ISMS2 - Security Interest Group Switzerland
C O N F I D E N T I A L ©2017 KUDELSKI GROUP / All rights reserved.
Slide 1: ISMS - How to Manage Complex ISMS Programs

Slide 2: The Context
• Client need:
  • 60+ ISMSes across
  • ISO 27001 certified
  • 18 months
• An ISMS, by itself, is a complex challenge
• How do we scale that up?
• So let’s have a look at how we did it…
  • Recap on single ISMS challenges
  • Overview of ISMS program challenges
  • Emerging ISMS program best practices
  • Then Q&A and complementary concepts, if we have time
Slide 3: Single ISMS Challenges - A Short Recap

Slide 4: Why an ISMS?
Ref.: ISO 27001 Governance Report 2016 by IT Governance
Slide 5: The ISMS and the CISO
(Figure: Joe the CISO, the ISMS and an SME.) Hi, I’m Joe, the CISO. I’m responsible for implementing and managing the ISMS.
Managed by… (Ref.: ISO 27001 Governance Report 2016 by IT Governance): Others 47%, IT Manager 19%, CISO 18%, FTE 16%
Slide 6: Context
(Figure: the CISO’s stakeholder map, centred on Products & Services, Processes and Systems.)
• Governing Body: Board, Top Management, Shareholders
• Internal Stakeholders: Executives (CEO, COO, CFO, CIO, CCO, CRO, DPO, Legal), Employees, Risk Owners, Control Owners, Asset Owners, IT, Security Organization, Internal Reviewers
• External Stakeholders: 3rd Parties, Vendors, Suppliers, Clients, Business Partners
• External Authorities: Government, Independent Auditor, Standards
Slide 7: Stakeholders’ Needs
(Figure: the same stakeholder map as on the previous slide, each stakeholder with its own demand on the CISO.)
• Protect our brand / goodwill
• Fix this
• Comply with that
• Lower costs
• Comply with law
• Leave me alone
• Implement my new strategy
• Restructure with my new org chart
• Lower your prices
• Buy my products & services
• Comply with your SLAs and contracts
• Don’t overload me
• I have different priorities
• Firefighting
• I don’t want to be held accountable for that
• I’m not responsible for this
• Buy me the latest cool techno
Slide 8: Challenges
(Figure: the CISO’s challenges. Ref.: ISO 27001 Governance Report 2016 by IT Governance)
Slide 9: Implementation
(Figure: the CISO’s implementation timeline, ISO 27001 at ACME 2017.) Timeline: 6-12 months
Slide 10: Management
(Figure: pressures on the CISO)
• New Strategy
• Reorgs
• Technological Obsolescence
• Turnover
• Market Disruption
• Technological Disruption
Slide 12: ISMS Program
Hi, this is Joe, again. I’ve been promoted to manage a global ISMS program.
Slide 13: Entities Heterogeneity
• Multiple Sizes
• Multiple Natures
  • Headquarters
  • Regional Management
  • Competency Centers
  • Manufacturing sites
  • Sales representative offices
  • IT Services Organizations
  • Data Centers
• Multiple Relationships & Dependencies
Slide 14: Integration Dimension
• Acquisitions
• Divestments
• Joint Ventures / Partnerships
• Varying degrees of integration (finances, processes, policies, IT, etc.)
  • Autonomous Entities
  • Partially Integrated Entities
  • Fully Integrated Entities
  • Time evolution of the above
• Integration impacts authority and leadership style
Slide 15: Cultural Diversity
• Values & Attitude
• Ethics
• Notions of Modesty
• Courtesy
• Communication Styles
• Taboos
• Languages
• Religion / Beliefs
• Education
• Management Styles
• Work Customs
• Social Organization
• Notions of Time
Slide 16: Geopolitical Dimension
• Government stability
• Rule of law
• Diversity of laws (e.g. labour code)
• Disasters
• Conflicts / wars / terrorism
• Embargos
Key takeaway: in global operations, there is always a severe catastrophe going on.
Slide 17: InfoSec Maturity Dimension (or InfoSec Capability Dimension)
(Figure: entities spread along the maturity axis, from chaotic entities through flock entities to advanced entities.)
Hints:
• A majority of stakeholders simply don’t want to become best-in-class
• It would be economically unwise to bring all entities to an advanced maturity stage
• Low maturity is not bad; low maturity coupled with high inherent risk is bad
• Think in terms of optimization and overall risk efficiency
Slide 18: First Conclusions
• Dramatic increase in complexity
  • E.g. cloud, 3rd party mgmt, etc.
• Scaling issues
  • Identities, assets, etc.
