Pairing Organizational Strategy with Security Solutions June 9, 2010 The Roosevelt Hotel New York City Jennifer Bayuk, CISA, CISM, CGEIT www.bayuk.com


Page 1

Pairing Organizational Strategy with Security Solutions

June 9, 2010, The Roosevelt Hotel

New York City

Jennifer Bayuk, CISA, CISM, CGEIT

www.bayuk.com

Page 2

Security Strategy

Diagram labels: Tone at the top, Strategy, Organization, Process, Risk, Metrics

• Strategy
• Compliance
• Monitoring
• Policy
• Awareness
• Implementation

Page 3

Tone at the Top

• Is reflected in decisions
• Is observed, not communicated
• Exists whether cultivated or not
• Cannot be created via documents

Page 4

Tone-setting Activities

• Memos to staff
• Training videos
• Awareness activities
• Program visibility
• Process integration
• Documentation availability

Page 5

Security Program Strategy

Observe-Orient-Decide-Act – Original military version

Plan-Do-Check-Correct – The ISACA COBIT version

Plan-Secure-Confirm-Remediate – A popular software vulnerability guide version

Prepare-Detect-Respond-Improve – Carnegie Mellon’s CERT version

Restrict-Run-Recover – A Big 4 consultant’s version

Page 6

Tone Strategy

• How involved is management in the program?
• Policy?
• Process?
• Job function?

Page 7

Information Security Process & IT Governance

Example: Incident Management

Source: IT Governance Institute

©Jennifer L Bayuk, LLC

Page 8

InfoSec Resources

• Executive Management Steering Committee
• Chief Risk Officer
• Chief Privacy Officer
• Information Security Manager
• Director of IT Operations
• IT Site Operations Manager
• IT Implementation Management
• IT Subject Matter Experts
• Application Architects
• IT Project Managers
• IT Product Owners
• Security Administrators
• Business Application Owner
• Business Data Owner
• Procurement Manager
• Compliance Manager
• Physical Security Organization

Page 9

InfoSec Roles and Responsibilities

Where a person performs this role | An associated InfoSec process responsibility is | A sample key performance indicator is
Manages the lifecycle of IT applications and platforms | Security Review Participation | Security-policy-compliant systems configuration
Manages the lifecycle of IT applications and platforms | Security Requirements Capture | Business requirements for confidentiality, integrity, and availability are documented
Manages the lifecycle of IT applications and platforms | Application Security Design | Technical implementation plans for meeting business process security requirements
Manages the lifecycle of IT applications and platforms | Change Control | Secure archive, retrieval, and compilation of organization-maintained source code and product customizations
Manages the lifecycle of IT applications and platforms | Security Upgrade Management | Testing and application of security software fixes
Procures IT services | Security Requirements Capture | Formal requirements for security in all Requests for Product Information and Proposals
Procures IT services | Contract Requirements | Business requirements for confidentiality, integrity, and availability in information service provider and technology maintenance contracts

Given “realms” of business operation, resource identification involves not only specifying areas of responsibility, but also making use of existing business and operational processes.

Page 10

A CXO is like a Pilot

• CXOs are comfortable at the helm: the plane has to stay in the air and get to the destination.
• Rulebooks provide a comfort level for safe decisions.
• Risk managers provide checkpoints.

Source: Bayuk, Jennifer, Introducing Security at the Cradle, SANS Security and Audit Controls that Work Conference, April 2003

Page 11

What CXOs Want

Source: Bayuk, Jennifer, Enterprise Security for the Executive, Praeger, 2010

Page 12

Threat Landscape Overlay

Source: Enterprise Security for the Executive

Page 13

How not to view Security Risk

Source: Jaquith, Andrew, Security Metrics, Pearson Education, 2007.

Page 14

Hamster Wheel Approach

Source: Enterprise Security for the Executive

Page 15

Weatherproofing Analogy

Page 16

Policy at CXO Level

• “All data used to run the physical plant should never leave the plant unless through a process controlled by information technology, and then, only for the purpose of archiving recovery data.”

• “All information concerning our customers will not be shared with anyone who does not have an immediate need to know to accomplish a service or task on the customer’s behalf.”

• “All product inventory will be stored only in company warehouses unless it is in the process of being shipped under a customer purchase order.”

Page 17

Awareness promotes Accountability

• Think holistically
• Program should be unavoidable
• Tone at the Top
• Documentation
• Roles and Responsibilities
• Process Creation
• Corresponding Training
• Metrics

Page 18

CXO Support Strategy

• Is the result what was intended by the strategy and policy?
• Use the metrics to make decisions.
• Allocate resources for independent evidence collection.
• Maintain accountability for control points.
• Turn strategy into policy!
• Focus on business value!

Page 19

Questions, Discussion?

Jennifer Bayuk, CISA, CISM, CGEIT

www.bayuk.com

[email protected]

Presentation based on the book: Enterprise Security for the Business Executive: Setting the Tone at the Top, Praeger, 2010