Post on 03-Jan-2016
Security Governance: What, Why, How?
Presented by
Jason A Witty, CISSP
What is Security?
A firewall? A group of paranoid IT staff? An intrusion prevention mechanism? A process to keep your data safe? A deterrent? An enabler? A road block?
Security is Many Things
Source: IBM Global Services
Security Must be Holistic
Source: IBM Global Services
Security: The Big Picture
Source: IBM Global Services
Why Do We Need A Holistic Approach?
Your entire staff must protect against thousands of security problems…
Attackers only need one thing to be missed.
But with appropriate planning and execution, a comprehensive information security program will protect your corporate assets.
So What is Security Governance?
The Information Systems Audit and Control Association & Foundation (ISACA)'s Definition:
"Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations."
From http://www.isaca.org/cismcont1.htm
Governance: Appropriate Levels of Security
[Figure: the ISO 17799 (Best Practices) control areas arranged around numbered levels 1 to 10]
– Security Policy
– Security Organization
– Classification & Control of Assets
– Personnel Security
– Environmental & Physical Security
– Computer & Network Management
– System Access Controls
– System Development & Maintenance
– Business Continuity Planning
– Compliance
How much is enough?
Source: Forsythe Solutions, used with permission
Goals of Security Governance
– Link business strategy to security strategy
– Ensure senior management understands information risk and supports the information security program
– Ensure all employees understand their information security responsibilities
– Ensure proper business representation during security policy review processes
Governance Goals - 2
– Decrease litigation risks by ensuring corporate policies take the legal and regulatory environment into account
– Create procedures and guidelines that operationalize information security policies
– Develop the information security value proposition and measure program effectiveness
Some Regulations to Consider
– US: HIPAA
– US: Gramm Leach Bliley (GLBA)
– US: California: SB 1386 – mandates public disclosure of computer-security breaches in which confidential information may have been compromised. Becomes active on July 01 2003.
– UK: Data Protection Act of 1998
– EU: European Data Directive 95/46/EC
– NL: Personal Data Protection Act
http://www.privacyinternational.org/countries/index.html
Privacy Due Care Requirement
The Federal Trade Commission required that Eli Lilly and Company redress a privacy violation from June 2001.
– An e-mail with the names of all 669 subscribers listed in the TO: field went to users of the www.prozac.com medication reminder service.
– It was an unintentional leakage of personal information.
– This was a violation of Lilly's privacy policy.
– Lilly failed to maintain and protect the privacy of sensitive information.
FTC Consent Decree
Lilly is required to implement a security and privacy program that does the following:
– Designate personnel to coordinate and oversee the program.
– Identify reasonably foreseeable internal and external security risks.
– Conduct an annual review to monitor effectiveness and compliance with the program.
– Adjust the program to address changes in the business and any recommendations.
www.ftc.gov/opa/2002/01/elililly.htm
How to Implement Security Governance
– Have a dedicated security organization with the right charter from executive management
– Build strong relationships with business stakeholders
  – Gain trust and buy-in
– Establish review and approval processes
– Establish governance team(s) - committees
  – Schedule regular meetings
  – Report issues and exceptions to senior management
– Integrate security awareness training & education into employee job responsibilities
Stakeholders in Security Governance
– Legal
– Audit
– Physical Security
– IT Operations
– HR
– PR
– Privacy Team
– Info-Security Team
Things to Watch Out For
1) Not having a written policy
2) If you have a written policy…
  – Can it be enforced?
  – Does management buy in to implementing the policy?
  – Does funding exist?
  – Does technology exist? Is it mature?
  – Do proper skill-sets exist?
  – How are users educated and updated?
  – How are exceptions and violations handled?
3) Politics
4) Not being aware of your regulatory obligations
5) Trying to do everything at once
When Governance is Implemented Correctly
– A cross-functional executive committee reviews and approves corporate security policies
– Employees are regularly trained, and understand all security policies and responsibilities
– Metrics are captured to regularly measure and report program efficiency
  – Incidents are tracked
  – Regular vulnerability assessments are conducted
  – All exceptions are rated by risk level and regularly reviewed & corrected in a timely fashion
When Governance is Implemented Correctly - 2
– Repeatable processes ensure security is inserted very early in project and systems lifecycles
– Security is built into corporate culture and is viewed as a competitive advantage
– Executive buy-in is obvious – videos, regular emails, posters, etc.
Questions?