Chapter 4 of the Executive Guide manual

PEOPLE

Overview

• People are the most important component of an effective information security program

• 3 key areas for the security evaluation framework:
  1. Strategy
  2. Components
  3. Administration

People Strategy

• Information security strategy must be updated regularly due to new daily challenges/threats

• Measuring prevented security breaches helps to quantify the effectiveness of your security program

• Ensure compliance with regulations (HIPAA, Gramm-Leach-Bliley, PCI, etc.)

• Certification of your security program is an indication of program best practice

People Components

• Assess personnel skills & credentials to ensure program’s success.

• Having a dedicated information security org. indicates that management is committed to a quality security program.

• Leaders who are qualified, informed and flexible enough to adapt to increasing security challenges.

People Administration

• Must have well-defined roles & responsibilities
• Have authority to enforce policies
• Commitment from the C-suite
• Regular reporting to Executives and Board to ensure appropriate oversight
• SOD (separation of duties)
• Support & involvement of key organizations (legal, HR, audit, etc.)

People Administration Cont.

• Global program
• Must include risk management
• Aligns with business goals by understanding the risk associated with existing and new products & services

• Having the right people in the org. is paramount to the overall success of the security program.

• Review table 4-1 for the people evaluation of your security program.

Strategy

• Provide adequate training & have accountability
• Identify a baseline and hire the right people with the skills and credentials to ensure program success

• 2 staffing strategies:
  – Build in-house (hire into the company)
  – Outsource (3rd party)

• What must NOT be outsourced?

In-House vs Outsourced

In-House Pros & Cons
• Challenges in finding skilled staff
• Retained knowledge
• Robust security functions
• Training
• SLA
• Ensure compliance with increasing regulations

Outsourced Pros & Cons
• Enables the company to concentrate on core competencies
• Must have an effective vendor governance process
• Knowledge transfer
• Vendor financial stability
• Service Level Agreement (SLA)
• Auditable clause
• Exit strategy

Components

• Invest resources to hire & develop the security team

• 3 categories of personnel:
  1. Management
  2. Technical
  3. Audit staff

• Individuals need to be both technical and business savvy

Who has the ultimate responsibility to ensure customer data is secure?

Outsourced vendor or Company?

Management Staff

• Need a broad understanding of information security and business operations

• Need breadth & depth of experience
• Need education & credentials – CISSP, CISM, CISA, GIAC, etc.

Technical Staff

• Have the knowledge and skills for a specific area of expertise & some business knowledge

• Be certified in the specific areas of concentration (see SANS list)

• Continued education to stay abreast of current events & technology changes

Administration

• Everyone plays a role in information security
• Tone at the top is critical for the success of the program
• Policy & procedures provide guidance for people to execute security programs
• Review Information Security Roles & Responsibilities, table 4-3

Roles & Responsibility Matrix

Organizational Structure

Functional/Centralized
• Personnel remain within their area of expertise
• Better utilization of scarce resources
• Resources are not close to the customer/user
• Specialized expertise

Geographic/Decentralized
• Closer relationships with clients
• Can encourage personnel to adhere to the security program
• Jack of all trades

SOD Matrix

Information Security Governance

• Ideal to have a board
• Responsibilities include:
  – Define goals/direction of the security program
  – Establish policies
  – Provide resources
  – Review KPIs/metrics on IT operations
  – Make critical decisions regarding security systems

• Sr. management from key operations (IT, HR, Legal, Audit, etc.)

Governance cont.

• Security program aligns with company strategy
• IT investments align with business priorities
• Perform benchmarks to ensure best practices
• Audit the security program periodically

Summary Key Points

• People are ???
• The reporting relationship between Information Security management and Executives & Board is important because it gives enforcement power to support the security program

• Pros & cons of an in-house vs outsourced security program

• People skills, training and certifications are important
• Having appropriate governance in place ensures the support system is in place.