CobiT IV Status - John R. Robles and Associates
ISACA - Information Security Governance Guidance for Information Security Managers
John R. Robles
787-647-3961
[email protected]
[email protected]
www.johnrrobles.com
“This information is copyrighted by the IT Governance Institute and Information Systems
Audit and Control Association. Any commercial use is strictly forbidden. It may, however,
be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis.”
© ITGI, ISACA - not for commercial use.
ISACA Puerto Rico
Serving IT Audit, Security, and Controls Professionals
in Puerto Rico since 1984 (Celebrating our 25th
Anniversary in 2009)
More than 300 members
Provide Certification … CISA (139), CISM (13), CGEIT (6)
Provide Education and Conferences… Monthly
educational meetings and yearly Symposium
Standards…ITAF™: A Professional Practices
Framework for IT Assurance
Research…The IT Governance Institute (ITGI)
ISACA Puerto Rico
Publications… The Bookstore, ISACA Journal
Downloads…
Review Courses… for the CISA, CISM, CGEIT Exams
twice a year…
Join a Growing and Dynamic Professional
Association!!
www.isaca.org
www.isacapuertorico.com
[email protected]
Introduction
Information Security has become a matter for consideration at the
highest organizational level
‘It is no longer enough to communicate to the world of stakeholders
why we exist and what constitutes success, we must also
communicate how we are going to protect our existence’.
- Kiely, Laree; Terry Benzel; Systemic Security Management, Libertas Press,
USA, 2006
This publication discusses how to develop an information security
strategy within the organization's governance framework and how to
drive that strategy through an information security program.
Information Security
Governance Guidance
Firms operating at best-in-class (security) levels are
lowering financial losses to less than 1 percent of revenue,
whereas other organizations are experiencing loss rates
that exceed 5 percent.
- Aberdeen Group, ‘Best Practices in Security Governance’, USA,
2005
Information Security Program Requirements
Roles and Responsibilities
Executive Management
Steering Committee
Chief Information Security Officer
What the Board, Executive Management
and Security Management Should Do
Information Security
Metrics and Monitoring
Information Security Metrics
Governance Implementation Metrics
Strategic Alignment
Risk Assessment
Value Delivery
Resource Management
Performance Measurement
Assurance Process Integration (Convergence)
Establishing Information
Security Governance
An Information Security Strategy
Corporate strategy is the pattern of decisions in a company that determines and
reveals its objectives, purposes, or goals, produces the principal policies and
plans for achieving those goals, and defines the range of business the company
is to pursue, the kind of economic and human organization it is or intends to be,
and the nature of the economic and non-economic contribution it intends to
make to its shareholders, employees, customers and communities.
- Andrews, Kenneth; The Concept of Corporate Strategy, 2nd Edition, Dow-Jones
Irwin, USA, 1980
Information Security Objectives
The Goal
Classification and Valuation
Deferred Information Maintenance
Strategy
Defining Objectives
The Desired State
Risk Objectives
Number of Controls
Current State of Security
The Strategy
Elements of a Strategy
Policies
Standards
Processes
Controls
Technologies
People, Training, Etc.
Gap Analysis – Basis for an Action Plan
Annual or more frequently
Action Plan
Create/Modify
Policies
Standards
Action Plan Intermediate Goals
Action Plan Metrics
General Metrics Considerations
Summary – Take into consideration
What is important to information security
operations
Requirements of IT Management
Requirements of business process owners
Requirements of senior management
Establishing Information
Security Governance
An Example Using the ITGI and CobiT
Maturity Scale
Sample Policy Statement
Sample Standard
Additional Sample Policy Statements
Conclusions
Conclusion
“Although regulatory compliance has been a
major driver in improving information
security overall, recent studies have also
shown that nearly half of all companies are
failing to initiate meaningful compliance
efforts.”
Appendix A – Critical Success Factors
For Effective Information Security
Performance Measures
Determine whether Information Security
is succeeding
Determine whether Information Security
Governance is succeeding
Appendix B – Self Assessment and
Maturity Model
Self – Assessment for Information Security
Governance
Maturity Levels – Detailed Descriptions
Purpose - Determine your Information
Security Maturity Level
Appendix
Appendix C – A Generic Approach to
Information Security Initiative Scoping
Determine Task Steps
Determine Task Step Activities
Determine Task Step Deliverables
Appendix D – An Approach to Information
Security Metrics
“NIST Special Publication 800-55 provides an
approach to security metrics”
Appendix
Glossary
References
Other Publications