Information Security Governance: What
Is It And How Can We Accomplish It ?
Todd Fitzgerald, CISM, CISA, CISSP, ITILV3
ISO27000 Certified
National Government Services
Medicare Systems Security Officer
ISACA Kettle-Moraine Chapter Meeting
December 4, 2008 Milwaukee, WI
A Little ‘Presentation Governance’ …
The opinions expressed are solely the opinions of Todd Fitzgerald and do not necessarily represent the opinions of his employer. You may or may not want to adopt these concepts in your organization. Use a risk-based approach before attempting this at home.
Today’s Objectives… To Discuss
• Security Governance Definition
• Why We Need Security Governance
• 13 Questions
• Leadership Core Competencies
• Vehicles For Communication
• Security Control Structures
• Achieving Security Compliance
• Effectively Working With Internal/External Auditors
Security Governance Defined
“Information Security governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security programme.”
- IT Governance Institute
And Wikipedia Says…
• Governance relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.
• In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.
Governance Derived From Latin Origins To Denote “Steering”
• Steering Vs “Power Over”
• Defines expectations
• Grants power
• Verifies performance
• Avoids undesirable consequences
• Coordinates and controls activity
• Provides processes to control an activity
Risks Are Increasing
• Cybercrime
• Malware
• Identity theft
• Lost laptops
• Targeted financial gain
• Personal information sharing
• Slowing of security investment
• Dissipation of security message
• Competitive pressures
News Items Continue To Gain Attention of Board of Directors
• Bank of America: 1.3 million consumers exposed – Lost back-up tape
• DSW retail: 1.2 million consumers exposed – Hacking
• Card Services: 40 million consumers exposed – Hacking
• TJX Stores: 45 million consumers exposed – Internal theft
• UCLA: 800,000 consumers exposed – Human error
• Fidelity: 196,000 consumers exposed – Stolen laptop
A Who’s Who of Fortune 500 Companies… And The List Is Growing
• California Department of Health
• California Department of Mental Health
• St. Joseph's Hospital
Leading Organizations Adhere To This Model
A continuous cycle, with Central Management at the centre:
Assess Risk & Determine Needs → Implement Policies & Controls → Promote Awareness → Monitor & Evaluate → (back to Assess Risk & Determine Needs)
Source: “Learning from Leading Organizations”, GAO/AIMD-98-68 Information Security Management
Information Security Strategy Must Align With Business Objectives
• Top-down process
• Linkages to business process and strategy
• Information in oral, paper, and electronic forms
• Transcends physical boundaries
• Establish acceptable practices, policies, and procedures
An Information Security Program With Governance Provides Increased Assurance
• Risk management
• Resource management of critical skills and infrastructure
• Performance measurement
• Providing value-add in delivery of services and products
• Specific organizational accountability for security
Can Organizations Survive Without …?
• People
• Buildings
• Computers
• Equipment
Few Organizations Can Survive Without
• Customer information
• Knowledge of processes
• Accounting and financial reporting information
However, Information Security Importance Varies Amongst Senior Executives
• Board of Directors: 31% Very Important, 26% Important, 26% Somewhat Important
• CEO: 27% Very Important, 38% Important, 27% Somewhat Important
• Senior Execs: 19% Very Important, 38% Important, 32% Somewhat Important
• Middle Management: 8% Very Important
• End Users: 40% Somewhat Important
Source: Fitzgerald/Krause CISO Survey (CISO Leadership: Essential Principles For Success, Auerbach, 2008)
Fear Uncertainty Doubt Gets Investment $$$
EVENT + REACTION/CONFUSION = INVESTMENT
However, The Next Time The Event Happens
EVENT + REACTION = (nothing)
Without Security Governance, Message Dissipates Over Time
The Governance Answer…

Security Needs Involvement From The
Board of Directors/Executive
Management
• Strategic Oversight
• Review alignment with
organization strategy
• Determine Risk profile for
organization
• Endorse security program
• Require regular reporting on
effectiveness
• Review investment return
• Potential new technologies to
add value, reduce costs
“Techie” Core Competencies
• Analytical Problem Solving
• Tool Expertise
• Best Practices
• Industry Standards
• Technical Knowledge
• Team Work
• Emerging Technologies
• Crisis Mgmt
Shift To Leadership Competencies
CISO: Technical Competency & Leadership/Managerial Competency
• Interpersonal Awareness
• Self-control
• Perseverance
• Adaptability
• Results-Oriented
• Flexibility
• Initiative
• Efficiency Orientation
• Self-Development
• Critical Information Seeking
• Thoroughness
Security Officer Core Competencies
• Vision
• Financial/Budgetary
• Leadership
• Interpersonal Effectiveness
• Influencing Skills
• Customer Focus
• Team Work
• Conceptual & Strategic Thinking
• Written/Oral Communication
(The Detail)
