1. 2011 National BDPA Technology Conference
Developing an Information Security Program
Shauna Cox
August 3 – 6, 2011, Chicago, IL

2. Presentation Objectives
- Understand the components of an Information Security Program.
- Understand the internal & external factors that impact Information Security Program development.
- Describe the various approaches used to develop an Information Security Program.

3. Agenda
- Need for Information Security Program
- Program Components
- Methodologies / Standards
- Information Security Program Development Process
- A Day In The Life

4. Reality
- A Hacker has to be successful once.
- A Security Professional must be successful every time.

5. Why is an Information Security Program Needed?
- Technology & Business Cycle Changes
- Regulatory Requirements
- Potential Security Threats
- Sophistication of Attacks / Attackers
- Strategic Necessity

6. Technology & Business Cycle Changes
- Decentralization of computing resources
- Accessibility of technology for novices & experts alike
- Technology dependency
- Layers of technology architecture

7. Regulatory Requirements
- FISMA
- HIPAA
- SOX
- Computer Security Act
- U.S. Privacy Act

8. Potential Threats
- Terrorism / Cyber-Terrorism
- Uninformed Users (Social Engineering)
- Disgruntled Users / Employees
- Intentional Hackers

9. Sophistication of Attacks
- Availability of Technology
- Greater Modes of Organization (i.e., social networking)
- Enhanced Technical Skills
- Easier to Maintain Anonymity
- Potentially Lucrative (e.g., organized criminals)

10. Strategic Necessity
- Competitive Survival & Advantage
- Business / Technology Alignment

11. Myth
Information Security Policy = Information Security Program

12. Information Security Principles

13. People, Places & Things
- Roles & Responsibilities
- Scope of Authority
- Tools & Techniques

14. Roles & Responsibilities
- Information Security Function
- Executive Management
- Organizational (Line) Management
- Users

15. Information Security Function
- Develop, maintain & help enforce information security policies, procedures and controls.
- Oversee the deployment and integration of security solutions.
- Serve as an advisor on IT security-related issues.

16. Executive Management
- Provide the strategic vision for an information security program.
- Approve strategic goals and ensure information security is integrated into management processes.
- Ensure enterprise compliance with applicable regulatory directives.

17. Management
- Ensure compliance & help facilitate awareness of organizational information security policies & procedures.
- Enforce rules for appropriate use and protection of the organization's systems.
- Ensure proper segregation of duties in operational areas.
- Follow appropriate procedures and provide first-line authorization for system access.

18. Users
- Adhere to organizational policies and procedures.
- Protect individual user accounts and passwords used to access systems.
- Report known or suspected IT security breaches to appropriate personnel.
- Treat all information with the sensitivity necessary in accordance with applicable information classification systems.

19. Scope of Authority & Need

20. Tools & Techniques
- Standards
- Security Monitoring Tools
- Organizational Process Assets (policies, procedures, etc.)

21. Information Security Program Components
- Executive Commitment
- Policies & Procedures
- Monitoring Processes / Metrics
- Governance Structure
- Awareness Training

22. Executive Commitment
- Executives must understand the strategic impact of information security.
- Executive management articulates the priority of information security in word & in deed.
- The role of the information security function must adhere to a level of independence (i.e., the reporting structure should be appropriate).

23. Policies & Procedures
- Acceptable Use
- Incident Handling
- Security Violations
- Identity Management
- Physical Security

24. Metrics
- Financial
- Application-based
- Incident Management
- Change Management
- Vulnerability Management

25. Governance Structure
Governance: "…a set of responsibilities & practices exercised by the Board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly."
Source: IT Governance Institute (Board Briefing on IT Governance, 2nd Edition)

26. Awareness Training
- Who?
- How?

27. Methodologies / Standards
- ISO 17799: developed by ISO; includes 10 domains
- CobiT: developed by ISACA; derived from COSO

28. ISO 17799 Domains
- Information Security Policy
- Information Security Infrastructure
- Asset Classification & Control
- Personnel Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- System Development & Maintenance
- Business Continuity Management
- Compliance

29. Program Development Process

30. Program Development Process
- Plan & Organize
- Implement
- Operate & Maintain
- Monitor & Evaluate
Source: All-In-One CISSP Exam Guide, 4th Edition, by Shon Harris

31. Plan & Organize
- Establish commitment & oversight
- Conduct risk assessment
- Develop security architecture
- Identify solutions

32. Implement
- Assign roles & responsibilities
- Develop & implement policies, procedures, etc.
- Implement security blueprints
- Implement security solutions
- Develop audit & monitoring mechanisms
- Establish SLAs

33. Operate & Maintain
- Ensure baselines are met based on blueprints
- Conduct audits
- Manage SLAs

34. Monitor & Evaluate
- Review logs, audit results, metrics
- Assess goal accomplishments
- Evaluate via governance structure

35. A Day in the Life
- Conduct Self-Assessments
- Respond to Audits
- Train & Educate
- Provide Expertise
- Monitor Systems
- Manage Projects
- Track Compliance
- Gauge SLA Adherence

36. Game Changers
- Cloud Computing
- Mobile Computing
- Social Networking

37. Resources
- NIST
- (ISC)²
- ISACA
- SANS Institute

38. Questions

39. Contact Information
Shauna Cox
[email_address]