- Information Security Strategy Template May 2015 1.


  • Slide 1
  • Information Security Strategy Template, May 2015
  • Slide 2
  • Outline
    - Why develop a security strategy
    - Business drivers
    - Information Security Ecosystem
    - Organization of Information Security
    - Incident Summary
    - Current Priorities
    - Risk Landscape
    - Investment Roadmap
    - Next Steps
  • Slide 3
  • Why Develop a Security Strategy?
    - Work we must do: baseline protection
    - Should do: proactive management
    - Could do: new business drivers
    - Purpose: help determine acceptable levels of risk and how much investment is needed.
    - Outcomes: manage compliant-ready services; legally defensible security; risk-based decisions to achieve business goals
  • Slide 4
  • Vision, Mission and Top Business Drivers
    - Vision (sample): Information Technology risks are identified, understood, and managed to an acceptable level across the Enterprise. Business units have the tools, resources, and expertise to make optimal decisions for business success.
    - Mission: Develop and measure IT security standards while enabling business autonomy and agility. Deliver value through identification of threats, assessment of risk, expert consulting, and providing foundational security services to prevent, detect, and respond to disruptions.
    - Top business drivers and the IT risks associated with them:
      Brand: earn and maintain customer trust; online presence with content integrity and availability
      Competitive Advantage: protect sensitive information to continue growth in established markets, enable global expansion
      Compliance: identify and efficiently manage regulations
      Customer & Employee Privacy: protect customer and employee data from theft or disclosure
  • Slide 5
  • How We Think About IT Security (ecosystem view)
    Defining an IT Security ecosystem helps organize security risks across the Business.
    - Data: data is classified, known, and protected throughout its lifecycle
    - Workforce: workforce is trained and empowered to protect data
    - Applications: applications are developed and managed securely
    - Devices: a diverse collection of devices configured and managed for security
    - Networks: networks are available, monitored, and resilient
    - Physical: facilities are safe and accessible
  • Slide 6
  • How We Think About IT Security (NIST CSF view)
    Defining an IT Security framework helps organize security risks across the Enterprise (shown per Corporate and Business Segment).
    - Identify: Asset Management, Governance, Risk Management
    - Protect: Access Control, Training, Data Protection, Maintenance, Protective Technology
    - Detect: Anomalies, Event Monitoring, Detection Processes
    - Respond: Planning, Communications, Analysis, Mitigation, Improvements
    - Recover: Recovery Planning, Improvements, Communications
  • Slide 7
  • Organization of Information Security
    Purpose: show ownership across security services.
    - Legend: Ready; Resourced, not complete; Investment Required
    - Owning groups: Information Security; Information Technology; Compliance; Business Units; Operations; Unknown
    - Analyst & operational responsibilities: Risk Assessment, Disaster Recovery, Security Policy, Security Awareness, Audit Mngt., Firewall/IDS Mngt., Access Mngt., User Provisioning, Remote Access, Event Monitoring, Incident Response, Data Loss Prevention, Sys. Implementation, System Updates, Technical Standards, Change Mngt., Capacity Mngt., Data Inventory, Vendor Mngt., Mobile Mngt., H/W, S/W Inventory, Security Architecture, Security Engineering, Vulnerability Mngt., Mngt. & Reporting, Tier 1 Investigation, Data Encryption, Secure Programming, Audit Oversight, Purchasing, Internal Consulting, Data Analytics, Compliance, Application Mngt., Business Continuity
  • Slide 8
  • Incident Summary: significant incident summaries
  • Slide 9
  • Security Visibility & Posture (Example)
    - Service objective: foster and support an appropriate security posture aligned with business goals
    - Monitor control effectiveness & visibility; develop baseline standards where needed
    - Control Visibility key: Full; Partial; No/Limited; ?
    - Control Posture key: Meet Standards; Short Term Gaps; Long Term Gaps; No Standard Defined
    - Can use ecosystem elements
  • Slide 10
  • Current State Summary
    - Wins
    - Need help
    - Progress
    - Challenges
    - Next Steps
  • Slide 11
  • Risks Grouped By Business Driver (example)
    - Protect Brand: focus on Incident Response, Device Support & Vulnerabilities; impact estimates: loss of service or data affecting patient adoption & retention; 6 high risks
    - Privacy: focus on Malware & Unencrypted Data
    - Enable Business: meet partner requirements; strengthen remote authentication
    - Compliance: 7 risks across foundational controls
    (Heat map residue: two axes scaled 3 to 10, zones Accept / Evaluate / Act, series Compliance, Protect Brand, Privacy, Enable Business.)
