Chapter 4 of the Executive Guide manual PEOPLE. Overview People are the most important component of...
Overview
• People are the most important component of an effective information security program
• 3 key areas for the security evaluation framework: 1. Strategy 2. Components 3. Administration
People Strategy
• The information security strategy must be updated regularly because new challenges/threats appear daily
• Measuring prevented security breaches helps to quantify the effectiveness of your security program
• Ensure compliance with regulations (HIPAA, Gramm-Leach-Bliley, PCI, etc.)
• Certifications for your security program are an indication of program best practice
People Components
• Assess personnel skills & credentials to ensure the program's success.
• Having a dedicated information security org. indicates that management is committed to a quality security program.
• Leaders who are qualified, informed and flexible enough to adapt to increasing security challenges.
People Administration
• Must have well-defined roles & responsibilities
• Have authority to enforce policies
• Commitment from the C-suite
• Regular reporting to Executives and the Board to ensure appropriate oversight
• Segregation of duties (SOD)
• Support & involvement of key organizations (legal, HR, audit, etc.)
People Administration Cont.
• Global program
• Must include risk management
• Aligns with business goals by understanding the risk associated with existing and new products & services
• Having the right people in the org. is paramount to the overall success of the security program.
• Review table 4-1 for the people evaluation of your security program.
Strategy
• Provide adequate training & have accountability
• Identify a baseline and hire the right people with the skills and credentials to ensure program success
• 2 staffing strategies
– Build in-house (hire into the company)
– Outsource (3rd party)
• What must NOT be outsourced?
In-House vs Outsource
In-House Pros & Cons
• Challenges in finding skilled staff
• Retained knowledge
• Robust security functions
• Training
• SLA
• Ensure compliance with increasing regulations
Outsource Pros & Cons
• Enables the company to concentrate on core competencies
• Must have an effective vendor governance process
• Knowledge transfer
• Vendor financial stability
• Service Level Agreement (SLA)
• Audit clause (right to audit the vendor)
• Exit strategy
Components
• Invest resources to hire & develop the security team
• 3 categories of personnel: 1. Management 2. Technical 3. Audit staff
• Individuals need to be both technically and business savvy
Management Staff
• Need a broad understanding of information security and business operations
• Need breadth & depth of experience
• Need education & credentials – CISSP, CISM, CISA, GIAC, etc.
Technical Staff
• Have the knowledge and skills for a specific area of expertise & some business knowledge
• Be certified in the specific areas of concentration (see the SANS list)
• Continuing education to stay abreast of current events & technology changes
Administration
• Everyone plays a role in information security
• Tone at the top is critical for the success of the program
• Policies & procedures provide guidance for people to execute the security program
• Review Information Security Roles & Responsibilities, table 4-3
Organizational Structure
Functional/Centralized
• Personnel remain within their area of expertise
• Better utilization of scarce resources
• Resources are not close to the customer/user
• Specialized expertise
Geographic/Decentralized
• Closer relationships with clients
• Can encourage personnel to adhere to the security program
• Jack of all trades
Information Security Governance
• Ideal to have a board
• Responsibilities include
– Define the goals/direction of the security program
– Establish policies
– Provide resources
– Review KPIs/metrics on IT operations
– Make critical decisions regarding security systems
• Sr. management from key operations (IT, HR, Legal, Audit, etc.)
Governance cont.
• The security program aligns with company strategy
• IT investments align with business priorities
• Perform benchmarks to ensure best practices
• Audit the security program periodically
Summary Key Points
• People are ???
• The reporting relationship between information security management and the Executives & Board is important because it gives enforcement power to support the security program
• Pros & cons of an in-house vs outsourced security program
• People skills, training and certifications are important
• Having appropriate governance in place ensures a support system is in place.