Presentation Transcript
DTS Introduction - Housekeeping : Welcome!
Kelvin Pye, Assistant Director
Office of Business Development & Innovation
DTS Technology Days
Partnering with Gartner Services and others
Chris Byrnes discussion
Structuring and managing an IT security program.
Appropriate metrics for an IT security program.
How an IT security program fits into your overall governance model.
How to manage risk assessment processes in an IT security program.
Keys to Success for the Information Security Officer : Chris Byrnes
The Top Five Issues : Where does the CISO report?
How does governance affect the CISO?
How do regulatory compliance issues affect the CISO?
What role does the CISO play in the budget process?
How does security architecture affect security program management?
1. Where does the CISO report? : It depends on:
The maturity level of your security program
The maturity level of risk management by the rest of your organization.
You can report directly to the CIO only after you have proven your trustworthiness, professionalism and business focus to the CIO. You can report outside of the CIO only after the CIO has proven to the executive team that you are successful.
Information Security Maturity : [Chart: maturity over time, in four phases. Population distribution across phases (typical, large Global 2000-type organizations): Blissful Ignorance 30%, Design Awareness Phase 50%, Corrective Phase 15%, Operations Excellence Phase 5%. Activities along the curve: Assess Current State; Establish (or Re-Establish) Security Team; Develop New Policy Set; Initiate Strategic Program Architecture; Institute Processes; Conclude "Catch-Up" Projects; Track Technology and Business Change; Continuous Process Improvement.]
Over 30% of Organizations say Infosec is not part of IT department : Corporate decision to separate risk control from risk management
Usually for compliance reasons
A suitable reporting point exists
Chief Risk Officer
Head of Security (i.e. physical security or criminal investigation)
Business model is subject to high levels of cybercrime
IT department is already very large and specialized
Political Wasteland
The Fragmentation of the Infosec Team? : [Diagram: Governance; Administration; Monitor & Response; Enterprise Risk Management; Operations]
2. How does governance affect the CISO? : [Diagram: Enterprise Risk Management; Corporate & Operational Governance; Regulatory Compliance Requirements; Authorities; Accountabilities; Policies; Controls; Corporate Governance; Strategy; Policy; Architecture; Apps]
3. How do regulatory compliance issues affect the CISO? : [Diagram: the governance diagram above with Legal Counsel added. Enterprise Risk Management; Corporate & Operational Governance; Regulatory Compliance Requirements; Authorities; Accountabilities; Corporate Governance; Strategy; Policy; Architecture; Apps; Legal Counsel]
4. What role does the CISO play in the budget process? : [Diagram: security budget ($) flowing between the Risk Management Organization, Business Units and Operations. The CISO's translation steps: Translate Into Security Requirements; Express Risk in Technical Terms; Express Acceptable Risk; Explain Risk Without Technical Terms.]
The 4I Model for Security Value : [Diagram: four quadrants of security value]
Investment (Expected Return): expected financial return; brand enhancement; competitive differentiation; future agility
Indemnity (Regulatory and Stakeholder Exposure): stakeholder support; increased accountability; compliance; improved awareness
Integrity (Reliability of Business Operations): business process integrity (confidentiality, availability, and accuracy); continuous improvement
Insurance (Risk Management): understanding of risk; appropriate risk mitigation
5. How does security architecture affect security program management? : Security architecture provides a defined level of security (baseline, trust level) to a defined set of resources (trust domain).
Multiple baseline/multiple trust domain architectures are demanded by many (most?) businesses.
Security architecture may be a responsibility of the enterprise architecture team – WITH SUPERVISION!
The Activity Cycle of the CISO : Information Security is maturing
Enterprise Risk Management is emergent
The role of the CISO is becoming clear. Let’s start by analyzing the audience:
Who is looking at the information security function?
What are they looking for?
Strategic Planning Assumption : As a result of pressure from their value chain partners and regulatory demands for transparency and privacy, 80% of large organizations (90% of publicly held ones) will implement defined, documented security architectures and baselines for over 60% of their IT assets by 2009 (0.7 probability).
