Information Security Governance

Presentation on theme: "Information Security Governance"— Presentation transcript:

1 Information Security Governance
An agency’s evolution towards security maturity
Texas Comptroller of Public Accounts
Dave Gray, CyberSecurity Program Manager
DIR Information Security Forum - May 2015

2 Who is Dave Gray?
Certifications: CISSP, PMP, CAP, Security+, ITIL, CEH, EnCE, MCSE, MCSA
Career:
- Texas Army National Guard: Texas Unit Commander, National Guard CERT Team Pilot Program (1 of 5); Information Assurance Manager
- US Army Computer Emergency Response Team (CERT): National Guard Detachment Commander, Fort Belvoir, Washington, DC
- Texas Army National Guard: Information Technology Operations Manager; Senior Information Assurance Officer (SIAO / CISO)
- Texas Comptroller of Public Accounts: Senior Information Security Risk Analyst (Consultant)
- 2014-Present, Texas Comptroller of Public Accounts: CyberSecurity Program Manager

Dave Gray is a CISSP, CAP and PMP certified Information Technology Leader focused on securing information systems to achieve confidentiality, integrity and availability. He promotes information security as a key enabler for organizational and enterprise success and focuses on Governance, Risk Management and Compliance (GRC). He retired in 2011 from the Texas Army National Guard as a Lieutenant Colonel, where he managed IT Operations and Information Security for 5,000 network users spread across Texas, and established one of the first (one of five) Computer Emergency Response Teams (CERT) in the country for the National Guard. He worked for Texas Instruments and Raytheon as an Oracle Database Administrator and Project Manager, currently works for the Texas Comptroller of Public Accounts as the CyberSecurity Program Manager, and teaches local community college information security classes (CISSP). He holds multiple security and project management certifications: CISSP, CAP, PMP, Security Plus, ITIL, CEH, and EnCE.

3 The Information Security Challenge
The biggest challenge for an information society
Information security
- The protection of an organization’s data, information and intellectual property
- Includes data and information maintained on behalf of customers and business partners
- Has become one of today’s biggest challenges for our information society
Organizations
- Are unique in their security requirements and in their level of information security maturity
- Have different starting points for securing data and information, based on their current information security culture

4 Notable Security Breaches
Anthem Blue Cross, Chase Bank, Dairy Queen, Goodwill, Heartland Payment Systems, Home Depot, Jimmy John’s, Michaels, Neiman-Marcus, P.F. Chang’s, Sally Beauty Supply, Sony, Staples, Target, The White House, TJX Companies, United States Postal Service, US Investigative Services (USIS)

5 The InfoSec Journey
Progress over Perfection. Where to start?
Executive Leadership
- Demonstrates support
- Recognizes that information security is a business responsibility
Adopt Governance Frameworks
- NIST – National Institute of Standards and Technology
- ISO – International Organization for Standardization
- TAC – Texas Administrative Code 202
Policies and Standards
- Establish policies and standards for the organization
- Document expected behaviors for members of the organization
Subject Matter Experts
- Knowledgeable staff with information security responsibility
- Focus on security awareness and developing a security culture
Self-Assessment – Evaluate security culture, tools and practices
Strategy – Develop a roadmap for implementation

6 Information Security Roles
Security roles described in the Texas Administrative Code (TAC):
Agency Head (Executive Leadership) – Designate an ISO/CISO; allocate resources; ensure collaboration among all roles; approve high-level decisions; approve the overall information security program; ensure security is integrated into agency processes
Designated Information Security Officer (ISO or CISO) – Report to executive-level management; hold information security authority for the entire agency; address the security plan, training, guidance and information system inventory, and verify requirements
Information Owner (i.e. Business Owner) – Classify information; approve access; coordinate security requirements with the ISO; approve information custodians to implement security controls
Information Custodian (i.e. “IT”) – Implement security controls; provide appropriate training; ensure information is recoverable
User – Comply with information security controls

7 CEO Perspective of InfoSec
“The InfoSec tugboat is plenty big enough to push the agency to better information security” Agency Barge

8 CISO Perspective of InfoSec
“The InfoSec tugboat is barely big enough to guide the agency to better information security” Agency Battleship

9 Staff Perspective of InfoSec
“We’re going to need a bigger boat” Agency Iceberg

10 Information Security Governance
Agenda for the day:
- What is Information Security Governance?
- Sample Governance Milestones
- Organizing Security Processes
- Create a Foundation
- Know Your Data
- Strategize & Prioritize
- Apply Frameworks
- Certify & Authorize
- Measure

11 What is Information Security Governance?
- Enterprise risk management policies, standards and procedures
- Continuous monitoring for proper implementation
- Ensures accountability, fairness, and transparency
- Serves as a system of checks and balances

12 Governance Foundation
Information security governance is built upon a foundation of related frameworks, including:
- State and national cybersecurity frameworks (Texas CyberSecurity Framework; National Institute of Standards & Technology Framework)
- Compliance laws and regulations (TAC, IRS, FISMA, HIPAA, etc.)
- Agency policies, standards and procedures

13 Sample Governance Milestones
- SGC – Security Governance Council
- ISSP – Information Security Strategic Plan
- IPPS – Information Protection Policies & Standards
- SIP – Security Initiatives Program
- GSS – General Support Systems
- MA – Major Applications
- C&A – Certification & Authorization
- SAP – Security Authorization Package
- POAM – Plan of Actions & Milestones
- ASP – Agency Security Plan (Performance Scorecard)

14 One Agency’s Approach
Pre-2012: Independent Assessment, CISO Office, CPO Office
2012: Security Initiatives, Security Council, Data Loss Prevention, Separation of Duties, NIST Adopted, Pen Test
2013: Certification & Authorization, System Delivery Lifecycle, Risk Mgmt Framework, SEIM / SETA, Enhanced Firewall, IT Operations Security Division, Plan of Action & Milestones, NIST Policy Alignment, Pen Test
2014: General Support Systems, Managed Security, Agency Security Plan, Office 365, Encryption, Independent Assessment
2015: Security Policy Published, Security Strategy Published, Procedure Verification, Identity Access Mgmt Assessment, Data Classification, Inventory Asset Mgmt, Configuration Mgmt

15 Organizing Security Processes
Organizational roles shown on the slide: Chief Information Security Officer (CISO); EA CyberSecurity Program Manager; Deputy CISO & Privacy Officer.
By assigning responsibility and accountability, organizations can improve their ability to address a wide range of security processes, including but not limited to:
- Certification & Authorization
- Incident Response
- Security Education & Awareness
- Continuity of Operations
- Regulatory Compliance
- Enterprise Risk Management
- Privacy
- Data Loss Prevention

16 Know Your Data
Protecting data requires knowing where your data is.
Data locations shown on the slide: Leased Facilities, DR Site, NSOC, FTP, VPN, IRS, Laptops, SQL Server, Agency 1, City Data, Agency 2, Accounting, County Data, BYOD, PII, Agency 3, ACH, Financial Transactions, Mainframe, San Angelo, Tablets, PCI, B2B, Field Offices, USB, Cell Phones, PDA.
- Inventorying and mapping your data becomes a critical step in protecting information
- Expect that data boundaries will be breached
- Mitigate lateral movement of malicious actors within the network through increased segmentation

17 Strategize & Prioritize
Sample quadrant (axes: Importance vs. Urgency; status markers: in flight, planned, complete) with candidate initiatives: Data Classification, InfoSec Strategy, Policy and Standards, Network Zoning, Data Loss Prevention, Role Based Access Controls, Identity Access Management, Managed Security Services, Business Continuity, Web Application Firewall, Disaster Recovery, Information Security Continuous Monitoring, Configuration Management, Security Education.
Implementing information security projects is resource intensive and normally requires specific funding and subject matter expertise. By mapping out priorities in a Gartner-style magic quadrant, organizations can weigh relative importance against urgency.

18 Apply Security Frameworks
1. Select a credible information security framework, e.g. NIST (National Institute of Standards and Technology), ISO, etc.
2. Tailor the framework to the organization’s specific requirements: select classes, families and controls.
3. Document the policies and standards the organization should use for each control.
4. Communicate policies and standards to the organization at all levels.
5. Align and map the procedures used at the organization with the relevant policies and standards.

19 Policy & Standards: SMART
- Clearly state policies and standards in easy-to-understand language
- Tailor and customize the wording for your audience, i.e. organizational leaders, managers and staff
- Number each policy and standard to facilitate mapping procedures to enterprise requirements
- Use SMART standards: Specific, Measurable, Attainable, Relevant, Time Framed

20 Procedures

21 Procedure Essential Elements
Document granular procedures with “Essential Elements”:
- Table of Contents
- Purpose
- Author
- Audience
- Summary
- Limitations
- Documented, i.e. logging
- Compliance measurement
- Approval
- Related policies, standards and procedures
- Header/footer with version #, effective date & page #
- Maturity level

22 Risk Management Framework aligned to System Development Life Cycle
RMF step – SDLC phase:
- Categorize Information System – Initiation & Acquisition
- Select Security Controls – Development
- Implement Security Controls – Implementation
- Assess Security Controls – Implementation
- Authorize Information System – Operation
- Monitor Security Controls – Maintenance
- Disposal
The NIST Risk Management Framework emphasizes an orderly approach to system development life cycle management of an information system:
- Categorize security impact and determine data classification during SDLC initiation and acquisition
- Select appropriate security controls as part of system development and implementation
- Implement security controls simultaneously with implementing the information system
- Assess security control effectiveness while implementing the information system
- Authorize and certify the information system in conjunction with placing it into operation
- Monitor security controls continuously for the lifetime of the system
- Eventually dispose of information systems as they become obsolete and ensure appropriate media sanitization efforts are completed

23 Framework Aligned
Information security is a direct result of specific steps taken in a specific order. The steps below demonstrate cause and effect resulting in alignment to the selected framework:
1. Governance – Guidance & Oversight
2. Policy – Direction
3. Standards – Acceptable Criteria
4. Procedures – Measurable Steps
5. Measures – Performance related, i.e. successful or not

24 Certification & Authorization
General Support Systems (GSS), e.g. Active Directory, Data Center, Network, etc.
- GSS provide a common backbone used by multiple information systems
- GSS C&A provides greater efficiencies than assessing similar areas multiple times
Major Applications (MA), e.g. ERP, HR, etc.
- MA C&A addresses overarching security aspects that many times represent multiple minor applications
Security Authorization Package (SAP)
- Executive Overview – not technical, intended for the business owner
- System Security Plan (SSP) – describes the specific security controls in place
- Plan of Actions & Milestones (POAM) – addresses gaps where controls require additional coverage
- Authorization to Operate (ATO) – documents business owner acceptance of residual risk

25 Measure
Maturity levels (audience labels on the slide: Exec Mgmt at the top, Management in the middle, Staff at the bottom):
5 Optimized – Focusing on ways to improve; efficient, cost-effective
4 Managed – Established risk management framework, integrates improvements
3 Defined – Documented, detailed, compliant procedures exist
2 Repeatable – Managed, consistent, repeatable but undocumented, reactive practices
1 Initial – Ad hoc, reactive, inconsistent
0 Non-Existent – Procedures do not exist
Security maturity is:
- Scored based on use of documented procedures
- Tied directly to repeatability and standardization
- Dependent on following an established framework
- To be used to self-assess maturity and drive continuous improvement

26 Maturity Metrics
Based on the NIST CyberSecurity Framework and tailored to represent the Texas CyberSecurity Framework, the maturity metrics consist of 40 Security Objectives divided into 5 functional areas: Identify, Protect, Detect, Respond, Recover.
Identify
1. Privacy & Confidentiality
2. Data Classification
3. Critical Information Asset Inventory
4. Enterprise Security Policy, Standards and Guidelines
5. Control Oversight and Safeguard Assurance
6. Information Security Risk Management
7. Security Oversight and Governance
8. Security Compliance and Regulatory Requirements Mgmt
9. Cloud Usage and Security
10. Security Assessment and Authorization
11. External Vendors and Third Party Providers
Protect
12. Enterprise Architecture, Roadmap & Emerging Technology
13. Secure System Services, Acquisition and Development
14. Security Awareness and Training
15. Privacy Awareness and Training
16. Cryptography
17. Secure Configuration Management
18. Change Management
19. Contingency Planning
20. Media
21. Physical and Environmental Protection
22. Personnel Security
23. Third-Party Personnel Security
24. System Configuration & Patch Management
25. Access Control
26. Account Management
27. Security Systems Management
28. Network Access and Perimeter Controls
29. Internet Content Filtering
30. Data Loss Prevention
31. Identification & Authentication
32. Spam Filtering
33. Portable & Remote Computing
34. System Communications Protection
Detect
35. Vulnerability Assessment
36. Malware Protection
37. Security Monitoring and Event Analysis
Respond
38. Cyber-Security Incident Response
39. Privacy Incident Response
Recover
40. Disaster Recovery Procedures

27 Security Maturity Scorecard
Submitted with the Biennial Agency Security Plan (ASP); grades CPA on process (i.e. procedure) maturity.
Security maturity is based on standardization, repeatability and continuous improvement. Each Biennial Agency Security Plan (ASP) is the equivalent of a scorecard or report card. The scorecard provides:
- An indication of how an agency perceives its security maturity
- Guidance for where to apply additional training and resources
- A standard metric for DIR to report security status to the Governor
It grades the organization on security process (i.e. procedure) maturity:
0 – Non-Existent (procedures do not exist)
1 – Initial (ad hoc, inconsistent practices)
2 – Repeatable (mostly undocumented, reactive practices)
3 – Defined (documented procedures exist)
4 – Managed (procedures reflect the “Risk Management Framework”)
5 – Optimized (procedures continually evaluated for improvement)

28 Communicate Scores to Exec
Identify security areas needing additional focus Communicate challenges to executive leadership
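To show how the 0-5 maturity scale, the 40 objectives and the five functional areas from the preceding slides combine into a scorecard that flags areas needing additional focus, here is an added worked example. It is not code from the presentation or from the Comptroller's office; the objective-to-function mapping follows the numbering on the Maturity Metrics slide (Identify 1-11, Protect 12-34, Detect 35-37, Respond 38-39, Recover 40), and the sample scores are constructed for illustration only.

```python
"""Security maturity scorecard aggregation (added example, not from the
presentation). Objective numbering and function grouping follow the 40
objectives / 5 functions on the Maturity Metrics slide; the sample
scores below are constructed, not real agency data."""
from statistics import mean

# Maturity scale used by the scorecard (0-5), as on the scorecard slide.
MATURITY_LEVELS = {
    0: "Non-Existent", 1: "Initial", 2: "Repeatable",
    3: "Defined", 4: "Managed", 5: "Optimized",
}

# Objective numbers per functional area (from the Maturity Metrics slide).
FUNCTIONS = {
    "Identify": range(1, 12),
    "Protect": range(12, 35),
    "Detect": range(35, 38),
    "Respond": range(38, 40),
    "Recover": range(40, 41),
}

# Subset of objective names, used only to make the summary readable.
OBJECTIVE_NAMES = {
    2: "Data Classification",
    16: "Cryptography",
    24: "System Configuration & Patch Management",
    35: "Vulnerability Assessment",
    37: "Security Monitoring and Event Analysis",
    38: "Cyber-Security Incident Response",
    40: "Disaster Recovery Procedures",
}


def validate(scores):
    """Every objective 1..40 must have exactly one integer score in 0..5."""
    missing = [n for n in range(1, 41) if n not in scores]
    if missing:
        raise ValueError(f"missing scores for objectives {missing}")
    bad = {n: s for n, s in scores.items()
           if not (isinstance(s, int) and 0 <= s <= 5)}
    if bad:
        raise ValueError(f"scores must be integers 0-5: {bad}")
    return True


def function_averages(scores):
    """Average maturity per functional area, rounded to two decimals."""
    validate(scores)
    return {fn: round(mean(scores[n] for n in ids), 2)
            for fn, ids in FUNCTIONS.items()}


def focus_areas(scores, threshold=3):
    """Objectives scoring below `threshold` (default: below 'Defined',
    i.e. no documented procedure yet), lowest score first."""
    validate(scores)
    low = [(n, s) for n, s in scores.items() if s < threshold]
    return sorted(low, key=lambda t: (t[1], t[0]))


def executive_summary(scores, threshold=3):
    """One-line-per-function summary plus the objectives needing focus,
    the kind of view communicated to executive leadership."""
    lines = []
    for fn, avg in function_averages(scores).items():
        lines.append(f"{fn:<8} avg {avg:.2f} ({MATURITY_LEVELS[int(avg)]})")
    for n, s in focus_areas(scores, threshold):
        name = OBJECTIVE_NAMES.get(n, f"Objective {n}")
        lines.append(f"  focus: #{n} {name}: {s} - {MATURITY_LEVELS[s]}")
    return "\n".join(lines)


# Constructed sample self-assessment: every objective defaults to
# 3 (Defined); a handful are set lower or higher to show how gaps surface.
SAMPLE_SCORES = {n: 3 for n in range(1, 41)}
SAMPLE_SCORES.update({2: 1, 16: 2, 24: 4, 35: 4, 37: 2, 38: 4, 40: 1})

if __name__ == "__main__":
    print(executive_summary(SAMPLE_SCORES))
```

With the constructed scores, Recover averages 1.0 because its single objective (Disaster Recovery Procedures) is scored Initial, and the focus list surfaces Data Classification and Disaster Recovery first; the threshold of 3 matches the slide's point that maturity hinges on documented procedures.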

29 Security Success Security Governance Established
Ultimately, information security success indicators include:
- Security Governance Established
- Governance Milestones Achieved
- Security Processes in Place
- Building Upon a Solid Foundation
- Data Identified and Inventoried
- Strategy in Place
- Frameworks Applied
- Systems Certified & Authorized
- Information Security Continuous Monitoring Established

30 Contact Information
Dave Gray, CyberSecurity Program Manager / CPA Information Security
