SPG U3 1

Uploaded by S.Dixit

SECURITY POLICY AND GOVERNANCE (6KS01)

Unit 3: Governance and Strategic Planning for Security
CONTENTS
• The Role of Planning
• Strategic Planning
• Information Security Governance
• Planning for Information Security Implementation
Role of Planning
• Planning helps organizations manage their resources.
• It involves setting specific goals to be achieved during a defined period of time and then controlling the implementation of the steps taken toward them.
• Planning provides direction for the organization's future.
• Without it, an uncoordinated effort would not only fail to meet objectives but would also result in an inefficient use of resources.
• Organizational planning, when conducted by the appropriate segments of the organization, provides a coordinated and uniform script that increases efficiency and reduces waste and duplication of effort by each organizational unit.
Precursors to Planning
• To implement effective planning, an organization's leaders usually begin from previously developed positions.
• These positions explicitly state the organization's ethical, entrepreneurial, and philosophical perspectives.
• When an organization's stated positions do not match the demonstrated ethical, entrepreneurial, and philosophical approaches of its management teams, the developmental plan, which is guided by the organization's mission, vision, values, and strategy, becomes unmanageable.
Mission Statement
• The mission statement explicitly declares the business of the organization and its intended areas of operations.
• Simply put, the mission statement must explain what the organization does and for whom.
• It is the organization's identity card.
• RWW's mission statement might take the following form:
  "Random Widget Works designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments."
• A mission statement should be concise, should reflect both internal and external operations, and should be robust enough to remain valid for a period of four to six years.
Vision Statement
• The vision statement expresses what the organization wants to become and works together with the mission statement.
• The vision statement expresses where the organization wants to go, while the mission statement describes how it wants to get there.
• The mission, vision, and values statements provide the philosophical foundation for planning and guide the creation of the strategic plan.
• RWW's vision statement might take the following form:
  "Random Widget Works will be the preferred manufacturer of choice for every business's widget equipment needs, with an RWW widget in every gizmo (gadget) in use."
• This is a very bold, ambitious vision statement. It may not seem very realistic, but vision statements are not meant to express the probable, only the possible.
Values Statement
• The trust and confidence of stakeholders and the public are important factors for any organization.
• The quality management movement of the 1980s and 1990s illustrated that organizations with strong values can earn greater loyalty from customers and employees.
• The U.S. National Archives has formal mission, vision, and values statements published on its Web site.
• RWW's values statement might take the following form:
  "Random Widget Works values commitment, honesty, integrity, and social responsibility among its employees. It is committed to providing its services in harmony with its corporate, social, legal, and natural environments."
Planning Levels
• Once the organization's overall strategic plan is translated into strategic goals for each major division or operation, the next step is to translate these strategic goals into objectives that are specific, measurable, achievable, and time-bound.
• Strategic plans are used to create tactical plans, which are in turn used to develop operational plans.
Strategy
• The action of planning how to do or achieve something; or
• A plan that you use in order to achieve something.
Strategic Planning
• "The process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort."
• Guides organizational efforts.
• Focuses resources toward goals.
• This form of planning makes use of a three-step process:
  1) Where are we now?
  2) Where are we going?
  3) How will we get there?
Tactical Planning
• Short-term focus (one to three years).
• Breaks down each strategic goal into incremental objectives.
• Each objective should be specific and should have a delivery date within a year.
• Budgeting, resource allocation, and personnel are critical components; these components are general at the strategic planning level but crucial at the tactical level.
• Includes project and resource allocation, planning documents, budgets, project reviews, and periodic (yearly, quarterly, monthly) reports created for projects.
• Also called process project planning or intermediate planning.
Operational Planning
• Derived from tactical plans, to organize the ongoing, day-to-day performance of tasks.
• Includes coordination activities across department boundaries, communications requirements, weekly meetings, summaries, progress reports, and associated tasks.
• Reflects the organizational structure, with plans at the subunit, department, or project team level.
• E.g., operational planning within InfoSec may involve such objectives as the selection, configuration, and deployment of a firewall, or the design and implementation of a security education, training, and awareness program.
What is InfoSec governance?
• Governance
  - The set of responsibilities and practices exercised by the board and executive management with the goal of:
    - Providing strategic direction
    - Ensuring that objectives are achieved
    - Ascertaining that risks are managed appropriately
    - Verifying that the enterprise's resources are used responsibly
• Governance, Risk management, and Compliance (GRC)
  - An approach to information security strategic guidance from a board of directors or senior management point of view that seeks to integrate the three components of:
    - Information security governance
    - Risk management
    - Regulatory compliance
What should a board of directors recommend as an organization's InfoSec objectives?