  • Slide 12
  • Current Risk Landscape
    - Risks Needing Decision (Count: xx): foundational controls missing or partially implemented
    - Mitigation In Progress (Count: x): key risks are managing vulnerabilities, backup-restore, upgrade software
    - Mitigated (Count: x): vendor managed, assessed and managed
    - Risks plotted: Shared ID's, Backup-restore, Unencrypted Data, No 2-Factor, Sanction Policy, DoS, Media destruction, Terminated Users, Data inventory, Password Policies, Validate Access, Wireless controls, Vuln. mngt., Business continuity, Incident Response, Risk management, Vendor Compromise, Background checks, Appropriate access, Partner Requirements, Attack Chain: malware, Obsolete Software, Phishing victims, Device Malware/Abuse
    (Heat map residue: two axes scaled 3 to 10; legend Active / In Progress / Mitigated.)
  • Slide 13
  • IT Security Performance: measuring xx performance indicators across Business Units
  • Slide 14
  • NIST Cyber Security Framework: Identify, Protect, Detect, Respond, Recover
    - Each step required
    - Detect and Respond provide immediate value when prevention is not mature
    - Reduce impact of breaches
    - Prevention takes time, and even then is not 100%
  • Slide 15
  • Security Roadmap Funding Priorities
    - Investment priorities evaluated by: Risk Priority; Business Support; IT Capacity; Cost (internal labor & Op. Ex.)
    - Top Priorities, Funding Approval Request (blue icons): Incident Response Plan; Mature Vulnerability Mngt.; Device Malware Management; IT Risk Management; Update Security Policy
    - Next Priorities: Back-up Restore; Remote 2-Factor; Replace Obsolete Systems; Access Mngt. (terminated users)
    (Chart residue: one axis 0 to 100, one axis $0 to $100; plotted items: Unique IDs, Plan Backup-Restore, Encrypt Data at rest, Business Impact Analysis, Sanction Policy, Mature Vuln. Mngt, Anti-DoS, Update Policy, Media Destruction, Access Management, Inventory Data, Replace Obsolete Software, Strengthen Wireless, Plan Incident Response Proposal, Plan IT Risk Mngt., Remote Access: 2-Factor, Background Checks, Plan Anti-phishing program, Device Standards/Mngt.)
  • Slide 16
  • Next Steps
    - Execute current commitments
    - Formalize Organization of Information Security
    - Fund priority investment requests
    - Complete 3 year roadmap during FYxx planning
  • Slide 17
  • Additional Content: Appendix (additional stories)
  • Slide 18
  • Security Roadmap Template
    - Columns: Priority; Initiative; quarters Q1 to Q4 for FY15, FY16 and FY17
    - Legend: Current Focus; FY16 Investments; FY17 Investments; Project; Sustained Process; Transition Planning
  • Slide 19
  • Primary Services: Current State
    - Columns: Service; Maturity; Capacity; Org. Alignment
    - Primary Service 1 (from previous slide): select a light and/or short description (see notes); select a light or short description
    - Primary Service 2
    - Optional: show process maturity, capacity, or org. alignment visuals
  • Slide 20
  • Risk By Business Driver (Group | Title | Score)
    - Protect Brand | Backup-restore | 68
    - Protect Brand | Denial of Service | 45
    - Protect Brand | Terminated Users | 68
    - Protect Brand | Vuln. mngt. | 85
    - Protect Brand | Business continuity | 38
    - Protect Brand | Incident Response | 78
    - Protect Brand | Attack Chain: malware | 65
    - Protect Brand | Obsolete Software | 73
    - Protect Brand | Phishing victims | 55
    - Privacy | Unencrypted Data | 71
    - Privacy | Media destruction | 41
    - Privacy | Data inventory | 48
    - Privacy | inventory | 59
    - Privacy | Appropriate access | 35
    - Privacy | Device Malware/Abuse | 64
    - Enable Business | No 2-Factor | 64
    - Enable Business | Partner Requirements | 59
    - Compliance | Shared ID's | 35
    - Compliance | Sanction Policy | 36
    - Compliance | Password Policies | 42
    - Compliance | Validate Access | 37
    - Compliance | Wireless controls | 41
    - Compliance | Risk management | 55
    - Compliance | Background checks | 35
    (Heat map residue: two axes scaled 3 to 10, zones Accept / Evaluate / Act, series Compliance, Protect Brand, Privacy, Enable Business.)
  • Slide 21
  • Data Related Threats
    - Regulatory Costs: fines associated with accidental loss or theft of data; initiated by report or complaint to the Office of Civil Rights (OCR)
    - Criminal Organizations: data theft and discovery; complaint from OCR, Health & Human Services (HHS), or patient
    - OCR Fines, Audit, and Remediation Costs: required annual compliance program and audit regardless of breach volume; subjective fine determination based on knowledge of loss, control awareness, and effectiveness (see notes for references); fines range from $2 to $5,208 per record; avg. fine $255 per record
    - Examples: Wellpoint: inadequate general controls, loss of 612,402 records, $1.7M fine. North Idaho Hospice: unsecured Data,
  • Slide 23
  • Calibrated Risk Scale Definitions
    Impact (Value | Direct Costs | Indirect Costs | Examples):
    - 10 | Revenue: missed targets of $xxx,xxx; Regulatory: fines & audits of... | Competitive: differentiator of...; Goodwill: customer departure of... | Focus: Mitigate Risk, e.g. material loss estimated above $xx,xxx,xxx.