• Oral: 74%
• Written: 74%
• Influence: 69%
• Teamwork: 68%
• Self Confidence: 65%
Source: Fitzgerald/Krause CISO Leadership Survey
Now The C-Level People Understand The Security Guy Behind The Mask and The Security Team’s Role, But…
Multiple Groups Must Understand Security At The Appropriate Level
Board of Directors, Senior Management, Management, End Users
• Competitive disadvantage
• Fraud
• Loss due to disclosure, destruction of information
• Reputation/public confidence
• Bad decisions
• Business disruption
• Legal liability
• Safety risks
• Loss of productivity
• Low morale
• Corporate espionage, loss of contracts
Focus Different, Goals Ultimately The
Same
Management’s Objective
• Increase shareholder value (stock
price)
• Increase revenue
• Reduce administrative costs
• Increase market share
• Increase worker productivity
• Provide innovative products
• Provide quality products and
customer service
• Attract and retain talented
workforce
• Accept reasonable business risk
Security Officer’s Objective
• Protect information from loss,
destruction, unavailability
• Reduce risk of threats to
acceptable level
• Implement effective controls
• Provide efficient service
• Enable secure development of
new products
• Provide assurance through
continuous control practices
Ensure Communication Plan Delivers Targeted Security Message
Vehicles:
• Board of Director Meetings
• Manager Meetings
• One-On-One Sessions
• IT/Business Steering Committees
• Management Newsletters / emails
Messages:
• Strategic Initiatives
• Policy Approval
• Interim Updates
• Issue Reinforcement
• Tactical Plans
• New Policies
• Scheduled Activities
• Security Posture
• Competitor Comparison
• Departmental Issues
• Testing Reality
Security Governance Depends Upon Clear Management Directives And Expected Outcomes
Columns: Strategic Alignment | Risk Management | Value Delivery | Performance Measurement | Resource Management | Integration
• Board of Directors (sets direction)
– Strategic Alignment: Set direction
– Risk Management: Risk management policy, regulatory compliance
– Value Delivery: Set direction on cost and information value
– Performance Measurement: Set direction on reporting of security effectiveness
– Resource Management: Set direction on knowledge management
– Integration: Set direction on assuring process integration
• Senior Executives (enable security and provide oversight)
– Strategic Alignment: Institute security integration processes
– Risk Management: Ensure risk management in all activities
– Value Delivery: Business cases, value protection
– Performance Measurement: Require monitoring and metrics for reporting
– Resource Management: Enable processes for knowledge capture
– Integration: Oversight of management process functions
• Steering Committee (reviews security initiatives)
– Strategic Alignment: Review and assist integration efforts
– Risk Management: Identify risks and compliance issues; promote
– Value Delivery: Review adequacy of security initiatives
– Performance Measurement: Review extent to which security meets business objectives
– Resource Management: Review processes for knowledge capture
– Integration: Identify critical business processes, direct integration
• Chief Information Security Officer (develops the security program)
– Strategic Alignment: Develop strategy, oversee, liaise with business
– Risk Management: BIA, risk strategies, enforce policies
– Value Delivery: Monitor security resources
– Performance Measurement: Develop monitoring and metrics reporting
– Resource Management: Develop methods, metrics, efficiency
– Integration: Identify gaps and overlaps, liaise with other functions
Source: Adapted from Information Security Governance Guidance, ITGI
Multiple “Best Practice” Standards
Have Been Created To Provide
Guidance For Our “Security Cultures”
• Control Objectives for Information and related
Technology (COBIT 4.1)
• ISO27001/2 Information Security Management
System (ISMS)
• Payment Card Industry Data Security Standard (PCI DSS)
• Gramm-Leach-Bliley Act (GLBA)
• European Union Privacy Directives
• Recommended Security Controls For Federal Information Systems (NIST 800-53)
• Federal Information System Controls Audit
Manual (FISCAM)
• DISA Security Technical Implementation Guides
(STIGs)
• HIPAA Final Security Rule
Each Control Framework/Set of
Standards Has Their Governance
Purpose
COBIT
ISO27001/27002
NIST 800-53
PCI Data Standard
HIPAA
DISA STIGS
FISMA
NIST 800-53 Recommended Controls For Federal Information Systems Is Very Useful For All Environments
• Access Control (AC)
• Awareness & Training (AT)
• Audit & Accountability (AU)
• Certification, Accreditation & Security Assessments (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification & Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical & Environmental Protection (PE)
• Planning (PL)
• Personnel Security (PS)
• Risk Assessment (RA)
• System & Services Acquisition (SA)
• System & Communications Protection (SC)
• System & Information Integrity (SI)
Attaining Compliance With These Regulations Is A Life Changing Event!
