Post on 20-Jan-2017
Info-Tech Research Group 1Info-Tech Research Group 1
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice.Info-Tech’s products and services combine actionable insight and relevant advice with
ready-to-use tools and templates that cover the full spectrum of IT concerns.© 1997-2015 Info-Tech Research Group Inc.
Build an Information Security StrategyTailor best practices to effectively manage information security.
Info-Tech Research Group 2Info-Tech Research Group 2
This Research is Designed For: This Research Will Help You:
This Research Will Assist: This Research Will Help You:
This Research Is Designed For: This Research Will Help You:
This Research Will Also Assist: This Research Will Help Them:
Our understanding of the problem
Security leaders or IT leaders who are tasked with developing a security strategy
CISOs/CSOs who would like to improve their security strategy and ensure that it is comprehensive enough for today’s threat landscape
Understand current security practices capabilities and performance
Understand your security obligations, scope, boundaries, and responsibilities
Establish a security target state based on your organizational context
Develop a strategy and roadmap to help you achieve your security target state
CEOs and other business leaders who want to understand which elements should be involved in a good security strategy
Understand the value of good security practices
Info-Tech Research Group 3Info-Tech Research Group 3
Resolution
Situation
Complication
Info-Tech Insight
Executive Summary
Technology sophistication and business adoption, the proliferation of hacking techniques, and the expansion of hacking motivations from financial to now social, political, or strategic motivations have resulted in organizations facing major security risk. Every organization needs some kind of information security program to protect their systems and assets. Organizations today face pressures from regulatory or legal obligations, customer requirements, and now senior management expectations.
Performing an accurate assessment of your current security operations and maturity levels can be extremely hard when you don’t know what to assess or how, not to mention an assessment alone is only the starting point. Senior management wants to know that adequate targets have been determined and there is a robust plan on how they are going to be met.
Info-Tech has developed and tested a robust information security framework with supporting methodologies to generate your organization’s comprehensive, highly actionable, and measurable security strategy and roadmap: • Info-Tech’s best of breed security framework combines COBIT 5, PCI DSS, ISO 27000 series, NIST SP 800-53, and
SANS security components to ensure all areas of security are considered and covered. • Robust security requirements gathering across the organization, key stakeholders, customers, regulators, and other
parties ensure the security strategy is built in alignment to and support of enterprise and IT strategies and plans.• A comprehensive current state assessment, gap analysis, and initiative generation ensures nothing is left off the table. • Tested and proven rationalization and prioritization methodologies ensure the strategy you generate is not only the one
the organization needs, but the one the organization will support.
Best of BreedIt’s hard to know which security framework is best. Info-Tech analyzed and integrated frameworks to ensure an exhaustive approach to security. AlignmentSecurity is still a friction point and viewed as a cost center. Align your security strategy with corporate and IT strategies to ensure support. CommunicationTo have a strategy implemented, you need to communicate to stakeholders in their language and show their concerns and perspectives were accounted for.
Info-Tech Research Group 4Info-Tech Research Group 4
Use these icons to help direct you as you navigate this research
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.
This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team analysts, who will come onsite to facilitate a workshop for your organization.
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.
Info-Tech Research Group 5Info-Tech Research Group 5
Consulting
“Our team does not have the time or the
knowledge to take this project on. We need
assistance through the entirety of this project.”
Guided Implementation
“Our team knows that we need to fix a
process, but we need assistance to
determine where to focus. Some check-ins along the way would
help keep us on track.”
DIY Toolkit
“Our team has already made this critical
project a priority, and we have the time and capability, but some guidance along the
way would be helpful.”
Workshop
“We need to hit the ground running and
get this project kicked off immediately. Our
team has the ability to take this over once we get a framework and
strategy in place.”