• According to ITGI (Information Technology Governance Institute), InfoSec governance includes all the accountabilities and methods undertaken by the board of directors and executive management to provide:
  - Strategic direction
  - Establishment of objectives
  - Measurement of progress toward those objectives
  - Verification that risk management practices are appropriate
  - Validation that the organization's assets are used properly
• ITGI recommends that boards of directors supervise strategic InfoSec objectives by:
  1. Creating and promoting a culture that accepts the criticality of information and InfoSec to the organization
  2. Verifying that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment
  3. Assigning and assuring that a complete InfoSec program is developed and implemented
  4. Requiring reports from the various layers of management on the InfoSec program's effectiveness and acceptability
What are the five basic outcomes that should be achieved through InfoSec governance?
• InfoSec governance consists of the leadership, organizational structures, and processes that safeguard information.
• Critical to the success of these structures and processes is effective communication among all parties, which requires constructive relationships, a common language, and a shared commitment to addressing the issues.
• Five basic outcomes of InfoSec governance:
  1) Strategic alignment of InfoSec with business strategy to support organizational objectives
  2) Risk management by executing appropriate measures to manage and reduce threats to information resources
  3) Resource management by utilizing InfoSec knowledge and infrastructure efficiently and effectively
  4) Performance measurement by measuring, monitoring, and reporting InfoSec governance measures to ensure that organizational objectives are achieved
  5) Value delivery by optimizing InfoSec investments in support of organizational objectives
Benefits of Information Security Governance
• InfoSec governance, if properly implemented, can yield significant benefits, including:
  1. An increase in share value for organizations
  2. Increased predictability and reduced uncertainty of business operations
  3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
  4. Optimization of the allocation of limited security resources
  5. Assurance of effective InfoSec policy and policy compliance
  6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response
  7. A level of assurance that critical decisions are not based on faulty information
  8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response
IDEAL Model
• The CGTF (Corporate Governance Task Force) framework is built around the IDEAL model, which includes five phases:
  - Initiating
  - Diagnosing
  - Establishing
  - Acting
  - Learning
Information Security Governance Responsibilities
• The CGTF (Corporate Governance Task Force) framework defines the responsibilities of:
  - the board of directors/trustees,
  - the senior organizational executive (i.e., CEO),
  - executive team members,
  - senior managers,
  - all employees, and
  - users.
• The CGTF document also outlines the requirements for an InfoSec program.
What is security convergence and why is it significant?
• Security convergence refers to the convergence of two historically distinct security functions, physical security and information security, within enterprises.
• Both are integral parts of a risk management program.
• Why convergence is significant:
  - Significantly lower costs.
  - Use existing servers to make the decisions.
  - Use existing IT infrastructure (switches, cables, UPS systems) to keep the system running.
  - Use existing IT redundancy and backup to protect in case of failures.
  - Let the IT department protect valuable data and keep out cyber-intruders.
  - Merge physical access (doors) and logical access (computers) into a single system.
  - Let security worry about the "who, when, and where." Let IT handle moving the data.
  - Take away remote databases not managed by IT, and reduce the ability of hackers to penetrate the access system and use it as a gateway to the rest of the IT system.
  - Save significant hardware money to spend on other security measures.
Information Security Governance Principles
1. Establish organization-wide information security.
2. Adopt a risk-based approach.
3. Set the direction of investment decisions.
4. Ensure conformance with internal and external requirements.
5. Foster (promote) a security-positive environment.
6. Review performance in relation to business outcomes.
Five Governance Processes
1. Evaluate
  - Review the status of current and projected progress toward organizational information security objectives.
  - Determine whether modifications of the program or its strategy are needed to keep on track with strategic goals.
2. Direct
  - The board of directors provides instruction for developing or implementing changes to the security program.
  - This may include modification of available resources, the structure of priorities of effort, adoption of policy, recommendations for the risk management program, or alteration of the organization's risk tolerance.
3. Monitor
  - The review and assessment of organizational information security performance toward goals and objectives by the governing body.
  - Monitoring is enabled by ongoing performance measurement.
4. Communicate
  - The interaction between the governing body and external stakeholders, where information on organizational efforts and recommendations for change are exchanged.
5. Assure
  - The assessment of organizational efforts by external entities such as certification or accreditation groups, regulatory agencies, auditors, and other oversight entities, in an effort to validate organizational security governance, security programs, and strategies.

Sec SDLC
• Primary objective
  - The Sec SDLC is designed so that it helps developers create software and applications while significantly reducing security risks at later stages by addressing them from the start.
