Published by Amanda Shelton. Modified over 8 years ago.
Build a Security Governance and Management Plan
Establish the missing bridge between security and the business to support tomorrow’s enterprise with minimal resources.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2015 Info-Tech Research Group Inc.
Our understanding of the problem

This Research Is Designed For:
CISOs, CSOs, CEOs, CIOs, IT leaders, and business leaders who would like to improve alignment between security and business activities, optimize security resources, implement an effective risk mitigation strategy, and improve the transparency of security initiatives.
CISOs, CSOs, and CIOs who would like to better support the business.

This Research Will Help You:
Develop a customized comprehensive information security governance and management framework.
Apply your security governance framework to your organization and create a roadmap for implementation.
Develop a measurement program to continuously improve your security governance.

This Research Will Also Assist:
CEOs, CFOs, and other business leaders.
Business stakeholders that are continually affected by security.

This Research Will Help Them:
Understand the value of information security governance and management, as it has the ability to close any security gaps.
Executive summary

Situation
Security programs tend to focus on technology to protect organizations, while often neglecting the people, processes, and policies needed to manage the program.

Complication
It seems like a daunting and almost useless project to undertake. This leads to several problems:
o The security team doesn’t know whether it’s supporting business goals.
o The organization has no sense of direction in terms of what security’s priorities or initiatives should be.
o Risks are not treated appropriately.

Resolution
To bring your security program to the next level, security governance and management is needed. Your security governance and management program needs to be customized to your organization’s needs. This project will guide you through the process of creating a customized security governance and management plan that is comprehensive enough to cover all your bases, while keeping costs to a minimum. Begin defining your needs through a security pressure posture analysis and use best practices to determine what your security program should include. Conduct a gap analysis to collect the initiatives you need to reach your target state. Create an action plan and implement this project with the tools and templates provided by Info-Tech.

Info-Tech Insight
Technology is not enough alone – security governance and management is needed. Governance and management ensures that your processes, people, and policies support organizational security. It provides a unifying direction and vision for the entire program, instead of having ad hoc controls for each new initiative.
Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.
Info-Tech offers various levels of support to best suit your needs

DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options
Security Governance and Management Project Overview

Phases: Assess security requirements; Perform a gap analysis; Develop gap initiatives; Implement gap initiatives

Best-Practice Toolkit
1.1 Understand the value of security governance and management
1.1 Create a convincing business case
2.1 Define your risk tolerance
2.2 Determine your security pressure posture
3.1a Understand the different components of a security governance and management program
3.1b Self-assess your security governance and management capabilities and maturity levels
3.2 Define the governance and management target state
4.1 Identify existing gaps
4.2 Build initiatives to bridge the gap
4.3 Estimate the resources needed
4.4 Build an effort map
4.5 Determine start time and accountability
5.1 Finalize roadmap and action plan
5.2 Build out governance and management deliverables
6.1 Develop your security metrics
6.5 Develop a cycle of continuous improvement through your measurement program

Guided Implementations
Understand the value and challenges of security governance and management to create your business case.
Define your risk tolerance and determine your security pressure posture.
Perform a current state assessment of your capabilities and maturity levels.
Establish the governance and management target state.
Identify where there are existing gaps and where initiatives should be built.
Prioritize the gaps based on resources and efforts to create an implementation timeline.
Review and finalize the governance and management roadmap and action plan.
Build out your governance and management deliverables.

Onsite Workshop
Module 1: Assess security requirements
Module 2: Perform a gap analysis
Module 3: Develop gap initiatives
Module 4: Implement gap initiatives

Phase 1 Results: Understanding of the pressure posture and security governance.
Phase 2 Results: Identified gaps in the program.
Phase 3 Results: Actionable initiatives to continue building out security governance.
Phase 4 Results: Completed governance and management deliverables.
Workshop overview
Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Day 1: Assess security requirements
Activities:
1.1 Understand the value of security governance and management
1.2 Create a convincing business case
1.3 Define your risk tolerance
1.4 Determine your security pressure posture
Deliverables:
1. Business case for security governance and management.
2. Defined risk tolerance.
3. Defined security pressure posture.

Workshop Day 2: Perform a gap analysis
Activities:
2.1 Understand the different components of a security governance and management program
2.2 Self-assess your security governance and management capabilities and maturity levels
2.3 Define the governance and management target state
Deliverables:
1. Current maturity levels of the security governance and management capabilities.
2. Established target state for the capabilities.

Workshop Day 3: Develop gap initiatives
Activities:
3.1 Identify existing gaps
3.2 Build initiatives to bridge the gap
3.3 Estimate the resources needed
3.4 Build an effort map
3.5 Determine start time and accountability
Deliverables:
1. Identified gaps in the existing security program.
2. Gap initiatives in order to close the gaps.
3. Prioritization of the gaps, assisting in implementation.

Workshop Day 4: Implement initiatives
Activities:
4.1 Finalize roadmap and action plan
4.2 Build out governance and management deliverables
4.3 Develop your security metrics
4.4 Develop a cycle of continuous improvement through your measurement program
Deliverables:
1. Finalized roadmap and action plan.
2. Completed governance and management deliverables.
3. Developed security metrics.

Workshop Day 5: Communicate and continue to implement
Activities:
5.1 Finalize deliverables
5.2 Support communication efforts
5.3 Identify resources in support of priority initiatives
Deliverables:
1. Security governance and management plan and roadmap.
2. Mapping of Info-Tech resources against individual initiatives.
Phase 1: Assess Security Requirements
Phase 1 outline
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Assess security requirements
Proposed Time to Completion: 1 week

Step 1.1: Create a convincing business case
Start with an analyst kick off call: Understand the value and challenges of security governance and management.
Then complete these activities… Create your business case by documenting your goals, objectives, and challenges.
With these tools & templates:
Security Governance and Management Challenge Analysis Tool
Information Security Governance and Management Business Case Template

Step 2.1-2.2: Define your risk tolerance and determine your security pressure posture
Understand your organizational risk: Determine the organization’s risk tolerance exercise with the help of an analyst. Determine your inherent risk through a pressure posture analysis.
Then complete these activities… Determine the risk tolerance and define the security pressure posture.
With these tools & templates:
Security Pressure Posture Analysis Tool

Phase 1 Results & Insights: Assessment of the organization’s requirements for a security governance and management program.

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Step 1: Make the Case

Project steps:
1 Make the case
2 Determine the security pressure posture
3 Establish target state
4 Conduct a gap analysis
5 Implement governance initiatives
6 Develop metrics

This step will walk you through the following activities:
Launch a business case for your security governance and management.
Understand the main challenges facing security governance and management.

This step involves the following participants:
CISO/Head of Security
Security Engineer
CIO

Outcomes of this step
Understanding of what security governance and management means for your organization.
Goals behind putting a proper framework in place.
Identified challenges facing the organization.
Info-Tech Research Group Helps IT Professionals To:
Quickly get up to speed with new technologies
Make the right technology purchasing decisions – fast
Deliver critical IT projects, on time and within budget
Manage business expectations
Justify IT spending and prove the value of IT
Train IT staff and effectively manage an IT department

“Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment.” - ARCS Commercial Mortgage Co., LP

Sign up for free trial membership to get practical solutions for your IT challenges
www.infotech.com
Toll Free: 1-888-670-8889