Security Governance: What, Why, How?
Presented by
Jason A Witty, CISSP
What is Security?
- A firewall?
- A group of paranoid IT staff?
- An intrusion prevention mechanism?
- A process to keep your data safe?
- A deterrent?
- An enabler?
- A road block?
Security is Many Things
[Diagram. Source: IBM Global Services]
Security Must be Holistic
[Diagram. Source: IBM Global Services]
Security: The Big Picture
[Diagram. Source: IBM Global Services]
Why Do We Need A Holistic Approach?
Your entire staff must protect against thousands of security problems...
Attackers only need one thing to be missed.
But with appropriate planning and execution, a comprehensive information security program will protect your corporate assets.
So What is Security Governance?
The Information Systems Audit and Control Association & Foundation (ISACA)'s definition:
"Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations."
From http://www.isaca.org/cismcont1.htm
Governance: Appropriate Levels of Security
ISO 17799 (Best Practices)
[Diagram: a radar chart with one axis per ISO 17799 control domain, each scored on a 1 to 10 scale, asking "How much is enough?" for each domain. The ten domains shown:]
1) Security Policy
2) Security Organization
3) Classification & Control of Assets
4) Personnel Security
5) Environmental & Physical Security
6) Computer & Network Management
7) System Access Controls
8) System Development & Maintenance
9) Business Continuity Planning
10) Compliance
How much is enough?
Source: Forsythe Solutions, used with permission
Goals of Security Governance
- Link business strategy to security strategy
- Ensure senior management understands information risk and supports the information security program
- Ensure all employees understand their information security responsibilities
- Ensure proper business representation during security policy review processes
Governance Goals - 2
- Decrease litigation risks by ensuring corporate policies take the legal and regulatory environment into account
- Create procedures and guidelines that operationalize information security policies
- Develop the information security value proposition and measure program effectiveness
Some Regulations to Consider
- US: HIPAA
- US: Gramm-Leach-Bliley Act (GLBA)
- US: California SB 1386 – mandates public disclosure of computer-security breaches in which confidential information may have been compromised. Takes effect July 1, 2003.
- UK: Data Protection Act 1998
- EU: Data Protection Directive 95/46/EC
- NL: Personal Data Protection Act
http://www.privacyinternational.org/countries/index.html
Privacy Due Care Requirement
- The Federal Trade Commission required that Eli Lilly and Company redress a privacy violation from June 2001.
– An e-mail with the names of all 669 subscribers listed in the TO: field went to users of the www.prozac.com medication reminder service.
– It was an unintentional leakage of personal information.
– This was a violation of Lilly's privacy policy.
– Lilly failed to maintain and protect the privacy of sensitive information.
FTC Consent Decree
- Lilly is required to implement a security and privacy program that does the following:
– Designate personnel to coordinate and oversee the program.
– Identify reasonably foreseeable internal and external security risks.
– Conduct an annual review to monitor effectiveness and compliance with the program.
– Adjust the program to address changes in the business and any recommendations.
www.ftc.gov/opa/2002/01/elililly.htm
How to Implement Security Governance
- Have a dedicated security organization with the right charter from executive management
- Build strong relationships with business stakeholders
– Gain trust and buy-in
- Establish review and approval processes
- Establish governance team(s) - committees
– Schedule regular meetings
– Report issues and exceptions to senior management
- Integrate security awareness training & education into employee job responsibilities
Stakeholders in Security Governance
- Legal
- Audit
- Physical Security
- IT Operations
- HR
- PR
- Privacy Team
- Info-Security Team
Things to Watch Out For
1) Not having a written policy
2) If you have a written policy...
– Can it be enforced?
– Does management buy in to implementing the policy? Does funding exist?
– Does the technology exist? Is it mature?
– Do the proper skill-sets exist?
– How are users educated and updated?
– How are exceptions and violations handled?
3) Politics
4) Not being aware of your regulatory obligations
5) Trying to do everything at once
When Governance is Implemented Correctly
- A cross-functional executive committee reviews and approves corporate security policies
- Employees are regularly trained, and understand all security policies and responsibilities
- Metrics are captured to regularly measure and report program effectiveness
– Incidents are tracked
– Regular vulnerability assessments are conducted
– All exceptions are rated by risk level and regularly reviewed & corrected in a timely fashion
When Governance is Implemented Correctly - 2
- Repeatable processes ensure security is inserted very early in project and systems lifecycles
- Security is built into corporate culture and is viewed as a competitive advantage
- Executive buy-in is obvious – videos, regular emails, posters, etc.
Questions?