Published by Elfreda Norman. Modified over 9 years ago.
Slide 1
© ITGI, ISACA - not for commercial use.
Guidance for Information Security Managers
ISACA - Information Security Governance
John R. Robles, 787-647-3961, jrobles@coqui.net, john.robles@gmail.com, www.johnrrobles.com
"This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis."
Slide 2
ISACA Puerto Rico
Serving IT Audit, Security, and Controls Professionals in Puerto Rico since 1984 (celebrating our 25th anniversary in 2009)
- More than 300 members
- Certification: CISA (139), CISM (13), CGEIT (6)
- Education and conferences: monthly educational meetings and a yearly Symposium
- Standards: ITAF™, A Professional Practices Framework for IT Assurance
- Research: The IT Governance Institute (ITGI)
Slide 3
ISACA Puerto Rico
- Publications: The Bookstore, ISACA Journal
- Downloads
- Review courses for the CISA, CISM and CGEIT exams, twice a year
Join a Growing and Dynamic Professional Association!!
www.isaca.org
www.isacapuertorico.com
isaca_pr@yahoo.com
Slide 4
Introduction
- Information Security has become a matter for consideration at the highest organizational level.
- "It is no longer enough to communicate to the world of stakeholders why we exist and what constitutes success, we must also communicate how we are going to protect our existence." - Kiely, Laree; Terry Benzel; Systemic Security Management, Libertas Press, USA, 2006
- This publication discusses how to develop an information security strategy within the organization's governance framework and how to drive that strategy through an information security program.
Slide 5
Information Security Governance Guidance
"Firms operating at best-in-class (security) levels are lowering financial losses to less than 1 percent of revenue, whereas other organizations are experiencing loss rates that exceed 5 percent." - Aberdeen Group, 'Best Practices in Security Governance', USA, 2005
Slide 6
Information Security Program Requirements
Slide 7
Roles and Responsibilities
- Executive Management
- Steering Committee
- Chief Information Security Officer
Slide 8
What Should the Board, Executive Management and Security Management Do?
Slide 9
Information Security Metrics and Monitoring
- Information Security Metrics
- Governance Implementation Metrics
- Strategic Alignment
- Risk Assessment
- Value Delivery
- Resource Management
- Performance Measurement
- Assurance Process Integration (Convergence)
Slide 10
Establishing Information Security Governance
- An Information Security Strategy
"Corporate strategy is the pattern of decisions in a company that determines and reveals its objectives, purposes, or goals, produces the principal policies and plans for achieving those goals, and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities." - Andrews, Kenneth; The Concept of Corporate Strategy, 2nd Edition, Dow-Jones Irwin, USA, 1980
Slide 11
Information Security Objectives
- The Goal
- Classification and Valuation
- Deferred Information Maintenance
Slide 12
Strategy
- Defining Objectives
- The Desired State
- Risk Objectives
- Number of Controls
- Current State of Security
Slide 13
Strategy
Slide 14
Strategy
Slide 15
The Strategy
- Elements of a Strategy
  - Policies
  - Standards
  - Processes
  - Controls
  - Technologies
  - People, Training, etc.
- Gap Analysis: the basis for an Action Plan
- Annual or more frequent
Slide 16
Action Plan
- Create/Modify Policies
- Create/Modify Standards
Slide 17
Action Plan Intermediate Goals
- Action Plan Metrics
- General Metrics Considerations
- Summary: take into consideration
  - What is important to information security operations
  - Requirements of IT Management
  - Requirements of business process owners
  - Requirements of senior management
Slide 18
Establishing Information Security Governance
- An Example Using the ITGI and CobiT Maturity Scale
- Sample Policy Statement
- Sample Standard
- Additional Sample Policy Statements
- Conclusions
Slide 19
Conclusion
"Although regulatory compliance has been a major driver in improving information security overall, recent studies have also shown that nearly half of all companies are failing to initiate meaningful compliance efforts."
Slide 20
Appendix A - Critical Success Factors for Effective Information Security
- Performance Measures
  - Determine whether Information Security is succeeding
  - Determine whether Information Security Governance is succeeding
Slide 21
Appendix B - Self-Assessment and Maturity Model
- Self-Assessment for Information Security Governance
- Maturity Levels: detailed descriptions
- Purpose: determine your Information Security Maturity Level
Slide 22
Appendix C - A Generic Approach to Information Security Initiative Scoping
- Determine Task Steps
- Determine Task Step Activities
- Determine Task Step Deliverables
Appendix D - An Approach to Information Security Metrics
"NIST special publication 800-55 provides an approach to security metrics"
Slide 23
Appendix
- Glossary
- References
- Other Publications