Enterprise Information Security Framework

Enterprise Information Security Framework April 4, 2006 Enterprise Risk

Transcript of Enterprise Information Security Framework

* Enterprise Security Framework POV - 2005 © Deloitte & Touche LLP and affiliated entities.
Agenda
Overview of enterprise information security
Creating an enterprise information security program in support of risk, legal and regulatory obligations
Information security control frameworks
Establishing an ISMS
Benefits and Roadmap
What are the challenges facing many organizations and what can we do to help them?
We need to be able to provide a well organized and integrated framework that addresses all parts of information security in an organization and integrates well with its management processes and its audit and compliance requirements.
Security challenges faced by organizations
Organizations are constantly challenged with information security issues and ever increasing threat profiles. Faced with these challenges, organizations continue to ask themselves:
Are our Information security initiatives aligned with our business needs?
Are our customers’ and trading partners’ information security initiatives and requirements compliant and compatible with ours?
Are our information security practices providing adequate assurance to meet regulation or compliance requirements?
Are we perceived as a responsive organization meeting the needs of our stakeholders, our customers, and trading partners?
Do our information security controls align with industry-related and internationally accepted guidelines?
Are we aware of our security risks and are they being effectively managed?
Are we measuring the effectiveness of our information security investments?
Bottom line: are we secure?
Most organizations evolved from a threat and controls base that has little direct connection to the business.
Investments are necessary but also largely unconnected
We now need to rely on the security of others – perhaps putting the organization into an uncomfortable or uncertain position.
Security has become a critical aspect of every business solution
Organizations have typically lacked a systematic, integrated security and risk management approach for designing and implementing business solutions.
1. Most “Enterprise” Security Programs are Anything But
Board level interest in security is driving improved compliance, governance, ROI and portfolio management, yet security solutions remain largely reactive, silo-based and focused on technology.
2. Security Expectations and Delivery are Disconnected
Mostly based on reactive, threat-based controls from point solutions
3. Enterprise Security Requires a Truly Integrated Approach . . .
…that links organizational, technical, administrative and physical security to a strategic combination of IT architecture, business drivers and processes, legal requirements, threat scenarios and design.
What business problem are we trying to solve? – keep asking that question
The risks are enormous… and internal and external pressure continues to mount
Risks:
Compliance liability
Business liability
Brand erosion
Escalating costs
Reduced effectiveness
Unprotected assets
Effective management of information security risks using a framework can drive better business and IT decisions and achieve better results. It can:
Avoid audit by checklist
Reduce compliance liability
Reduce IT inefficiencies
Enhance productivity and quality
Improve customer service and responsiveness
Leverage risk to support competitive opportunities
Enhance and protect the brand
Reduce cost
Auditors are now trying to please the regulators, who are using a different checklist than you are.
As we have seen over the last little while, it doesn’t take much to lose customer confidence, and it is much more difficult to get it back.
The new business reality
How do we keep balance and be secure?
What we are looking at here is a diagram that you’ve probably seen in some form or another. It depicts the highly regulated business environment balanced with the highly leveraged business model most companies face.
The trick is knowing that you have balance between the extended enterprise model and your compliance targets.
The requirements and initiatives are now coming from – “We have to do this” rather than good business decisions.
Security is the balance of protection measures against the acceptance of risk
Risk acceptance:
is a cost decision - the amount of investment required to lower the risk
is a pain decision - the ability to deal with ongoing security incidents
is a visibility decision - the potential impact to corporate reputation
should not be a surprise decision - accepting risk without knowing it
In practice, the majority of risk acceptance is a surprise:
Lower levels of the organization accept risk on behalf of the enterprise
Nobody can determine what is in fact “High Risk” – it is open to interpretation
Authority for accepting risk is unclear – information security decisions are overridden
Measurement of security compliance is often based on an audit driven scorecard vs. a risk driven scorecard
Legal, regulatory and general business risk requirements are not consistently applied by business segments and departments
Security strategies often don’t take into account operational realities or provide reasonable options
Security policies and procedures are often created in a vacuum or solely based on “Best Practices”
Risk and controls are often not updated when system changes occur
Reporting is often a time consuming, one-off exercise
The traditional control implementation approach often does not address the needs
Organizations need to recognize their motivations stem typically from audit compliance rather than risk avoidance/management.
In meeting compliance targets, we’ve observed that most organizations approach it from an audit findings/report perspective versus a risk perspective.
The subtle difference is that the intent of the control behind the compliance requirement can get lost in the shuffle.
We are migrating to a risk management approach from a threat management approach while audit tends to get caught up in threat management.
Make sure that we report on the right things for the organization
Requirements should be tuned to the organization’s business requirements and culture, not just to best practices.
Why address information security at the enterprise level?