    - 6 | Revenue: limited to department... | Regs: increased scrutiny...; Goodwill: customer churn of 5-10%... | Focus: Owner Judgment, e.g. business considerations.
    Frequency (Value | Description | ARO Guide | Examples):
    - 10 | Strong evidence of imminent realization, precedent exists, reliable intelligence. | > 1 annually, see risk details for estimates | Known control weaknesses of..., confirmed agent...
    - 6 | Difficult to exploit without internal... | Realized once in 4 years... | Private system, agent unconfirmed
  • Slide 24
  • Strategy Communication
    Mission success requires stakeholder awareness, support, & participation.
    (Stakeholder | Communication | Means | Frequency)
    - Board of Directors | State & Compliance Summary | BoD Summary | Semi-Annual
    - Executive Team | State, Compliance, & Initiative Summary | Executive Summary; Metric Summary | Quarterly
    - Business Lines | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Semi-Annual
    - IT | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Monthly
    - Employees/Customers | Awareness Training & Measurement | Awareness Training; User Intranet; Engagement Portal | Semi-Annual
  • Slide 25
  • Key Performance Indicators (reference Master Metrics List; starter set below)
    - Areas: Security Incidents; Access Management; Device Security; Application Security; IT/Biz Project Support; Security Program
    - No. critical & emergency incidents
    - No. of moderate incidents
    - % accounts de-provisioned within standard
    - % of production servers compliant to minimum standards
    - % apps with security assessment completed
    - # Critical vulns in production
    - # Long-term engagements
    - # Medium & short term engagements
    - # of unplanned, short projects
    - % security initiatives completed on time
  • Slide 26
  • Complete Risk Statements
    Risk is decomposed into Impact and Frequency:
    - Impact
      Direct: Regulatory; Recovery; Revenue
      Indirect: Goodwill; Scrutiny; Competitive
      Corrective Capability
    - Frequency
      Vuln. Attributes: Complexity; Vector; Access; Availability
      Control Effectiveness: Roles; Awareness; Tools; Policy & Process; Detect/Deter
      Agent: Capability; Motivation; Occurrence
  • Slide 27
  • Align Controls To Agent Impacts
    - Horizontal axis, agents by motive, skill & perseverance (1 to 5): Script Kiddie; Hacktivists; Malicious Insider; Criminals; Advanced Adversary for IP
    - Vertical axis, controls by spending & process maturity: Basic AAA; Basic SDL; Vuln Scans; Device Mngt.; Fraud Detection; Advanced AAA; Advanced SDL; IRM; Full Packet Capture Analysis; Custom Malware Detection; Response & Forensics Expertise; Adv. Awareness Edu.; DoS
  • Slide 28
  • Executive Discussion Example (unsorted)
    (Question | Answer (in strategy deck) | Balanced Score Card Category | High Level Measurements)
    - Has anything bad happened? | # High incidents; # Medium incidents; # Near misses | Financial | # High incidents; # Medium incidents; # Near misses
    - What are the top risks? | Top risk estimates, e.g. Heat Map | Financial | % risks with treatment decisions; % unacceptable risks under mitigation; +/- % Annual budget
    - What are we doing about them? | Funded initiatives; Future initiatives | Learning & Growth | +/- % Initiative budget (amount); $ estimate future initiatives
    - Are we improving internally? | Target process maturity | Learning & Growth | % Processes at target maturity; +/- # Process improvement initiatives (count)
    - How are we helping the business? | Strategy alignment; Training; Consulting | Customer | % business strategies aligned with Security; % training objectives met; # business & IT consulting projects
    - Is our environment resilient? | Control metrics | Internal Business | % key controls with metrics; % metrics at/above target
    - Are we compliant? | Passed last year; Overdue findings; Repeat findings | Internal Business | # overdue findings; # repeat findings
    - Are we efficient? | Initiatives on time & budget | Internal Business | Budget to Forecast variance; % Initiatives completed on time & budget
  • Slide 29
  • Balanced Security Scorecard (Example)
    - Financial
      Risks: % risks with treatment decisions; % unacceptable risks under mitigation; +/- % Annual budget
      Incidents: # High incidents; # Medium incidents; # Near misses
    - Internal Business
      Resiliency: % Key controls with metrics; % Metrics at/above target
      Compliance: # Overdue findings; # Repeat findings
      Efficiency: Budget to forecast variance; % Initiatives completed on time & Budget
    - Learning & Growth
      $ Initiative budget (+/- last year); # process improvement initiatives (+/- last year); $ Estimate future initiatives; % Processes at target maturity
    - Customer
      % Business strategies aligned with Security Services; % Training objectives met; # Business & IT consulting projects (+/- % budgeted)