• Multi-year time frame
• Individual ISMSes are your tools to regain control and implement the strategy
• To exert influence, necessity to shift from hard power (managerial posture) to soft power (leadership skill)
The challenge: be cost efficient, be flexible, preserve what works, lead rather than manage.
Slide 19: Emerging ISMS Program Best Practices - Or How We Pulled It Off!

Slide 20: Think “Program”
Your Value Proposition:
• Strategy Execution
• Visibility & Understanding
• Maneuverability
• Efficiency
• Managed Interdependencies
Slide 21: Accept Reality
“Harry Potter” expectations:
• ISMS
• Best-in-class
• Visibility
• Control
• Launching pad for continuous improvement
Reality:
• Writing a policy has no magical effect
• Document reality, not what we want
• Keep it simple
Slide 22: Staged Approach
• Use gamification, think “journey”, think “levels”
• Design a staged approach
  • Start: identification of a new scope
  • Give early quick wins
  • ISMS readiness assessment
  • Target: ISO 27001 certification
• Monitor the journey with metrics and a dashboard
• Remember that not everyone wants to be best-in-class, but nobody wants to be at the end of the pack
(Figure: the ISMS program journey board, with levels Identified, Gap Analysis, Onboarded, GRC Platform and ISO27K1 Certified, each entity placed at its current level, and the CISO saying “You are here, move on!”)
Slide 23: The ISMS Coaches
• A global team of trained ISMS coaches
• Key part of your communication plan
• Establish a continuous dialogue between the local ISMSes and the ISMS program
  • Listen to issues
  • Provide support
  • Share knowledge
  • Transmit your message
• Promote & develop regional champions
(Figure: the ISMS coaches between the CISO and the local ISMSes)
Slide 24: Agile Industrialization
• Distinguish Unique from Generic
• Pursue the equilibrium between undercontrol & overcontrol
• Embrace feedback
• Manage a Central Repository
  • Taxonomies, Templates, Checklists, Tools, etc.
  • A great example: the Control Library
Local divergence: tactical efficiency, field-proven experience, creative, habits / inertia, resistance
Global convergence: strategic efficiency, theoretical, holistic, habits / inertia, resistance
Slide 25: Manage fractal dimensions with levels
• Controls
  • Asset Level Controls
  • Managerial Level Controls
  • Program Level Controls
• Risks
  • Local Risks
  • Intermediary Risks
  • Global Risks
• Applications, Policies, etc.
Slide 26: A centralized technological platform
• Flexible!
• Fine-grained access controls
• Make it easy to link objects
• Wide functional scope
  • Business Entities
  • Processes
  • Risks
  • Controls
  • Incidents
  • Policies
  • Assets (of any kind)
  • ISMS-specific features, e.g. SoA
  • Metrics & KxIs
  • Documents (ISMS Management Reviews, etc.)
  • Custom Objects
Ref.: OCEG 2016
Slide 28: Where we are now
• A single ISMS process
• 58+ individually certified ISMSes
• Spanning 40+ local IT organizations, plus regional offices, etc.
• 85 countries
• From initial workshop to certification: 12-16 weeks
• External audits from 8 to 4 days
• Multiple ISMS extensions
• Hundreds of metrics that we are just starting to leverage
• Multiple continuous improvement initiatives
Slide 29: What we learned
We all knew it but we rediscovered it:
• STRONG support from top management is vital
• Communication is key
A new discipline: ISMS Program Management
• Emerging best practices
• Agile industrialization
• Embracing feedback
Promising future developments
• Data analytics, etc.
(The CISO:) Any questions?
Slide 30: Thank You
David DORET
GRC Consulting Practice Lead
Mobile: +41 79 726 48 82
Email: [email protected]
Slide 31: Useful Concepts - If we have time…
Slide 32: Program Risk Management Theory
(Figure: three organizational layers, Strategy / Program / Projects, carrying strategic risks, program risks and project risks; risks aggregate upwards across the Program Threshold and the Strategic Threshold, while strategic risk is delegated downwards.)
Slide 33: Risk Routing
• Definition: to transfer pertinent risks to the appropriate level up (Escalation) or down (Delegation) in the organizational layers for desirable mitigation at the right level
• Risk Responses: Avoid / Transfer / Mitigate / Accept
• In practice, this is not a mechanical but a complex decision based on numerous inter-related factors, e.g. expected risk values, treatment capabilities, resource dependencies, expertise, time frame, managerial preferentialism, politics, etc.
• Horizontal Routing: if another program is better positioned to manage it
• Possible overlaps: e.g. managed by the program but outstanding parts delegated, escalated or reported
(Ref.: Rasheed, Shahid, ChangFeng Wang, and Bruno Lucena. “Risk Leveling in Program Environments—A Structured Approach for Program Risk Management.” Sustainability 7, no. 5 (May 13, 2015): 5896–5919. doi:10.3390/su7055896.)
