JANUS Associates
Information Security Governance
(A Comprehensive Approach to Information Security)
Presented by: Patricia A. P. Fisher, CEO
What is the State of Information Security Today?
Phishing breaches were 4 times higher in 2012 than in 2011
Cost of breaches has increased from $214 to $222 per breach
Cyberattacks: 102 successful attacks per week, compared to 72 in 2011 and 50 in 2010 (RSA)
By January 2013, cyber crime had grown to 46% of all attacks (Hackmageddon.com)
Symantec reports that over $114bn in cash losses was reported worldwide
National Information Security Governance
What is information security governance?
Leadership: a framework established to ensure that all the security elements put in place to protect your data environment work efficiently, accomplish what is intended, and do so cost effectively
Processes to carry out what is intended by the leadership
Why is it important?
Provides a framework for secure business operations in an interconnected world
Ensures the Country's security resources are well spent
National Information Security Governance
Why is it important?
Provides the ability to conduct secure business operations in an interconnected world
Ensures the Country's security resources are well spent
Gains international respect
National Information Security Governance
What does it need to include?
Alignment with the information security strategy of the Nation
Management of risks
Efficient and effective management
Verification of results
National Information Security Governance
What benefits can be gained from a security governance program?
International recognition
Fewer breaches to deal with / increased efficiency
More effective use of resources
Organizational Governance
Governance Model (diagram labels): Security Governance, IT Governance, Financial Governance; Policies & Procedures; Verification; Reporting; Governance Responsibility; Organization Strategy; Risk Management; Ministry A, Ministry B; Policies; Functions
Who Does What In Governance? (diagram labels): Country Government Level; Departments; Procedures
Existing Problems
Governments are often working at the tactical level without a strategic framework
Examples: security tools, incident response
Lack of regular feedback to executive management
Examples: ad hoc testing occurs without a pre-defined structure; few requirements for action plans to provide solutions
Security of Operations
Stove-pipe management (diagram): Ministry of Finance, Ministry of Agriculture, Ministry of Education and Ministry for Resources shown as separate silos
Make Security Strategic
Stove-pipe management leads to gaps (diagram): the same four ministries, with a GAP between each neighbouring pair
A Holistic Approach to Governance
Security
Risk Management
Governance Implementation
The Role of Government Executive Management - Strategic
Commit To Holistic Security Excellence
Set a common vision
Establish principles to guide the program
Security
Governance Implementation
The Role of Ministry Executive Management - Strategic
Commit To a Program
Create the security program plan
Apply the necessary resources
Manage Change
Drive transformation through the organization
Measure Success
Internal testing and measurement
Audit improvement
Security
Governance Implementation
Governance Requirements
Centralized leadership
Scalability and agility
Comprehensive planning
Management of risk
Continuous improvement in quality
Best Practices Security Governance (diagram labels): Approve, Define, Interpret, Implement Operations
Operational Governance
Enterprise Policy and Standards
Executive Leadership – Ministry Level: Executive Mgmt/CIO, CISO
Line of Business, Human Resources, Line of Business, Datacenter
Tiered Security Process (diagram labels): CIO, CISO
Business Processes
Systems and Infrastructure
Risks, Audit Results, Vulnerability Assessments, Continuous Monitoring, Security Awareness, Policies, Guidelines, Standards
Drive the Program
Feedback
Ministry Management
Likelihood X Impact = RISK

Risk Rating            Very small Impact   Moderate Impact   Significant Impact   Huge Impact
Unlikely               Low Risk            Low Risk          Low Risk             Low Risk
Realistic Possibility  Low Risk            Low Risk          Moderate Risk        Moderate Risk
Strong Likelihood      Low Risk            Moderate Risk     Moderate Risk        High Risk
Near Certainty         Low Risk            Moderate Risk     High Risk            High Risk

Drive to the left
Risk Management (Plan-Do-Check-Act cycle)
Plan: Risk Analysis, Audits
Do: Plan of Action and Milestones
Check: Continuous Monitoring, "After-Action" Reports
Act: Revise Policy & Program, Redirect Risk Analysis
Vendor Risk Management
Risk cannot be outsourced
Boundaries of ownership for security controls must be crystal clear
Continuous security monitoring and reporting back
Integration of incident response between the vendor and your organizations
The Role of Executives
Set Example: "Tone from the Top", Role Model, Accountability
Set Expectations: Security expectations must be explicit in vendor agreements
Establish Oversight: Vendors should submit to independent security assessments and audits
Information Security Measures of Performance
Program is Effective
Investment reduces the number of findings in audit reports
Success rate in closing items in the Plan of Action and Milestones
Impacts from security incidents trend lower
Policies Are Followed and Effective
Procedures should generate evidence of performance
Continuous monitoring: antivirus, intrusion detection
Vulnerability assessments
After action reports on disaster recovery, incident response
In Summary
Security Governance
Set information security vision – Country level
Establish strategy – Ministry level
Bring in experienced employees/advisors
Drive the vision
Verify
Improve security and lower levels of risk
Become best in class to improve quality, lower costs