Information Security Governance
25th June 2007

Gordon Micallef
Vice President – ISACA MALTA CHAPTER


25th June 2007 - MFSA

Agenda – IS Governance

• Why is better IS Governance needed?
• What drives IS Governance?
• How to achieve better IS Governance?


Defining Information Security

• Information security covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers, authorities and third parties.


Why – IS Governance


Security Governance does not apply to us!!!!

• Information Security is being handled by IT and it is their responsibility;
• And since I do not know much about IT, I will avoid going into details, as they know what they have to do in their own weird / technological world;
• IT management knows better than the rest of the business, including Executive Management, what to secure, how, and when;
• We are secure and we do not need to confirm that;
• Security breach??? Cannot happen to me;
• We’re small, we don’t need that;
• Yes, we have a security policy!!


But ….

• Needless to discuss whether an organisation is dependent on the information it holds;
• Managing information risks is a key part of corporate governance;
• Information risk management and information security rarely hit the agenda of the Board of Directors and Executive Management;
• Information Security is seen as an IT problem, and as their cost, rather than as a strategic enabler for Executive Management;
• The Board of Directors and Executive Management do not know what they can do to ensure that they meet corporate governance requirements for information risk management;
• Information Security does not only apply to IT.


Common scenarios of weak security governance

• Isolated attempts to mitigate individual risks whilst security is continuously evolving;
• Information security seen as another component of IT and not as supporting the achievement of business objectives;
• Reactive approach to managing information security: “Fix it when it breaks”;
• Reactive approach to new regulations, addressing the individual requirements of each regulation separately.


Security Governance in the Local Context

• Governance does not apply only to larger organisations;
• We still cannot do away with complexity, regulation, dependency on information, and reputation. These are factors that need to be considered irrespective of size;
• It does not require significant investment, but security risks might make you lose whatever investment you have made;
• The good news is that what needs to be done might require less effort, and may be more easily achievable;
• Enforcement in highly regulated industries is still in its initial phases.


What – IS Governance


What drives better information security governance?

The four pillars are:
• Senior Management Commitment,
• Security Vision and Strategy,
• Information Security Management Structure,
• and Training and Awareness.

This is not an IT implementation exercise


How – IS Governance


How to Proactively Manage Information Security Risk

1. Develop a security framework for capturing and reporting at different levels of granularity;
2. Understand the current state (gap analysis) in the context of industry and regulations;
3. Capture the security vision and directly align it with business objectives;
4. Translate the vision into strategy and action;
5. Determine a practical approach towards communicating the vision and strategy.


1. Use an organising framework

An effective framework should:
• Integrate people / processes / technologies;
• Rather than being a mere technology fix, ensure that IT security implementations are aligned to the business objectives;
• Model the interdependencies between areas of security (such as manual vs electronic, physical vs logical);
• Provide a structural hierarchy for communication to various audiences;
• Support monitoring, benchmarking and comparison at various levels;
• Integrate leading practices and widely known industry standards.


Measuring the performance of security management

• Measuring, monitoring and reporting information security governance metrics is essential to ensure that organisational objectives are achieved;
• Measurement of performance will assist management in the right allocation of resources;
• Effective information security governance cannot be established overnight and requires continuous improvement supported by adequate measurement;
• Various tools and methodologies on performance measurement are readily available;
• Measurement has to take place at various levels of the organisational structure.


2. Assess the Current Environment

Carry out a gap analysis to answer:
• Is there a clear structure for reporting and decision-making within security?
• Are the security initiatives aligned with my business objectives?
• Are the security policies and standards derived from the proper sources?
• Does the security organisation provide sufficient architectural guidance?
• Are security and privacy an integrated part of IT processes?
• Does the security infrastructure effectively and efficiently meet the objectives?
• Do the operational aspects of security meet the needs of the business?


3. Develop Security Vision Aligned with Business

• Based on the results of the gap analysis, assess the maturity of your current enterprise security capabilities;
• Evaluate areas for improvement and possible high-risk gaps;
• Identify precisely where the organisation should be committing its scarce resources;
• Develop an information security strategy document;
• Develop comprehensive policies that support this strategy.


4. Strategise and Action

• Translate the vision into an actionable, repeatable and reportable strategy that identifies the business case supporting project creation, project prioritisation, risk assessment, and investment optimisation;
• Develop, along with the security policies, a comprehensive security programme through an actionable, realistic roadmap to achieve the vision;
• Incorporate change into the strategy, as a rigid and inflexible methodology provides a poor foundation for success.


5. Effectively Communicate Vision

• Different levels of audiences must be recognised;
• Crafting the appropriate message for the target audience is critical to success;
• The size of Malta makes it easier to communicate;
• Communication efforts should not be a one-off, but have to be ongoing to be effective;
• Information security awareness programmes can take on many different forms. Whatever the delivery, the message must be clear: Management cares about security, and the employee should as well.


What should better IS Governance deliver

• A structure to measure the performance of management of information security
• Executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
• Prioritised and adequate resource allocation
• Alignment of security objectives to business objectives


Common tools to better governance

Various tools are available for the different stages of the Security Governance project, such as:
• Guidelines provided by ITGI
• Established frameworks such as COBIT
• Best practices such as:
  • ISO 17799 / ISO 27002
  • COBIT Security Baseline
  • Information Security Forum (ISF) Good practices for information security
  • ITIL


Thank You

[email protected]