Phases involved in the Sec SDLC
1. System Investigation
  - Started by the officials/directives at the top level of management in the organization.
  - The objectives and goals of the project are considered first.
  - An information security policy is defined which contains descriptions of the security applications and programs installed along with their implementations.
2. System Analysis
  - A detailed analysis of the documents from the System Investigation phase is done.
  - Already existing security policies, applications, and software are analyzed in order to check for flaws and vulnerabilities in the system.
  - Upcoming threat possibilities are also analyzed.
  - Risk management comes under this phase.
3. Logical Design
  - The development of tools and blueprints involved in the various information security policies and their applications and software.
  - Backup and recovery policies are also drafted in order to prevent future losses.
  - The steps the business should take in case of any disaster are also planned.
  - The decision on outsourcing the project is made in this phase: it is analyzed whether the project can be completed within the company itself or needs to be sent to another company for the specific task.
4. Physical Design
  - Different solutions are investigated for any unforeseen issues which may be encountered in the future.
  - Issues are analyzed and written down in order to cover most of the vulnerabilities that were missed during the analysis phase.
5. Implementation
  - Whether the project is in-house or outsourced, proper documentation of the product is provided in order to meet the requirements.
  - The implementation and integration of the project are carried out with the help of various teams aggressively testing whether the product meets the system requirements specified in the system documentation.
6. Maintenance & Change
  - After the implementation of the security program it must be ensured that it is functioning properly and is managed accordingly.
  - The security program must be kept up to date in order to counter new threats that could not be foreseen at the time of design.
SDLC vs. Sec SDLC
1. Full name
   SDLC: System development life cycle.
   Sec SDLC: Security system development life cycle.
2. Purpose
   SDLC: Deliver quality systems which meet or exceed customer expectations.
   Sec SDLC: Help developers to create software and applications that reduce the security risks at later stages.
3. Focus
   SDLC: Focuses mainly on the design and implementation of an information system.
   Sec SDLC: Eliminates security vulnerabilities through identification of threats and risks, and removes and manages the risks involved.
4. Phases
   SDLC: Planning, system analysis, system design, development, implementation, integration and testing, operations and maintenance.
   Sec SDLC: System investigation, system analysis, logical design, physical design, implementation, maintenance.
CSO vs. CISO
1. Full name
   CSO: Chief Security Officer.
   CISO: Chief Information Security Officer.
2. Responsibility
   CSO: Responsible for corporate safety.
   CISO: Responsible for tracking and assessing the threats.
3. Scope
   CSO: Ensures physical and technological stability, so needs to recognize what tools are needed and how to secure them.
   CISO: Responsible for ensuring the protection of information and data.
4. Focus
   CSO: Focuses on the strategic planning of the organization's information technology initiatives.
   CISO: Focuses on maintaining information and data security.
Managerial Controls
• Cover security processes that are designed by the strategic planners and executed by the security administration of the organization.
• Set the direction and scope of the security process and provide detailed instructions for its conduct.
• Address the design and implementation of the security planning process and security program management.
• Also address risk management and security control reviews.
• Describe the necessity and scope of legal compliance.
• Cover maintenance of the entire security systems life cycle.
Operational Security Controls
• Deal with the operational functionality of security in the organization.
• Cover management functions and lower-level planning, such as disaster recovery and incident response planning (IRP).
• Address personnel security, physical security, and the protection of production inputs and outputs.
• Also provide structure to the development of education, training, and awareness programs for users, administrators, and management.
• Address hardware and software systems maintenance and the integrity of data.
Technical Security Controls
• Address technical approaches used to implement security in the organization.
• Address specific operational issues, such as control development and integration into business functions.
• Technical controls must be selected, acquired (made or bought), and integrated into the organization's IT structure.
• Include logical access controls, such as those used for identification, authentication, authorization, and accountability.
Project Champion
• An executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.
• Without this high-level support, many mid-level administrators fail to dedicate enough resources to the project.
Systems Development Life Cycle (SDLC)
• A methodology for the design and implementation of an information system.
• Its phases address the investigation, analysis, design, implementation, and maintenance of an information system.
• Organizations often implement information systems by using a methodology known as a systems development life cycle (SDLC).
• Also known as an application development life cycle.
• Develops key project milestones, allocates resources, selects personnel, and performs the tasks needed to accomplish a project's objectives.
Top-Down Approach
• The top-down approach features:
  - Strong upper-management support
  - A dedicated champion
  - Dedicated funding
  - Clear planning
  - An implementation process
  - The ability to influence organizational culture
