Building Your Information Security Program: Frameworks & Metrics

Rob Arnold, CISSP CISM

Building your InfoSec Program: Frameworks & Benchmarks

Information Security Officer, University of Kansas

[Chart] Security is a… Necessary cost vs. Competitive advantage (75% / 25%)

Raytheon/Ponemon 2015 Global Megatrends in Cybersecurity, Feb 2015

Agenda

• Why use a framework?

• How do I use a framework?

• Where can I get a framework?

• What value are benchmarks?

• Where can I find benchmarks?

• How can I get started?

• What resources are there?

Why use a framework?

Use a framework to

• Ensure you have coverage (the “unknown unknown” problem)

– Frameworks are highly vetted

– Some degree of future-proofing

– Help with responding to audits

Use a framework to

• Identify areas for improvement

– Taxonomy provides structure

– Common vocabulary

– Framework defines some ideal

– You assess the gap between your reality and the ideal

– Develop a work plan

Use a framework to

• Benefit from a proven successful approach

– Repeatable approaches to problems

– Stand on the shoulders of giants

– Allow tailoring for your organization

“If I have seen further it is by standing on ye sholders of Giants.”

--Isaac Newton

Use a framework to

• Enable service delivery

– Consider your work output as services

– Move toward understanding the demand

– Move toward understanding your capacity

– Move toward knowing where your organization gets the security services it needs

How do I use a framework?

Build your security program on a framework

• Catalog of controls

– Mapped to the framework

– With a narrative description of processes

• Do feed the auditors!

– Follow the taxonomy of your framework

– Use the common vocabulary

– Design your controls to produce evidence

6.1.3 Contact with authorities

Appropriate contacts with relevant authorities shall be maintained.

Requests for information by law enforcement shall be dispatched as set forth in the Investigative Contact by Law Enforcement, Policy and Procedures [KUIT6.1.3A]. Reporting of crimes shall occur as set forth in the Crime Reporting Policy [KUIT6.1.6B].

6.1.4 Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

IT Security Office shall maintain membership and participation in special interest groups and information sharing groups as deemed appropriate by the Information Security Officer. ITSO staff are member representatives of REN-ISAC and members of MS-ISAC [KUIT6.1.4A].

ITSO staff are members of various professional organizations including (ISC)2, ISACA, and EC Council as a result of the position requirement for current certification [KUIT6.1.4B].

18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

18.2.1 Independent review of information security

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

This program document shall serve as a record of the organization’s approach to the management and implementation of information security. This document shall be reviewed no less than annually by the Information Security Officer. [KU18.2.1A]

An external review of the program document shall be performed at least every two years. [KU18.2.1B]

18.2.2 Compliance with security policies and standards

Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

The IT Security Office shall conduct a Risk and Vulnerability Assessment (RVA) as a service to units. The RVA shall serve as a unit-level review of the practices and documentation of the unit. Issues from the review shall be reported to the unit leadership. [KU18.2.2A]

Information security controls

• Are specific

• Are testable

• Produce evidence

• Map to your choice of framework

• Use “shall” not “should” or “may”
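Three of these properties (mapping to a framework clause, carrying a control identifier that evidence can be traced to, and “shall” wording) can be checked mechanically against a program document. The lint below is an added example, not code from the deck or from KU; the catalog text is constructed in the style of the 6.1.3 control above, with a second, deliberately weak control to show the findings. Testability and evidence production still need a human reviewer.

```python
import re

# Constructed sample catalog: the first entry mirrors the deck's 6.1.3 control;
# the second is deliberately weak (no clause number, "should", no identifier).
SAMPLE_CATALOG = """\
6.1.3 Contact with authorities
Requests for information by law enforcement shall be dispatched as set forth
in the Investigative Contact by Law Enforcement, Policy and Procedures [KUIT6.1.3A].

Backups
Units should back up data at regular intervals.
"""

CLAUSE_RE = re.compile(r"^(\d+(?:\.\d+)+)\s+(.+)$")   # heading like "6.1.3 Contact ..."
CONTROL_ID_RE = re.compile(r"\[[A-Z]+[\d.]+[A-Z]\]")    # identifier like "[KUIT6.1.3A]"
SHALL_RE = re.compile(r"\bshall\b", re.I)
WEAK_MODAL_RE = re.compile(r"\b(should|may)\b", re.I)


def parse_catalog(text):
    """Split the document into (heading, body) entries separated by blank lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        heading, _, body = block.partition("\n")
        entries.append((heading.strip(), " ".join(body.split())))
    return entries


def lint_control(heading, body):
    """Return the findings for one control; an empty list means it passes."""
    findings = []
    if not CLAUSE_RE.match(heading):
        findings.append("heading has no framework clause number")
    if not CONTROL_ID_RE.search(body):
        findings.append("no control identifier such as [KUIT6.1.3A]")
    if not SHALL_RE.search(body):
        findings.append('does not use "shall"')
    for m in WEAK_MODAL_RE.finditer(body):
        findings.append(f'uses "{m.group(0)}" instead of "shall"')
    return findings


def lint_catalog(text):
    """Map each control heading to its list of findings."""
    return {h: lint_control(h, b) for h, b in parse_catalog(text)}


if __name__ == "__main__":
    for heading, findings in lint_catalog(SAMPLE_CATALOG).items():
        print(f"{heading}: {'OK' if not findings else '; '.join(findings)}")
```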

Where can I get a framework?

Finding frameworks

• You may be required to use one (or more) by your industry’s regulating body

• Standards bodies (NIST, ISO)

• Regulatory bodies (NERC, FISMA, HITRUST)

• Audit organizations (COBIT, CAG)

What value are benchmarks?

Are you in the lead?

• How do I compare to my competition?

• How do I compare to my industry?

• Am I paying too much for security?

• Is my attention focused correctly?

• How do I get more resources?

• What are my strategic gaps?

Where can I find benchmarks?

• Big vendors give them away …or trade them for a lead

• Research firms sell them to you

• ISAC organizations can help, depending on industry

• Government agencies publish them (sometimes infrequently and poorly)

How can I get started?

• Read the docs in the resource section

• Use your professional contacts

– (ISC)2

– ISACA

– ISSA

• Pick a framework

• Write a program document

• Lather, rinse, repeat

What resources are there?

Thank you!


Image credits

Public domain

• Photograph of a Workman on the Framework of the Empire State Building (National Archives Identifier 518290)

• Woolworth Bldg, Library of Congress, call number LC-B2- 2416-4

Creative Commons

• Hindenburg, Bundesarchiv, Bild 146-1986-127-05 / CC-BY-SA

• Benchmark, User:Nixterrimus, CC-BY-SA

• Peloton, User:muffinn, CC-BY

• Countisbury Ordnance Survey Benchmark, © Copyright Rachel Hunt, CC-BY-SA

• It's time to get started, User:The fixerupperz, CC-BY-SA

• Udachnaya mine, User:stepanovas, CC-BY-SA