By 2009, 70% of large commercial organizations will have implemented coherent, consistent risk management processes across major classes of risk in response to Board and auditor demands (0.7 probability).
Who Looks for What?
Slide17 : The Reality Is Three Views of the Same Object
Priorities : [Diagram: Business; Policy; Process; Behavior; Tools]
Melding Three Views : [Diagram: Business; Policy; Process; Behavior; Tools, combined across the three views: Controls, Architecture, Process]
Slide21 : Security Officer’s Activity Cycle [Diagram; label: RUN]
The Govern/Plan/Build/Run Structure : ISO/IEC 27001:2005 Information Security Management System (ISMS)
Intro: Plan – Do – Check – Act
Details: Establish – Implement – Monitor – Maintain
Gartner: Govern – Plan – Build – Run
These are cycles. All phases are iterative.
In the Gartner activity cycle the monitor function is explicit in the Run phase.
ISO/IEC 27001 has no reference to governance; it accepts that inputs (requirements and expectations) arrive somehow from “interested parties.”
The Process Maturity Process : Same objectives as QA/Six Sigma/ISO 9000
Conceptually similar to ITIL
Formal definition & maturity assessment of individual security-related processes
SEI/CMM equivalent
Maturation plan for low maturity processes
RACI analysis & simplification
Four (?) Run Functions : Communications & Relationship Management
Risk & Controls Assessment
Identity & Access Management
Threat & Vulnerability Management
Controls View : [Diagram; labels: G, RA, Controls]
What Is A Control? : [Diagram: a control is composed of Policy (accountability), Process (metrics, accountability) and Technology (automation)]
ISO/IEC 17799:2005 : Being renamed ISO/IEC 27002:2007
Explicitly a control structure
Subset of, and maps to, COBIT 4.0
Eleven sections (up from 10)
Architecture View : Security architecture provides a defined level of security (baseline, trust level) to a defined set of resources (trust domain).
Multiple baseline/multiple trust domain architectures are demanded by many (most?) businesses.
Security architecture may be a responsibility of the enterprise architecture team – WITH SUPERVISION!
Typical Content and Structure : [Diagram: security architecture content laid out by viewpoint (Business, Information, Technical) and by level (Conceptual, Logical, Implementation). Conceptual level: Vision; Security Services Framework; Process Model; Roles & Responsibility Model; Policy Framework; Information Classification Framework; Trust Level Definitions; Conceptual Design Models. Logical level: Organization Models; Security Information Flow Models; Design Principles; Logical Design Models; Trust Models; Requirements Templates. Implementation level: Organizational Architecture; Security Information Architecture; Information Classification Register; Technical Reference Models; Security Infrastructure Architectures; Security Services Architectures; Application Security Architectures.]
Typical Contents – Security Architecture : Vision/strategy
Conceptual level: services framework, process model, role model, policy framework, classification framework, trust level definitions, conceptual design models
Logical level: organization models, security information flow models, design principles, logical design models, trust models, trust domain models, requirements templates
Implementation level: organization architecture, security information architecture, information classification register, technical reference models, security infrastructure architectures, security services architecture, application security architectures
The Role of the CISO : Translate business and regulatory requirements into policy, technical standards and controls
Bring together process, architecture and controls perspectives into a single program
Assure compliance to policy
Measure compliance to policy
Assure the sufficiency of policy
Recommendations : Search for staff with good communications skills and an understanding of your business
Develop a process-oriented security program.
Assign ownership and accountability for the risk management function, minimizing conflicts of interest and separation-of-duties issues
Develop a continuous risk assessment process.
Continuously monitor, measure, and report security posture to management.
Build greater levels of accountability, transparency and measurability into security controls.
Q&A
Department of Technology Services : Thank you.
Slides will be available on the DTS website, as well as a recording of this session.
Please complete the evaluation form and leave your business card at the registration desk.
Next Event – DTS Customer Forum at the GTC West 2006 Conference, May 18th 2:00 – 4:00 PM, Sacramento Convention Center, Room 311
Coming soon, “The Demystification of Identity Management”