Practical IT Research that Drives Measurable Results Develop & Deploy a Security Policy.

Slides:



Advertisements
Similar presentations
Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.
Advertisements

Quality evaluation and improvement for Internal Audit
Opportunities & Implications for Turkish Organisations & Projects
Enterprise Architecture
Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.
Module N° 8 – SSP implementation plan. SSP – A structured approach Module 2 Basic safety management concepts Module 2 Basic safety management concepts.
The Instructional Decision-Making Process 1 hour presentation.
The Scottish Association of BUILDING STANDARDS MANAGERS Incorporating the Scottish Association of Chief Building Control Officers and representing Local.
Strategies for Knowledge Management Success SCP Best Practices Showcase March 18, 2004.
The Implementation of BPR Pertemuan 9 Matakuliah: M0734-Business Process Reenginering Tahun: 2010.
Practical IT Research that Drives Measurable Results Manage Help Desk Staffing 1Info-Tech Research Group.
Practical IT Research that Drives Measurable Results Get Started Bringing Order to Help Desk Request Chaos.
Impact Research 1 Deploying Wireless LANs for Business Benefit Summary Document.
Practical IT Research that Drives Measurable Results Maximize Vendor Performance.
Practical IT Research that Drives Measurable Results Document the IT Service Catalog.
Info-Tech Research Group Practical IT Research that Drives Measurable Results Reduce Telecom Expenses.
Practical IT Research that Drives Measurable Results 1Info-Tech Research Group Get Moving with Server Virtualization.
Info-Tech Research Group1 V3.1 Info-Tech Research Group, Inc. Is a global leader in providing IT research and advice. Info-Tech’s products and services.
Plan for Application Consolidation. Successful application consolidation relies on assessment of the application portfolio to determine the best candidates.
Practical IT Research that Drives Measurable Results Make the Case for IP Telephony 1Info-Tech Research Group.
Practical IT Research that Drives Measurable Results Establish an Effective IT Steering Committee.
Info-Tech Research Group1 Info-Tech Research Group, Inc. Is a global leader in providing IT research and advice. Info-Tech’s products and services combine.
Info-Tech Research Group1 1 Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine.
Info-Tech Research Group1 1 Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine.
Practical IT Research that Drives Measurable Results Vendor Landscape Plus: Enterprise Content Management Suite ECM: A vendor marketing concept, not an.
Info-Tech Research Group1 Info-Tech Research Group, Inc. Is a global leader in providing IT research and advice. Info-Tech’s products and services combine.
Info-Tech Research Group1 Info-Tech Research Group, Inc. Is a global leader in providing IT research and advice. Info-Tech’s products and services combine.
Info-Tech Research Group1 1 Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine.
Info-Tech Research Group1 Make the Decision to Upgrade to Microsoft Exchange 2010 It’s Time for a Change: Let’s Talk about Exchange Info-Tech's products.
Practical IT Research that Drives Measurable Results Build Security Architecture & Roadmap Implementation.
Build an IT Strategy for the Small Enterprise
What is ISO 9001? ISO 9001 is a standard that sets out the requirements for a quality management system. It helps businesses and organizations to be more.
Build an Enterprise IT Security Training Program
Renovate the Data Center
Vendor Landscape Plus: IP Telephony Vendors
Application Outsourcing: Achieving Success & Avoiding Risk
Abolish the Annual Performance Appraisal and Move to an Agile System
Redesign IT Governance to Drive Optimal Business Results
Select the Right Vendor for Desktop Virtualization
Design an EA Strategy to Articulate the Value Proposition of the EA Function Maximize the likelihood of EA success by communicating EA’s expected contributions.
Integrated Management Systems
Data Architecture World Class Operations - Impact Workshop.
Empower Managers to Take Ownership of Employee Engagement
Create Data Strategies for the Small Enterprise
Bridge IT and the Business with Business Architecture
SAMPLE Develop a Comprehensive Competency Framework
Identify the Risk of Not Doing BA
Select an EA Tool Based on Business and User Need
CMMI Overview Quality Frameworks.
Optimize the BI Program for a Better ROI
Design & Build a User-Facing Service Catalog
Unified Process Source & Courtesy: Jing Zou.
Continuous Improvement through Accreditation AdvancED ESA Accreditation MAISA Conference January 27, 2016.
Improve Business Satisfaction by 10% Through Business Relationship Management Relationship management is the #1 driver of business satisfaction with IT.
What will you receive today?
Establish a Right-Sized Incident Management Process
Making Information Security Manageable with GRC
Grievance, Discipline & Dismissal
Making Information Security Actionable with GRC
Our new quality framework and methodology:
Project Management Process Groups
Cyber security Policy development and implementation
Document the IT Service Catalog
Management By Objective – Dashboard Management
Investing in Data Management Capabilities
Basic Systems Management Employing Security Policies
Presentation transcript:

