Information Security Governance, 25th June 2007. Gordon Micallef, Vice President, ISACA Malta Chapter.

25th June, MFSA

Agenda: IS Governance
- Why is better IS Governance needed?
- What drives IS Governance?
- How to achieve better IS Governance?

Defining Information Security
Information security covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers, authorities and third parties.

Why IS Governance

Security Governance does not apply to us!!!!
- Information Security is being handled by IT and it's their responsibility;
- And since I do not know much about IT, I will avoid going into details, as they know what they have to do in their own weird / technological world;
- IT management knows better than the rest of the business, including Executive Management, what to secure, how, and when;
- We are secure and we do not need to confirm that;
- Security breach??? Cannot happen to me;
- We're small, we don't need that;
- Yes, we have a security policy!!

But ...
- It is needless to discuss whether an organisation is dependent on the information it holds;
- Managing information risks is a key part of corporate governance;
- Information risk management and information security rarely hit the agenda of the Board of Directors and Executive Management;
- Information Security is seen as an IT problem, and as IT's cost, rather than as a strategic enabler for Executive Management;
- The Board of Directors and Executive Management do not know what they can do to ensure that they meet corporate governance requirements for information risk management;
- Information Security does not only apply to IT.

Common scenarios of weak security governance
- Isolated attempts to mitigate individual risks whilst security threats are continuously evolving;
- Information security seen as another component of IT and not as supporting the achievement of business objectives;
- Reactive approach to managing information security: "Fix it when it breaks";
- Reactive approach to new regulations, addressing the individual requirements of each regulation separately.

Security Governance in the Local Context
- Governance does not apply only to larger organisations;
- We still cannot do away with complexity, regulation, dependency on information, and reputation; these are factors that need to be considered irrespective of size;
- It does not require significant investment, but security risks might make you lose whatever investment you have made;
- The good news is that what needs to be done might require less effort, and may be more easily achievable;
- Enforcement in highly regulated industries is still in its initial phases.

What IS Governance

What drives better information security governance?
The four pillars are: Senior Management Commitment, Security Vision and Strategy, Information Security Management Structure, and Training and Awareness.
This is not an IT implementation exercise.

How IS Governance

How to Proactively Manage Information Security Risk
1. Develop a security framework for capturing and reporting at different levels of granularity;
2. Understand the current state (gap analysis) in the context of industry and regulations;
3. Capture the security vision and directly align it with business objectives;
4. Translate the vision into strategy and action;
5. Determine a practical approach towards communicating the vision and strategy.

Step 1: Use an organising framework
An effective framework should:
- Integrate people / processes / technologies;
- Rather than being a mere technology fix, ensure that IT security implementations are aligned to the business objectives;
- Model the interdependencies between areas of security (such as manual vs electronic, physical vs logical);
- Provide a structural hierarchy for communication to various audiences;
- Support monitoring, benchmarking and comparison at various levels;
- Integrate leading practices and widely known industry standards.

Measuring the performance of security management
- Measuring, monitoring and reporting information security governance metrics is essential to ensure that organisational objectives are achieved;
- Measurement of performance will assist management in the right allocation of resources;
- Effective information security governance cannot be established overnight; it requires continuous improvement supported by adequate measurement;
- Various tools and methodologies for performance measurement are readily available;
- Measurement has to take place at various levels of the organisational structure.

Step 2: Assess the Current Environment
Carry out a gap analysis to answer:
- Is there a clear structure for reporting and decision-making within security?
- Are the security initiatives aligned with my business objectives?
- Are the security policies and standards derived from the proper sources?
- Does the security organisation provide sufficient architectural guidance?
- Are security and privacy an integrated part of IT processes?
- Does the security infrastructure effectively and efficiently meet the objectives?
- Do the operational aspects of security meet the needs of the business?

Step 3: Develop a Security Vision Aligned with the Business
- Based on the results of the gap analysis, assess the maturity of your current enterprise security capabilities;
- Evaluate areas for improvement and possible high-risk gaps;
- Identify precisely where the organisation should be committing its scarce resources;
- Develop an information security strategy document;
- Develop comprehensive policies that support this strategy.

Step 4: Strategise and Action
- Translate the vision into an actionable, repeatable and reportable strategy that identifies the business case supporting project creation, project prioritisation, risk assessment, and investment optimisation;
- Develop, along with the security policies, a comprehensive security programme through an actionable, realistic roadmap to achieve the vision;
- Incorporate change into the strategy, as a rigid and inflexible methodology provides a poor foundation for success.

Step 5: Effectively Communicate the Vision
- Different levels of audiences must be recognised;
- Crafting the appropriate message for the target audience is critical to success;
- The size of Malta makes it easier to communicate;
- Communication efforts should not be a one-off, but have to be ongoing to be effective.
Information security awareness programmes can take on many different forms. Whatever the delivery, the message must be clear: management cares about security, and the employee should as well.

What should better IS Governance deliver?
- A structure to measure the performance of the management of information security;
- Execution of appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level;
- Prioritised and adequate resource allocation;
- Alignment of security objectives to business objectives.

Common tools for better governance
Various tools are available for the different stages of the Security Governance project, such as:
- Guidelines provided by ITGI;
- Established frameworks such as COBIT;
- Best practices such as: ISO / ISO, COBIT Security Baseline, Information Security Forum (ISF) good practices for information security, ITIL.

Thank You