Chapter 4 of the Executive Guide manual

Chapter 4 of the Executive Guide manual: PEOPLE

Overview
- People are the most important component of an effective information security program.
- Three key areas make up the security evaluation framework: Strategy, Components, Administration.

People: Strategy
- The information security strategy must be updated regularly, because new challenges and threats appear daily.
- Measuring prevented security breaches helps quantify the effectiveness of the security program.
- Ensure compliance with regulations (HIPAA, Gramm-Leach-Bliley, PCI, etc.).
- Certification of the security program is an indication that it follows best practice.

People: Components
- Assess personnel skills and credentials to ensure the program's success.
- A dedicated information security organization indicates that management is committed to a quality security program.
- Leaders must be qualified, informed, and flexible enough to adapt to increasing security challenges.

People: Administration
- Well-defined roles and responsibilities.
- Authority to enforce policies.
- Commitment from the C-suite.
- Regular reporting to executives and the board to ensure appropriate oversight.
- Segregation of duties (SoD).
- Support and involvement of key organizations (legal, HR, audit, etc.).

People: Administration (cont.)
- A global program must include risk management.
- Align with business goals by understanding the risk associated with existing and new products and services.
- Having the right people in the organization is paramount to the overall success of the security program.
- Review Table 4-1 for the people evaluation of your security program.

Strategy
- Provide adequate training and establish accountability.
- Identify a baseline and hire people with the skills and credentials needed to ensure the program's success.
- Two staffing strategies: build in-house (hire into the company) or outsource (third party).
- What must NOT be outsourced?

In-House vs. Outsourced

In-House Pros & Cons
- Challenges in finding skilled staff
- Retained knowledge
- Robust security functions
- Training
- SLA

Outsourced Pros & Cons
- Ensure compliance with increasing regulations
- Enable the company to concentrate on core competencies
- Must have an effective vendor governance process
- Knowledge transfer
- Vendor financial stability
- Service Level Agreement (SLA)
- Auditable clause
- Exit strategy

Components
- Invest resources to hire and develop the security team.
- Three categories of personnel: management, technical, and audit staff.
- Individuals need to be both technically and business savvy.

Who has the ultimate responsibility to ensure customer data is secure: the outsourced vendor or the company?

Management Staff
- Need a broad understanding of information security and business operations.
- Need both breadth and depth of experience.
- Need education and credentials (CISSP, CISM, CISA, GIAC, etc.).

Technical Staff
- Have the knowledge and skills for a specific area of expertise, plus some business knowledge.
- Be certified in the specific areas of concentration (see the SANS list).
- Continue education to stay abreast of current events and technology changes.

Administration
- Everyone plays a role in information security.
- Tone at the top is critical to the success of the program.
- Policies and procedures provide guidance for people to execute the security program.
- Review the Information Security Roles & Responsibilities table (Table 4-3).

Roles & Responsibility Matrix

Organizational Structure

Functional / Centralized
- Personnel remain within their area of expertise
- Better utilization of scarce resources
- Resources are not close to the customer/user
- Specialized expertise

Geographic / Decentralized
- Closer relationships with clients
- Can encourage personnel to adhere to the security program
- Jack of all trades

Segregation of Duties (SoD) Matrix

Information Security Governance
- Ideally governed by a board made up of senior management from key operations (IT, HR, legal, audit, etc.).
- Responsibilities include:
  - Define the goals and direction of the security program.
  - Establish policies.
  - Provide resources.
  - Review KPIs/metrics on IT operations.
  - Make critical decisions regarding security systems.

Governance (cont.)
- The security program aligns with company strategy.
- IT investments align with business priorities.
- Benchmark to ensure best practices are followed.
- Audit the security program periodically.

Summary: Key Points
- People are the most important component of an effective information security program.
- The reporting relationship between information security management and the executives and board is important because it gives the security program enforcement power.
- Pros and cons of an in-house vs. outsourced security program.
- People skills, training, and certifications are important.
- Having appropriate governance in place ensures the support system is in place.