Practical IT Research that Drives Measurable Results Develop & Deploy a Security Policy

Introduction Many organizations have no formal documentation that indicates how employees should act to uphold security. Regulatory pressure is making this deficiency a business inhibitor due to the fines and sanctions that can be levied against enterprises that fail audits. On average, Security Policy development takes 12 months and costs $50,000; a major inhibitor to Policy development and adoption. This solution set eliminates those costs This solution set addresses Security Policy development and deployment in three steps: Policy Implementation and Enforcement Establish a Baseline of Understanding Build the Policies This set will define an appropriate set of Security Policies. These documents will improve security while saving the enterprise the expenditure of precious resources. This set is targeted at enterprises that have no formal Policies, but is equally applicable to those looking to improve what they already have.

Executive Summary Security Policy demonstrably improves overall enterprise security: Security Policy defines the enterprise’s security intent and the methods it will use to achieve that intent. Building Policy is shown to reduce the occurrence of breaches by as much as 93%. Build Policy in a structured manner that involves all stakeholders: Using an iterative process allows for the deployment of Policies as they are created, rather than waiting for the full package to be developed. This improves security during the development process, not just at the end. The Policy must support, not inhibit, the enterprise’s business units. If business leaders are not involved in the process, the Policies may be inappropriate to the way the enterprise works. Policy creation only the start; implement and enforce to realize value: Staggered implementations that balance security impact against user impact result in more successful rollouts. Security concepts will be new to many users though so remember to train before things get too complex. The work doesn’t end with implementation – enforcement required to make even acceptable Policy stick and dedicated tools are the key to successful enforcement.

Policy Implementation and Enforcement Establish a Baseline The value of PolicyWhat goes in a Policy? Build the Policies

Defining enterprise security intentions is the only way to demonstrably achieve them; Policy is that definition Enterprises with Policies report greater sense of security Security Policy is the document that defines overall enterprise intentions in regards to providing a secure computing environment. Security Policy indicates the “what” and the “how” of enterprise security: What is going to be secured. How security will be achieved. By following the rules as set out in a Security Policy, an enterprise is able to achieve a higher level of security because it is able to more thoroughly and consistently make day-to-day security decisions. Survey data shows that when comparing enterprises with Policy against those without, the former group are more than twice as likely to report a high overall sense of security than the latter. Further, they are ten times less likely to report a low overall sense of security than their peers with no Policy.

Establishing security objectives is the tip of the iceberg when it comes to Policy development Objectives outline high-level enterprise security goals. They must be easy to digest but are not generally prescriptive. Standards offer prescriptive guidance that govern actions. They expand upon policies to indicate specific expectations and requirements. Baselines and guidelines are the enterprise’s security specifications. These are the “speeds and feeds” of enterprise security and the most likely component to change over time. Procedures are the step-by-steps by which security is enacted. They tell employees the “how to” of security, not just the “what”. Security Policy a hierarchy of related documents Info-Tech’s twenty distinct Security Policy templates (see Appendix I) provide combined objectives & standards, include procedures, and suggest basic baselines. This set streamlines the development of a comprehensive Security Policy. Security Policy contents are not all the same; different types of information have different currency and relevancy. Structuring Policy into a series of documents, each with a focused intent, allows for more granular maintenance and keyed distribution of information.

