- Plan (ITIL -> Plan)
- Build (ITIL -> Do)
- Run (ITIL -> Check)
- Monitor (ITIL -> Act)
Information Security Manager's Responsibility
- Define and manage information security program
- Provide education and guidance to executive team
- Present options and information to decision making
- Act as an adviser
Governance depends on business strategy
Technology depends on policy
Objective of Information Security Governance
- Strategic alignment:
o Aligned with business strategy to support objectives
- Risk management:
o Mitigate risk and reduce impacts to acceptable levels
- Value delivery:
o Optimizing security investments in support of objectives
- Resource optimization:
o Security knowledge/infrastructure used efficiently/effectively
- Performance measurement:
o Monitoring and reporting to ensure objectives achieved
- Integration:
o Integrate relevant assurance factors to ensure that processes operate as intended from end to end
Business Goals and Objectives
Goals include:
- Providing strategic direction
- Ensuring that objectives are achieved
- Ascertaining that risk is managed appropriately
- Verifying that the enterprise's resources are used responsibly
Scope and Charter of IS Governance
- Information security deals with all aspects of information
- IT security is concerned with security of information within the boundaries of the technology domain.
Role and Responsibilities of Senior Management
- Board of directors/senior management:
o Information security governance
- Executive management:
o Implementing effective security governance and defining the strategic security objectives
- Steering committee:
o Ensuring that all stakeholders impacted by security considerations are involved
- Chief information security officer (CISO):
o Responsibilities currently range from the CISO who reports to the CEO to system administrators who have part-time responsibility for security management.
Information Security Role and Responsibilities
Information Security Manager (ISM): (exam)
- Develops security strategy with input from key business units and approval of strategy by senior leadership.
- Educates management
Information Security Requires:
- Leadership and ongoing support from senior management.
- Integration with and cooperation from organizational business unit management.
- Establishing reporting and communication channels.
Governance and Third-party Relationships
Rules in processes for:
- Service providers
- Outsourced operations
- Trading partners
- Merged or acquired organization
Effective Security Metrics
- It is difficult or impossible to manage any activity that cannot be measured.
- Standard security metrics may include:
o Downtime due to viruses
o Percentage of servers patched
o Number of penetrations of systems
Governance Implementation Metrics
Key goal indicators (KGIs) and key performance indicators (KPIs) can:
- Be useful in providing information about achievement of process or service goals
- Help determine whether milestones are being met
* KGIs tend to reflect more strategic goals, e.g., the strategic goals of information security governance, whereas KPIs tend to reflect more tactical goals, such as reducing the number of break-ins into systems.
Information Security Strategy Overview
People -> Process -> Output
- Senior Management -> Business Strategy -> Business Objectives
- Steering Committee and Executive Management -> Risk Management/Information Security Strategy -> Security Attributes
- CISO/Steering Committee -> Security Action Plan, Policies, Standards -> Security Programs
Information Security Strategy Objectives
The six major goals of governance are:
- Strategic alignment --> follows the strategic plan
- Effective risk management --> managing impacts
- Value delivery --> delivering value
- Resource management --> managing resources
- Performance management --> managing quality
- Process assurance integration --> processes that increase assurance
The Desired State
- The desired state should include a snapshot of all relevant conditions at a particular point in the future: (exam)
o Should include principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services infrastructure and applications; and people, skills and competencies.
- A "desired state of security" must be defined qualitatively in terms of attributes, characteristics and outcomes:
o Strategy development will have limits on the types of enforcement methods to consider.
The desired state according to COBIT:
- "Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity"
- Focus on IT-related processes from IT governance, management and control perspectives.