[Chart: penalties for non-compliance, “UP TO…” per regulation]
Source: SecurityCompliance.com statistics (CSI Journal, Volume XXII, No 3, Summer 2006)
Achieving Security Compliance Assurance Requires Specific Due Diligence
11-Factor Security Compliance Assurance Manifesto
1. Designate individual responsible for compliance assurance oversight
2. Establish security management governing body
3. Select control frameworks and controls
4. Conduct awareness and training
5. Research and apply technical controls
6. Verify compliance
7. Implement formal remediation process
8. Dedicate staff, automate compliance tasks
9. Report on compliance metrics
10. Enforce penalties for noncompliance to policy
11. Collaborate and network externally
Source: Compliance Assurance: Taming The Beast, Information Security Handbook, 2008
Security Audits Necessary To Ensure Controls Are Functioning
The same cycle, with Central Management at the centre and an Audit checkpoint at each stage:
Assess Risk & Determine Needs (Audit) → Implement Policies & Controls (Audit) → Promote Awareness (Audit) → Monitor & Evaluate (Audit) → (back to Assess Risk & Determine Needs)
Source: “Learning from Leading Organizations”, GAO/AIMD-98-68 Information Security Management
Controls Must Be Tested To Provide
Adequate Assurance of Compliance To
Policies
• Quarterly vulnerability
assessments
• Annual penetration tests
• External/Internal Audits
• Random spot-checks
• Informal testing with
security awareness
training
• Security configuration
reviews
• SDLC walkthroughs
Let’s Agree On This Before We ‘Dump’ On The Auditors
• Auditors and Security Officers exist to ensure the business has:
– Documented policies
– Documented procedures/processes
– Documented evidence of implementing these controls
– Evidence of ongoing operations
– Periodically tested the controls
What Do Security Officers LIKE
about Auditors ?
• Internal Audit areas usually
have organizational clout
• Controls-oriented
• Can identify previously
unknown issues
• Provide ammunition/urgency
for fixing issues quickly
• Provide knowledge of best
practices and standards
• Internal Auditors find issues
prior to external audits
Adopting A “Reasonable” Approach To Auditing For Security Governance
Security Officer
• Recognition that auditing is an ongoing business process
• Maintain current infrastructure documentation
• Advance preparation of compensating controls by critical asset
• Understand audit procedures and control frameworks
Auditor
• Take “mystery” out of process
• Advance communication of document expectations
• Give credit to defense-in-depth analysis
• Record “observations for improvement” vs. findings
Final Thoughts
• Security Governance requires Top-Down Responsibility Sharing
• Ask the question: why am I involving this group? What is needed from them?
• Governance provides visibility to the effectiveness of the security program, and is the pathway to future security investments
Further Reading
NEW!!
• “CISO Leadership: Essential Principles For Success”, 2008 book by Todd Fitzgerald and Micki Krause, ISC2 Press/Auerbach Publications. Available on Amazon.com and the ISC2 website.
• “Security Governance: Taming the Compliance Beast”, T. Fitzgerald, 2008 Information Security Handbook (Tipton, Krause)
• “13 Questions the CISO, CEO, and CIO Should Ask Each Other”, T. Fitzgerald, ISC2 Journal, September/October 2007
• “Security Governance”, 2007 Information Security Handbook, T. Fitzgerald (Tipton, Krause)
• NIST 800 series special publications (www.csrc.nist.gov/publications)
• IT Governance Institute, Information Security Governance: Guidance For Boards of Directors and Executive Management, 2nd Edition, www.itgi.org
THANK YOU !!
Todd Fitzgerald, CISSP, CISA, CISM
ISO27000 & ITIL V3 Certified
Medicare Systems Security Officer
6775 W. Washington St
Milwaukee, WI USA 53214
[email protected]
[email protected]