Topic 3 - Information security program development and management

The document outlines the components and management of an Information Security Program, emphasizing the need for strategic alignment, risk management, and value delivery. It discusses the importance of developing a roadmap, integrating security processes, and utilizing technology resources effectively. Additionally, it highlights common challenges faced in implementing security programs and the necessity of continuous improvement and management support.

Uploaded by jlbosch78

CISM PREP

Topic 3
Information Security Program
The Information Security Program

A body of work to change the organisation

Preceding steps:
• Development of security strategy
• Performing a gap analysis
• Development of roadmap
Information Security Program

• Execute the strategy
• Achieve acceptable levels of risk
• Create from ground up or adopt an existing program
• Information security manager background
• Non-technical skill set required
Information Security Program

• Information security fragmented or centralised
• Executive sponsorship - alignment
• Keeping costs down and benefit high
• Visibility of progress
• Define objectives and obtain consensus
• Skunk-works are controversial
Information Security Program Outcomes
Strategic alignment
• Business mission
• Business owners and business plans

Risk management
• Develop comprehensive understanding of the organisation
• To a level acceptable to the organisation
• With finger on the pulse for emerging risks

Value delivery
• Demonstrate benefit
• Efficient delivery
Information Security Program Outcomes
Resource management
• Utilise team members well
• Implement security processes and practices
• Embed security in business

Performance measurement
• Monitor and report progress
• Strategic, tactical and operational metrics

Assurance process integration
• Work closely with audit and risk
• Develop RTOs applicable to the business
Scope and Charter
• A summary of proposed or endorsed program initiatives
• Is there an existing security program
• What initiatives are included
• What areas of the business are included
• Business benefits and requirements
• Key indicators of success
• Budget and resources
• Selected products and vendors
• Delivery timeframe
Technology Resources
• Antivirus, endpoint security
• Access, identity, authentication and authorisation
• Multifactor authentication
• Public key infrastructure
• Central authentication
• Backup, archiving and redundancy
• Encryption (storage and transmission)
• Data leak prevention
• Digital signatures
• Firewalls, segmentation, IDS/IPS, wireless IPS and web application firewalls
• Security logging, monitoring and alerting
• VPN, proxies and remote access portals
• Vulnerability and patch management
Developing a Roadmap

Staged and realistic plan
Specific projects and initiatives
Design appropriate controls to meet objectives
Security posture of existing systems
Gap analysis
• Identifying areas for improvement
• Specifying controls to address risks
Enterprise Security Architecture

• Design and implement controls consistent with policy and standards
• Break down a complex enterprise system
• Create approachable and understandable building blocks
• A need for an overall design
• Avoids piecemeal security controls
• Addressing business requirements
• Baked into policy and standards
• Strategic approach to controls
TOGAF - ADM
Preliminary framework and principles
a) Architecture vision
b) Business architecture (strategy, channels, processes)
c) Information systems architectures
d) Technology architecture
e) Opportunities and solutions
f) Migration planning
g) Implementation governance
h) Architectural change management
Security Program Management and Administrative Activities
Personnel
• Roles
• Skill
• Culture
Security awareness and training
Acceptable use
Ethics
Documentation
• Review and maintenance
• Version control
Program and project management
Risk management
Business case development
Security Program Management and Administrative Activities
Budgeting
• Resources and technology
• Budget cycles
Problem management
Vendor management
• Security service vendors
• Checklists
Program management evaluation
• Picking up a program
• Resource levels
Security Program Management and Administrative Activities

Legal and regulatory
Physical and environmental
• Data centres and offices
• Portable devices
Regional variances
• Regulatory
• Culture
Security Program Services and Operational Activities
Security liaison
• Physical and corporate security
• IT Audit, external auditors, QA, privacy and compliance
• Information Technology and the PMO
• HR and Legal
Cross organisational responsibilities
Incident response
Security review and audits
Security Program Services and Operational Activities
Security technology management
Due diligence
• Standard of due care
Compliance and monitoring
• Policy and standards compliance
• Compliance enforcement
Risk assessment
Security Program Services and Operational Activities
Outsourcing and service providers
• Third party registers
• Third party checklists and reviews
Cloud computing
• SecaaS, DRaaS, IDaaS, FRaaS
• SaaS, PaaS, IaaS
Integration with IT processes
• Project delivery
• Change management
• Software development
• Configuration management
• Release management
Controls and Countermeasures
Countermeasures
• Response to a specific threat
Physical and environmental controls
Control technology categories
• Native, supplemental and management
Technical control components
• Placement, effectiveness, efficiency, policy, implementation
Testing controls
Baseline controls
Controls and Countermeasures
Control categories
• Preventative
• Detective
• Corrective
• Compensating
• Deterrent
Control methods
• Managerial
• Technical
• Physical
Control design considerations
– Access control
– Secure failure
– Least privilege
– Compartmentalise
– Segregation of duties
– Transparency
– Trust and trust no one
Control strength
Control Frameworks
• 27001/27002
• NIST
• PCI DSS
• HIPAA
Metrics and Monitoring

Levels
• Strategic
• Management
• Operational
Monitoring approaches
• Continuous monitoring of security events
• Evaluating success of security investments
Information security management performance
Metrics and Monitoring
Effectiveness of technical architecture
• Issue reoccurrence
• Standardisation
• Baked-in security
• Resource utilisation
Operational performance
• Incident identification, notification and resolution
• Frequency and severity of incidents
Monitoring and communication
Common InfoSec Program Challenges

Organisational and culture change
Resistance
Management support
Resources
• Funding
• Staffing
Continuous improvement
Discussion Questions
1. What techniques might be used to identify risk within business processes?

2. What is the difference between functional and non-functional requirements?

3. Why is it important to define agreed metrics for the information security program?

4. How does data leak prevention stop sensitive data leaving the organisation?

5. Why is a charter document helpful in an enterprise?

6. Why is it difficult to change organisational culture?