COBIT 5 is based on five key principles for governance and management of enterprise IT:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
The desired state of security may also be defined as levels in the Capability Maturity Model (CMM): (exam)
0. Nonexistent --> nothing is done
1. Ad hoc --> done without a formal process
2. Repeatable but intuitive --> produces results
3. Defined process --> a process exists
4. Managed and measurable --> can be measured
5. Optimized --> more than one option is available
Balanced Scorecard (exam)
The Balanced Scorecard is a strategic planning and management system that is used extensively in business and industry, government, and nonprofit organizations worldwide to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor the organization. Its four perspectives are:
- Financial
- Customer
- Internal Business Processes
- Learning and Growth
ISO/IEC 27001:2013 - the 14 major areas are:
A.5: Information security policies
A.6: Organization of information security
A.7: Human resource security (controls that are applied before, during, or after employment)
A.8: Asset management
A.9: Access control
A.10: Cryptography
A.11: Physical and environmental security
A.12: Operations security
A.13: Communications security
A.14: System acquisition, development and maintenance
A.15: Supplier relationships
A.16: Information security incident management
A.17: Information security aspects of business continuity
A.18: Compliance
Risk
Current Risk
- The current state of risk must also be assessed through a comprehensive risk assessment
- After risk assessment, a business impact analysis/assessment (BIA) must be performed
o Shows the impact of adverse events (e.g. outages) over different periods of time
o Provides some of the information needed to develop an effective strategy
o The ultimate objective of security is to provide business process assurance, including minimizing the impact of adverse events.
o The difference between acceptable levels of impact and the current level of potential impact must be addressed by the strategy (exam)
Information Security Strategy Development
- Must move from the current state to the desired state (exam)
- Basis for creating a road map
- A set of information security objectives coupled with available processes, methods, tools and techniques creates the means to construct a security strategy.
Strategy Resource
The information security manager must be aware of:
- Resources that are available
- Cultural or other reasons (e.g., management reluctance to change or modify policies) that certain options are precluded
Strategy Constraints
- Numerous constraints that set boundaries for options available to the ISM exist.
- They need to be thoroughly defined and understood before initiating strategy development.
Action Plan to Implement Strategy
- Implementing an information security strategy requires one or more projects or initiatives.
- Analysis of the gap between the current state and the desired state for each defined metric identifies the requirements and priorities for an overall plan or road map to achieve the objectives and close the gaps.
Implementing Security Governance Example
Implementing security governance utilizing the Capability Maturity Model:
- To define objectives (KGIs)
- To determine a strategy
- As a metric for progress
- CMM level 4 is a typical organizational desired state (exam)
==============================================================
Practice Question 1-1
A security strategy is important for an organization PRIMARILY because it provides:
a. basis for determining the best logical security architecture for the organization.
b. management intent and direction for security activities.
c. provides users guidance on how to operate securely in everyday tasks.
d. helps IT auditors ensure compliance.
Practice Question 1-2
Which of the following is the MOST important reason to provide effective communication about information security?
a. It makes information security more palatable to resistant employees.
b. It mitigates the weakest link in the information security landscape.
c. It informs business units about the information security strategy.
d. It helps the organization conform to regulatory information security requirements.
Practice Question 1-3
Which of the following approaches BEST helps the information security manager achieve compliance with various regulatory requirements?
a. Rely on corporate counsel to advise which regulations are the most relevant.
b. Stay current with all relevant regulations and request legal interpretation.
c. Involve all impacted departments and treat regulations as just another risk.
d. Ignore many of the regulations that have no penalties.
Practice Question 1-4
The MOST important consideration in developing security policies is that:
a. they are based on a threat profile.
b. they are complete and no detail is left out.
c. management signs off on them.
d. all employees read and understand them.
Practice Question 1-5
The PRIMARY objective in creating good procedures is:
a. to make sure that they work as intended.
b. that they are unambiguous and meet the standards.
c. that they be written in plain language and widely distributed.
d. that compliance can be monitored.
Practice Question 1-6
Which of the following MOST helps ensure that assignment of roles and responsibilities is effective?
a. Senior management is in support of the assignments.
b. The assignments are consistent with existing proficiencies (of each individual).
c. The assignments are mapped to required skill.
d. The assignments are given on a voluntary basis.
Practice Question 1-7
What is the PRIMARY benefit organizations derive from effective information security governance?
a. Maintaining appropriate regulatory compliance
b. Ensuring disruptions are within acceptable levels
c. Prioritizing allocation of remedial resources
d. Maximizing return on security investments
Practice Question 1-8
From an information security manager's perspective, the MOST important factors regarding data retention are:
a. business and regulatory requirements.
b. document integrity and destruction.
c. media availability and storage.
d. data confidentiality and encryption.
Practice Question 1-9
Which role is in the BEST position to review and confirm appropriateness of a user access list?
a. Data owner
b. Information security manager
c. Domain administrator
d. Business manager
Practice Question 1-10
In implementing information security governance, the information security manager is PRIMARILY responsible for:
a. developing the security strategy.
b. reviewing the security strategy.
c. communicating the security strategy.
d. approving the security strategy.