metrics should be generated by the datacenters and operational areas, and provided to the security managers and/or the Ministry CISO for analysis.

With these actions you will establish and maintain an effective security governance program.

In Summary
Security Governance
- Set information security vision: Country level
- Establish strategy: Ministry level
- Bring in experienced employees/advisors
- Drive the vision
- Verify
- Improve security and lower levels of risk
- Become best in class to improve quality, lower costs

Security governance starts at the top.

Get Country and executive management to accept the vision.

Establish the strategy to better control overall risk.

Bring in experienced employees and advisors to speed the process for improvement. Drive the vision of risk management throughout the organization. Verify.

This is how you can achieve an internationally respected information security program.