© ITGI, ISACA - not for commercial use. John R. Robles 787-647-3961 Guidance for Information Security Managers


Guidance for Information Security Managers
ISACA - Information Security Governance

"This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis."

ISACA Puerto Rico
- Serving IT audit, security, and controls professionals in Puerto Rico since 1984 (celebrating our 25th anniversary in 2009)
- More than 300 members
- Provide certification: CISA (139), CISM (13), CGEIT (6)
- Provide education and conferences: monthly educational meetings and a yearly Symposium
- Standards: ITAF™, A Professional Practices Framework for IT Assurance
- Research: The IT Governance Institute (ITGI)

ISACA Puerto Rico
- Publications: The Bookstore, ISACA Journal
- Downloads
- Review courses for the CISA, CISM and CGEIT exams twice a year
- Join a growing and dynamic professional association!

Introduction
- Information security has become a matter for consideration at the highest organizational level.
- "It is no longer enough to communicate to the world of stakeholders why we exist and what constitutes success, we must also communicate how we are going to protect our existence." - Kiely, Laree; Terry Benzel; Systemic Security Management, Libertas Press, USA, 2006
- This publication discusses how to develop an information security strategy within the organization's governance framework and how to drive that strategy through an information security program.

Information Security Governance Guidance
"Firms operating at best-in-class (security) levels are lowering financial losses to less than 1 percent of revenue, whereas other organizations are experiencing loss rates that exceed 5 percent." - Aberdeen Group, 'Best Practices in Security Governance', USA, 2005

Information Security Program Requirements

Roles and Responsibilities
- Executive Management
- Steering Committee
- Chief Information Security Officer

What the Board, Executive Management and Security Management Should Do

Information Security Metrics and Monitoring
- Information Security Metrics
- Governance Implementation Metrics
- Strategic Alignment
- Risk Assessment
- Value Delivery
- Resource Management
- Performance Measurement
- Assurance Process Integration (Convergence)

Establishing Information Security Governance
- An Information Security Strategy
"Corporate strategy is the pattern of decisions in a company that determines and reveals its objectives, purposes, or goals, produces the principal policies and plans for achieving those goals, and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities." - Andrews, Kenneth; The Concept of Corporate Strategy, 2nd Edition, Dow-Jones Irwin, USA, 1980

Information Security Objectives
- The Goal
- Classification and Valuation
- Deferred Information Maintenance

Strategy
- Defining Objectives
- The Desired State
- Risk Objectives
- Number of Controls
- Current State of Security

Strategy

The Strategy
- Elements of a Strategy
  - Policies
  - Standards
  - Processes
  - Controls
  - Technologies
  - People, Training, Etc.
- Gap Analysis: the basis for an Action Plan
- Annual or more frequently

Action Plan
- Create/Modify Policies
- Create/Modify Standards

Action Plan Intermediate Goals
- Action Plan Metrics
- General Metrics Considerations
- Summary: take into consideration
  - What is important to information security operations
  - Requirements of IT Management
  - Requirements of business process owners
  - Requirements of senior management

Establishing Information Security Governance
- An Example Using the ITGI and CobiT Maturity Scale
- Sample Policy Statement
- Sample Standard
- Additional Sample Policy Statements
- Conclusions

Conclusion
"Although regulatory compliance has been a major driver in improving information security overall, recent studies have also shown that nearly half of all companies are failing to initiate meaningful compliance efforts."

Appendix A – Critical Success Factors for Effective Information Security
- Performance Measures
  - Determine whether Information Security is succeeding
  - Determine whether Information Security Governance is succeeding

Appendix B – Self-Assessment and Maturity Model
- Self-Assessment for Information Security Governance
- Maturity Levels: Detailed Descriptions
- Purpose: Determine your Information Security Maturity Level

Appendix
- Appendix C – A Generic Approach to Information Security Initiative Scoping
  - Determine Task Steps
  - Determine Task Step Activities
  - Determine Task Step Deliverables
- Appendix D – An Approach to Information Security Metrics
  - "NIST special publication provides an approach to security metrics"

Appendix
- Glossary
- References
- Other Publications