More complete Policy sets provide better guidance in how to be secure, leading to better enterprise security Full Policy reduces the likelihood of a security breach By themselves “thou shalt/shalt not” objectives don’t do enough to protect the enterprise; they may indicate “what” needs to be done, but don’t provide enough context to discern the “why” and “how”. Without these factors enterprises find it difficult to enact security. Only a full Policy set (objectives, standards, baselines/guidelines and procedures) provides sufficient information to implement appropriate protection, which is key to avoiding breaches. Survey data shows that having objectives leads to a reduction in breach occurrence of anywhere from 19 to 46% (depending on breach type). However, having full Policies results in a total reduction of 57 to 93%. Clearly, knowing what to do and how to do it improves security more than just knowing what to do. n=114 “Policy is ineffective without procedures to guide users on how to adhere. Procedures are required so that everyone interprets and acts on the Policy in a consistent manner.” - IT Director of a small Not For Profit

Policy Implementation and Enforcement Establish a Baseline of Understanding Build the Policies Follow a framework during document creation Negotiate stringency with the Business

Big bang not the answer; phased Policy development and deployment improves security faster While it may seem ideal to first fully create and then implement the entire Security Policy, doing so slows down adoption and leaves security gaps during the process. A phased approach allows for the deployment of individual Policies as they are developed, but calls for care that Policies are built and distributed in an order that makes sense. Start the work by first determining what Policies the enterprise needs. Previously completed audits are a good guide as they highlight areas of weakness. Group closely related Policies where the development of one links with the development of the others to gain economies of effort. Groups will be individual and enterprise specific. Find natural relationships between groups so that the entire Policy can be laid out as “layers” in a framework. Layer structure also individual to each enterprise. Build all the Policies in a individual “layer” at the same time. Once complete, roll them out before moving on to subsequent “layers”. Determine required Policies Determine number of framework layers Assign Policies to framework layersDevelop and distribute Policies

Policy frameworks Case Study; a complex sample based on a large set of Policies Company ABC, a large multi-national, determined it needed a very complete ISO-based Policy. Development was projected at 12 plus months. Benefits were needed sooner. Company ABC grouped those Policies specific to basic infrastructure and data security into layer 1 (the dark blue layer) and started work there. Building these Policies first put fundamental controls in place and gave management a sense of basic protection with only a couple of months of work effort. Next they tackled Policies related to Account Management and Application Security (the mid- blue layer), as a natural connection between the basic l security they had built and personnel- focused security to come. The user-related Polices (the red layer) became layer 3. These took time to get accepted, but the in-place controls were already providing solid protection. The final components were tackled on an “as needs” basis over a period of months rather than as a specifically numbered layer. Each box in this diagram represents a complete set of policies, standards, baselines/guidelines and standards.

Policy frameworks, a simpler sample based on a reduced set of Policies Framework design is individual to the enterprise and governed by factors such as corporate culture, staff ability and the number of Policies to be developed Not all enterprises need as complex a framework as the previous example. Smaller Policy sets can use simpler frameworks. This represents a theoretical example. As before layer 1 (dark blue layer) represents the Policy development start point and continues to include infrastructure and data security. It supplements these with core user management Policies to create a strong base. The light blue mid-layer (layer 2) comes next and adds more user-focused Policies that will ensure user activity adds to, rather than detracts from, enterprise security. Enterprises could finish with the assessment and response Policies as layer 3. These complete the set as a whole by allowing for ongoing verification of the security stance that the earlier Policies have created. Each box in this diagram represents a complete set of policies, standards, baselines/guidelines and standards.

Info-Tech Helps Professionals To: Sign up for free trial membership to get practical Solutions for your IT challenges “Info-Tech helps me to be proactive instead of reactive - a cardinal rule in stable and leading edge IT environment.” - ARCS Commercial Mortgage Co., LP