Information Security – Managing The Risk
© Innovation Value Institute 2014
Introduction
Information Security continues to be business critical and is increasingly complex to manage for the following reasons:
- 72% of organizations report increased risk to information security, based on both external and internal threats.
- Legal and regulatory expectations pertaining to information are also changing, with increased complexity arising from organizations operating across multiple jurisdictions; key considerations here are:
  - Has the information been retained longer than it should have been?
  - Does the data follow a defined life-cycle and is it safe to delete it?
  - Does the business have permission to share this data with its partners?
  - Is it permissible for the company to use data supplied by another company?
Source: Information Security Forum, November 2012
Whose job is it to manage security risks?
- To counter these threats and remove fear, uncertainty and doubt, organizations need to develop a comprehensive information security management capability. So whose job is that?
- ISO 38500 “Corporate governance of information technology” places responsibility for IT governance at board of directors level. Section 1.4.2 of ISO 38500:2008(E) states that directors could be held responsible for security policy and standards failings. Information security is not an IT-only function; it is an organization-wide responsibility in which each employee, customer, and supplier has responsibilities.
- Since vast amounts of information are digitally collected, stored and
Information Security Management
Information Security Management is the capability to direct, oversee and control the actions and processes required to protect documented and digitized information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide integrity, confidentiality, accessibility, availability and usability of data, and to support non-repudiation (i.e. to prevent an author denying his/her own authorship or actions).
Adapted from http://www.law.cornell.edu/uscode/text/44/3542
Scope of Information Security Management
- Strategy and governance.
- Identifying applicable regulations.
- Establishing and maintaining security policies and controls.
- Providing communication and training content on security.
- Responding to security-related incidents.
- Reporting on information security activities and compliance levels.
Information Security Management is Complex
The six categories of building blocks address:
- Governance – Information Security Strategy; Security Policies, Standards, and Controls; Security Roles, Responsibilities, and Accountabilities; Communication and Training; Security Performance Reporting; and Supplier Security.
- Technical Security – Security Architecture; IT Component Security; and Physical Environment Security.
- Security Resource Management – Security Budgeting; Tools and Resources; and Resource Effectiveness.
- Security Risk Management – Security Threat Profiling; Security Risk Assessment; Security Risk Prioritization; Security Risk Handling; and Security Risk Monitoring.
- Security Data Management – Data Identification and Classifications; Access Rights Management; and Life-cycle Management.
- Business Continuity Management – Business Continuity Planning; and Incident Management.
Summary of insights and lessons learned (1 of 6)
What does mature look like?
- There is awareness and understanding across the enterprise of the role that effective security plays in business success, i.e. security is recognized as an enabler rather than a disabler.
- There are clear responsibilities for security activities.
- There is agreement by business and IT stakeholders on risk appetite, and the level of security that is needed.
- Senior level sponsorship is evident.
- The organization has the capability to identify and address new and emerging risks and threats.
- There is recognition that improvements to maturity require an evolving process, with no short cuts.
- Business focused measures are defined,
Summary of insights and lessons learned (2 of 6)
Why would a CIO/CEO invest in maturing this critical capability (CC)?
- To build a competent and effective organization capability to manage information security.
- To protect business value and business success from any adverse effects of inadequate security.
- To demonstrate effective security for stakeholders and regulators.
Summary of insights and lessons learned (3 of 6)
What is unique, new or different about the IT-CMF approach?
- IVI’s ISM capability is informed by academics and industry-based practitioners, and provides a toolkit to enable organizations to measure their capability maturity levels and develop a targeted improvement programme.
- Use of the ISM maturity curve allows organizations to set appropriate and structured security targets. Detailed ISM practices, outcomes and metrics provide guidance to organizations in maturing their ISM capability, with a view to deriving business value.
- IVI’s ISM capability is integrated with other key critical IT capabilities.
- The IT-CMF can be used by multiple stakeholders to discuss and assess maturity in a structured way.
Summary of insights and lessons learned (4 of 6)
What are the key practices required for moving up the maturity profile?
- Develop security policies and awareness/understanding (level 1 to 2).
- Develop and agree the information security strategy, risk appetite and consistent policies (level 2 to 3).
- Develop and implement appropriate education and awareness programmes (level 2 to 3).
- Ensure structured and integrated testing of security effectiveness and independent validation (level 2 to 3).
- Target and test security awareness and understanding (level 3 to 4).
- Engage stakeholders across the enterprise and adopt business level metrics (level 3 to 4).
- Recognise the need to work effectively across the supply chain and the extended enterprise (level 4 to 5).
- Audit and verify practices to improve reach and consistency (levels 4 and 5).
Summary of insights and lessons learned (5 of 6)
Which maturity level is typical for different types of companies/industries?
- Based on workgroup experiences of industry, smaller organizations would be expected to be at level 2, and larger and security sensitive organizations would be expected to be at levels 3 and 4.
Summary of insights and lessons learned (6 of 6)
What typically prevents companies from moving up the maturity profile?
- Lack of resources, typically financial and skills.
- Lack of visible and tangible senior management drive and endorsement.
- Limited recognition of the need for a strategic approach to security.
- Rapidly changing and an increasing volume of threats and risks, resulting in organizations taking a reactive versus proactive stance.
- Organizational limitations, including clarity and boundaries of responsibilities and potential conflicts of priorities.
- Lack of an ‘easy to apply’ ISM framework.
Assessing Current Maturity
The information security management capability as defined in the IT-CMF comes with:
- An on-line survey and assessment interviews that identify the current ISM maturity level.
- Companies can relate their maturity levels at each capability building block to benchmark levels.
- Based on this knowledge, and viewing their own strategic and tactical objectives, target levels can be set for the desired capability maturity level.
Steps to improve
Using ISM’s six categories, an Information Security Management capability can be matured.
See also: Enterprise Architecture Management (EAM), Enterprise Information Management (EIM), Technical Infrastructure Management (TIM), Service Provisioning (SRP), and Solutions Delivery (SD).
Security – Is there an app for that?
- Not any time soon!
- The remaining slides can be read for additional detail and retained for your
IVI Global Community - Upcoming Events
- February 18 – Virtual Meeting, 11-12 (EST): Making it Real: Transforming IT with IT-CMF, Dinesh Kumar, Mitovia
- March 10 and 11 – IVI Spring Summit, New York: Delivering Business Improvement + IVI Certified Training – Assessor Essentials (12 and 13 March)
- April 15 – Virtual Meeting, 11-12 (EST): IT Professionalism - The international dimension of e-Skills and the impact of globalisation, Martin Sherry, IVI
- May 20 – Live event, US: Topic TBC
- June 17 – Virtual event, 11-12 (EST): Innovation Management (TBC)
- July 15 – Virtual event, 11-12 (EST): Agility in IT Management, Gar MacCriosta, IVI
- September 9 and 10 – IVI Autumn Summit, Dublin
- October 21 – Virtual event: Topic TBC
- November 18 – Live event, US
Information Security Management – Summary of key practices, outcomes, and metrics
(For each maturity level, from highest to lowest: key practices, outcomes, key metrics.)

Level 5 Optimizing
Key practices:
- Review and improve governance across the extended enterprise.
- Use best practice architecture, components, and physical security options.
- Review, improve, and manage security budget, tools, and resources.
- Extend security risk management to the extended enterprise.
- Consistently use and improve data identification and classifications, access rights management and data life-cycles across the extended enterprise.
- Provide industry best practice information security guidelines and advice on business continuity.
Outcomes:
- Reduced likelihood of regulatory issues to be managed.
- Fewer security issues.
- Less waste and better returns for the spend on security.
- Holistic risk management.
- Value return is improved based on the widespread usage of sound data management layers.
- Reduced impacts during incidents.
Key metrics:
- # Security audit issues
- # Compliance issues under corrective action
- # Security issues
- # Security staff turnover rates
- # Security resource utilization ratios
- # Security issues included in risk register
- # Effort to develop security features in new applications
- # Count and cost of incidents

Level 4 Advanced
Key practices:
- Regularly review and improve all aspects of security.
- Implement governance criteria across the enterprise.
- Implement technical and physical security consistently across the enterprise.
- Use risk assessment and value returns to guide security budget.
- Roll data management and business continuity practices out across the enterprise.
Outcomes:
- Reduced risk of weak links compromising security.
- Locations and access points have sufficient security.
- Security spend provides risk reduction and improves reputation.
- Higher returns from security investment.
Key metrics:
- # Incidents and adverse audit findings by site, department, and/or function
- # Equipment and configuration variances between HQ, branch or end devices
- # Identified critical risks that are cost effectively mitigated
- # Security feature costs in new developments

Level 3 Intermediate
Key practices:
- Implement documented security governance, roles, architecture, components, tools, resources, and practices aligned with some business units.
- Identify and communicate data security classifications and life-cycles for IT and some business units.
- Provide business continuity security plans.
Outcomes:
- Efficient, effective and consistent security is applied.
- Appropriate levels of security can be applied to business data.
Key metrics:
- # Stakeholder satisfaction
- # Security competences being developed
- # Automated monitoring and screening
- # Availability and confidentiality issues
- # Cost to develop security features
- # Security focused elements in continuity plan

Level 2 Basic
Key practices:
- Establish and communicate policies based on regulations and standards and risk assessment.
- Start to implement data security classifications, life-cycles, and access control mechanisms.
Outcomes:
- Raised security awareness and improved security features.
- Aspects of security can be managed using meta-data.
Key metrics:
- # Stakeholder awareness surveys
- # Security issues
- # Security meta data utilization

Level 1 Initial
Key practices:
- Educate and raise awareness of information security.
- Use system and application secured options by default.
Outcomes:
- Basic security problems are fixed.
- Increased security.
Information Security Management (ISM) – Transitions to increase maturity
(For each maturity level, from highest to lowest: action taken, value delivered.)

Level 5 Optimized
Action taken:
- Align security strategies across the extended enterprise.
- Develop and adopt agile risk management practices.
- Promote security awareness and understanding across the extended enterprise.
- Promote effective security designs and architectures.
- Implement automated responses and alerts.
Value delivered:
- Confidence in consistent security measures and reduced risk of the weakest link compromising security.
- Cost effective rapid responses to risk changes.
- Enhanced security is achievable only with security conscious staff.
- Effective security measures have little or no impact on business volumes or variety.
- Faster effective responses to threats limit exposure.

Level 4 Advanced
Action taken:
- Regularly review and update security strategies.
- Standardize risk management practices.
- Target and test security awareness and understanding.
- Develop an enterprise approach to security architecture.
- Align and focus data classification, lifecycle and access management practices.
- Use advanced/targeted tools; ROI on budgets.
Value delivered:
- Security measures match changing risks and threats.
- Training costs and learning efforts are reduced.
- Awareness weaknesses are identified and corrected.
- Security views are available showing layers and depth.
- Security factors are considered and factored in at data classification, lifecycle and access control design.
- Security spend and ROI are measured and managed.

Level 3 Intermediate
Action taken:
- Align information security with business security strategy and risk appetite.
- Standardize risk practices and threat profiling.
- Promote security awareness/understanding.
- Apply extensive architecture and security features.
- Develop general data classification, lifecycle and access management practices.
- Increase tool use and make budgets transparent.
Value delivered:
- Information security measures match those the business needs.
- Threat profiles are interpreted consistently.
- Security-aware staff expand the resources available to secure business assets.
- Improved consistency and efficiency.
- Security is applied to data and applications in accordance with business needs and priorities.
- Tools free staff for higher value activities; increased understanding of the value delivered from investments.

Level 2 Basic
Action taken:
- Develop basic risk management and threat profiling.
- Develop security policies and awareness/understanding.
- Start to implement basic architecture and security features.
- Start using local practices in data classification, lifecycle and access management.
- Start using tools and budget management.
Value delivered:
- Awareness and competence grow.
- Immediate improvements in behaviour.
- Concepts for a security foundation emerge.
- Local successes on sensitive data and information act as a starting point for communities of practice.
- Tools free people for higher value activities.

Level 1 Initial
Information Security Management (ISM) – Critical capability maturity profile levels

Level 5 Optimizing
- The information security strategy is regularly aligned to business/IT strategies and risk appetite across the extended enterprise.
- An effective multi-layered security architecture framework is used across the extended enterprise.
- A structured approach to measuring value for money is applied consistently to proposed security investments and post implementation.
- Intelligence is gathered and security threat profiles are defined and updated in collaboration with the extended enterprise.
- Access rights management is dynamic and can effectively address organization restructures, acquisitions and divestments.
- The extended enterprise works proactively to avoid security incidents occurring, and incidents are effectively managed.

Level 4 Advanced
- There is an established security culture with dedicated and tailored employee training and measurement of efficiency and effectiveness.
- IT component security measures are implemented enterprise-wide for detection and mitigation of threats and attacks, and are tested.
- Advanced managerial tools that monitor, alert and detect issues or non-compliances are specified to aggregate across the enterprise. Employee skill and competence levels are specified, and a standardized toolset and resource management approach is adopted.
- A standardized security risk assessment process is consistently used across the enterprise and aligned with an enterprise risk process.
- Access rights processes, including a movers process, are effectively implemented across the enterprise and audited.
- Enterprise-wide continuity planning is provided for each specific risk. IT regularly tests and confirms that business restoration can be achieved.

Level 3 Intermediate
- There is a growing security-aware culture. Detailed security requirements for procurement are defined and adhered to.
- IT and some business units have a shared vision for security; most security architecture features are common, and depth of defence and configuration management practices are evident.
- There is visibility of security budget requirements and allocations, with consistent training programmes and an agreed approach to toolsets.
- The security risk prioritization process is based on a repeatable evaluation of business impact, probability of occurrence, and time-horizon.
- Access rights, including joiners and leavers, are granted based on a formal authorization process.
- An agreed business and IT continuity plan, addressing backups, archival and system recovery, is implemented with some testing.

Level 2 Basic
- Information security policies and standards are developed by IT and reviewed after major incidents. There is some performance measurement.
- Physical security guidelines are emerging, and IT and facilities departments are active with restricted physical access to key locations.
- A small number of key information security roles are identified within IT, and individuals are allocated responsibility and accountability.
- Some basic intelligence gathering and security threat profiling takes place, but there is no consistent method.
- Data security classification guidelines are defined for key sensitive data items, and processes for managing the security of data throughout its lifecycle are emerging. Access rights management is basic and is dependent on vendor supplied solutions.
- There is basic management of security incidents in IT, and key incidents are recorded.

Level 1 Initial
- Information security strategy, policies and standards are defined ad hoc with little alignment to business strategies or risk appetite.
- IT component security is addressed ad hoc or locally and mainly reflects the security bundled by primary suppliers only.
- The purchase specification of security tools, products and resources tends to be ad hoc or local.
- There is no systematic monitoring of security risks. A risk register is not present or is incomplete.
Information Security Management Capability Building Blocks: Governance
- Information Security Strategy: Develops, communicates, and supports the organization’s IT security objectives so they fit the organization’s business model and risk appetite.
- Security Policies, Standards, and Controls: Establishes and maintains security policies and controls incorporating relevant security standards, regulatory and legislative security requirements, ensuring they fit the organization’s business model and security objectives.
- Security Roles, Responsibilities, and Accountabilities: Identifies and establishes information security roles, including allocation and enforcement of security responsibilities. Agrees and/or assigns responsibilities and accountability to allocated resources.
- Communication and Training: Disseminates security processes, policies and other relevant information. Provides training content in security practices and develops security knowledge and skills.
- Security Performance Reporting: Reports on the levels of compliance achieved, and the effectiveness and efficiency of the security activities.
- Supplier Security: Defines security requirements and expectations pertaining to the procurement and supply of hardware, software, services and data.
Information Security Management Capability Building Blocks: Technical Security and Security Resource Management

Technical Security
- Security Architecture: Establishes and applies criteria and practices in designing security solutions with the aim of achieving appropriate cost effective protection. Defines security layers to provide depth of defence and configuration management of security features.
- IT Component Security: Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices. Specifies and procures specific security tools/products and resources.
- Physical Environment Security: Establishes and maintains measures to control access into and protect the physical infrastructure from threats and environmental factors (e.g. extreme temperatures, flooding, fire).

Security Resource Management
- Security Budgeting: Provides security related budget criteria. This includes concepts such as new equipment must be purchased with specific security features, e.g. virus protection.
- Tools and Resources: Specifies and procures specific security tools/products and resources. Manages the tools, security solutions and the staff assigned for security purposes.
- Resource Effectiveness
Information Security Management Capability Building Blocks: Security Risk Management
- Security Threat Profiling: Gathers intelligence on threats and vulnerabilities from internal and external sources. Identifies and documents the security threat profiles by their potential impact on business objectives and activities.
- Security Risk Assessment: Runs assessments to identify, document and quantify/score security-related risks and their components. Assessments include the evaluation of exposure to risks, and measurement of their likely impact.
- Security Risk Prioritization: Prioritizes security risks and risk handling strategies, based on residual risks, acceptable risk levels and changes to the business/IT environment or operating environment such as outsourcing, mergers and acquisitions.
- Security Risk Handling: Implements risk handling strategies, where risks can be deferred, accepted, mitigated, transferred or eliminated, and risk ownership allocated. Interacts with Incident Management functions.
- Security Risk Monitoring: Tracks changes to the identified security risks, and validates the effectiveness of risk handling strategies/controls.
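The five Security Risk Management building blocks above describe a process rather than a tool. The following added example (written for this page, not IVI tooling) models a small risk register that scores inherent and residual risk, prioritizes by residual score and time horizon, checks that handling strategies and ownership are consistent with a stated risk appetite, and flags lapsed monitoring reviews. The 1-5 scales, the appetite threshold and the sample risks are all assumptions.

```python
"""Security risk register: assessment, prioritization, handling and monitoring.
Added example; scoring scales, appetite threshold and sample risks are assumed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HANDLING = {"defer", "accept", "mitigate", "transfer", "eliminate"}
ACCEPTABLE_RESIDUAL = 6.0  # assumed risk appetite on the 1-25 impact x probability scale


@dataclass
class Risk:
    risk_id: str
    threat: str                        # from threat profiling
    impact: int                        # 1 (negligible) .. 5 (severe) business impact
    probability: int                   # 1 (rare) .. 5 (almost certain)
    horizon_months: int                # how soon the risk could plausibly be realized
    control_effectiveness: float = 0.0 # 0..1 reduction delivered by existing controls
    handling: str = "defer"
    owner: str = ""
    next_review: Optional[date] = None # monitoring: when the risk is next re-assessed

    def inherent(self) -> int:
        return self.impact * self.probability

    def residual(self) -> float:
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


def prioritize(register):
    """Highest residual risk first; equal residuals ordered by nearest time horizon."""
    return sorted(register, key=lambda r: (-r.residual(), r.horizon_months))


def handling_findings(register, appetite=ACCEPTABLE_RESIDUAL):
    """Findings a risk owner review would raise against the register."""
    findings = []
    for r in register:
        if r.handling not in HANDLING:
            findings.append((r.risk_id, f"unknown handling strategy '{r.handling}'"))
        if not r.owner:
            findings.append((r.risk_id, "no risk owner allocated"))
        if r.residual() > appetite and r.handling in {"accept", "defer"}:
            findings.append((r.risk_id, f"residual {r.residual()} exceeds appetite "
                                        f"{appetite} but is handled as {r.handling}"))
        if r.handling == "eliminate" and r.residual() > 0:
            findings.append((r.risk_id, "eliminated risk still carries residual score"))
    return findings


def stale_reviews(register, today):
    """Monitoring check: risks whose scheduled review has lapsed or was never set."""
    return [r.risk_id for r in register if r.next_review is None or r.next_review < today]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Phishing leading to credential theft", 5, 4, 3, 0.5, "mitigate", "CISO", date(2014, 6, 1)),
    Risk("R2", "Supplier loses customer data", 4, 3, 6, 0.0, "accept", "", None),
    Risk("R3", "Flooding of data centre", 5, 1, 24, 0.8, "transfer", "Facilities", date(2014, 12, 1)),
    Risk("R4", "Leaver retains remote access", 3, 4, 1, 0.25, "mitigate", "IT Ops", date(2014, 3, 1)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(r.risk_id, r.inherent(), r.residual(), r.handling, r.owner or "(no owner)")
    print(handling_findings(SAMPLE_REGISTER))
    print(stale_reviews(SAMPLE_REGISTER, date(2014, 4, 1)))
```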
Information Security Management Capability Building Blocks: Security Data Management and Business Continuity Management

Security Data Management
- Data Identification and Classifications: Defines security classifications and provides guidance for associated protection levels and access control.
- Access Rights Management: Manages the lifecycle of user accounts and certificates, and the granting, denial and revocation of access rights. Matches access control procedures to data classifications.
- Life-cycle Management: Provides the security expertise and guidance to ensure that data throughout its lifecycle is appropriately available, adequately preserved and/or destroyed to meet business, regulatory and/or security requirements.

Business Continuity Management
- Business Continuity Planning: Provides expertise and guidance to ensure that business continuity planning is effective in ensuring data integrity, confidentiality and availability. This may include input on backup management, archiving management, and systems recovery policies and procedures.
- Incident Management: Establishes and implements procedures for handling incidents and near incidents. Evaluates the nature and impact of incidents.
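The Access Rights Management block above, together with the joiners/leavers and movers processes in the maturity profile, amounts to a periodic access review. The following added example (written for this page, not IVI tooling) runs such a review over a constructed HR feed and entitlement list: it flags leavers who still hold access, orphan accounts with no HR record, movers holding entitlements of their former department, and users whose clearance is below the classification of the data an entitlement grants. The record layouts and the classification ladder are assumptions.

```python
"""Access rights review: joiners/movers/leavers and data-classification checks.
Added example; record layouts and classification ranks are assumed."""

CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed sample data: an HR feed, the entitlements currently granted, and
# what each entitlement grants access to (owning department and classification).
HR_FEED = {
    "alice": {"status": "active", "dept": "finance", "clearance": "confidential"},
    "bob":   {"status": "active", "dept": "sales",   "clearance": "internal"},  # moved from finance
    "carol": {"status": "left",   "dept": "it",      "clearance": "internal"},
}
GRANTED = [
    ("alice", "fin-ledger-rw"),
    ("bob",   "fin-ledger-rw"),  # legacy entitlement retained after the move
    ("bob",   "crm-rw"),
    ("carol", "vpn"),
    ("dave",  "vpn"),            # no HR record at all
]
ENTITLEMENTS = {
    "fin-ledger-rw": {"dept": "finance", "classification": "confidential"},
    "crm-rw":        {"dept": "sales",   "classification": "internal"},
    "vpn":           {"dept": None,      "classification": "internal"},  # None = any department
}


def review_access(hr_feed, granted, entitlements):
    """Return (user, entitlement, finding) triples for a formal access review."""
    findings = []
    for user, ent in granted:
        spec = entitlements.get(ent)
        if spec is None:
            findings.append((user, ent, "entitlement not in catalogue"))
            continue
        person = hr_feed.get(user)
        if person is None:
            findings.append((user, ent, "orphan account: no HR record"))
            continue
        if person["status"] != "active":
            findings.append((user, ent, "leaver still holds access"))
            continue
        # Movers: the entitlement belongs to a department the person no longer works in.
        if spec["dept"] is not None and spec["dept"] != person["dept"]:
            findings.append((user, ent, f"mover: entitlement belongs to {spec['dept']}"))
        # Classification check: access control procedures must match data classification.
        if CLASSIFICATION_RANK[spec["classification"]] > CLASSIFICATION_RANK[person["clearance"]]:
            findings.append((user, ent, f"clearance below {spec['classification']} classification"))
    return findings


def revocation_list(findings):
    """Entitlements to revoke outright (leavers, orphans) rather than re-authorize."""
    return sorted({(u, e) for u, e, f in findings if f.startswith(("leaver", "orphan"))})


if __name__ == "__main__":
    found = review_access(HR_FEED, GRANTED, ENTITLEMENTS)
    for item in found:
        print(*item)
    print("revoke:", revocation_list(found))
```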