
CISM Study Notes: Overview of Information Security Governance

Information security is about protecting and enabling our dependence upon data endowed with significant meaning and purpose. IT Security addresses:
- the universe of risk (what risk is, how it applies to the business)
- the benefits of processes and the driving factors behind them
- laws and regulations (HIPAA, SOX etc.)
- governance
Dependence upon IT is escalating, changing the definition of a "Capital Resource".

IT Security - data in storage, data in transit, IP security, IPS, firewall, AV, ACLs.
Information Security Governance - securing the fax area, background checks on staff, making sure paper documents are shredded, CCTV, armed guards, working with law enforcement.
IT Security is a subset of Information Security Governance!

InfoSec Governance criticality increases in proportion to dependence on information. What governance provides:
- Reduced potential for civil or legal liability
- Assurance of policy compliance
- Reduced uncertainty of business operations
- A framework for optimising resource allocation
- A foundation for risk management, incident response and process maximisation
- Improved reputation and relationships

!! 6 Key Results Of InfoSec Governance !!
1. Strategic Alignment - alignment of InfoSec in support of all business/organisation objectives.
2. Risk Management - the ultimate objective: the process of executing the right measures to mitigate risks and reduce any potential impacts on information resources to an acceptable level.
3. Value Delivery - when investments made in security are optimised to support organisational objectives; get maximum output/results for the lowest cost possible.
4. Resource Management - the processes that go into planning, allocating and managing InfoSec resources (people, technology, logical processes, methodologies). Minimal recurring problems. Capturing and spreading knowledge. Standardised processes.
5. Performance Analysis - the process of measuring, reporting and monitoring InfoSec processes. IMPROVEMENT!! You cannot manage what you cannot measure. Need standard metrics.
6. Integration - the process of convergence: converging InfoSec processes with business processes, the practical aspect of alignment.

Senior Management Responsibilities
- Board of Directors / Senior Management - answer to shareholders. Periodically receive high-level results of risk assessments and business impact analysis. Endorse basic security requirements and strategic alignment with business objectives.
- Executive Management - responsible for day-to-day high-level management of processes. Ultimately responsible! Must align with business objectives. Evaluate whether the level of impact is acceptable.
- Steering Committee - specialised knowledge of different areas. Compile reports, do measuring and monitoring. Pervasive throughout the enterprise. Communicate to executive management. Change the overall culture or behaviour of the organisation.
- CISO - reports to executive management.

INFOSEC MANAGER
- In charge of IT security departments
- Handles complex protection of systems, critical data and processes
- Most CISOs report to the CEO, CIO, Board of Directors or speciality officers
- Must have support, buy-in and commitment from senior management
The InfoSec manager should:
- develop/report security strategy input
- make presentations to senior management
- construct teams/committees and develop team leaders
- integrate third parties, vendors and consultants

InfoSec Governance Scope and Charter
Covers information in any medium, whether it is created, stored, destroyed etc. (not only technological).
- Annual InfoSec evaluation (review results with all staff, key employees etc.; report goes to executives)
- Periodic risk assessment (of all information objects)
- Policies and procedures
- Security management structure
- Develop action plans (to ensure adequate cover)
- Integrate into the system life cycle
- Provide awareness training (ensure everyone is properly trained)
- Conduct periodic audits (testing/evaluation of policies and procedures)
- Plan for remedial action (remediate anything found in gap analysis)
- Develop incident response plans
- Continuity of operations procedures (DR - not only for disasters; also for a merger, late project etc.)
- Best practices implementation: ISO 17799 (guidelines for security)

InfoSec Metrics

A metric is a measurement based on a reference. Examples of effective metrics:
- downtime due to DoS or trojan infection
- the number of penetrations from outside through the firewall
- loss of time or data due to a threat or attack, recovery time etc.
- number of vulnerabilities found by pen testing
- how many servers have/have not had security patches applied, etc.

4 Components of Security metrics (NIST 800-55)

1. Result-orientated metrics analysis (metrics must be used for analysis or they are a waste of time)
2. Quantifiable performance metrics
3. Practical security policies and procedures (based on realistic day-to-day processes)
4. Strong upper-level management support
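The notes call for quantifiable, result-orientated metrics (downtime by cause, recovery time, patch coverage) that are then checked against targets. The following Python script is an added example, not part of the original notes, showing how such metrics are computed from asset and incident records and reported against SMART-style targets; all records, hostnames, patch identifiers and target values are constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample asset records (not from any real environment).
# Each host lists the patches it is required to have and those actually applied.
ASSETS = [
    {"host": "web-01", "required": {"KB-1", "KB-2"}, "applied": {"KB-1", "KB-2"}},
    {"host": "web-02", "required": {"KB-1", "KB-2"}, "applied": {"KB-1"}},
    {"host": "db-01",  "required": {"KB-3"},         "applied": set()},
    {"host": "app-01", "required": {"KB-1", "KB-3"}, "applied": {"KB-1", "KB-3"}},
]

# Constructed incident records: cause, when service was lost, when it was restored.
INCIDENTS = [
    {"cause": "dos",    "start": datetime(2024, 3, 1, 10, 0),  "end": datetime(2024, 3, 1, 13, 30)},
    {"cause": "trojan", "start": datetime(2024, 3, 5, 9, 0),   "end": datetime(2024, 3, 5, 10, 0)},
    {"cause": "dos",    "start": datetime(2024, 3, 20, 22, 0), "end": datetime(2024, 3, 21, 0, 30)},
]

# Constructed SMART-style targets: each names one metric (specific), a number
# (measurable) and a reporting period (time-bound).
TARGETS = {
    "patch_coverage":      {"period": "Q1", "at_least": 0.95},
    "dos_downtime_hours":  {"period": "Q1", "at_most": 4.0},
    "mean_recovery_hours": {"period": "Q1", "at_most": 4.0},
}


def patch_coverage(assets):
    """Fraction of hosts with every required patch applied."""
    if not assets:
        return 0.0
    fully_patched = sum(1 for a in assets if a["required"] <= a["applied"])
    return fully_patched / len(assets)


def hosts_missing_patches(assets):
    """Hosts that still lack at least one required patch (the remediation list)."""
    return sorted(a["host"] for a in assets if not a["required"] <= a["applied"])


def downtime_hours(incidents, cause=None):
    """Total hours of lost service, optionally restricted to one cause."""
    total = timedelta()
    for inc in incidents:
        if cause is None or inc["cause"] == cause:
            total += inc["end"] - inc["start"]
    return total.total_seconds() / 3600


def mean_recovery_hours(incidents):
    """Average time from loss of service to restoration."""
    if not incidents:
        return 0.0
    return mean((i["end"] - i["start"]).total_seconds() / 3600 for i in incidents)


def scorecard(assets, incidents, targets=TARGETS):
    """Compare each metric with its target and report whether it was met."""
    values = {
        "patch_coverage": patch_coverage(assets),
        "dos_downtime_hours": downtime_hours(incidents, cause="dos"),
        "mean_recovery_hours": mean_recovery_hours(incidents),
    }
    report = {}
    for name, target in targets.items():
        value = values[name]
        if "at_least" in target:
            met = value >= target["at_least"]
        else:
            met = value <= target["at_most"]
        report[name] = {"value": round(value, 2), "period": target["period"], "met": met}
    return report


if __name__ == "__main__":
    for name, row in scorecard(ASSETS, INCIDENTS).items():
        print(f"{name:22} {row['period']}  value={row['value']:<6} target met: {row['met']}")
    print("hosts needing patches:", hosts_missing_patches(ASSETS))
```

The point of the `scorecard` function is the "result-orientated" component above: a metric only earns its place if it is compared with a target and drives an action, which here is the list of hosts still needing patches.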

KGI & KPI
- Key Goal Indicator (macro)
- Key Performance Indicator (micro)
!! Usually done with a balanced scorecard !!

SMART - Specific, Measurable, Achievable, Repeatable, Time-bound

InfoSec Strategy
- Goals and Objectives
- Strategy Defined
- InfoSec Strategy development model
- Developing the Strategy
