Developing an Information Security Program
Transcript of Developing an Information Security Program
2011 National BDPA Technology Conference
Developing an Information Security Program
Shauna Cox
August 3 – 6, 2011
Chicago, IL
Presentation Objectives
• Understand the components of an Information Security Program.
• Understand the internal & external factors that impact Information Security Program development.
• Describe the various approaches used to develop an Information Security Program.
Agenda
I. Need for Information Security Program
II. Program Components
III. Methodologies / Standards
IV. Information Security Program Development Process
V. A Day In The Life
Reality
A Hacker has to be successful once.
A Security Professional must be successful every time.
Why is an Information Security Program Needed?
• Technology & Business Cycle Changes
• Regulatory Requirements
• Potential Security Threats
• Sophistication of Attacks / Attackers
• Strategic Necessity
Technology & Business Cycle Changes
• Decentralization of computing resources
• Accessibility of technology for novices & experts alike
• Technology dependency
• Layers of technology architecture
Regulatory Requirements
• FISMA (Federal Information Security Management Act, 2002)
• HIPAA (Health Insurance Portability and Accountability Act, 1996)
• SOX (Sarbanes-Oxley Act, 2002)
• Computer Security Act (1987; superseded by FISMA)
• U.S. Privacy Act (1974)
Potential Threats
• Terrorism / Cyber-Terrorism
• Uninformed Users (Social Engineering)
• Disgruntled Users / Employees
• Intentional Hackers
Sophistication of Attacks
• Availability of Technology
• Greater Modes of Organization (e.g., social networking)
• Enhanced Technical Skills
• Easier to Maintain Anonymity
• Potentially Lucrative (e.g., organized criminals)
Strategic Necessity
• Competitive Survival & Advantage
• Business / Technology Alignment
Myth
Information Security Policy =
Information Security Program
Information Security Principles
People, Places & Things
• Roles & Responsibilities
• Scope of Authority
• Tools & Techniques
Roles & Responsibilities
• Information Security Function
• Executive Management
• Organizational (Line) Management
• Users
Information Security Function
• Develop, maintain & help enforce information security policies, procedures and controls.
• Oversee the deployment and integration of security solutions.
• Serve as an advisor on IT security-related issues.
Executive Management
• Provide the strategic vision for an information security program.
• Approve strategic goals and ensure information security is integrated into management processes.
• Ensure enterprise compliance with applicable regulatory directives.
Organizational (Line) Management
• Ensure compliance & help facilitate awareness of organizational information security policies & procedures.
• Enforce rules for appropriate use and protection of organization’s systems.
• Ensure proper segregation of duties in operational areas.
• Follow appropriate procedures and provide first-line authorization for system access.
Users
• Adhere to organizational policies and procedures.
• Protect individual user accounts and passwords used to access systems.
• Report known or suspected IT security breaches to appropriate personnel.
• Treat all information with the sensitivity necessary in accordance with applicable information classification systems.
Scope of Authority & Need
Tools & Techniques
• Standards
• Security Monitoring Tools
• Organizational Process Assets (policies, procedures, etc.)
Information Security Program Components
• Executive Commitment
• Policies & Procedures
• Monitoring Processes / Metrics
• Governance Structure
• Awareness Training
Executive Commitment
• Executives must understand the strategic impact of information security.
• Executive management articulates the priority of information security in word & in deed.
• The information security function must have a degree of independence: it should report at a level that lets it challenge the operations it oversees, rather than to the managers whose systems it assesses.
Policies & Procedures
• Acceptable Use
• Incident Handling
• Security Violations
• Identity Management
• Physical Security
Metrics
• Financial
• Application-based
• Incident Management
• Change Management
• Vulnerability Management
Governance Structure
Governance: “…a set of responsibilities & practices exercised by the Board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly”.
Source: IT Governance Institute (Board Briefing on IT Governance, 2nd Edition)
Awareness Training
Who?
How?
Methodologies / Standards
• ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007), developed by ISO/IEC; the 2000 edition is organized into the 10 domains listed on the next slide (the 2005 edition added an 11th, Information Security Incident Management)
• COBIT, developed by ISACA and the IT Governance Institute, built to align with the COSO internal-control framework
ISO 17799 Domains
• Information Security Policy
• Information Security Infrastructure
• Asset Classification & Control
• Personnel Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• System Development & Maintenance
• Business Continuity Management
• Compliance
Program Development Process
Program Development Process
• Plan & Organize
• Implement
• Operate & Maintain
• Monitor & Evaluate
Source: CISSP All-in-One Exam Guide, 4th Edition, by Shon Harris
Plan & Organize
• Establish commitment & oversight
• Conduct risk assessment
• Develop security architecture
• Identify solutions
Implement
• Assign roles & responsibilities
• Develop & implement policies, procedures, etc.
• Implement security blueprints
• Implement security solutions
• Develop audit & monitoring mechanisms
• Establish SLAs
Operate & Maintain
• Ensure baselines are met based on blueprints
• Conduct audits
• Manage SLAs
Monitor & Evaluate
• Review logs, audit results, metrics
• Assess goal accomplishments
• Evaluate via governance structure
A Day in the Life
Conduct Self-Assessments
Respond to Audits
Train & Educate
Provide Expertise
Monitor Systems
Manage Projects
Track Compliance
Gauge SLA Adherence
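The Metrics slide (Vulnerability Management) and the "Manage SLAs" / "Gauge SLA Adherence" items above describe numbers a program computes from its own ticket data rather than states as policy. What follows is an added Python example, not code from the presentation or its author: it computes per-severity SLA adherence, mean time to remediate, and an overdue list from a handful of constructed finding records. The remediation windows in `SLA_DAYS`, the sample findings, and the reporting date `AS_OF` are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation windows in days per severity. These are illustrative
# values chosen for this example, not figures from the presentation; a real
# program sets them in policy and reviews them through its governance structure.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None means the finding is still open


# Constructed sample records standing in for a vulnerability-tracker export.
AS_OF = date(2011, 7, 1)
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-001", "critical", date(2011, 6, 1), date(2011, 6, 5)),   # closed in 4 days
    Finding("F-002", "critical", date(2011, 6, 3), date(2011, 6, 20)),  # closed in 17 days
    Finding("F-003", "high", date(2011, 6, 10), date(2011, 7, 1)),      # closed in 21 days
    Finding("F-004", "high", date(2011, 5, 1)),                         # still open, 61 days old
    Finding("F-005", "medium", date(2011, 6, 15)),                      # still open, 16 days old
]


def age_days(finding: Finding, as_of: date) -> int:
    """Days from opening to closure, or to the reporting date if still open."""
    end = finding.closed if finding.closed is not None else as_of
    return (end - finding.opened).days


def within_sla(finding: Finding, as_of: date) -> bool:
    """An open finding counts against the SLA as soon as its window has elapsed,
    so adherence cannot be improved by simply leaving tickets open."""
    return age_days(finding, as_of) <= SLA_DAYS[finding.severity]


def sla_adherence(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Percentage of findings per severity that are (or were) remediated within SLA."""
    met: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for f in findings:
        total[f.severity] = total.get(f.severity, 0) + 1
        if within_sla(f, as_of):
            met[f.severity] = met.get(f.severity, 0) + 1
    return {sev: round(100.0 * met.get(sev, 0) / n, 1) for sev, n in total.items()}


def mean_time_to_remediate(findings: List[Finding]) -> Dict[str, float]:
    """Mean days to closure per severity, over closed findings only: counting an
    open finding's current age would understate its eventual remediation time."""
    ages: Dict[str, List[int]] = {}
    for f in findings:
        if f.closed is not None:
            ages.setdefault(f.severity, []).append((f.closed - f.opened).days)
    return {sev: round(sum(v) / len(v), 1) for sev, v in ages.items()}


def overdue(findings: List[Finding], as_of: date) -> List[str]:
    """IDs of findings that are still open and already past their SLA window."""
    return [f.finding_id for f in findings
            if f.closed is None and not within_sla(f, as_of)]


if __name__ == "__main__":
    print("SLA adherence (%):", sla_adherence(SAMPLE_FINDINGS, AS_OF))
    print("Mean time to remediate (days):", mean_time_to_remediate(SAMPLE_FINDINGS))
    print("Overdue:", overdue(SAMPLE_FINDINGS, AS_OF))
```

Two design choices matter for the numbers the governance structure sees: an open finding is scored as a breach once its window has passed (so "50% of critical findings within SLA" cannot be nudged upward by leaving F-002 unclosed), and mean time to remediate is computed only over closed findings, with the overdue list carrying the open ones separately.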
Game Changers
• Cloud Computing
• Mobile Computing
• Social Networking
Resources
• NIST
• (ISC)²
• ISACA
• SANS Institute
Questions