*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
GOVERNANCE FRAMEWORK
ENTERPRISE SECURITY
VISION
GOALS
BUSINESS BENEFITS
CRITICAL SUCCESS FACTORS
KEY PERFORMANCE INDICATORS
ROLES & RESPONSIBILITIES
Governance Framework Defined
A Vision is a broadly defined, clear and compelling statement
about the Enterprise’s purpose for Enterprise Security.
Strategic Objectives are a set of goals that are necessary and
sufficient to move the Enterprise towards its vision for
Enterprise Security.
Critical Success Factors (CSF) are a set of outcomes that are
necessary to achieve the strategic objectives for Enterprise
Security.
Key Performance Indicators (KPI) are concrete metrics
tracked to ensure that Enterprise Security’s critical success
factors are being achieved.
Key actions and business changes are the initiatives to be
delivered in order to achieve the Enterprise Vision and
Strategic Objectives for Enterprise Security.
[Figure: the governance chain, read left to right: Vision, Strategic objectives, CSFs, KPIs / targets, Key actions / business changes]
Vision
“We will build and implement an information security program which will identify threats and risks to the Enterprise’s
information assets and system resources, including human assets, before they become an employee or management concern.”
Goals
• Develop an innovative Information Security Program that identifies risks and
implements safeguards to mitigate those risks.
• The Information Security Program must meet all of the Enterprise’s expectations
while having little impact on existing budgets and/or schedules.
• Develop an effective, efficient Information Security Program that will enhance all
services provided by the Enterprise while not impeding existing services to our
clients.
• Isolate and mitigate potential risks and/or threats before an issue develops into an
employee or management concern or problem.
• Enhance the Enterprise’s ability to attract and retain customers, investors and
partners because of its ability to efficiently and effectively protect information.
Business Benefits
• Reduce risks and threats to the Confidentiality, Integrity and Availability of the Enterprise’s
Information Assets and System Resources by providing policies, practices and standards designed to
mitigate or eliminate all known risks and threats.
• Improve the effectiveness and efficiency of Information Security Management by implementing a
world-class best practice and framework for consistent, concise security administration.
• Improve the effectiveness and efficiency of existing security mechanisms by formalizing new practices
to monitor compliance and maintain awareness of sensitive data.
• Improve assurance testing and validation outcomes by Internal Audit and External Auditors to
further assure the Enterprise’s Investors, Board of Directors and Executive Management Team that
the Enterprise’s Information Assets and System Resources are secure.
• Reduce the likelihood of an accidental incident caused by Enterprise staff that could adversely affect
the Enterprise’s reputation or liabilities and lead to financial losses, by providing an ongoing
information security education and awareness program.
Critical Success Factors
• Information security policy, objectives, and activities that reflect business objectives
• An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the Enterprise’s culture
• Visible support and commitment from all levels of management, especially Executives
• A good understanding of the information security requirements, risk assessment, and risk management
• Effective marketing of information security to all managers, employees, and other parties to achieve awareness
• Distribution of guidance on information security policy and standards to all managers, employees and other parties
• Provision to fund information security management activities
• Providing appropriate awareness, training, and education
• Establishing an effective information security incident management process
• Implementation of a measurement system that is used to evaluate performance in information security management and feed back suggestions for improvement
Key Performance Indicators

Strategic Alignment
• Enterprise Security Office activities do not materially hinder business
• The Enterprise Security Office program enables business activities
• Enterprise Security Office activities have provided predictable, robust operations
• Enterprise Security Office incidents have not significantly impacted business operations
• Trends for adverse impacts are continuously improving
• The Enterprise Security Office organization is responsive to business requirements
• The cost of Enterprise Security Office measures is appropriate and generally tracks the degree of risk and value of
assets
• The Enterprise Security Office group understands the business objectives

Risk Management
• Cost effectiveness of risk mitigation
• Reduction in residual risk
• Reduction in open vulnerabilities
• Reduction of significant risks
• Reduction in adverse impacts
• Improved response time to new risks
• Systematic, continuous risk management
• Periodic risk assessments
• Tested business continuity planning (BCP) and disaster recovery (DR)
• Completeness of asset valuation and assignment of ownership
• Meeting RTO objectives during testing

Business Process Assurance
• No gaps exist in information asset protection
• All assurance activities are demonstrably integrated
• Roles and responsibilities that are well defined with concise interfaces
• Responsibility and accountability are clearly defined
• The steering committee has representatives of all assurance functions

Value Delivery
• Enterprise Security Office activities achieve strategic objectives on budget
• The cost of Enterprise Security Office is proportional to the value of assets
• Enterprise Security Office resources are allocated by degree of assessed risk
• Aggregate protection costs that are a function of revenues or asset valuation
• Utilization of controls – rarely used controls are not likely to be cost-effective
• The number of controls to achieve acceptable risk and impact levels. Fewer effective controls can be expected to be
more cost-effective than less effective controls
• The effectiveness of controls as determined by testing. Marginal controls are not likely to be cost-effective