Enterprise Solution Approach
Executive management support through strategic alignment – consistent security decisions, planning and investments
Facilitate accountability, authority and responsibility across the organization
Integrated and leveraged set of security solutions with long lasting value
Focused on eliminating root cause problems and identifying improvement opportunities
Reduce total-cost-of-ownership by consolidating management and eliminating overhead
Point Solution Approach
IT functional stove-pipes and lack of executive management visibility
One-off fixes that are not integrated or leveraged as long-term investments
Focused on solving immediate problems which will most likely recur over time
Increased total-cost-of-ownership and disruption from overhead, redundancies and conflicts
We are trying to educate clients into looking at the bigger picture
This usually means aiming higher in the organization
The IT people typically look for IT solutions not business or enterprise solutions
Corporate funding may be a factor if “project” funding detracts from an enterprise view of solutions.
A sound enterprise information security strategy should have proper balance and integration with the security governance, architecture and operations
A security strategy is supported by three critical components: governance, architecture and operations. Governance sets the objectives; strategy and architecture define how they will be met; operations delivers them.
An effective program will integrate these component parts of information security management & Governance to deliver business value in the form of effective and sensible risk management over information assets.
We need a defined strategy to be able to implement the information security program
Creating true enterprise security – the journey. How do I get there?
This illustrates the steps and components that define the information security program: what needs to be done and how the various components are related.
Business Mission - The business mission and goals of the organization
Information Security Vision & Mission - The long range goals for IT security
Information Security Strategy - The defined responsibilities and path to achieve the IT Security Vision and Mission
Information Security Principles - The statements of value, operation or belief that define the organization’s overall approach to IT Security
Risk Tolerance - The level of risk that the organization is willing to accept
Legislation and Regulatory Compliance - The legislation and regulations that the organization must be in compliance with
Corporate Policies - Corporate guidance that establish a basis for IT Security Principles and Policies
Information Security Policy Framework - The outline of responsibilities and processes for policies
Information Security Policies - The statements of expected obligations, responsibilities, and behaviors
Information Security Standards - Requirement for compliance to a particular means of executing a security function
Information Security Controls - The controls that are required to address a specific security risk or requirement
Information Security Architecture - Provides guidance to the organization by translating the business objectives and tolerance for risk into structures that can be technically implemented
Information Security Architecture Design Principles – The high-level decisions that provide overall guidance to the form and definition of the IT Security Architecture
Information Security Conceptual Architecture - The high-level view of the trust model and relationships
Information Security Functional Architecture - The specification, position and relationship of the required functions
Information Security Physical Architecture - The specification of the nodes that deliver the required functions
Information Security Operational Processes – The processes required to support the ongoing operation of the information security program
Information Security Management Processes - The processes that are required to manage the information security program
What does the information security program look like? – Define the Information Security Program Framework
This illustrates all of the component parts of the information security program – what should be in place
The framework aids conversations – discussion on who is responsible for what and what needs to be done
How does the information security program operate? – Define the links
Here is a tool that can be used to measure the maturity and effectiveness of the program
The “Risk Catalog” approach developed by Bill Kobel, is a risk-driven workflow approach for defining and maintaining risk and control profiles for business systems and operations.
The information security program provides a reference that can be used to measure how the program operates and its effectiveness
We can now use the information security program framework as a reference point to measure the maturity and effectiveness of the program
Use the “Risk Catalog” to manage the operational program
We will use the information security program framework as the reference
As a first phase, strategic planning is crucial
Executive Level Sponsorship
Executive level support key – don’t proceed without it
How do we ensure that the business is connected with information security
Do we know what an acceptable risk level is?
What do we have to be compliant with?
How is information security linked to the business?
Information Security Governance defines the control and accountability environment
Its components are the information security principles, policies, standards and guidelines, audit, and enforcement.
How are the governance components linked? Principles, policies, standards, guidelines
What does audit require? – focus on risks and not on checklists
Who is responsible for enforcement?
Information Security Architecture defines the solution, Operations monitors and manages the environment and Measurement provides program effectiveness reporting.
Architecture and Operations deliver and run the solution; Awareness and Training, Risk Management and Measurement and Assessment round out the program
Put in the solution, manage the environment
Manage the risks, provide awareness and training on the program and measure the program results
The security architecture provides guidance to the organization at increasing levels of elaboration
We need to be able to measure the effectiveness of the operating program through KPIs, KPXs etc.
The Information Security Architecture provides a mechanism to deliver a consistent approach to information security decisions and solutions
The Conceptual architecture should be understood by a wide audience – focused on communities and relationships
The Functional Architecture defines the required security functionality and where those functions need to be delivered
The Physical Architecture defines the technologies and structure that deliver the information security functions
Establishing security requirements
Security requirements come from three main sources:
Assessing the risks to the organization, taking into account the organization’s overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated, and potential impact is estimated.
