
Aart Bitter

Information Security Governance

Agenda

• Governance & Compliance

• Information Security Governance

• Approach for introducing and embedding information security governance in organisations

• Relationships between information security governance and service management


5 October 2006, Service Manager Dag 2006 (slide 3)

Governance & Compliance

[Diagram: the governance cycle. Objectives (Doelstellingen) and Responsibilities (Verantwoordelijkheden) sit at the centre; around them are the four activities Direct (Sturen), Control (Beheersen), Account (Verantwoorden) and Oversee (Toezicht houden). Governance and Compliance are the two overarching terms.]

Governance: derived from Latin origins that suggest the notion of 'steering'.

Compliance: in accordance with legislation, guidelines, or specifications.


Agenda

• Governance, Compliance

• Information Security Governance

• Approach for introducing and embedding information security governance in organisations

• Relationships between information security governance and service management


Information Security Governance

[Diagram: the governance cycle (Direct, Control, Oversee, Account, with Objectives and Responsibilities at the centre, under the headings Governance and Compliance) applied to information security as four steps: Information security policy, Implement, Risk management, Monitor.]

Agenda

• Governance, Compliance

• Information Security Governance

• Approach for introducing and embedding information security governance in organisations

• Relationships between information security governance and service management


Information Security Governance approach

[Diagram: the approach maps the Plan-Do-Check-Act cycle onto four phases and their deliverables: Alignment (policy; laws and regulations), Planning (risk management; standards; performance and risk indicators), Implementation (measures; processes; procedures) and Evaluation (scorecards; assessments; audits). The outer ring carries Governance and Compliance; the inner ring repeats the four steps Information security policy, Introduce, Risk management, Monitor.]


Security Governance processes

[Diagram: security governance processes at three levels. Strategic: business objectives and security strategy. Tactical: policies and risk management (identification, measure, manage). Operational: implementation and monitoring. The four phases Alignment, Planning, Implementation and Evaluation run across all three levels.]


Alignment: Security policy

• Objectives for information security

• Legal requirements and regulations

• Information security and risk analysis

• Risk management

• Security organisation

Planning: Risk management

• Which risks do you accept?

• Which measures will you take?

• How will you introduce the measures?

• How will you measure information security?

[Diagram: risk matrix with Likelihood (Kans) against Impact, each rated Low, Medium or High; the response options are Accept, Reduce, Avoid and Move (transfer).]

Implementation: Introduce

Knowledge in the organisation (visible): IT processes, job profiles, knowledge & skills, organisational structure, planning & control.

Culture in the organisation (invisible): behaviour, energy, politics, fear, personal preferences, motives, norms and values, drivers, attitude.


Evaluation: Monitor

[Chart: results of a security scan, showing a score from 0% to 100% for each of the ten categories (1 to 10) from the Code.]

[Diagram: risk matrix with Likelihood (Certain, Possible, Unlikely) against Impact (Low, Medium, High), with the ten categories plotted on it.]


Agenda

• Governance, Compliance

• Information Security Governance

• Approach for introducing and embedding information security governance in organisations

• Relationships between information security governance and service management

Service & Security Management

[Diagram: the ITIL Service Delivery processes (Service Level Management, Availability Management, Capacity Management, Business Continuity Management, Financial Management) alongside Security Management, at the strategic and tactical levels. The customer defines requirements based on business processes; the SLA, reporting, direction, audit and evaluation, maintenance, planning and implementation form the management cycle (ITIL Managers Set).]


NEW: ISO-20000 process model

Service Delivery Processes: Service Level Management, Service Reporting, Capacity Management, Service Continuity and Availability Management, Information Security Management, Budgeting and Accounting for IT Services

Control Processes: Configuration Management, Change Management

Release Processes: Release Management

Resolution Processes: Incident Management, Problem Management

Relationship Processes: Business Relationship Management, Supplier Management


Corporate control: COSO / ERM

Committee of Sponsoring Organizations of the Treadway Commission

[Diagram: the four steps Information security policy, Introduce, Risk management, Monitor set against the COSO / ERM framework.]

Service Management and Security

[Diagram: the ISMS Plan-Do-Check-Act cycle. Plan: Establish the ISMS (establish policies and processes). Do: Implement & Operate the ISMS (implement the defined and agreed processes). Act: Maintain & Improve the ISMS (continually improve the operation of the ISMS). The four steps Information security policy, Introduce, Risk management, Monitor are mapped onto this cycle.]


Control Framework

[Diagram: layered control framework. Top layer: Part 1, ISMS Specification; Part 2, Code of Practice. Below it: processes (ITIL, MOF, …); procedures and work instructions; technical standards & guidelines.]


Certifications

[Diagram: three frameworks side by side.]

ISO-27001: the ISMS cycle (Establish the ISMS; Implement and Operate the ISMS; Monitor and Review the ISMS; Maintain and Improve the ISMS), Risk Assessment and Treatment, and the control areas Security Policy, Security Organization, Asset Management, HRM Security, Physical Security, Operations, Access Control, IS Development, Security Incident Management, Business Continuity, Compliance.

ISO-20000: Service Delivery Processes (Service Level Management, Service Reporting, Capacity Management, Service Continuity and Availability Management, Information Security Management, Budgeting and Accounting for IT Services), Control Processes (Configuration Management, Change Management), Release Processes (Release Management), Resolution Processes (Incident Management, Problem Management), Relationship Processes (Business Relationship Management, Supplier Management).

COSO: Control Environment, Risk Assessment, Information and Communication, Monitoring.

SoX: CobIT, ITGC, COSO, SAS70.


& Service Management

• Sign-offs and audits

• Delivering and retaining evidence

• Continuous assessments

• Internal process improvements

• Design, existence and… operating effectiveness

• Demonstrable, process- & risk based

Information Security Governance & the Service Manager (1)

• Complying with internal control and risk management requirements

• Change, authorisation and identity management procedures; logging & monitoring; the obligation to provide evidence and the retention obligation

• Measures, review/monitor, evidence, …


Information Security Governance & the Service Manager (2)

• SLAs and contracts must include (mutual) rights and obligations in the areas of:

• Information security

• Laws and regulations

• Reporting and audits


Conclusion

Compliance and governance requirements can have far-reaching consequences for the ICT organisation, its processes and infrastructure, and therefore for the Service Manager.


Thank you.

Aart.Bitter@information-security-governance.com

www.itgi.org
www.isaca.org
www.bsa.org
www.bsi-global.com
www.coso.org
www.corpgov.nl
www.information-security-governance.com
