ISMS2 - Security Interest Group Switzerland
CONFIDENTIAL ©2017 KUDELSKI GROUP / All rights reserved.

ISMS: How to Manage Complex ISMS Programs

The Context

• Client need:
  • 60+ ISMSes across
  • ISO 27001 Certified
  • 18 months
• An ISMS, by itself, is a complex challenge
• How do we scale that up?
• So let’s have a look at how we did it…
  • Recap on single ISMSes challenges
  • Overview of ISMS program challenges
  • Emerging ISMS program best practices
  • Then Q&A and complementary concepts if we have time

Single ISMS Challenges

A Short Recap


Why an ISMS?

Ref.: ISO 27001 Governance Report 2016 by IT Governance


ISMS

Hi, I’m Joe, the CISO. I’m responsible to implement and manage the ISMS.

Managed by… (Ref.: ISO 27001 Governance Report 2016 by IT Governance)
• Others: 47%
• IT Mgr: 19%
• CISO: 18%
• FTE: 16%

(Figure labels: CISO, SME)

Context

(Figure: stakeholder map around the CISO, whose ISMS covers Products & Services, Processes and Systems)

• Governing Body: Top Management (CEO, COO, CFO, CIO, CCO, CRO, DPO, Legal), Shareholders, Board
• External Stakeholders: 3rd Parties, Vendors, Suppliers, Clients, Business Partners
• Internal Stakeholders: Risk Owners, Internal Reviewers, Security Organization, Control Owners, IT, Asset Owners, Employees, Executives
• External Authorities: Government, Independent Auditor, Standards

Stakeholders Needs

(Figure: the same stakeholder map as the Context slide, with the CISO at the center covering Products & Services, Processes and Systems)

• Governing Body: Top Management (CEO, COO, CFO, CIO, CCO, CRO, DPO, Legal), Shareholders, Board
• External Stakeholders: 3rd Parties, Vendors, Suppliers, Clients, Business Partners
• Internal Stakeholders: Risk Owners, Internal Reviewers, Security Organization, Control Owners, IT, Asset Owners, Employees, Executives
• External Authorities: Government, Independent Auditor, Standards

Speech bubbles around the CISO:
• Protect our brand / goodwill
• Fix this
• Comply with that
• Lower costs
• Comply with law
• Leave me alone
• Implement my new strategy
• Restructure with my new org chart
• Lower your prices
• Buy my products & services
• Comply with your SLAs and contracts
• Don’t overload me
• I have different priorities
• Firefighting
• I don’t want to be held accountable for that
• I’m not responsible for this
• Buy me the latest cool techno

Challenges

(Figure: CISO challenges; Ref.: ISO 27001 Governance Report 2016 by IT Governance)

Implementation

(Figure: CISO; ISO 27001 implementation timeline of 6-12 months, ending in a certificate labelled “ISO 27001 ACME 2017”)

Management

(Figure: pressures acting on the CISO)
• New Strategy
• Reorgs
• Technological Obsolescence
• Turnover
• Market Disruption
• Technological Disruption

ISMS Program Challenges


ISMS Program

Hi, this is Joe, again. I’ve been promoted to manage a global ISMS program.

Entities Heterogeneity

• Multiple Sizes
• Multiple Natures
  • Headquarters
  • Regional Management
  • Competency Centers
  • Manufactures
  • Sales Representations
  • IT Services Organizations
  • Data Centers
• Multiple Relationships & Dependencies

Integration Dimension

• Acquisitions
• Divestments
• Joint Ventures / Partnerships
• Varying Degrees of Finances / Processes / Policies / IT / etc. Integration
  • Autonomous Entities
  • Partially Integrated Entities
  • Fully Integrated Entities
• Time evolution of the above
• Impacts authority and leadership style

Cultural Diversity

• Values & Attitude
• Ethics
• Notions of Modesty
• Courtesy
• Communication Styles
• Taboos
• Languages
• Religion / Beliefs
• Education
• Management Styles
• Work Customs
• Social Organization
• Notions of Time

Geopolitical Dimension

• Government stability
• Rule of law
• Laws diversity (e.g. labour code)
• Disasters
• Conflicts / wars / terrorism
• Embargos

Key takeaway: in global operations, there is always a severe catastrophe going on

InfoSec Maturity Dimension (or InfoSec Capability Dimension)

(Figure: entities spread along a maturity axis, from Chaotic entities through Flock entities to Advanced entities)

HINTS:
• A majority of stakeholders simply don’t want to become best-in-class
• It would be economically unwise to bring all entities to an advanced maturity stage
• Low maturity is not bad, low maturity coupled with high inherent risk is bad
• Think in terms of optimization and overall risk efficiency

First Conclusions

• Dramatic increase in complexity
  • E.g. cloud, 3rd party mgmt, etc.
• Scaling issues
  • Identities, assets, etc.
• Multi-year time frame
• Individual ISMSes are your tools to regain control and implement the strategy
• To exert influence, necessity to shift from hard power (managerial posture) to soft power (leadership skill)

THE CHALLENGE: Be cost efficient / Be flexible / Preserve what works / Lead rather than manage

Emerging ISMS Program Best Practices

Or How We Pulled It Out!


Think “Program”

Your Value Proposition
• Strategy Execution
• Visibility & Understanding
• Maneuverability
• Efficiency
• Managed Interdependencies

Accept Reality

(Figure: Harry Potter)

• ISMS
• Best-in-class
• Visibility
• Control
• Launching pad for continuous improvement
• Writing a policy has no magical effect
• Document reality, not what we want
• Keep it simple

Staged Approach

• Use gamification, think “journey”, think “levels”
• Design a staged approach
  • Start: identification of a new scope
  • Give early quick wins
  • ISMS readiness assessment
  • Target: ISO 27001 certification
• Monitor the journey with metrics and dashboard
• Remember that not everyone wants to be best-in-class, but nobody wants to be at the end of the pack

(Figure: ISMS Program journey. Entities AB, CD, EF, GH, IJ, KL, MN, OP, QR, ST, UV and XY sit on the levels Identified, Gap Analysis, Onboarded on the GRC Platform and ISO27K1 Certified; the CISO says “You are here, move on!”)

The ISMS Coaches

• A global team of trained ISMS coaches
• Key part of your communication plan
• Establish a continuous dialogue between the local ISMSes and the ISMS program
  • Listen to issues
  • Provide support
  • Share knowledge
  • Transmit your message
• Promote & develop regional champions

Agile Industrialization

• Distinguish Unique from Generic
• Pursue the equilibrium between undercontrol & overcontrol
• Embrace feedback
• Manage a Central Repository
  • Taxonomies, Templates, Checklists, Tools, etc.
  • A great example: the Control Library

LOCAL DIVERGENCE
• Tactical Efficiency
• Field-Proven Experience
• Creative
• Habits / Inertia
• Resistance

GLOBAL CONVERGENCE
• Strategic Efficiency
• Theoretical
• Holistic
• Habits / Inertia
• Resistance

Manage fractal dimensions with levels

• Controls
  • Asset Level Controls
  • Managerial Level Controls
  • Program Level Controls
• Risks
  • Local Risks
  • Intermediary Risks
  • Global Risks
• Applications, Policies, etc., etc.

A centralized technological platform

• Flexible!
• Fine-grained access controls
• Make it easy to link objects
• Wide functional scope
  • Business Entities
  • Processes
  • Risks
  • Controls
  • Incidents
  • Policies
  • Assets (any kind of)
  • ISMS specific features, e.g. SoA
  • Metrics & KxIs
  • Documents (ISMS Management Reviews, etc.)
  • Custom Objects

Ref.: OCEG 2016

Conclusion


Where we are now

• A single ISMS process
• 58+ individually certified ISMSes
• Spanning 40+ local IT organizations, + regional offices, etc.
• 85 countries
• From initial workshop to certification: 12-16 weeks
• External audits from 8 to 4 days
• Multiple ISMS extensions
• Hundreds of metrics that we are just starting to leverage
• Multiple continuous improvement initiatives

What we learned

We all knew it but we rediscovered it:
• STRONG support from top management is vital
• Communication is key

A new discipline: ISMS Program Management
• Emerging best practices
• Agile industrialization
• Embracing feedback

Promising future developments
• Data analytics, etc.

Any question?

Thank You

David DORET
GRC Consulting Practice Lead
Mobile: +41 79 726 48 82
Email: [email protected]

Useful Concepts

If we have time…


Program Risk Management Theory

(Figure: three layers, STRATEGY / PROGRAM / PROJECTS, carrying Strategic Risks, Program Risks and Project Risks respectively. Risks aggregate upwards (Risk Aggregation) and strategic risks are delegated downwards (Strategic Risk Delegation); a Program Threshold separates projects from the program and a Strategic Threshold separates the program from strategy.)

Risk Routing

• Definition: To transfer pertinent risks to the appropriate level up (Escalation) or down (Delegation) in the organizational layers for desirable mitigation at the right level
• Risk Responses: Avoid / Transfer / Mitigate / Accept
• In practice, this is not a mechanical but a complex decision based on numerous inter-related factors, e.g. expected risk values, treatment capabilities, resource dependencies, expertise, time frame, managerial preferentialism, politics, etc.
• Horizontal Routing: If another program is better positioned to manage it
• Possible overlaps: e.g. managed by program but outstanding parts delegated or escalated or reported

(Ref.: Rasheed, Shahid, ChangFeng Wang, and Bruno Lucena. “Risk Leveling in Program Environments—A Structured Approach for Program Risk Management.” Sustainability 7, no. 5 (May 13, 2015): 5896–5919. doi:10.3390/su7055896.)

(Figure: STRATEGY / PROGRAM / PROJECTS layers with ESCALATE and DELEGATE arrows between them)

Subsidiarity Principle, definition (politics): the principle that a central authority should have a subsidiary function, performing only those tasks which cannot be performed at a more local level.
Ref.: https://en.oxforddictionaries.com/definition/subsidiarity
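The two slides above describe routing mechanically only as far as thresholds and aggregation go; the rest is judgement. The following is an added example (not from the talk, nor from the Rasheed et al. paper it cites) that models just the mechanical part: each risk is routed to project, program or strategy by comparing its expected value with the Program Threshold and the Strategic Threshold, horizontal routing wins when another program is better positioned, and what lands at program level is aggregated to decide whether the program as a whole must escalate. The formula expected value = likelihood x impact, the "horizontal routing first" rule, summing as the aggregation, the threshold numbers and the sample portfolio are all assumptions made for the illustration.

```python
"""Risk routing across the PROJECTS / PROGRAM / STRATEGY layers.

Added illustration; not the talk's or the cited paper's method.
Assumptions (not stated on the slides):
  - expected risk value = likelihood x impact
  - routing compares that value with the Program Threshold and the Strategic Threshold
  - horizontal routing (another program is better positioned) takes precedence
  - aggregation at program level = sum of the expected values routed there
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    project: str
    likelihood: float                      # probability in [0, 1]
    impact: float                          # loss if it materialises, arbitrary units (constructed)
    owner_program: str                     # program in which the risk was raised
    better_program: Optional[str] = None   # set when another program is better positioned

    @property
    def expected_value(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Thresholds:
    program: float    # Program Threshold: at or above it, a project risk escalates to the program
    strategic: float  # Strategic Threshold: at or above it, the risk escalates to strategy


def route_risk(risk: Risk, t: Thresholds) -> str:
    """Route one risk: horizontally to a better-positioned program, otherwise
    vertically by expected value ('strategy', 'program' or 'project')."""
    if risk.better_program and risk.better_program != risk.owner_program:
        return f"horizontal:{risk.better_program}"
    ev = risk.expected_value
    if ev >= t.strategic:
        return "strategy"   # escalate past the program, straight to strategy
    if ev >= t.program:
        return "program"    # escalate from the project to the program
    return "project"        # delegate: treated locally, under the threshold


def route_portfolio(risks: List[Risk], t: Thresholds) -> Tuple[Dict[str, List[str]], float, bool]:
    """Route every risk, then aggregate what landed at program level.

    Returns (routing table, program aggregate, escalate_program). The flag is the
    point of aggregation: risks that are each below the Strategic Threshold can
    still exceed it together, in which case the program escalates to strategy.
    """
    table: Dict[str, List[str]] = {}
    for r in risks:
        table.setdefault(route_risk(r, t), []).append(r.name)
    program_aggregate = sum(r.expected_value for r in risks if route_risk(r, t) == "program")
    return table, program_aggregate, program_aggregate >= t.strategic


# Constructed sample portfolio of an ISMS program (names and numbers are made up;
# likelihoods are chosen so the products are exact in floating point).
SAMPLE_RISKS = [
    Risk("Unpatched legacy ERP", "site-A", 0.5, 40, "ISMS"),                # EV 20 -> program
    Risk("Local backup job failing", "site-B", 0.25, 8, "ISMS"),            # EV 2  -> project
    Risk("Key vendor insolvency", "site-C", 0.25, 200, "ISMS"),             # EV 50 -> strategy
    Risk("Phishing-driven credential theft", "site-A", 0.5, 54, "ISMS"),    # EV 27 -> program
    Risk("Datacenter flooding", "site-D", 0.25, 120, "ISMS", "BCM"),        # EV 30 -> BCM program
]
SAMPLE_THRESHOLDS = Thresholds(program=10, strategic=45)


if __name__ == "__main__":
    table, agg, escalate = route_portfolio(SAMPLE_RISKS, SAMPLE_THRESHOLDS)
    for level, names in sorted(table.items()):
        print(f"{level:>16}: {', '.join(names)}")
    print(f"program aggregate = {agg}, escalate program to strategy = {escalate}")
```

With the sample numbers, the two program-level risks (20 and 27) are each below the Strategic Threshold of 45, but their aggregate of 47 is not, so the program escalates; drop the phishing risk and the aggregate falls to 20 and the program handles it alone. That is the effect the Risk Aggregation arrow on the theory slide stands for, and it is also why the slides insist that routing in practice weighs treatment capability, dependencies and politics on top of the numbers.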


The Added Value of Risk Assessment

(Figure: Risk Perception (Before) with an Initial Risk Range and Inherent Uncertainty. When Uncertainty is Too High For the Given Risk Level, Choose a Tool From the Risk Analysis Toolbox and Apply the Risk Analysis Tool; the cost is Deeper Understanding. The result is Risk Perception (After): Uncertainty Reduction, Residual Uncertainty, a Corrected Risk Range & Level and Better Risk Response Ideas.)

• Risk assessment methods are numerous but just tools, be agnostic!
• Map to Common Scales
• Risk Filtering: Definition: Qualification for Detailed / Advanced / Comprehensive Analysis at this stage of the process
• Risk Filtering Criteria: nature of risk / uncertainty, process phase, timeframe, available resources, managerial preferentialism, expected returns, regulatory implications, etc.

Process-based Approach

Ref.: Haufe, Knut, Ricardo Colomo-Palacios, et al. “A Process Framework for Information Security Management.” IJISPM - International Journal of Information Systems and Project Management, no. 4 (2016): 27–47. doi:10.12821/ijispm040402.

What is complexity?

• Non-linear
• Highly sensitive to initial conditions
• Fractal-like
• Feedback
• Cascading effects
• Exhibits emergent behaviors
• IT IS UNPREDICTABLE

(Figure: interconnected nodes A, B, C, D)

To learn more: Santa Fe Institute, Introduction to Complexity (MOOC)
https://www.complexityexplorer.org/courses/74-introduction-to-complexity-spring-2017

Mindset Shift To Embrace Complexity

Change is... (Mechanistic View vs Dynamic View)

Mechanistic View                                                  | Dynamic View
----------------------------------------------------------------- | ------------------------------------------------------------
Viewed through traditional classical science philosophy           | Viewed through lens of complexity theory
Treated essentially as mechanistic and linear                     | Viewed as dynamic, self-organising and non-linear
Dealt with using reductionist methods                             | Treated from a holistic view point
Disruptive                                                        | Normal
Addressed by seeking uniformity                                   | Addressed by embracing diversity
Incremental                                                       | Turbulent
An event                                                          | Continuous
Calamitous                                                        | Full of opportunities and unleashes creativity
Controllable therefore seek centralised and hierarchical strategy | Uncontrollable hence emphasis on networks and not hierarchical
Abnormal                                                          | Normal
Precise and objective                                             | Imprecise and vague
Cause & Effect thus seek correlations                             | Revolutionary and incremental hence patterning

Ref.: A Complexity Science Based Approach to Programme Risk Management, Smith, Bower & Aritua, 2008

Program

Formal Definition
• PMI: “A group of related projects managed in a coordinated way to obtain benefits and control not available from managing them individually. Programs may include elements of related work outside of the scope of the discrete projects in the program.”
• Some use Programme to designate the organizational structure that manages the program.
• Program (US) or Programme (UK)
• Oxford Dictionary: “A set of related measures or activities with a particular long-term aim” Ref.: https://en.oxforddictionaries.com/definition/programme

A Visual Definition (figure)

ISMS Definition

INFORMATION SECURITY
Preservation of confidentiality, integrity and availability of information
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved

MANAGEMENT SYSTEM
Set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

Ref.: ISO/IEC 27000:2014(E)

INFORMATION SECURITY MANAGEMENT SYSTEM
Set of interrelated or interacting elements of an organization to establish policies and objectives related to the preservation of the confidentiality, integrity and availability of information and processes to achieve those objectives.

Who We Are?


Our ambition: to become the reference GRC competence center in Switzerland

THE KUDELSKI GRC CONSULTING PRACTICE
• 2014: Practice established
• 4 FTE Consultants
• +15 years work experience
• +20 successful projects
• Domains: OpRisk, BIA, Audit, ISMS, FINMA

3 OFFERINGS TO ENHANCE YOUR GRC PROGRAM

Training
• OCEG GRC training: OCEG GRC Professional
• RSA ARCHER training: Admin, Advanced Admin

Advisory
A tailored engagement to improve your GRC program.
• Assess and evaluate your GRC program
• Design a strategy and develop a GRC roadmap
• Improve the efficiency and effectiveness of your GRC processes

Professional Services
Automate your GRC program with RSA Archer
• Implementation: Strategy & Planning, Installation, Use Case Deployment, Custom Quoted Solution, Upgrade
• On-demand Support: Maintenance & configuration, Change management, Knowledge transfer, Documentation, On-demand expertise, General support