Diagnostics and consistent frameworks used throughout all four options
Info-Tech offers various levels of support to best suit your needs
Info-Tech Research Group 6Info-Tech Research Group 6
Best-Practice Toolkit
1.1 Introduce security management
1.2 Understand business and IT strategy and plans
1.3 Define security obligations, scope, and boundaries
1.4 Define risk tolerance level1.5 Assess security risk profile
2.1 Assess current security capabilities and performance
2.2 Review pen test results 2.3 Define security target state
3.1 Identify security gaps3.2 Build initiatives to bridge
the gap 3.3 Estimate the resources
needed3.4 Prioritize gap initiatives3.5 Determine start time and
accountability
4.1 Finalize security roadmap and action plan
4.2 Build a security charter4.3 Build the security program
organizational structure4.4 Create a change and
communication plan4.5 Develop a metrics program4.6 Develop a security services
catalog
Guided Implementations
Review the scope of the security strategy plans
Define the organizational risk tolerance
Assess the security risk profile of the business
Perform a current state assessment of the security controls
Determine the future target state of the security controls
Identify existing gaps and create gap initiatives to close the gaps
Determine the benefit, cost, and resources needed for each initiative
Build a roadmap based on the security initiatives
Optimize your strategy
Onsite Workshop
Module 1:Assess Security Requirements
Module 2:Perform a Gap Analysis
Module 3:Continue the Gap Analysis
Module 4:Plan for the Transition
Phase 1 Results:• Security obligations
statement• Security scope and
boundaries statement• Security risk profile• Defined risk tolerance level
Phase 2 Results:• Current security capabilities• Target future state defined
Phase 3 Results:• Security program gaps
identified• Gap initiatives defined• Estimated effort, budget,
and resource readiness assessment
Phase 4 Results:• Security roadmap and
action plan• Security charter• Change and communication
plan• Metrics program• Security services catalog
Assess Security Requirements
Perform a Gap Analysis
Develop Gap Initiatives
Plan for the Transition
Information security project overview
Info-Tech Research Group 7Info-Tech Research Group 7
Workshop overview
Contact your account representative or email Workshops@InfoTech.com for more information.
Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
Activities
Assess security requirements Perform a gap analysis Develop gap initiatives Plan for the transition Communicate and
implement
1.1 Introduce security management
1.2 Understand business and IT strategy and plans
1.3 Define security obligations, scope, and boundaries
1.4 Define risk tolerance level
1.5 Assess security pressure posture
2.1 Assess current security capabilities and performance
2.2 Review pen test results
2.3 Define security target state
3.1 Identify security gaps3.2 Build initiatives to
bridge the gap 3.3 Estimate the
resources needed3.4 Prioritize gap
initiatives3.5 Determine start time
and accountability
4.1 Finalize security roadmap and action plan
4.2 Create a change and communication plan
4.3a Build a security charter
4.3b Build the security program organizational structure
4.3c Develop a metrics program
4.3d Develop a security services catalog
5.1 Finalize deliverables 5.2 Support
communication efforts5.3 Identify resources in
support of priority initiatives
Deliverables
1. Security obligations statement
2. Security scope and boundaries statement
3. Defined risk tolerance level
4. Security pressure posture
1. Security capabilities and performance report
2. Security future state
1. Future state–current state gap analysis
2. Initiatives to address the gap
3. Estimated effort needed
4. Budget & resource readiness analysis
1. Security roadmap and action plan
2. Security charter3. Change and
communication plan4. Metrics program5. Security services
catalog
1. Security strategy and roadmap deck/document
2. Mapping of Info-Tech resources against individual initiatives
Info-Tech Research Group 8Info-Tech Research Group 8
Info-Tech’s framework integrates several best practices to create a best-of-breed security framework
COBIT 5
ISO 27000 SeriesComprehensive standard providing best practices associated with each control
PCI-DSSProvides more detailed instructions than most other best practices but not much breadth
SANS Twenty Critical Security ControlsProvides a great list of controls for effective cyber defence
NIST SP800 SeriesProvides a detailed list of security controls along with many implementation best practices intended for federal information systems and organizations
COBIT 5 for SecurityMore principle and process-based than other best practices
SANS Critical
Controls
NIST SP800-
53
ISO 27000 series PCI-DSS
Info-Tech’s Best-of-Breed Information Security
Framework
Info-Tech Research Group 9Info-Tech Research Group 9
Practical component level of Information Security Program Framework
Info
rmat
ion
Secu
rity
Fram
ewor
k Gov
erna
nce
Man
agem
ent
Context and Leadership Evaluation and Direction Compliance, Audit and Review
Information Security Charter
