Relevant Impact: Building an Enterprise Security Program. Tech Security Conference, Minneapolis, April 10, 2014.

Presentation transcript:

a few thoughts about all this security…

Most North American Enterprises and Government Agencies have experienced a breach…

Meet John, a successful, seasoned information security practitioner

His understanding of regulation, best practice and technical subjects allows him to solve any issue his organization may face.

… he was asked to be CISO

Build a security program guaranteeing effective protection and compliance of the organization at all times.

“It’s about the data. Security professionals have to start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.” Marlene N. Allison, Worldwide Vice President of Information Security, Johnson & Johnson

Appropriate Content Control = Web Proxy + Filtering + SIM
DDoS Prevention = Redundant links + Specialized Routers + HA Applications
Privacy Compliance = DB Controls + Policies + File Inventory + DLP + SIM + Ticketing System + Enterprise Policies + Training Program…

Then the inevitable…
- Technology changes
- Old clients
- New vendors

The auditor said policy violations had been “ENABLED” by bad technology, chosen through a flawed process that was based on poor logic.

Frustration set in as he tried to go back to the drawing board… then the unexpected.

He was notified that the organization may have an APT in the environment…

John thought about his predicament…

…and had an epiphany.

“This shouldn’t be my problem...”

…an effective security program starts with a strategy and must be aligned to the business.

Creating an Effective Security Program Strategy
1. Impact based approach
2. Establish business context
3. Develop strategic services

Impact Based Approach: an impact-based approach identifies the scenarios that are relevant to organizational assets.

Risk Context (diagram): Business Attributes branch into negative and positive outcomes.
Negative Outcomes: Threats lead to a Loss Event, assessed by
- Overall likelihood of loss: likelihood of threat materialising, likelihood of weakness exploited
- Overall loss value: asset value, negative impact value
Positive Outcomes: Opportunities lead to a Beneficial Event, assessed by
- Overall likelihood of benefit: likelihood of opportunity materialising, likelihood of strength exploited
- Overall benefit value: asset value, positive impact value

Risk & opportunities are assessed with owners focusing on impact and enablement.
Matrix (diagram): Likelihood (Low / Medium / High) against Business Impact (Low / Medium / High); each cell is rated A, B or C.
A: Beyond our risk appetite
B: Warning
C: Within risk appetite
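A worked version of the loss-event side of the model above, added here as an illustration and not part of the talk: the deck's sub-factors are treated as multiplicative (an assumption), the Low/Medium/High cut-offs and the A/B/C grid are constructed placeholders, and the register entries are invented sample data.

```python
from dataclasses import dataclass

# Assumed cut-offs (not from the talk): two ascending thresholds split a value into Low/Medium/High.
def bucket(value, thresholds):
    lo, hi = thresholds
    return "Low" if value < lo else ("Medium" if value < hi else "High")

# Assumed A/B/C grid indexed [likelihood][business impact]; the deck's legend is
# A = beyond risk appetite, B = warning, C = within risk appetite.
APPETITE = {
    "High":   {"Low": "C", "Medium": "B", "High": "A"},
    "Medium": {"Low": "C", "Medium": "B", "High": "B"},
    "Low":    {"Low": "C", "Medium": "C", "High": "B"},
}

@dataclass
class LossScenario:
    asset: str
    owner: str               # the business owner accountable for the impact
    asset_value: float       # asset value (currency units)
    impact_fraction: float   # negative impact value, as the share of asset value lost
    p_threat: float          # likelihood of threat materialising
    p_weakness: float        # likelihood of weakness exploited, given the threat

    def overall_likelihood(self) -> float:
        # Assumption: the deck's two likelihood factors combine multiplicatively.
        return self.p_threat * self.p_weakness

    def overall_loss(self) -> float:
        # Assumption: overall loss value = asset value x negative impact value.
        return self.asset_value * self.impact_fraction

def rate(s, like_cuts=(0.1, 0.4), loss_cuts=(50_000, 500_000)):
    """Place one scenario in the likelihood x impact grid and return its A/B/C rating."""
    return APPETITE[bucket(s.overall_likelihood(), like_cuts)][bucket(s.overall_loss(), loss_cuts)]

def beyond_appetite(scenarios):
    """Scenarios rated A, largest overall loss first, so owners see what to act on."""
    hot = [s for s in scenarios if rate(s) == "A"]
    return sorted(hot, key=lambda s: s.overall_loss(), reverse=True)

SAMPLE = [  # constructed register for illustration
    LossScenario("customer PII database", "VP Sales", 2_000_000, 0.5, 0.9, 0.5),
    LossScenario("public web site", "Marketing", 100_000, 0.8, 0.9, 0.9),
    LossScenario("payroll file share", "HR", 800_000, 0.7, 0.9, 0.5),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{rate(s)}  {s.asset:<22} owner={s.owner}")
```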

Establishing Business Context: how do you develop a security program that focuses on what is important to the business?

Identify the business relations and owners impacted by threats to information assets: Customers, Suppliers, Partners, Others… and Your Organization.

Working with the business owners, abstract their requirements into measurable “assets”.

By establishing metrics that owners understand and are accountable for, managing to impact can be facilitated. The Business Attributes Profile is layered:
- Enterprise level: Strategic Business Attributes Profile
- Change program: Business Attributes Profile
- Project: Business Attributes Profile
- Operational processes and systems: Business Attributes Profile

Developing Strategic Services: how can you map the required functionality of any security service to a continually changing, improving environment until the end of your operational days?

Based on the identified impacts to the attributes, a multi-tiered control strategy can be used to define the security services the organization requires.

Enterprise security architecture builds traceability and justifications for services, processes and technologies implemented.

John had been asked to build a security program guaranteeing effective protection and compliance of the enterprise at all times.

He used:
- An impact-based approach to assess risks & opportunities with owners.
- Enterprise Security Architecture techniques to articulate the complete business requirements and prioritize the program.
- Enterprise Security Architecture processes to build traceability to, and justify, the implementation of security services.

Lessons Learned
- Threat-based approaches will not work long term
- Impact based accountability is key
- Enterprise Security requires an Enterprise Strategy
- Strategy must drive services and the technologies in a traceable, justified manner

Great things to think about…
- Does your organization have clear definition and executive ownership over business impacts?
- Are there clear linkages from the security program metrics to business performance?
- Does your organization have a strategic view of the services your Security Program is delivering to the organization?

THANK YOU. Patrick M. Hayes, Managing Director