Transcript Document
Information Security Governance
25th June 2007 - MFSA
Gordon Micallef, Vice President – ISACA MALTA CHAPTER

Agenda
• Why is better IS Governance needed?
• What drives IS Governance?
• How can better IS Governance be achieved?

Defining Information Security
• Information security covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers, authorities and third parties.

Why IS Governance?

"Security Governance does not apply to us!"
• Information security is handled by IT and it is their responsibility;
• And since I do not know much about IT, I will avoid going into details; they know what they have to do in their own weird, technological world;
• IT management knows better than the rest of the business, including Executive Management, what to secure, how, and when;
• We are secure and we do not need to confirm that;
• A security breach? It cannot happen to me;
• We're small, we don't need that;
• Yes, we have a security policy!

But ...
• There is no need to discuss whether an organisation is dependent on the information it holds: it is;
• Managing information risks is a key part of corporate governance;
• Information risk management and information security rarely reach the agenda of the Board of Directors and Executive Management;
• Information security is seen as an IT problem, and an IT cost, rather than as a strategic enabler for Executive Management;
• The Board of Directors and Executive Management do not know what they can do to ensure that they meet corporate governance requirements for information risk management;
• Information security does not apply only to IT.
Common scenarios of weak security governance
• Isolated attempts to mitigate individual risks while the security landscape is continuously evolving;
• Information security seen as just another component of IT rather than as supporting the achievement of business objectives;
• A reactive approach to managing information security: "Fix it when it breaks";
• A reactive approach to new regulations, addressing the individual requirements of each regulation separately.

Security Governance in the Local Context
• Governance does not apply only to larger organisations;
• Small size does not do away with complexity, regulation, dependency on information, and reputation. These factors need to be considered irrespective of size;
• It does not require significant investment, but security risks might make you lose whatever investment you have made;
• The good news is that, in a smaller organisation, what needs to be done might require less effort and may be more easily achievable;
• Enforcement in highly regulated industries is still in its initial phases.

What IS Governance?

What drives better information security governance?
The four pillars are:
• Senior Management Commitment,
• Security Vision and Strategy,
• Information Security Management Structure,
• and Training and Awareness.
This is not an IT implementation exercise.

How to Proactively Manage Information Security Risk
1. Develop a security framework for capturing and reporting at different levels of granularity;
2. Understand the current state (gap analysis) in the context of industry and regulations;
3. Capture the security vision and align it directly with business objectives;
4. Translate the vision into strategy and action;
5. Determine a practical approach to communicating the vision and strategy.
1. Use an organising framework
An effective framework should:
• Integrate people, processes and technologies;
• Rather than being a mere technology fix, ensure that IT security implementations are aligned with business objectives;
• Model the interdependencies between areas of security (such as manual vs electronic, physical vs logical);
• Provide a structural hierarchy for communication to various audiences;
• Support monitoring, benchmarking and comparison at various levels;
• Integrate leading practices and widely known industry standards.

Measuring the performance of security management
• Measuring, monitoring and reporting information security governance metrics is essential to ensure that organisational objectives are achieved;
• Measurement of performance assists management in allocating resources correctly;
• Effective information security governance cannot be established overnight; it requires continuous improvement supported by adequate measurement;
• Various tools and methodologies for performance measurement are readily available;
• Measurement has to take place at various levels of the organisational structure.

2. Assess the Current Environment
Carry out a gap analysis to answer:
• Is there a clear structure for reporting and decision-making within security?
• Are the security initiatives aligned with my business objectives?
• Are the security policies and standards derived from the proper sources?
• Does the security organisation provide sufficient architectural guidance?
• Are security and privacy an integrated part of IT processes?
• Does the security infrastructure effectively and efficiently meet the objectives?
• Do the operational aspects of security meet the needs of the business?
3. Develop a Security Vision Aligned with the Business
• Based on the results of the gap analysis, assess the maturity of your current enterprise security capabilities;
• Evaluate areas for improvement and possible high-risk gaps;
• Identify precisely where the organisation should be committing its scarce resources;
• Develop an information security strategy document;
• Develop comprehensive policies that support this strategy.

4. Strategise and Act
• Translate the vision into an actionable, repeatable and reportable strategy that identifies the business case supporting project creation, project prioritisation, risk assessment and investment optimisation;
• Alongside the security policies, develop a comprehensive security programme with an actionable, realistic roadmap to achieve the vision;
• Build change into the strategy: a rigid and inflexible methodology provides a poor foundation for success.

5. Effectively Communicate the Vision
• Different levels of audience must be recognised;
• Crafting the appropriate message for the target audience is critical to success;
• The size of Malta makes it easier to communicate;
• Communication efforts should not be a one-off; they have to be ongoing to be effective;
• Information security awareness programmes can take many different forms. Whatever the delivery, the message must be clear: management cares about security, and the employee should as well.
What should better IS Governance deliver?
• A structure to measure the performance of information security management;
• Execution of appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level;
• Prioritised and adequate resource allocation;
• Alignment of security objectives with business objectives.

Common tools for better governance
Various tools are available for the different stages of a Security Governance project, such as:
• Guidelines provided by ITGI;
• Established frameworks such as COBIT;
• Best practices such as:
  • ISO 17799 / ISO 27002
  • COBIT Security Baseline
  • Information Security Forum (ISF) Standard of Good Practice for Information Security
  • ITIL

Thank You
[email protected]