The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
The principles, objectives and business requirements for information processing that an organization has developed to support its operations.
Standard: ISO/IEC 17799:2005, BS 7799-3
Define the requirements for the information security program
The information security program should be based on managing risks – the key is understanding the level of acceptable risk and having a good process in place to determine the risk.
BS 7799-3 – Information Security Management Systems Part 3: Guidelines for Information Security Risk Management
ISO 17799 presents a comprehensive set of controls considered to be best practices in information security including policies, practices, procedures, organizational structures and software functions
ISO 17799 is:
A standard that addresses information asset security from a risk-based perspective by way of policies and best practices
A critical component of an overall enterprise security architecture
A recognized Information Security Management System standard
ISO 17799 is not:
Definitive details or “How-To’s” for implementing security
A comprehensive list of required controls that satisfies the requirements of every organization. Other controls may be required as a complement
An information security methodology
ISO 17799:2005 contains 11 clauses, 39 control objectives and 133 controls, with over 500 points of detailed implementation guidance
Use a recognized standard to help anchor the program
The standard provides a collection of controls and practices and should be used as a reference
It is not a prescriptive standard for policies.
Sarbanes-Oxley Compliance relies on COSO and CobiT to provide a structure for controls
COSO is the control framework of choice for SOX compliance
All 5 COSO layers must be considered when evaluating internal controls
CobiT is a widely accepted IT control framework
CobiT provides 4 domains of IT control
Controls in each domain address all 5 layers of COSO
Some established frameworks (COSO & CobiT) are important for SEC regulated organizations
Providing linkages between the information security program and the compliance frameworks will help compliance review and reporting
COSO and CobiT are concerned with “processes”, while information security is typically concerned with technologies and controls; we need to be able to speak the same language.
ISO 17799 is mapped to CobiT
ISO 17799 provides a more detailed control framework for information security
The mapping provides the linkage between the information security decisions (ISO 17799) and the control objectives (CobiT)
It connects the guidance provided by the information security industry standard to the control framework set for auditing and compliance
Systematically Build and Improve Privacy & Security Capabilities
Use the IT & Security Operating Framework to establish a baseline and track progression over time…
Maturity levels, from lowest to highest: Initial, Repeatable, Defined, Managed, Optimized. At the higher levels risks are measured and managed quantitatively and aggregated on an enterprise-wide basis, and the program becomes organization focused.
Over time, the implemented information security management & governance program will yield increasing maturity of the overall information security management process.
Use a reference and tools to map progress over time
… by assessing the maturity level of the implemented control environment
Use the component parts of the operating framework to measure the maturity of each component part
Define and Implement an Information Security Management System (ISMS)
A management system establishes the policy and the objectives and the process used to achieve those objectives. The ISMS is put into effect by defining and implementing:
The organizational structure
Systematic processes and associated resources
The measurement and evaluation methodology
A review process to ensure problems are corrected and opportunities for improvement are recognized and implemented when justified
What gets monitored gets measured, what gets measured gets managed.
Establish a formal security management program
The information security program is a continuously operating system
Manage the information security program through a formalized process
Policy (demonstration of commitment and principles for action)
Planning (identification of needs, resources, structure, responsibilities)
Implementation and operation (awareness building and training)
Performance assessment (monitoring and measuring, handling non-conformities, audits)
Improvement (corrective and preventive action, continual improvement)
Management review
ISO Guide 72:2001
Use the Plan, Do, Check, Act model to operationalize the program
The focus should be on continuous improvement
Requires management oversight and active participation
Position the ISMS for ISO 27001 Certification
We have the methodologies that provide the framework and accompanying processes for the information security program that help clients implement an Information Security Management System (ISMS) and prepare for their ISO 27001 certification
A well-defined and operating ISMS can be used as a basis for certifying to the ISO 27001 standard.
ISO 27001 is a standard defining the components of an “operating” ISMS – Annex A defines the component parts of the ISMS, basically the ISO 17799 controls restated as “shall” statements.
The scope identifies the span of the ISMS
The statement of applicability identifies the applicable components of the ISMS – basically the components of the ISO 17799 standard that the ISMS is based on.
The key is management commitment and ongoing management of the ISMS.
Mature the Information Security Program Over Time
Illustrates how each component part can be implemented in turn to round out the program over time.
Longer-term implementation plan.
The method is designed to be implemented in modules that sum over time to the overall integrated program. Each module is designed to have specific deliverables that demonstrate progression with the overall program and encourage interest in moving ahead with the overall program.
IT Security Vision & Mission - The long range goals for IT security
Security Architecture Design Principles - The high-level decisions that provide overall guidance to the form and definition of the IT Security Architecture
IT Security Conceptual Architecture - The high-level view of the trust model and relationships
IT Security Functional Architecture - The specification, position and relationship of the…