Resource Management
• The frequency of problem rediscovery
• The effectiveness of knowledge capture and dissemination
• Clearly defined roles and responsibilities for IT security functions
• IT security functions are incorporated into every project plan
• Information assets and related threats that are covered by security resources

Performance Management
• The time it takes to detect and report incidents
• The number and frequency of unreported incidents
• Benchmarking security costs against comparable organizations
• Effectiveness and efficiency of controls
• Trends in audit findings
• Compliance metrics
• Time for variance resolution
• Trends in impacts
• Downtime for critical systems
Key Actions / Business Changes
• Adopt Information Security framework
• Implement Enterprise Security Governance
• Facilitate adoption of Risk Management Methodology
• Implement Security Monitoring System
• Facilitate harmonization of Access Control and Identity processes
• Lead implementation of Continuous Improvement process
• Develop and implement Communications Strategy, including Awareness Training
Roles & Responsibilities
Responsibilities by management level, across the six governance dimensions (Strategic Alignment, Risk Management, Value Delivery, Performance Measurement, Resource Management, Process Assurance).

Board of Directors
• Strategic Alignment: Require demonstrable alignment
• Risk Management: Institute a policy of risk management in all activities and ensure regulatory compliance
• Value Delivery: Require reporting of Enterprise Security activity costs
• Performance Measurement: Require reporting of Enterprise Security activity effectiveness
• Resource Management: Institute a policy of knowledge management and resource utilization
• Process Assurance: Institute a policy of assurance process integration

Executive Management
• Strategic Alignment: Institute processes to integrate Enterprise Security with business objectives
• Risk Management: Ensure roles and responsibilities include risk management in all activities and monitor regulatory compliance
• Value Delivery: Require business case studies of Enterprise Security initiatives
• Performance Measurement: Require monitoring and metrics for Enterprise Security activities
• Resource Management: Ensure processes for knowledge capture and efficiency metrics
• Process Assurance: Provide oversight of all assurance functions and plans for integration

Management Review Committee
• Strategic Alignment: Review Enterprise Security strategy and integration efforts, and ensure business owners support integration
• Risk Management: Identify emerging risks, promote business unit Enterprise Security practices and identify compliance issues
• Value Delivery: Review accuracy of Enterprise Security initiatives to serve business functions
• Performance Measurement: Review and advise on Enterprise Security initiatives and ensure they meet business objectives
• Resource Management: Review processes for knowledge capture and dissemination
• Process Assurance: Identify critical business processes and assurance providers, and direct integration assurance efforts

Enterprise Security Office
• Strategic Alignment: Develop Enterprise Security strategy, oversee the Enterprise Security program and initiatives, and liaise with business process owners for ongoing alignment
• Risk Management: Ensure risk and business impact assessments, develop risk mitigation strategies, and enforce policy and regulatory compliance
• Value Delivery: Monitor utilization and effectiveness of Enterprise Security resources
• Performance Measurement: Develop and implement monitoring and metrics approaches, and direct and monitor Enterprise Security activities
• Resource Management: Develop methods for knowledge capture and dissemination, and metrics for effectiveness and efficiency
• Process Assurance: Liaise with other assurance providers, and ensure that gaps and overlaps are identified and addressed
Management Review Committee
Purpose: Management shall review the Enterprise’s ISMS at planned intervals (at least
once a year) to ensure its continuing suitability, adequacy and effectiveness. This review
shall include assessing opportunities for improvement and the need for changes to the
ISMS, including the information security policy and information security objectives. The
results of the reviews shall be clearly documented and records shall be maintained (ISO27k
clause 4.3.3).
Goals: The ISMS Management Review Committee has been formed to provide an
effective joint forum which will contribute to the following goals:
• Decision making which supports the Enterprise Security Program
• Balanced and informed review and advisory services contributing to a range of
Enterprise Security Office (ESO) planning, service delivery and issue resolution
activities
• Proactive ESO alignment with higher level joint governance functions to improve the
effectiveness and efficiency within the ESO domain
Committee Functions: Review input (ISO27k clause 7.2)
The input to a management review shall include:
a). results of ISMS audits and reviews;
b). feedback from interested parties;
c). techniques, products or procedures, which could be used in the
organization to improve the ISMS performance and effectiveness;
d). status of preventive and corrective actions;
e). vulnerabilities or threats not adequately addressed in the previous risk
assessment;
f). results from effectiveness measurements;
g). follow-up actions from previous management reviews;
h). any changes that could affect the ISMS; and
i). recommendations for improvement.
Review output (ISO27k clause 7.3)
The output from the management review shall include any decisions and actions related to
the following:
a). Improvement of the effectiveness of the ISMS.
b). Update of the risk assessment and risk treatment plan.
c). Modification of procedures and controls that affect information security, as necessary,
to respond to internal or external events that may impact the ISMS, including changes
to:
1). business requirements;
2). security requirements;
3). business processes affecting the existing business requirements;
4). regulatory or legal requirements;
5). contractual obligations; and
6). levels of risk and/or criteria for accepting risks.
d). Resource needs.
e). Improvement of how the effectiveness of controls is being measured.
For more information contact:
Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure
LinkedIn: http://ca.linkedin.com/in/markesbernard