Bruce Forman
Chief Information Security Officer UMass Memorial
INFORMATION SECURITY
Presenting to the Board of Directors
Congratulations! You’re a ____________
• CIO
• CISO
• Director, Information Technology
• Director, Information Security
Agenda
I. Board Purpose and Function
II. The “Basics”
III. Preparation
IV. Presentation
V. References
VI. Take-Aways
What this Presentation is NOT:
A comprehensive one size fits all approach.
The ONLY solution.
What this Presentation IS…
• A proposed framework for presenting to the Board of Directors
• Some things that have worked for me
• Some things that have worked for some of my peers
Board Purpose and Function
As it relates to Information Security, the Board delegates responsibility to the CISO to:
• Establish Policy
• Monitor and Report
• Regulatory Compliance
• Security Awareness
“The Board’s purpose is or should be governance”
The “Basics”
• Talk in Business Terms
• Establish Credibility
• Present Security as a Value Proposition
• Be viewed as an enabler, not as “Dr. No” (“Yes, and here’s how”)
• Borrow from other department heads to determine the appropriate level of detail
• Know your customer
• Act as translator from regulatory language
• Advocate for the “correct” (reasonable) degree of security and compliance management
Preparation
• REALLY IMPORTANT! Review the recommendations with the Executive Team first. No surprises!
• Talk to an advocate such as the VP of Internal Audit about the Board members’ backgrounds and what they want to hear.
• Review key issues with any Board member known to be an advocate of a particular issue or aligned with it
• Determine what you need to communicate.
• Focus the presentation to meet their needs and backgrounds
• Answer the questions from the Midwest Checklist
Recognize that 80% of the time they will ask questions about something you think they won’t ask about.
Preparation (Midwest Checklist - Sample)
• What percent of our IT budget is dedicated to IT risk/security? (Note: typical range is between 4-10% based on industry in a steady/mature state. Higher for financial services/technology, lower for manufacturing)
• How has the security budget changed in recent years? How much change has been driven by or allocated to emerging risk areas (e.g., APT, cloud computing, mobile devices)?
• What is the level of access among our executives? Do the executives have too much access to the company’s systems? How does that affect the risk profile of the company?
Presentation
• What is or what has changed in the current risk and regulatory environment?
• What is your Organization’s current risk profile and how are you going to reduce the Organization’s risk profile?
• What is the current status of the projects for which investments have been made?
…any presentation to the Board will address one or more of these topics.
Regulatory and Risk Environment
• Review changes such as enforcement actions and new regulatory requirements
• Address up and coming issues they might hear about and how they relate to the organization
• Identify any security incidents or breaches and the current status of the incident response.
Organizational Risk Profile
Develop an Organizational Heat Map
• Use ISO 27001 (or another standard)
• Describe how you are assessing risk.
• Provide “drill-down” to show what makes up the risk ratings
Provide detailed information for each individual risk, including:
• Description of the risk and potential impact
• Business Area affected
• Trending = same, getting better, or getting worse
• Reason: 1-2 sentences on why it is up or why it is down
• Action Plan to reduce the risk
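The roll-up the slide describes (individual risks with a score, a trend and an action plan feeding a per-domain heat map with drill-down) is easy to get wrong when it is done by hand in a spreadsheet. The following is an added example, not code from the original deck or from UMass Memorial: a small risk register that computes the domain rating from its constituent risks and classifies the trend against the previous reporting period. The 1-5 likelihood x 1-5 impact scale, the banding thresholds, the rule that a domain takes the score of its worst risk, and all of the sample risks are assumptions made for illustration.

```python
"""Added example (not from the original deck): roll a risk register up into
the per-domain heat map with drill-down and trending that the slide describes.
The 1-5 likelihood x 1-5 impact scale, the banding thresholds and the sample
risks are constructed for illustration; substitute your own assessment data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    domain: str                 # standard domain the risk rolls up to (ISO 27001 here)
    title: str
    business_area: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    previous_score: Optional[int] = None   # score reported at the last Board update
    reason: str = ""            # 1-2 sentences on why the rating moved
    action_plan: str = ""

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a score to a heat-map colour band (constructed thresholds)."""
    if score >= 12:
        return "HIGH"
    if score >= 5:
        return "MEDIUM"
    return "LOW"


def trend(risk: Risk) -> str:
    """'same', 'better' or 'worse' relative to the previous reporting period."""
    if risk.previous_score is None or risk.previous_score == risk.score:
        return "same"
    return "better" if risk.score < risk.previous_score else "worse"


def heat_map(risks: List[Risk]) -> Dict[str, dict]:
    """Domain rating = the worst constituent risk, so one red risk makes the
    domain red; the drill-down keeps every contributing risk, highest first,
    so the Board can see what drives the rating."""
    out: Dict[str, dict] = {}
    for r in sorted(risks, key=lambda x: (x.domain, -x.score)):
        cell = out.setdefault(r.domain, {"score": 0, "band": "LOW", "risks": []})
        cell["score"] = max(cell["score"], r.score)
        cell["band"] = band(cell["score"])
        cell["risks"].append({
            "title": r.title, "area": r.business_area,
            "score": r.score, "band": band(r.score), "trend": trend(r),
            "reason": r.reason, "action": r.action_plan,
        })
    return out


# Constructed sample register (the first entry mirrors the finding on the
# later slides; the others are invented for illustration).
SAMPLE_RISKS = [
    Risk("Communications and Operations Management", "Unauthorized access to EPHI",
         "HealthCare System", 4, 4, previous_score=16,
         reason="Logs are collected but nothing monitors or alerts on them yet.",
         action_plan="Log-aggregation appliance ordered; alerting live by January 2013."),
    Risk("Communications and Operations Management", "Wireless security", "Clinics", 2, 3,
         previous_score=9, reason="Rogue-AP detection now covers two of three campuses.",
         action_plan="Finish rollout at the third campus."),
    Risk("Access Control", "Executive access exceeds need", "Corporate", 3, 4,
         previous_score=9, reason="Access review found standing admin rights for two executives.",
         action_plan="Remove standing rights; move to just-in-time elevation."),
    Risk("Business Continuity Management", "DR test overdue", "HealthCare System", 2, 2,
         reason="First time on the register.", action_plan="Schedule a DR exercise for Q1."),
]

if __name__ == "__main__":
    for domain, cell in heat_map(SAMPLE_RISKS).items():
        print(f"{domain}: {cell['band']} ({cell['score']})")
        for r in cell["risks"]:
            print(f"  - {r['title']}: {r['band']} {r['score']}, trending {r['trend']}")
```

Taking the maximum rather than an average for the domain rating is deliberate: an average lets one serious, unaddressed risk hide behind several small ones, which is exactly what a Board heat map should not do.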
Organizational Risk Profile
1. Organization of Information Security
2. Asset Management
3. Human Resources Security
4. Physical and Environmental Security
5. Communications and Operations Management
6. Access Control
7. Security Auditing and Monitoring
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Contracts for Information Systems or Technology Resources
12. Compliance
Communications & Operations Management
1. Wireless Security
2. Data Loss Prevention
3. Social Engineering
4. Unauthorized Access to EPHI
5. Intrusion Detection
Unauthorized Access to EPHI
Finding: Although logs are collected, there is no proactive monitoring, alerting or response activity.
Impact: For compliance and reporting, access to EPHI is difficult or impossible to monitor effectively with manual processes.
Business Area: HealthCare System
Trending: -
Action Plan: Identified and ordered an appliance-based solution to aggregate EMR log events. When implemented by January 2013, it will allow reporting and automated alerting for the primary EMR systems.
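The action plan above moves from "logs are collected" to "logs are aggregated and alerted on", and the Board will eventually ask what the alerts actually are. The following is an added example, not code from the original deck, from UMass Memorial or from any EMR vendor, showing the kind of automated alerting that becomes possible once EMR access events are aggregated: a snooping check (chart opened by someone with no treatment relationship), a bulk-access check (too many distinct charts in a short window), and a review queue for break-the-glass overrides. The CSV layout, the care-team table, the thresholds and every event in the sample log are constructed assumptions; a real EMR audit export and a real source of treatment relationships will differ.

```python
"""Added example (not from the original deck): automated alerting over EMR
access-audit events, the kind of control the action plan above calls for once
logs are aggregated.  The CSV layout, the care-team table, the thresholds and
every event below are constructed for illustration; a real EMR export and a
real treatment-relationship source will differ."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

# Constructed sample of aggregated EMR audit events.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2012-11-05T08:01:00,rn_jones,nurse,P1001,view
2012-11-05T08:02:30,dr_patel,physician,P1001,view
2012-11-05T08:05:00,dr_patel,physician,P1002,view
2012-11-05T09:00:00,clerk_smith,registration,P1001,view
2012-11-05T09:01:00,clerk_smith,registration,P1002,view
2012-11-05T09:02:00,clerk_smith,registration,P1003,view
2012-11-05T09:03:00,clerk_smith,registration,P1004,view
2012-11-05T09:04:00,clerk_smith,registration,P1005,view
2012-11-05T09:30:00,rn_jones,nurse,P1003,view
2012-11-05T10:00:00,dr_lee,physician,P1002,break_glass
"""

# Constructed treatment-relationship table: who may legitimately open a chart.
CARE_TEAM: Dict[str, set] = {
    "P1001": {"rn_jones", "dr_patel"},
    "P1002": {"rn_jones"},
    "P1003": {"dr_lee"},
}

BULK_THRESHOLD = 5                  # distinct charts per user (constructed tuning)
BULK_WINDOW = timedelta(minutes=10)  # within this sliding window


def parse_events(text: str) -> List[dict]:
    """Parse the CSV export into dicts with a real timestamp, oldest first."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def no_relationship_alerts(events: List[dict]) -> List[dict]:
    """Chart opened by someone with no treatment relationship (snooping check).
    Break-the-glass access is legitimate by design and is reviewed separately."""
    return [
        {"rule": "no_treatment_relationship", "user": e["user"],
         "patient_id": e["patient_id"], "at": e["ts"]}
        for e in events
        if e["action"] != "break_glass"
        and e["user"] not in CARE_TEAM.get(e["patient_id"], set())
    ]


def break_glass_alerts(events: List[dict]) -> List[dict]:
    """Every emergency override goes to a review queue, relationship or not."""
    return [{"rule": "break_glass_review", "user": e["user"],
             "patient_id": e["patient_id"], "at": e["ts"]}
            for e in events if e["action"] == "break_glass"]


def bulk_access_alerts(events: List[dict], threshold: int = BULK_THRESHOLD,
                       window: timedelta = BULK_WINDOW) -> List[dict]:
    """Sliding window per user: alert when the number of distinct charts opened
    within `window` reaches `threshold` (one alert per user per run)."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        recent: List[dict] = []
        for e in evs:
            recent.append(e)
            while recent and recent[0]["ts"] < e["ts"] - window:
                recent.pop(0)
            distinct = {w["patient_id"] for w in recent}
            if len(distinct) >= threshold:
                alerts.append({"rule": "bulk_access", "user": user,
                               "count": len(distinct), "at": e["ts"]})
                break
    return alerts


def run(text: str = SAMPLE_LOG) -> Dict[str, List[dict]]:
    """Run every rule over one export and group the alerts by rule."""
    events = parse_events(text)
    return {
        "no_treatment_relationship": no_relationship_alerts(events),
        "bulk_access": bulk_access_alerts(events),
        "break_glass_review": break_glass_alerts(events),
    }


if __name__ == "__main__":
    for rule, alerts in run().items():
        print(f"{rule}: {len(alerts)} alert(s)")
        for a in alerts:
            print("   ", a)
```

The alert counts these rules produce are also the raw material for the "Performance Against Metrics" slides later in the deck: alerts raised, alerts confirmed as inappropriate access, and time to close each one are countable, and therefore reportable, in a way that manual log review never is.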
Performance Against Metrics
• Major projects accomplished and planned
• Performance metrics related to the Security Team, the Organization, or both
What is your effectiveness as a group? For example:
1. Identify capital expense and headcount
2. Metrics measure things that you can count:
   a. # of vendor security assessments this year
   b. # of security awareness presentations this year
   c. # of issues in the annual penetration test
Takeaways
1. Review with Executive team first.
2. Know your Board and tailor presentation to their needs.
3. Review the “Midwest Checklist”
4. Know what you want to communicate.
References
• Epstein Becker Green, 2012 Privacy and Security Year in Review
• Questions the audit committee should ask the CIO and CISO
• Source for the ISO 27001 Standard
Special thanks to…
Robert Weaver, Former CISO, ING Direct
Chris Schroeder, Vice President, Information Security & Enterprise Risk, Lowe's Companies, Inc.