Information Security Strategy Template, May 2015
Slide 2
Outline
- Why develop a security strategy
- Business drivers
- Information Security Ecosystem
- Organization of Information Security
- Incident Summary
- Current Priorities
- Risk Landscape
- Investment Roadmap
- Next Steps
Slide 3
Why Develop a Security Strategy?
Work we must do, should do, and could do:
- Must do: baseline protection
- Should do: proactive management
- Could do: new business drivers
A strategy helps determine acceptable levels of risk and how much investment is needed. Outcomes:
- Manage compliant-ready services
- Legally defensible security
- Risk-based decisions to achieve business goals
Slide 4
Vision (sample)
Information Technology risks are identified, understood, and managed to an acceptable level across the Enterprise. Business units have the tools, resources, and expertise to make optimal decisions for business success.

Mission
Develop and measure IT security standards while enabling business autonomy and agility. Deliver value through identification of threats, assessment of risk, expert consulting, and providing foundational security services to prevent, detect, and respond to disruptions.

Top Business Drivers (business drivers associated with IT risks)
- Brand: earn and maintain customer trust; online presence with content integrity and availability
- Competitive Advantage: protect sensitive information to continue growth in established markets and enable global expansion
- Compliance: identify and efficiently manage regulations
- Customer & Employee Privacy: protect customer and employee data from theft or disclosure
Slide 5
How We Think About IT Security
Defining an IT Security ecosystem helps organize security risks across the Business. Ecosystem elements:
- Data is classified, known, & protected throughout its lifecycle
- Applications are developed and managed securely
- Devices: a diverse collection of devices configured and managed for security
- Networks are available, monitored, and resilient
- Physical: facilities are safe and accessible
- Workforce is trained and empowered to protect data
Slide 6
How We Think About IT Security (alt., NIST CSF view)
Defining an IT Security framework helps organize security risks across the Enterprise, viewed per Corporate and Business Segment. NIST CSF functions and categories:
- Identify: Asset Management, Governance, Risk Management
- Protect: Access Control, Training, Data Protection, Maintenance, Protective Technology
- Detect: Anomalies, Event Monitoring, Detection Processes
- Respond: Planning, Communications, Analysis, Mitigation, Improvements
- Recover: Recovery Planning, Improvements, Communications
Slide 7
Organization of Information Security
Purpose: show ownership of each security service across Information Security, Information Technology, Business Units, and Operations (or unknown owner). Rows separate Analyst & Operational Responsibilities from Mngt. & Reporting.
Legend (service status): Compliance Ready / Resourced, not complete / Investment Required
Services shown: Risk Assessment, Disaster Recovery, Security Policy, Security Awareness, Audit Mngt., Firewall/IDS Mngt., Access Mngt., User Provisioning, Remote Access, Event Monitoring, Incident Response, Data Loss Prevention, Sys. Implementation, System Updates, Technical Standards, Change Mngt., Capacity Mngt., Data Inventory, Vendor Mngt., Mobile Mngt., H/W and S/W Inventory, Security Architecture, Security Engineering, Vulnerability Mngt., Tier 1 Investigation, Data Encryption, Secure Programming, Audit Oversight, Purchasing, Internal Consulting, Data Analytics, Compliance, Application Mngt., Business Continuity
Slide 8
Incident Summary
Significant incident summaries (placeholder)
Slide 9
Security Visibility & Posture (Example)
Service objective: foster and support an appropriate security posture aligned with business goals; monitor control effectiveness & visibility; develop baseline standards where needed.
Control Visibility key: Full / Partial / No or Limited / ? (unknown)
Control Posture key: Meet Standards / Short Term Gaps / Long Term Gaps / No Standard Defined
Rows can use the ecosystem elements (Data, Workforce, Applications, Devices, Networks, Physical).
Slide 10
Current State Summary
- Wins
- Need help
- Progress
- Challenges
- Next Steps
Slide 11
Risks Grouped By Business Driver (example)
Heat map: impact and frequency scales 3-10 with Accept / Evaluate / Act zones; risks colored by driver (Compliance, Protect Brand, Privacy, Enable Business).
- Protect Brand: focus on Incident Response, Device Support & Vulnerabilities. Impact estimates: loss of service or data affecting patient adoption & retention. 6 high risks.
- Privacy: focus on Malware & Unencrypted Data.
- Enable Business: meet partner requirements; strengthen remote authentication.
- Compliance: 7 risks across foundational controls.
Slide 12
Current Risk Landscape
- Risks Needing Decision (count: xx): foundational controls missing or partially implemented
- Mitigation In Progress (count: x): key risks are managing vulnerabilities, backup-restore, upgrading software
- Mitigated (count: x): vendor-managed risks assessed and managed
Heat map (impact and frequency scales 3-10; legend: Active / In Progress / Mitigated) plotting: Shared IDs, Backup-restore, Unencrypted Data, No 2-Factor, Sanction Policy, DoS, Media destruction, Terminated Users, Data inventory, Password Policies, Validate Access, Wireless controls, Vuln. mngt., Business continuity, Incident Response, Risk management, Vendor Compromise, Background checks, Appropriate access, Partner Requirements, Attack Chain: malware, Obsolete Software, Phishing victims, Device Malware/Abuse
Slide 13
IT Security Performance
Measuring xx performance indicators across Business Units
Slide 14
NIST Cyber Security Framework
Functions: Identify, Protect, Detect, Respond, Recover
- Each step is required
- Detect and Respond provide immediate value when prevention is not mature, and reduce the impact of breaches
- Prevention takes time, and even then is not 100%
Slide 15
Security Roadmap: Funding Priorities
Investment priorities evaluated by: Risk Priority, Business Support, IT Capacity, Cost (internal labor & Op. Ex.)
Top Priorities (Funding Approval Request, blue icons): Incident Response Plan, Mature Vulnerability Mngt., Device Malware Management, IT Risk Management, Update Security Policy
Next Priorities: Back-up Restore, Remote 2-Factor, Replace Obsolete Systems, Access Mngt. (terminated users)
Chart (axes 0-100 and $0-$100) plotting candidate investments: Unique IDs, Plan Backup-Restore, Encrypt Data at rest, Business Impact Analysis, Sanction Policy, Mature Vuln. Mngt., Anti-DoS, Update Policy, Media Destruction, Access Management, Inventory Data, Replace Obsolete Software, Strengthen Wireless, Plan Incident Response, Proposal, Plan IT Risk Mngt., Remote Access: 2-Factor, Background Checks, Plan Anti-phishing program, Device Standards/Mngt.
Slide 16
Next Steps
- Execute current commitments
- Formalize Organization of Information Security
- Fund priority investment requests
- Complete 3 year roadmap during FYxx planning
Slide 19
Primary Services: Current State
Columns: Service | Maturity | Capacity | Org. Alignment
- Primary Service1 (from previous slide): select a light and/or short description (see notes) | select a light or short description
- Primary Service2
Optional: show process maturity, capacity, or org. alignment visuals.
Data Related Threats
Threats:
- Regulatory costs: fines associated with accidental loss or theft of data; initiated by a report or complaint to the Office for Civil Rights (OCR)
- Criminal organizations: data theft and discovery; complaint from OCR, Health & Human Services (HHS), or a patient
OCR fines, audit, and remediation costs:
- Annual compliance program and audit required regardless of breach volume
- Subjective fine determination based on knowledge of loss, control awareness, and effectiveness (see notes for references)
- Fines range from $2 to $5,208 per record; average fine $255 per record
Examples:
- Wellpoint: inadequate general controls, loss of 612,402 records, $1.7M fine
- North Idaho Hospice: unsecured data,
Slide 23
Calibrated Risk Scale Definitions

Impact (Value | Direct Costs | Indirect Costs | Examples):
- 10 | Revenue: missed targets of $xxx,xxx; Regulatory: fines & audits of... | Competitive: differentiator of...; Goodwill: customer departure of... | Focus: Mitigate risk, e.g. material loss estimated above $xx,xxx,xxx.
- 6 | Revenue: limited to department...; Regs: increased scrutiny... | Goodwill: customer churn of 5-10%... | Focus: Owner judgment, e.g. business considerations.

Frequency (Value | Description | ARO Guide | Examples):
- 10 | Strong evidence of imminent realization, precedent exists, reliable intelligence | > 1 annually, see risk details for estimates | Known control weaknesses of..., confirmed agent...
- 6 | Difficult to exploit without internal... | Realized once in 4 years... | Private system, agent unconfirmed
Slide 24
Strategy Communication
Mission success requires stakeholder awareness, support, & participation.
Columns: Stakeholder | Communication | Means | Frequency
- Board of Directors | State & Compliance Summary | BoD Summary | Semi-Annual
- Executive Team | State, Compliance, & Initiative Summary | Executive Summary, Metric Summary | Quarterly
- Business Lines | State, Compliance, & Initiative Detail | IT Intranet, Brown bags, Metrics | Semi-Annual
- IT | State, Compliance, & Initiative Detail | IT Intranet, Brown bags, Metrics | Monthly
- Employees/Customers | Awareness Training & Measurement | Awareness Training, User Intranet, Engagement Portal | Semi-Annual
Slide 25
Key Performance Indicators (reference the Master Metrics List; starter set below)
- Security Incidents: No. of critical & emergency incidents; No. of moderate incidents
- Access Management: % accounts de-provisioned within standard
- Device Security: % of production servers compliant to minimum standards
- Application Security: % apps with security assessment completed; # critical vulns in production
- IT/Biz Project Support: # long-term engagements; # medium & short term engagements; # of unplanned, short projects
- Security Program: % security initiatives completed on time
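As an added example (not part of the deck), here is one way to compute the Access Management indicator above, "% accounts de-provisioned within standard", by joining an HR termination feed to the identity provider's account-disable log. The 24-hour standard, the record layout and the sample timestamps are assumptions of this example; accounts still enabled after the window are the "Terminated Users" risk on the landscape slide, so the function returns those as well.

```python
"""Access-management KPI: % of terminated accounts de-provisioned within
standard, plus the overdue accounts behind the 'Terminated Users' risk."""
from datetime import datetime, timedelta

# Assumed de-provisioning standard; the deck names the KPI but not the window.
STANDARD = timedelta(hours=24)

# Constructed sample data (not from the deck): HR termination time and
# IdP account-disable time per user.
TERMINATIONS = {
    "alice": datetime(2015, 5, 1, 9, 0),
    "bob": datetime(2015, 5, 1, 17, 30),
    "carol": datetime(2015, 5, 2, 8, 0),
    "dave": datetime(2015, 5, 2, 12, 0),
}
DISABLED = {
    "alice": datetime(2015, 5, 1, 15, 0),   # 6h after termination: within standard
    "bob": datetime(2015, 5, 4, 9, 0),      # 63.5h after termination: late
    "carol": datetime(2015, 5, 3, 7, 59),   # 23h59m: just inside the window
    # dave: never disabled -> a miss, and listed as overdue
}
AS_OF = datetime(2015, 5, 5)  # reporting time for the sample run


def deprovisioning_kpi(terminations, disabled, as_of, standard=STANDARD):
    """Return (percent_within_standard, overdue).

    overdue maps user -> hours past the standard, or None when the account
    has still not been disabled. Terminations whose window has not yet
    elapsed at `as_of` are not counted either way. percent is None when
    nothing is measurable yet."""
    within, measured, overdue = 0, 0, {}
    for user, term_at in terminations.items():
        off_at = disabled.get(user)
        if off_at is None:
            if as_of - term_at > standard:      # still enabled past the window
                measured += 1
                overdue[user] = None
            continue                             # inside the window: not measurable
        measured += 1
        lag = off_at - term_at
        if lag <= standard:
            within += 1
        else:
            overdue[user] = round((lag - standard).total_seconds() / 3600, 1)
    pct = round(100.0 * within / measured, 1) if measured else None
    return pct, overdue


if __name__ == "__main__":
    pct, overdue = deprovisioning_kpi(TERMINATIONS, DISABLED, AS_OF)
    print(f"de-provisioned within standard: {pct}%")
    for user, hours in overdue.items():
        print(f"  overdue: {user} ({'still enabled' if hours is None else f'{hours}h late'})")
```

Reporting the overdue list next to the percentage matters more than the percentage itself: a still-enabled account is an active risk, while a late-but-disabled one is a process miss.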
Slide 26
Complete Risk Statements
Risk = Impact x Frequency
- Impact
  - Direct: Regulatory, Recovery, Revenue
  - Indirect: Goodwill, Scrutiny, Competitive, Corrective Capability
- Frequency
  - Vuln. Attributes: Complexity, Vector, Access, Availability
  - Control Effectiveness: Roles, Awareness, Tools, Policy & Process, Detect/Deter
  - Agent: Capability, Motivation, Occurrence
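The Impact x Frequency decomposition above, the calibrated scale (values 10 and 6 with their ARO guide) and the Accept / Evaluate / Act heat map used on the risk slides can be turned into a small scoring routine. The following Python is an added example and not the deck's own tool: the 3-10 axis range, the two ARO anchors and the "impact 10 means mitigate" rule come from the page; the geometric interpolation between the anchors, the zone thresholds, the single-loss figures and the sample register are assumptions of this example.

```python
"""Calibrated risk scoring: impact and frequency on the 3-10 scale, an
ARO-based annualized loss estimate, and Accept / Evaluate / Act placement."""
from collections import Counter, defaultdict
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 3, 10  # heat-map axes run 3..10 on the slides

# ARO anchors from the calibrated frequency scale:
# value 10 -> more than once a year, value 6 -> once in four years.
ARO_ANCHORS = {10: 1.0, 6: 0.25}


@dataclass(frozen=True)
class Risk:
    name: str
    driver: str          # Protect Brand, Privacy, Compliance, Enable Business
    impact: int          # calibrated impact value, 3..10
    frequency: int       # calibrated frequency value, 3..10
    sle_usd: float       # assumed single-loss estimate behind the impact value
    status: str = "Active"  # Active | In Progress | Mitigated (landscape legend)


def _check(value, label):
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} {value} outside calibrated scale {SCALE_MIN}-{SCALE_MAX}")
    return value


def aro(frequency):
    """Annual rate of occurrence implied by a frequency value.

    Geometric interpolation between the two anchors is this example's
    assumption: four scale steps span a factor of four, so each step
    scales the rate by 4**0.25 (about 1.41)."""
    _check(frequency, "frequency")
    return ARO_ANCHORS[10] * (ARO_ANCHORS[6] / ARO_ANCHORS[10]) ** ((10 - frequency) / 4)


def ale(risk):
    """Annualized loss expectancy = single loss expectancy x ARO."""
    return risk.sle_usd * aro(risk.frequency)


def zone(risk):
    """Accept / Evaluate / Act placement. Thresholds are assumed; the rule
    taken from the scale is that impact 10 always means 'mitigate'."""
    i, f = _check(risk.impact, "impact"), _check(risk.frequency, "frequency")
    if i == SCALE_MAX or i + f >= 16:
        return "Act"
    if i + f >= 12:
        return "Evaluate"
    return "Accept"


def risk_statement(risk):
    """One-line statement in the Impact x Frequency form of the slide."""
    return (f"{risk.name} [{risk.driver}]: impact {risk.impact}/10, "
            f"frequency {risk.frequency}/10 (ARO ~{aro(risk.frequency):.2f}/yr, "
            f"ALE ~${ale(risk):,.0f}) -> {zone(risk)}")


def landscape(risks):
    """Counts by treatment status and Act-zone risks per driver, ordered by ALE."""
    by_status = Counter(r.status for r in risks)
    act_by_driver = defaultdict(list)
    for r in sorted(risks, key=ale, reverse=True):
        if zone(r) == "Act":
            act_by_driver[r.driver].append(r.name)
    return dict(by_status), dict(act_by_driver)


# Constructed sample register: names come from the landscape heat map,
# the values are illustrative and not the deck's own estimates.
SAMPLE_RISKS = [
    Risk("Unencrypted Data", "Privacy", 10, 7, 2_000_000),
    Risk("No 2-Factor", "Enable Business", 8, 8, 400_000),
    Risk("Obsolete Software", "Protect Brand", 7, 9, 250_000, "In Progress"),
    Risk("Backup-restore", "Protect Brand", 9, 4, 1_000_000, "In Progress"),
    Risk("Media destruction", "Compliance", 5, 5, 50_000),
    Risk("Vendor Compromise", "Compliance", 6, 3, 300_000, "Mitigated"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(risk_statement(r))
    print(landscape(SAMPLE_RISKS))
```

The ALE ordering inside each driver is what makes the heat map actionable: two risks in the same Act cell still differ in expected annual loss, which is the number the funding-priorities slide compares against cost.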
Slide 27
Align Controls to Agent Impacts
Chart: controls (y axis: spending & process maturity) plotted against threat agent (x axis, 1-5: motive, skill & perseverance).
Threat agents: Script Kiddie, Hacktivists, Malicious Insider, Criminals, Advanced Adversary for IP; DoS also appears on the chart.
Controls: Basic AAA, Device Mngt., Basic SDL, Vuln Scans, Fraud Detection, Advanced SDL, Full Packet Capture Analysis, Response & Forensics Expertise, Advanced AAA, IRM, Custom Malware Detection, Adv. Awareness Edu.
Slide 28
Executive Discussion Example (unsorted)
Columns: Question | Answer (in strategy deck) | Balanced Scorecard Category | High Level Measurements
- Has anything bad happened? | # High incidents, # Medium incidents, # Near misses | Financial | # High incidents, # Medium incidents, # Near misses
- What are the top risks? | Top risk estimates, e.g. heat map | Financial | % risks with treatment decisions; % unacceptable risks under mitigation; +/- % annual budget
- What are we doing about them? | Funded initiatives; future initiatives | Learning & Growth | +/- % initiative budget (amount); $ estimate of future initiatives
- Are we improving internally? | Target process maturity | Learning & Growth | % processes at target maturity; +/- # process improvement initiatives (count)
- How are we helping the business? | Strategy alignment; training; consulting | Customer | % business strategies aligned with Security; % training objectives met; # business & IT consulting projects
- Is our environment resilient? | Control metrics | Internal Business | % key controls with metrics; % metrics at/above target
- Are we compliant? | Passed last year; overdue findings; repeat findings | Internal Business | # overdue findings; # repeat findings
- Are we efficient? | Initiatives on time & budget | Internal Business | Budget to forecast variance; % initiatives completed on time & budget
Slide 29
Balanced Security Scorecard (Example)
- Financial
  - Risks: % risks with treatment decisions; % unacceptable risks under mitigation; +/- % annual budget
  - Incidents: # high incidents; # medium incidents; # near misses
- Internal Business
  - Resiliency: % key controls with metrics; % metrics at/above target
  - Compliance: # overdue findings; # repeat findings
  - Efficiency: budget to forecast variance; % initiatives completed on time & budget
- Learning & Growth
  - $ initiative budget (+/- last year); # process improvement initiatives (+/- last year); $ estimate of future initiatives; % processes at target maturity
- Customer
  - % business strategies aligned with Security Services; % training objectives met; # business & IT consulting projects (+/- % budgeted)