Robert Fullagar CISSP CISM CRISC Clas CEH “Security is everyone’s responsibility”
Security Programme Structure and Methodology
Contents
• People Structure
  – Key positions
  – Roles of individuals
• Methodology/Approach
  – Deliverables
People
• Senior Manager/Board Member
• Senior Security SME
• Business Representatives (several; the chart shows four)
• Programme Manager
• Project Managers
• Delivery Teams
• External Resource
• Security SME
Delivery Team Structure
• Security SME
• Programme Manager
• Project Manager
• Infrastructure Lead
• External Resource
• Do’ers

Other People
• Security Architects
• Technical Architects
• Legal Specialist
• PMO Support
• Procurement
• HR
• Etc
Roles – Senior Manager/Board Member
• Influencer
• Has a vested interest in improving security
• Can keep the momentum going
• Able to procure budget
Roles – Business Representatives
• Set/agree scope for the business area
• Set priority based on risk for the business area
• Monitor progress
• They are decision makers
Roles – Senior Security SME, Programme Manager, Project Managers
• Action the decisions of the business representatives
• Translate the business and technical requirements
• Bring resource and structure to deliver the scope
• Provide budgetary figures to the programme board
• Select and evaluate solutions
Roles – Delivery Teams, External Resource, Security SME
• These are the do’ers, the engine room
• The detail people; they bring to bear that detailed, specific knowledge
• They do the actual work, hands-on work
• They help make the project board’s scope a reality
Initiator
• Legislative
• Contractual
• External standards
• Business driver or direction
• Infrastructure replacement project
• Consolidate security in finished project
• Because it’s “Best Practice”
What happens when
• Phase 0 – Discovery: 6-18 months
  – Eye on Phase 1 scope and long term strategy
  – Risk Assessment provides input to Phase 1
• Phase 1 – Foundation: 18 months – 2 years
  – Define long term strategy
  – Deliver Phase 1 scope
• Phase 2 – Leverage: 2-5 years +
  – Deliver Phase 2 scope
• BAU Security Cycle
Board Deliverables (Senior Manager/Board Member, Business Representatives)
• Phase 0 – Scope
  – Business area
  – Drivers – why
  – Financial commitment
  – Time and resource commitment
  – Draft strategy

Programme Deliverables (Senior Security SME, Programme Manager, Project Managers, Delivery Teams, External Resource, Security SME)
• Phase 0 – Plan
  – Resource and tasks
  – Budget +/- 100%
  – Approach
  – Quick wins (minimal cost)
  – Risk Assessment
Board Deliverables (Senior Manager/Board Member, Business Representatives)
• Phase 1
  – Prioritise the items from the risk assessment
  – Financial support
  – Allocate and commit resource
  – Long term strategy

Programme Deliverables (Senior Security SME, Programme Manager, Project Managers, Delivery Teams, External Resource, Security SME)
• Phase 1
  – Risk assessment
  – Proposals to remediate
  – Accurate costs
  – Plan, time and resource
  – Deliver agreed scope
Summary
• Board – Phase 0: Business driver, Vision, Initial budget, Commitment
• Programme – Phase 0: Plan, Budget, Approach, Quick wins
• Board summary – Phase 1: GO
• Programme – Phase 1: Risk assessment, Remediation actions, Budget to remediate, Outline plan
• Board – Phase 1: Prioritise risks, Financial support, Commitment, Agree plans
• Board summary – Phase 1: Long term strategy
• BAU Security: Plan – Do – Check – Act
Thank You
Questions