Culture and Awareness
Information Security Organizational Structure
Security Risk Management
Security Strategy and Communication
Security Policies
Security Compliance Management
External Security Audit
Management Review of Security
Internal Security Audit
Prevention
Detection
Response and Recovery
Measurement
Identity and Access Management
Identity Security
Data Security
Hardware Asset Management
Data Security & Privacy
Infrastructure Security
Network Security
Metrics Program
Endpoint Security
Malicious Code
Application Security
Vulnerability Management
Cryptography Management
Physical Security
Configuration and Change Management Vendor Management
Security Threat Detection Log and Event Management
Security Incident Management
Security eDiscovery and Forensics
Backup and Recovery
Information Security in BCM
Continuous Improvement
Change and Support HR Security
HR Security
Cloud Security
Info-Tech Research Group 10Info-Tech Research Group 10
Domain level of Information Security Program Framework
Info
rmat
ion
Secu
rity
Fram
ewor
k
Governance
Management
Prevention
Detection
Response and
Recovery
Assurance Measurement
Metrics Program
Continuous Improvement
Context and Leadership
Evaluation and
Direction
Compliance, Audit and
Review
Management CommitmentStrategic AlignmentConfident or Risk/Compliance Posture
Defence in DepthPeople, Process, TechnologyFlexibility to Trends
Result-OrientatedTransparencyContinuous Improvement
Info-Tech Research Group 11Info-Tech Research Group 11
Info-Tech’s Information Security Methodology and Maturity Level Model
Context and Leadership
Evaluation and Direction
Compliance and Review Prevention Detection Response
and Recovery Measurement
ML: 5
ML: 4
ML: 3
ML: 2
ML: 1
Each security area has five possible maturity levels • This generates a security maturity
matrix and is the basis for the framework.
Collectively, these seven areas form Info-Tech’s information Security Framework • These areas were designed by Info-Tech to be process- and management-based areas that can
be evaluated independently of each other. • Each security component has many sub-components
1
2 All seven security areas are evaluated on the five-level maturity model • Using info-Tech scoring methodology, sub
components are evaluated individually with the aggregate scores generating the component scores.
3
Target scores for each security area are identified • The security maturity model is used to identify maturity levels that meet
the organization’s security requirements.• From the current state maturity levels and target levels, gaps are
identified and developed into initiatives to be completed.
4
The best advice I can give is to bring everything together end to end. Don’t limit yourself in any one focused area…If you take an end-to-end approach instead of trying to focus on specific areas and compartmentalize them, you will be 100% more successful.
– Technology Services, USA
Building a holistic framework ensures that all your bases are covered while preventing duplications of the same functions, resulting in a more efficient program.
Info-Tech Research Group 12Info-Tech Research Group 12
Navigate the 4 phases of the blueprint using this table of contents and deliverables
Phase 1: Assess security requirements
Phase 2: Perform a gap analysis
Phase 3: Develop gap initiatives
Phase 4: Plan for the transition
1.1 Introduce Security Management 2.1 Assess current security capabilities
3.1 Identify security gaps 4.1 Finalize the security roadmap and action plan
Template: Information Security Strategy Workbook Template
Tool: Information Security Program Gap Analysis and Roadmap Tool
Tool: Information Security Program Gap Analysis and Roadmap Tool
Tool: Information Security Program Gap Analysis and Roadmap Tool
1.2 Understand business and IT strategy plans
2.2 Review penetration test results 3.2 Build initiatives to bridge the gap 4.2 Build a security charter
Template: Information Security Strategy Workbook Template
Prerequisite: Penetration Test Results Report
Tool: Information Security Program Gap Analysis and Roadmap Tool
Template: Information Security Charter Template
1.3 Define security obligations, scope, and boundaries
2.3 Define security target state 3.3 Estimate resources needed 4.3 Build the security program organizational structure
Template: Information Security Strategy Workbook Template
Tool: Information Security Program Gap Analysis and Roadmap Tool
Tool: Information Security Program Gap Analysis and Roadmap Tool
Template: Security Governance Organizational Structure Template
1.4 Define risk tolerance level 3.4 Prioritize gap initiatives 4.4 Create a change and communication plan
Template: Information Security Strategy Workbook Template
Tool: Information Security Program Gap Analysis and Roadmap Tool
Information Security Communication Plan Template
1.5 Assess security risk profile 3.5 Determine start time and accountability
4.5 Develop a metrics program
Tool: Security Pressure Posture Analysis Tool
Tool: Information Security Program Gap Analysis and Roadmap Tool
Tool: Security Metrics Tool
4.6 Develop a security services catalog
Template: Security Services Catalog