Achieving Information Security Governance through ISMS Implementation
Prof. Edward Humphreys (Hagenberg University of Applied Sciences, Austria & Beijing Institute of Technology)
Governance is the activity of governing. It consists of management and leadership processes and relates to
• consistent management,
• cohesive policies and processes,
• well-informed decision making and
• appropriate allocation of decision-rights.
For example, managing at a corporate level involves evolving policies on security of assets, risk management, internal controls, management reviews, the use of information …
Actors: Executives, CEO, Directors; Business Unit Heads; Senior Managers; CIO/CISO; Project Managers; Employees.
Questions:
• What am I required to do?
• What are my roles and responsibilities?
• How do I accomplish my objectives?
• How effectively do I achieve my objectives?
• What adjustments do I need to make to improve?
Diagram columns: Actors (executive management; senior and middle management; lower management), Actions (direction; execution; control), Directives (policies & standards; procedures).
Information security gap: the difference between what is needed and what is provided.
• widespread use and diversity of technology
• systems interconnectivity
• distance and time no longer constraints
• unevenness of technological changes
• delegation of management and control
• unconventional electronic attacks against organizations
• external factors such as legal, regulatory and contractual requirements
Diagram: corporate governance, information security governance, IT governance.
Effective information security requires the active engagement of
executive management defining specific tasks that employees at
all levels of an organization can discharge.
Plan, Do, Check, Act (PDCA) decision making model. Cycle elements: risk assessment; risk management decision making; implement system of risk controls; ISMS measurements; risk review; risk re-assessment; implement improvements of risk controls.
Decision-making levels:
• operational (daily)
• tactical (review/follow-up)
• strategic (annual reviews, establishing policies, organisational objectives)
Dimensions: people (who), process (how), technology (what).
Diagram: assets; operations, tactical, strategic; risks; controls.
Strategic alignment
• ISMS is driven by enterprise requirements
• Security solutions that are ‘fit for purpose’ for enterprise processes
• Investment in information security aligned with enterprise strategy and agreed upon the organisation’s risk profile
Diagram: the PDCA cycle (Plan, Do, Check, Act) applied at the strategy, tactical and operational levels, each with its own risk, system of controls, metrics and audits.
Value delivery
• A standard set of security practices (following ISO/IEC 27002)
• Properly prioritized and distributed effort to areas with greatest impact and business benefit
• Complete and customised solutions covering organization, process as well as technology
• A continuous improvement culture
Risk Management (ISO/IEC 27005)
• Identified risks and agreed upon risk profiles
• Understanding the impact of risk exposures
• User awareness of risk
• Risk management plan and priorities for taking action
• Risks and information security measurements (ISO/IEC 27004)
• Regular risk reviews
Measuring Performance (ISO/IEC 27004)
• Defined set of metrics
• Measurement process with feedback on progress made
• Reviews and audits (ISO/IEC 27007 + 27008)
• Independent assurance
ISMS evolution (security capability growing over time):
• Establish ISMS security programme: strategy, policy and standards
• Implement ISMS: organisational, security and technical controls
• Monitor, review and measure ISMS performance
• Certification and assurance
Governance is as good as the organisation’s
• risk management
• effectiveness of its system of controls
• review and audit of its information security
• Governance of e-city is about risk, control, audit, information security and system, process and network resilience, and people safety and security
1.3.9 Inconsistent Deployment of Best Practices and Measures
Many organizations do not approach security by deploying sound, commonly accepted practices; rather, they fix problems as they occur and try to keep up with the security risks that accompany change and growth. As a result, establishing an ESP can be an especially daunting task.
Fortunately, there are several widely accepted security best practices and standards. The International Organization for Standardization (ISO) leads the way with ISO 17799 and ISO 27001.
This guide is designed to help business leaders implement an effective program to govern information technology (IT) and information security.
Implementing Information Security Governance based on ISO/IEC 27001
Prof. Edward Humphreys (Hagenberg University of Applied Sciences, Austria & Beijing Institute of Technology)