(Figure: Strategy / Program / Projects layers, with risks escalated upwards and delegated downwards.)
Subsidiarity Principle, definition (politics): the principle that a central authority should have a subsidiary function, performing only those tasks which cannot be performed at a more local level.
Ref.: https://en.oxforddictionaries.com/definition/subsidiarity
Slide 34: The Added Value of Risk Assessment
(Figure: risk perception before and after analysis. Starting from the initial risk range with its inherent uncertainty, when uncertainty is too high for the given risk level a tool is chosen from the risk analysis toolbox and applied; its cost buys uncertainty reduction, a residual uncertainty, a corrected risk range & level, deeper understanding and better risk response ideas.)
• Risk assessment methods are numerous but they are just tools: be agnostic!
• Map to Common Scales
• Risk Filtering, definition: qualification for Detailed / Advanced / Comprehensive Analysis at this stage of the process
• Risk Filtering Criteria: nature of risk / uncertainty, process phase, timeframe, available resources, managerial preferences, expected returns, regulatory implications, etc.
Slide 35: Process-based Approach
Ref.: Haufe, Knut, Ricardo Colomo-Palacios, et al. “A Process Framework for Information Security Management.” IJISPM - International Journal of Information Systems and Project Management, no. 4 (2016): 27–47. doi:10.12821/ijispm040402.
Slide 36: What is complexity?
• Non-linear
• Highly sensitive to initial conditions
• Fractal-like
• Feedback
• Cascading effects
• Exhibits emergent behaviors
• IT IS UNPREDICTABLE
To learn more: Santa Fe Institute, Introduction to Complexity (MOOC)
https://www.complexityexplorer.org/courses/74-introduction-to-complexity-spring-2017
Slide 37: Mindset Shift To Embrace Complexity
Change is...
Mechanistic View | Dynamic View
Viewed through traditional classical science philosophy | Viewed through the lens of complexity theory
Treated essentially as mechanistic and linear | Viewed as dynamic, self-organising and non-linear
Dealt with using reductionist methods | Treated from a holistic view point
Disruptive | Normal
Addressed by seeking uniformity | Addressed by embracing diversity
Incremental | Turbulent
An event | Continuous
Calamitous | Full of opportunities and unleashes creativity
Controllable, therefore seek a centralised and hierarchical strategy | Uncontrollable, hence emphasis on networks and not hierarchical
Abnormal | Normal
Precise and objective | Imprecise and vague
Cause & Effect, thus seek correlations | Revolutionary and incremental, hence patterning
Ref.: A Complexity Science Based Approach to Programme Risk Management, Smith, Bower & Aritua, 2008
Slide 38: Program
Formal Definition
• PMI: “A group of related projects managed in a coordinated way to obtain benefits and control not available from managing them individually. Programs may include elements of related work outside of the scope of the discrete projects in the program.”
• Oxford Dictionary: “A set of related measures or activities with a particular long-term aim” (Ref.: https://en.oxforddictionaries.com/definition/programme)
• Program (US) or Programme (UK)
• Some use Programme to designate the organizational structure that manages the program.
A Visual Definition: (figure)
Slide 39: ISMS Definition
INFORMATION SECURITY
Preservation of confidentiality, integrity and availability of information.
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
MANAGEMENT SYSTEM
Set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
Ref.: ISO/IEC 27000:2014(E)
INFORMATION SECURITY MANAGEMENT SYSTEM
Set of interrelated or interacting elements of an organization to establish policies and objectives related to the preservation of the confidentiality, integrity and availability of information and processes to achieve those objectives.
Slide 41: The Kudelski GRC Consulting Practice
Our ambition: to become the reference GRC competence center in Switzerland
• Practice established in 2014
• 4 FTE consultants
• +15 years of work experience
• +20 successful projects
• Domains: OpRisk, BIA, Audit, ISMS, FINMA
Slide 42: 3 Offerings to Enhance Your GRC Program
Training
• OCEG GRC training: OCEG GRC Professional
• RSA Archer training: Admin, Advanced Admin
Advisory: a tailored engagement to improve your GRC program.
• Assess and evaluate your GRC program
• Design a strategy and develop a GRC roadmap
• Improve the efficiency and effectiveness of your GRC processes
Professional Services: automate your GRC program with RSA Archer.
• Implementation: Strategy & Planning, Installation, Use Case Deployment, Custom Quoted Solution, Upgrade
• On-demand Support: Maintenance & configuration, Change management, Knowledge transfer, Documentation, On-demand expertise, General support