1
Information Security Governance
JANUS Associates
Information Security Governance (A Comprehensive Approach to Information Security)
Presented by: Patricia A. P. Fisher, CEO
2
Information Security Today?
What is the State of Information Security Today?
Phishing breaches were 4 times higher in 2012 than in 2011
Cost of breaches has increased from $214 to $222 per breach
Cyberattacks: 102 successful attacks per week, compared to 72 in 2011 and 50 in 2010 (RSA)
By January 2013, cyber crime had grown to 46% of all attacks (Hackmageddon.com)
Symantec reports that over $114bn in cash losses was reported worldwide

The number of phishing instances is rising, 400% in the past year; cost per instance has gone up 4% during this same period (according to results reported to the Ponemon Institute). The number of cyber attacks is also growing, up over 40% in each of the past 2 years, very consistent with the phishing increases. According to several surveys, the type of attack that is most rapidly growing in popularity is cyber crime.

These problems continue to grow even though we’ve been addressing information security as an issue for over 20 years. What is becoming apparent in the US is that simply buying more hardware and software is not the complete answer. Obviously, we need adequate tools, but now that so many tools have become available, organizations are asking how they can better utilize the tools they have and not simply continue to spend money. The answer is to improve the process of securing information, not merely some of the technical mechanisms. This process is called governance.
3
National Information Security Governance
What is information security governance?
Leadership
Framework established to ensure that all the security elements put in place to protect your data environment work efficiently, accomplish what is intended, and do so cost effectively
Processes to carry out what is intended by the leadership

Why is it important?
Provides a framework for secure business operations in an interconnected world
Ensures the Country’s security resources are well spent

What is information security governance? Governance implies leadership: you can’t govern without someone at the top taking responsibility, but for too long no one has wanted the responsibility of information security, so each separate organization has often run its own type of program.

Information security governance is the framework that you establish, along with the processes within that framework, to ensure that all the security elements put in place to protect your data environment work together, do so efficiently, accomplish what is intended (at all levels of the government or organization), and do so in a cost effective manner. What this means is that each Agency or Ministry must work in a cohesive manner with all the others to accomplish the common goals that will be defined in the law you are writing. The framework includes responsibilities, processes, risk management, and verification: all the elements that can create a successful outcome.
4
National Information Security Governance
Why is it important?
Provides ability to conduct secure business operations in an interconnected world
Ensures the Country’s security resources are well spent
Gains international respect

Why is it important?
1 – A good governance program establishes the concepts and structures that allow you to conduct business throughout the world, with your partners trusting you and your transactions.
2 – You are using your resources wisely, financial and people: you avoid loss of business and you are able to keep staff working on the Country’s priorities, not fixing problems that may be avoidable.
3 – A solid information security program will support you in your efforts with the international community. It says you’re serious, that you’re willing to do what the other leading nations do.
5
National Information Security Governance
What does it need to include?
Alignment with the information security strategy of the Nation
Management of risks
Efficient and effective management
Verification of results

As you write your law, think about what the law means to those who must work with it. An example comes to mind: recently in the US the Congress was drafting a cyber security law. In studying it, we found that although the drafted law was advertised as a comprehensive information security law, all it really did was establish research capabilities; this law was not adopted.

Your law certainly needs, and intends, to establish CERT teams. However, what else should a comprehensive law do?
Does it establish a management structure to oversee it?
Does it establish similar policies and practices, where possible, so that information security is comprehensive?
Does it establish a way to determine if each Ministry is compliant with the law?
Does it determine where weaknesses may reside?
Are there any consequences to not complying?
These steps result in a comprehensive program.
6
National Information Security Governance
What benefits can be gained from a security governance program?
International recognition
Fewer breaches to deal with/increased efficiency
More effective use of resources

As you move in this direction, hold these elements in your minds because of the importance of what you are undertaking. You’re going to gain international recognition: trust and confidence from international partners throughout the world. And, while an information security program may appear to be expensive, it’s being proven again and again throughout the world that it’s far less costly than a major breach, theft, or error, as many governments and organizations are learning.

Let me give you an example of a major problem we recently dealt with: this was a very large government organization that had no significant budget for information security. However, they suffered a data breach late one Thursday evening. I received a call from the top management asking what we could do to help them through this. Their words were “we don’t care what it costs, just fix it”. It was expensive to fix, and wouldn’t their funds have been better spent on the entire program, not simply on cleaning up a mess?

Fewer breaches or errors to deal with means that your focus can be on the Country’s business, not remediating or simply solving problems. So how do we go about setting up a governance structure here?
7
Organizational Governance
Governance Model: Organizational Governance, comprising Security Governance, IT Governance, and Financial Governance

So, what are the components of information security governance?

1st – It needs to be well thought through so that each component of the program works with the others.

2nd – Its various parts must be tightly coupled and integral to management of the organization so that all the operations of the organization work together. If governance is separate or simply an add-on it will have little effect, and we find from practical experience that people will circumvent the process.

3rd – The governance function cannot be subordinate to other Ministerial functions or it will be disregarded or forgotten. We observe this regularly. An organization wants to improve information security, but because leaders often don’t understand this technical discipline they regularly push it way down into the organization; the result is that it has no ability to make higher-up people adhere to the established rules.

4th – It must include a framework that everyone adheres to, or the security of information will be weak or ineffective. There can be no exceptions. We often see programs where the entire staff is told they must adhere to the rules, but the top officials refuse to; this tells staff that the leaders do not believe this is important.

5th – It must tell people what is expected of them so they can adhere to what the organization wishes. These are policies and how to undertake them (procedures).

6th – It must have a way to determine if it is effective, what we term verification. This is a critical step. If you do not verify, how do you know the true status of anything? It’s like sending a child to school and never testing him on his knowledge. If you ask any child if he understands the topic he’ll probably say yes, but only through testing will you know how well he understands and what actions you need to take to help him understand better.

7th – It must provide mechanisms for reporting to management so that continuous improvements can be made. In the example we just used this would be like reporting to the parents the results of academic tests. Does the child need special classes to improve learning or is he doing fine? The report card shows what he knows and tells you what improvements have occurred from period to period. So it is with information security. If no one is paying attention there is no way to know what is really taking place inside those computers.

Diagram labels: Policies & Procedures, Verification, Reporting
8
Who Does What In Governance?
Diagram: Governance Responsibility against Government Level / Organization
Governance – Country
Strategy, Risk Management – Ministry A, Ministry B
Policies – Function, Function, Function
Procedures – Departments

As we establish the information security governance program, who do we assign responsibility to for various portions of the program? We’ve separated this example into 2 sections:
Responsibility, or what needs to be done
Government organization, or who does what and at what level of government?

Once a comprehensive law is written and top officials in the government decide who, at the very top of the government, will be responsible for all the components of the cyber security program, not only its implementation and functioning but also its governance, we can begin to establish the details of the program. Following assignment of overall responsibility, an assignment can be made at the Ministry level to develop an overall strategy and risk management capability. This is appropriate because all the same elements may not be applicable to the Ministry of Culture as are to Defense. Once the strategy and/or specific design to manage risk is complete, each Ministry can assign specific governmental departments within the Ministry to develop consistent policies. Further down in the organization, procedures should be developed so all staff follow the same process to accomplish specific tasks.
9
Existing Problems
Governments are often working at the tactical level without a strategic framework
Examples: Security tools; Incident response
Lack of regular feedback to executive management
Ad hoc testing occurs without a pre-defined structure
Few requirements for action plans to provide solutions

Now that we know what we should do, what do we typically observe is actually happening? Most governments would say that they have a governance model. However, when its components are not well aligned, the following often manifest themselves. Department security personnel are installing tools, setting firewall/router rules, configuring systems, and monitoring incidents. No one really knows how effective all these are because there’s often not a well-formed set of policies and processes that everyone uses, or guidance that requires reporting appropriate results. Nor is there often a requirement for written action plans with completion dates that get reported to department, division, or ministry management when issues are assigned to be solved. In addition, rarely is there any feedback to the Ministry or to top levels of the government regarding results of security efforts.

In the US, there is now an annual grading system that establishes a letter grade (A-F) for each governmental agency. While this is a first step, it has been focused on compliance with rules and policies, and not significantly focused on verifying what problems exist. The US government is beginning to change this orientation and do more technical observation and testing because officials are starting to understand that US agencies can be compliant but not secure, and the US government needs to refocus them.

Let’s use an example: if Security Governance resides at the Technology Agency, how can we ensure that the Ministry of Industry and Trade, the Ministry of Education, or other ministries also use the same framework or policies and procedures? Yet, if the framework is at the top of the government, and the program is driven down through all agencies, there will be a consistent focus. What we still see regularly in organizations in the US is the following.
10
Security of Operations
Stove-pipe management
Ministry of Finance | Ministry of Agriculture | Ministry of Education | Ministry for Resources

We call this way of operating stovepipe operations. Historically, security has been decentralized, with managers in each business function, here represented by your Ministries, responding to security requirements based on their own interpretation or best judgment, or not at all. For example, often lines of business such as your ministries might have completely different information security policies and procedures. Within each of those ministries people might change jobs but not have access to specific data removed, so their access grows until a security problem might result. In addition, Data Center controls regularly are based on what Data Center management perceives is needed within the organization. Yet, because this originates from a narrow technical perspective, it may not meet the entire needs of the organization.

What’s the result of this approach? Ambiguity of ownership of shared resources between different organizations regularly results in either duplicated information security policies used in each or, if some organizations buy something from another one, some portions of security may be left out due to an assumption that the other organization is responsible (this second issue is the most common).
11
Make Security Strategic
Stove-pipe management leads to gaps
Ministry of Finance | GAP | Ministry of Agriculture | GAP | Ministry of Education | GAP | Ministry for Resources

Gaps between the operational areas (stove-pipes) regularly result in vulnerabilities that, in turn, cause data breaches as well as audit findings. At the top of the government, for example, Country management (the President or the Prime Minister or Parliament) has no way of knowing that good security practices are being followed, because each stovepipe may be using a slightly different standard or policy or procedure and no one knows what may be left out. This type of security process means that security monitoring is rarely optimal for the organization, that consistency does not occur, and that improvements in overall quality are hindered because there is insufficient tracking of trends or adherence to standards.

For example, if a security vulnerability was found in the Agriculture Ministry, who (in the rest of the government) would know the details of it and ensure that it was not pervasive throughout the government, or why it might be important? Conversely, if the same situation occurred in the Finance Ministry, at what point would that become a concern for the other ministries? Is this clearly defined?
12
A Holistic Approach to Governance
Security governance needs to take a holistic approach
Diagram: Security and Risk Management run as rows across the Ministry of Finance, Ministry of Agriculture, Ministry of Education, and Ministry for Resources

JANUS works with its clients to get their organizations to view security in a holistic way. Such a view forms a matrix across the government or organization, instead of stove-pipes. The gaps become closed. In addition, we have found that this way of thinking at the top level of the government lends itself to improvements that benefit more than simply the security function. It also improves quality, cost efficiency, and job satisfaction, since many recurring problems are solved with this comprehensive view. How do we move to a governance model? First, we define who does what within the model.
13
Governance Implementation
The Role of Government Executive Management - Strategic
Commit To Holistic Security Excellence
Set a common vision
Establish principles to guide the program

The first of these is Executive Management at the top levels of the Czech government. Executive Management must project a vision. This can be defined by the security management, but top government officials need to agree and set the tone if governance is to be successful and if the Country is to reap its benefits. In order to transform security into an effective function, each Line of Business, the various ministries (the stovepipes) in the organization, needs to see Country officials setting what is called the “tone at the top”. This consists of a clear vision statement that Security is everyone’s job. Each person needs to have the same focus. Along with that we need to create a unified security program, and allocate or acquire appropriate resources.
14
Governance Implementation
The Role of Ministry Executive Management - Strategic
Commit To a Program: Create the security program plan; Apply the necessary resources
Manage Change: Drive transformation through organization
Measure Success: Internal testing and measurement; Audit improvement

At the Ministry level, top level officials also have a strategic responsibility, although slightly different from the Country’s top leaders. They need to set a Ministry vision that complements that established at the Country level. Once these program elements are in place, we need to follow through, and ensure that all areas of the organization agree with and comply with the directives and processes defined by the security program. Such a centralized information security program will also enable centralized monitoring of results, which is essential to improving quality and efficiency. Monitoring of quality can take many forms, as we will see a little later in this presentation. Chief among them is, of course, a reduction in the number and severity of audit findings, data breach incidents, or rework. Let’s move now to what the specific steps are to implement a successful security governance program, and, in turn, effective security.
15
Governance Implementation
Governance Requirements
Centralized leadership
Scalability and agility
Comprehensive planning
Management of risk
Continuous improvement in quality

Before we discuss the specific steps for implementing a security governance program, let’s also discuss general requirements that any such program needs to address, including any growth issues combined with escalating needs or expectations for security compliance. The security plan should address these five requirements:
1st – Appropriate levels of centralization of security leadership. Without a leader a program will not be successful. Government programs also need their leaders, as do international needs.
2nd – Today, every organization needs scalability and agility, with an information security governance structure that can expand and adjust to a rapidly changing organizational structure.
3rd – The security program needs to be much more comprehensive than in the past; gaps must be closed, and the full range of security requirements must be included.
4th – This includes an ongoing risk management program that actively identifies risks, makes pragmatic choices about how and where to remediate, takes action, and monitors for effectiveness of results.
5th – It also includes analysis of the effectiveness of security policies and infrastructure by tracking measures of risk and compliance, and making adjustments in a continuous cycle of improvement in quality.

Now we’re going to go a little deeper. We now know what we need to do, but how do we actually put such a program in place?
16
Best Practices Security Governance
Who does what?
Diagram: Executive Leadership – Ministry Level; Executive Mgmt/CIO (Approve); CISO (Enterprise Policy and Standards: Define); Line of Business, Human Resources (Operational Governance: Interpret); Datacenter (Operations: Implement)

As we begin to think about security governance, at what level of the organization do various program components occur? This organizational chart combines centralized leadership with a flexible and scalable governance structure. While executive Ministry leadership drives the entire governance program for the organization, the CIO tracks the health of the information security program, and tracks risks to the organization’s information assets. The CIO provides final approval for information security policy, and receives reports of risk and compliance from the CISO.

The CISO establishes security policies and standards for the entire organization at the Ministry level. This is where the new holistic approach really takes hold. The CISO monitors reports on risk and compliance, and assembles executive summaries on risk. The CISO leads mitigation efforts to reduce gaps and audit findings. The CISO assumes leadership of the response to security incidents. The CISO’s office includes senior engineers who provide subject matter expertise in technical aspects of security. Often, we find that organizations do not have a centralized security engineering function, and do not take leadership during security incidents. To make this change happen, managers must be found who have significant subject matter expertise or who can be trained to have such expertise. And appropriate relationships need to be established and enforced with third parties and business partners.

At the Line of Business level, various managers assigned security responsibilities should interpret organizational security policy and standards in the context of their local or departmental operation. These managers oversee compliance with standards in the datacenters, finance, personnel, and other functional areas, so they must be encouraged to gain enough understanding with which to fulfill this mission. System engineers in the datacenter and operational areas respond to security directives by establishing work plans and procedures for security, and performing daily operations according to policy. To make this happen, executive leadership needs to ensure that third party personnel at the Datacenters do not have divided loyalty. Vendor agreements need to be clear, and the organization needs to be perceived as in charge when it comes to security. Leadership needs to make clear to all parties that security policy at the datacenter level must be in accordance with policies established by the Ministry CISO. This is a significant change from many current situations we find throughout organizations. When these layers are in place, a risk management framework can be established, which will be a core process for improvements in quality.
17
Tiered Security Process
Diagram: Ministry Management, CIO and CISO drive the program (Security Awareness; Policies, Guidelines, Standards) down through Business Processes to Systems and Infrastructure; feedback (Risks, Audit Results, Vulnerability Assessments, Continuous Monitoring) flows back up

While the Country government sets the vision, at the Ministry level the executive management must drive the security program. We can illustrate this in a 3-tiered structure. This three-tiered management structure is a typical “leading practices” information security structure. The CISO drives security awareness down and across the organization. Business processes at the mid tier are adapted to security directives. At the systems and infrastructure level, security controls are implemented through work orders, procedures, and investment in technology. The health of the network is monitored, success of work orders is monitored, and vulnerabilities are identified during vulnerability assessments and audits, and these results are fed back up through the organization to the CISO. To understand how this applies to risk management, let’s review some common terms and concepts for risk management.
18
Likelihood X Impact = RISK
Risk Rating matrix: impact columns (Very small Impact, Moderate Impact, Significant Impact, Huge Impact) against likelihood rows (Unlikely, Realistic Possibility, Strong Likelihood, Near Certainty); the rating rises along the diagonal from Low Risk through Moderate Risk to High Risk. Arrow: Drive to the left.

When we set up a security program we do so to ensure that our risk is only as great as our organization is comfortable with. Obviously, the Ministry of Finance or Defense is far less tolerant of risk than, perhaps, the Ministry of Culture. This chart illustrates the concept of risk that each Ministry needs to consider. Risk is equal to the likelihood of an impact times the size of the impact. This is where risk management comes in.

Every organization has vulnerabilities. No organization would even want to be totally free of risk, because having no risk is too expensive. In business, some risk is part of making a profit. In technology, there will be risks that are acceptable, because the risk is so small or inconsequential that addressing the risk is not cost justified. There are other risks where investment to address the risk is a required cost of doing business. Information Security risk management is the process by which you can make informed decisions to prioritize which risks should be addressed.

In this table you see that a risk that has little expected impact and little likelihood of occurring is ranked as a low risk. On the other hand, some very unlikely risks have a huge expected impact. What would happen if a meteor struck? The likelihood is so small that protecting against a meteor strike is not justified. There is a strong likelihood of fraud if financial applications accessible by the Internet do not have proper password management, and the impact of fraud can be grave, so an absence of appropriate password management in financial systems could be a High Risk. A well-structured Information Security Program will reduce the number of high risks by first identifying the risks, prioritizing them, and investing in solutions to remove the high risks.
19
Risk Management
Diagram: Plan Do Check Act cycle. Plan: Risk Analysis, Audits, Plan of Action and Milestones. Do. Check: Continuous Monitoring, “After-Action” Reports. Act: Revise Policy & Program, Redirect Risk Analysis.

As part of the governance program, managing risk is a required element. In this diagram, we use a chart called a Plan Do Check Act cycle, as applied to risk management. Starting at the Planning Stage, the Ministry conducts a risk analysis of its entire infrastructure, including business processes. The risks are then ranked in terms of priority, and project plans are developed to address top priority risks, often called a Plan of Actions and Milestones. The POAM describes what remediation is planned and assigns dates for each step along the way, together with what will occur on that date.

In the DO stage, the CISO will drive the process to remediate risks, with each project in the Plan of Actions and Milestones. Executive Ministry Leadership should work with the CIO and CISO to ensure that ownership for remediation efforts is clear, remediation is properly funded, and a schedule for closing findings is tracked. This is an area where security often fails because of ambiguity of ownership. Executive leadership needs to ensure that responsible parties accept ownership and responsibility for remediation. The CISO should have immediate, on-demand access to the current status of all remediation projects, as well as ongoing access to monitoring reports.

In the CHECK stage, the effectiveness of remediation is monitored, through ongoing monitoring and reports on security intrusions, vulnerability assessments, and many other sources. Metrics are gathered and reporting occurs. On the right side of the cycle, the DO stage, technology and process is improved. On the left side of the cycle, the ACT stage, higher level considerations come into play and the security program is improved. When persistent vulnerabilities continue to appear despite best efforts with existing resources, the CISO may determine that changes to policy, standards, staff, or to the program structure may be required. Changes in the Ministry’s business environment, including new functions or changes to requirements, may also require a change in how risk is assessed. And the cycle starts again, with a refreshed understanding of risks and approaches to risk. Improvements to quality will be achieved by moving repeatedly through this cycle. Next, let’s look at one of the most common reasons why organizations do not always see an improvement in quality.
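The example below is added here to make the Likelihood x Impact rating from the previous slide and the Plan of Action and Milestones from this one concrete; it is illustrative code written for this page, not JANUS material. It scores a constructed register of four risks drawn from situations the slides describe, bands the scores, and builds a dated POAM for two ministries with different tolerances. The 1-4 scales, the band cut-offs, the tolerances, the milestone lead times and the sample risks are all assumptions; the slide names only the likelihood and impact levels and the diagonal of the matrix.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal scales built from the slide's row and column labels.
# The 1-4 values are an assumption; the slide only names the levels.
LIKELIHOOD = {"Unlikely": 1, "Realistic Possibility": 2,
              "Strong Likelihood": 3, "Near Certainty": 4}
IMPACT = {"Very small": 1, "Moderate": 2, "Significant": 3, "Huge": 4}

# Assumed lead time (days) to the "control implemented" milestone, per band.
MILESTONE_DAYS = {"High": 30, "Moderate": 90, "Low": 180}


def risk_band(score: int) -> str:
    """Band cut-offs chosen (assumption) so the slide's diagonal holds:
    Unlikely x Very small = 1 -> Low, Realistic Possibility x Moderate = 4
    -> Moderate, Strong Likelihood x Significant = 9 -> High."""
    if score <= 3:
        return "Low"
    if score <= 6:
        return "Moderate"
    return "High"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        # The slide's formula: Likelihood x Impact = RISK.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def band(self) -> str:
        return risk_band(self.score)


@dataclass(frozen=True)
class PoamItem:
    risk: Risk
    owner: str
    milestones: tuple  # (date, description) pairs, earliest first


def build_poam(register, tolerance: int, owner: str, start: date):
    """Rank every risk whose score exceeds the ministry's tolerance (the
    highest score it accepts without action) and date each step, as the
    slide describes for a Plan of Action and Milestones. Risks at or
    below tolerance are accepted and left off the plan."""
    actionable = sorted((r for r in register if r.score > tolerance),
                        key=lambda r: r.score, reverse=True)
    plan = []
    for risk in actionable:
        days = MILESTONE_DAYS[risk.band]
        milestones = (
            (start + timedelta(days=days // 2), "Owner, funding and design approved"),
            (start + timedelta(days=days), "Control implemented (DO stage)"),
            (start + timedelta(days=days + 30), "Effectiveness verified (CHECK stage)"),
        )
        plan.append(PoamItem(risk, owner, milestones))
    return plan


# Constructed register: four risks taken from situations the slides describe.
REGISTER = (
    Risk("Internet-facing financial application without proper password management",
         "Strong Likelihood", "Huge"),
    Risk("Outsourced datacentre contract with no incident-notification clause",
         "Realistic Possibility", "Huge"),
    Risk("Staff change jobs but keep access to data they no longer need",
         "Realistic Possibility", "Significant"),
    Risk("Stale antivirus signatures on an isolated training workstation",
         "Unlikely", "Very small"),
)

# Assumed tolerances: Finance accepts only scores up to 2, Culture up to 6.
TOLERANCE = {"Ministry of Finance": 2, "Ministry of Culture": 6}


def poam_summary(ministry: str, start_iso: str):
    """Return (risk name, score, band, first milestone ISO date) per plan item."""
    plan = build_poam(REGISTER, TOLERANCE[ministry], f"{ministry} CISO",
                      date.fromisoformat(start_iso))
    return [(i.risk.name, i.risk.score, i.risk.band, i.milestones[0][0].isoformat())
            for i in plan]


if __name__ == "__main__":
    for ministry in TOLERANCE:
        print(ministry)
        for name, score, band, due in poam_summary(ministry, "2024-01-01"):
            print(f"  {score:>2} {band:<8} first milestone {due}  {name}")
```

Finance, with the lower tolerance, must plan for the stale-access risk that Culture may accept; the accepted Low risk appears on neither plan.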
20
Vendor Risk Management
Risk Can Not Be Outsourced
Boundaries of ownership for security controls must be crystal clear
Continuous security monitoring and reporting back
Integration of incident response between the vendor and your organizations

We see organizations trying to rid themselves of risk by outsourcing. Many organizations depend heavily on suppliers, service providers, and other third party business associates, and this dependence is growing throughout the world. Ownership of RISK for systems, network, and applications cannot be outsourced. It is perfectly reasonable to have a third party manage systems and applications, but if anything should happen to the data within those systems and applications, the organization that outsourced the functions still owns the risk. If government or citizens’ information is mistakenly published on the internet, or if critical systems fail, the Ministry or organization that outsourced will be held responsible, and the Czech public will also hold it responsible. System management of functions can be outsourced, but system risk cannot be.

What we see occurring in the US presently is that agencies are working to clarify boundaries of ownership for systems and for security controls. If things are outsourced (including to the cloud, which is so popular today), the agency or organization that outsourced the function is beginning to establish agreements to monitor systems and processes that occur at the place where the systems reside; and if security incidents occur at that outsourcer, because we know for certain that security incidents will occur, the originator’s information security team needs to be immediately informed and involved in the response to the incident. You should not rely solely on someone else to identify and manage all your security incidents without your involvement. Your executives should drive this in several ways:
21
The Role of Executives
Set Example: “Tone from the Top”; Role Model; Accountability
Set Expectations: Security expectations must be explicit in vendor agreements
Establish Oversight: Vendors should submit to independent security assessments and audits

As each Ministry establishes its program to meet the Country’s vision of security, top officials in each Ministry need to ensure that everyone knows what is expected.
1st – They need to continue to set the example of country officials by being role models and adhering to security themselves. This is a large component of “tone at the top”.
2nd – Set expectations among all business partners outside the Ministry, and codify those expectations with explicit security requirements written into vendor agreements, memoranda of understanding, and service level agreements. Do not let your vendors and contractors tell you what they do, or worse, not tell you everything until there is a problem.
3rd – Establish ongoing oversight of third parties. The CISO’s office needs authority and cooperation to conduct independent security assessments and monitoring of the various departments and all other areas in scope for the security program. Your executives must also ensure that the security program is properly staffed, with the appropriate tools and resources to effectively conduct monitoring of third parties. Telling staff to do this with no resources with which to undertake the task is going to fail. However, this does not mean that an open checkbook need be available. Far from it: careful expenditures are called for, and your koruna should be able to buy more through coordinated spending.
22
Information Security Measures of Performance
Program is Effective: Investment reduces the number of findings in audit reports; Success rate in closing items in the Plan of Action and Milestones; Impacts from security incidents trend lower
Policies Are Followed and Effective: Procedures should generate evidence of performance; Continuous monitoring: antivirus, intrusion detection; Vulnerability assessments; After action reports on disaster recovery, incident response

Once the risk management program is in place, through verification and reporting you can ensure that the program is effective, and also that the policies and standards of the program are effective. At the Program level, the CISO should gather metrics on the number and severity of risks and findings, which should begin to trend lower over time. The success of the program is also measured by how effectively projects are managed to close high-risk findings. For example, metrics might include how many projects to close risk are completed on time, and estimated vs actual cost expended.

It is critically important not to punish reporters of security incidents. An increase in the number of incidents is not an indication of a failure of the program. Quite the opposite is true. An alert and well trained CIRT team will identify more incidents than a poorly trained or poorly motivated team. An increase in security maturity is often followed by an increase in security incidents being reported. Impact, not the number of security incidents, is the important metric to track.

At the Policy Level, the CISO will gather two types of metrics: one form of metric determines if policies are followed, the second form of metric determines if policies are effective. Work orders should be designed to generate audit logs or records, which can be monitored for completion and adherence to policy. The number and nature of findings in vulnerability assessments are a useful metric for determining if policies are both followed and effective. At this point the use of tools is appropriate; note how much thought has gone into developing the Program before we even consider tools. The number of incidents reported by monitoring, such as antivirus or intrusion detection, is a common way to determine if policies are effective, as are “after action” reports and lessons learned from actual events or disaster recovery testing. All of these metrics should be generated by the datacenters and operational areas, and provided to the security managers and/or the Ministry CISO for analysis. With these actions you will establish and maintain an effective security governance program.
23
In Summary: Security Governance
Set information security vision – Country level
Establish strategy – Ministry level
Bring in experienced employees/advisors
Drive the vision
Verify
Improve security and lower levels of risk
Become best in class to improve quality, lower costs

Security governance starts at the top. Get Country and executive management to accept the vision. Establish the strategy to better control overall risk. Bring in experienced employees and advisors to speed the process for improvement. Drive the vision of risk management throughout the organization. Verify. This is how you can achieve an internationally respected information security program.