Information Security Strategy - Guide

Guide for developing an Information Security Strategy
Uploaded February 2009
References: Frey Sigurjonsson, SITE Sweden; Kenneth Hellem, SITE Sweden

Transcript of Information Security Strategy - Guide

8/12/2019 Information Security Strategy - Guide

http://slidepdf.com/reader/full/information-security-strategy-guide 1/14


Copyright © 2009 Accenture All Rights Reserved. 2

Contents

Information security strategy development process

Determine security baseline

Understand business drivers and define security objective

Identify and prioritize gaps

Develop implementation/action plans

Implement activities


The strategy for information security is developed through a four-step process, followed by a fifth step that initiates implementation

Step 1: Determine information security baseline
  Description: Determine the current state of information security, e.g.
    - Information assets
    - Processes
    - Governance
    - Organisation
    - Risks
  Duration: 1-2 weeks
  Approach: Collect and analyze secondary data. Perform qualitative and quantitative interviews and/or surveys of IT and business.

Step 2: Understand business drivers and define wanted position
  Description: Assess how security needs to change in the organization in the next three to five years in order to adequately support the business.
  Duration: 2 days
  Approach: Perform qualitative interviews with IT and business management. Articulate policy statement.

Step 3: Define target state
  Description: Prioritize business needs and define a target state.
  Duration: 2-3 days
  Approach: Describe target state, e.g. as capability improvements and eliminated risks.

Step 4: Develop implementation/action plans
  Description: Determine solutions to reach target state and their associated cost/effort, define budget and create road map.
  Duration: 1 week
  Approach: Create roadmap of activities to bridge target state and current position.

Step 5: Implement activities


ISO 17799 Information Security Domains*

The ISO Information Security Domains can be used as a model to assess maturity. (ISO/IEC 17799:2005 was renumbered ISO/IEC 27002 in 2007; the eleven domains are the same.)

The eleven control domains surround the Information Assets they protect:

- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communication & Operations Management
- Access Control
- Information System Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

* See appendix for domain descriptions


The first step is to determine the security baseline through qualitative and quantitative interviews

Sample qualitative questions

Risk and Strategy

• What are your main security concerns and do you have plans to fix them?

• Is there any security initiative which is not progressing as you would like? If so, what is slowing it down and what would be required, in your opinion, to make it happen?

• What are your thoughts on where security can be improved / increased?

• Do you have an ongoing process to classify data (Confidentiality, Integrity and Availability), asset value, threats and vulnerabilities?

• Have you identified the main business and information assets with their related value? This is relevant for both Risk Assessment and Business Continuity Management.

• Are you aware of any recent security incident within your organization or at competitors which has drawn the attention of the press or customers?

• Do you have difficulties in prioritizing security investments and obtaining approval from the board?

Compliance, Organization and Management

• Are you currently struggling to comply with existing regulation (e.g. European Data Privacy, Sarbanes-Oxley, etc.)? If so, which regulation?

• Are you aware of new regulations you will need to comply with that will impact your security capability?

• Are you planning to achieve any security certification (e.g. ISO 27001) and if so, within which timeframe?

• Have you received any feedback from internal or external auditors which requires your company to implement specific security measures?

• Are you comfortable with existing security policies, procedures, roles and responsibilities, and the level of compliance and awareness among your permanent and temporary staff?

• Which metrics do you use to monitor the ongoing level of security and compliance, and which actions do you take to correct deviations?

• Do you feel comfortable with the existing level of security provided by third parties, and are you considering outsourcing any security-critical service to external parties?


The first step is to determine the security baseline

through qualitative and quantitative interviews

Maturity Scale

Nothing | Ad-hoc | Repeatable | Defined | Managed | Optimized

Sample quantitative questions (each answered on the maturity scale above; control numbering follows ISO 17799)

7.1 Responsibility for assets
- 7.1.1 Inventory of assets: Is there an inventory of key information assets (data sources)?
- 7.1.2 Ownership of assets: Is it clear who owns / is responsible for the assets?
- 7.1.3 Acceptable use of assets: Are there guidelines for classifying assets? Are the assets classified? (These two questions concern information classification, which ISO 17799 covers under section 7.2; the table is cut off at this point in the original.)
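The quantitative survey above produces one score per control on the 0-5 maturity scale defined in the appendix, and the later target-state step compares those scores with the wanted level per domain. The following script, added here as an example and not code from the original deck or its authors, scores a constructed survey, derives a per-domain baseline and ranks the gaps against a target state so they can feed the road map. Assumptions not stated in the guide: a domain is rated at its weakest control, an unassessed domain counts as level 0, and an optional per-domain weight reflects business criticality. The sample answers, targets and weights are constructed; control numbers beyond 7.1 follow ISO/IEC 17799:2005 numbering.

```python
"""Maturity baseline and gap ranking for an information security strategy.

Added example, not part of the original guide. Survey answers are scored on
the six-level scale used in the guide (0 Non-existent ... 5 Optimized); domain
names follow the ISO 17799 domains listed in the appendix. All sample answers,
targets and weights are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Level names as defined in the appendix of the guide.
LEVELS = ("Non-existent", "Initial", "Repeatable", "Defined", "Managed", "Optimized")


@dataclass(frozen=True)
class Answer:
    """One scored survey question, e.g. '7.1.1 Inventory of assets' at level 3."""
    domain: str
    control: str
    level: int


@dataclass(frozen=True)
class Gap:
    domain: str
    current: int
    target: int
    gap: int
    priority: float  # gap scaled by the domain weight (assumption, see rank_gaps)


def check_level(level: int) -> int:
    """Reject scores outside the 0-5 scale so a typo in a survey sheet cannot
    silently inflate a domain's maturity."""
    if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"maturity level must be an integer 0-5, got {level!r}")
    return level


def baseline(answers: list[Answer]) -> dict[str, int]:
    """Current maturity per domain.

    Assumption (not stated in the guide): a domain is rated at its weakest
    control, because one missing control is enough for an attacker.
    """
    by_domain: dict[str, list[int]] = {}
    for a in answers:
        by_domain.setdefault(a.domain, []).append(check_level(a.level))
    return {domain: min(levels) for domain, levels in by_domain.items()}


def rank_gaps(current: dict[str, int], target: dict[str, int],
              weights: dict[str, float] | None = None) -> list[Gap]:
    """Gap between baseline and target state, ranked for the road map.

    Domains in the target state that were never assessed are treated as
    level 0: an unknown control is a gap, not a pass. Weights (assumed,
    e.g. 2.0 for a domain the policy statement calls critical) rank the
    business-critical domains first.
    """
    weights = weights or {}
    gaps = []
    for domain, t in target.items():
        check_level(t)
        c = current.get(domain, 0)
        gap = max(t - c, 0)
        gaps.append(Gap(domain, c, t, gap, gap * weights.get(domain, 1.0)))
    # Highest priority first; ties broken alphabetically so output is stable.
    return sorted(gaps, key=lambda g: (-g.priority, g.domain))


def describe(gap: Gap) -> str:
    return (f"{gap.domain}: {LEVELS[gap.current]} ({gap.current}) -> "
            f"{LEVELS[gap.target]} ({gap.target}), gap {gap.gap}, priority {gap.priority:g}")


# Constructed sample survey answers (not real assessment data).
SAMPLE_ANSWERS = [
    Answer("Asset Management", "7.1.1 Inventory of assets", 3),
    Answer("Asset Management", "7.1.2 Ownership of assets", 2),
    Answer("Asset Management", "7.1.3 Acceptable use of assets", 1),
    Answer("Access Control", "11.1.1 Access control policy", 3),
    Answer("Access Control", "11.2.4 Review of user access rights", 4),
    Answer("Compliance", "15.1.1 Identification of applicable legislation", 2),
]
# Constructed target state; Incident Management was not covered by the survey.
SAMPLE_TARGET = {"Asset Management": 3, "Access Control": 3, "Compliance": 4,
                 "Information Security Incident Management": 3}
SAMPLE_WEIGHTS = {"Compliance": 2.0}  # assumed: regulated market, see policy statement


def run_sample() -> list[Gap]:
    return rank_gaps(baseline(SAMPLE_ANSWERS), SAMPLE_TARGET, SAMPLE_WEIGHTS)


if __name__ == "__main__":
    for g in run_sample():
        print(describe(g))
```

Running the sample ranks Compliance first (gap 2, doubled by its weight), then the never-assessed Incident Management domain (gap 3 from level 0), then Asset Management, whose weakest control drags the domain down to level 1 even though its inventory control scored 3; Access Control already meets its target and gets priority 0.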


The wanted position is determined by interviews with

business and IT and articulated in a policy statement

Sample Information Security Policy Statement

Objective

The Information Security Principles are a tool for the management team at ClientCo to set direction with regard to protecting ClientCo's Information Assets (Data Sources) in terms of:

• Confidentiality - Data should only be accessible by authorized users

• Integrity  - Data should be authentic, sufficiently accurate and reliable

• Availability  - Data should be accessible when needed 

Principles

• Information Security has the endorsement and support of executive management and the Board

- Management is delegated to an appropriate security organization with clear roles and responsibilities

• Everyone is responsible for Information Security (Clinics, HQ, Corporate and External Parties)

- Awareness is built through continuous training and communication, and clear policies

• The organization strives to be compliant with all regulatory requirements

- The regulatory environment is continuously monitored, and compliance is audited regularly

• Protection of data is critical in a highly regulated market

- Proper access controls are combined with high awareness of data sensitivity

• Risk exposure is balanced with the cost of risk mitigation

- Risks are understood and managed based on potential business impact

• Security measures are proactively implemented based on a comprehensive understanding of threats

- Industry standards (e.g. ISO 17799) are used to baseline capabilities and assess potential gaps


The target state is expressed as capability

improvements and eliminated risks

Example output from target state definition


Solutions to reach the target state are identified and combined into an implementation road map

Proposed initiatives to reach target state (the original slide lists the actions under each tier)

Tier I: Secure fundamentals
Tier II: Enable strategic agenda
Tier III: Enable differentiation


The final step is to initiate the implementation

Example implementation road map

Initiative                          Effort (man-days)   2009  2010  2011  2012
Ensure regulatory compliance        34
Audit and secure critical assets    28
Design security organisation         6
Develop security policy             23
Design security processes           40
Create individual policies          19
Secure standards and processes      12
Create guidelines                   15
Implement ISO 27001                 25

(The 2009-2012 columns held the scheduling bars in the original chart, and the rows were grouped as Critical, Required and Differentiating.)


 Appendix


Definition of CMMI maturity levels (the level descriptions use the wording of the COBIT generic maturity model, which has the same six levels)

0. Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

1. Initial: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2. Repeatable: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3. Defined: Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalizations of existing practices.

4. Managed: It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5. Optimized: Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.


Description of the ISO 17799 domains' aim and focus (1/2)

1. Security Policy – To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2. Organization of Information Security – To manage and plan information security within the organization, taking into account the needs of both internal and external parties.

3. Asset Management – To deliver appropriate levels of protection and ensure that information receives a level of protection that is appropriate to its needs.

4. Human Resources (Personnel) Security – To ensure that staff, during employment, after termination and during change of employment, are part of the information security process.

5. Physical and Environmental Security – To secure buildings, locations and equipment in such a way as to prevent unauthorized physical access, damage and interference to the organization's assets, premises and information.


Description of the ISO 17799 domains' aim and focus (2/2)

6. Communications and Operations Management – To ensure that information is treated properly, backed up correctly and handled securely to the highest standards available.

7. Access Control – To control access to information, networks and applications, preventing unauthorized access, interference, damage and theft.

8. Information Systems Acquisition, Development and Maintenance – To ensure that security is an integral part of the information system, securing applications and files and reducing vulnerabilities.

9. Information Security Incident Management – To ensure information security events and weaknesses are communicated consistently in a manner allowing timely corrective action to be taken.

10. Business Continuity Management – To counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.

11. Compliance – To avoid breaches of any law, regulation or contractual obligation, and to ensure compliance without adverse effects on information security.