Chapter 4 of the Executive Guide manual: People
Overview
People are the most important component of an effective information security program.
Three key areas of the security evaluation framework:
- Strategy
- Components
- Administration
People Strategy
- The information security strategy must be updated regularly because new challenges and threats appear daily.
- Measuring prevented security breaches helps quantify the effectiveness of your security program.
- Ensure compliance with regulations (HIPAA, Gramm-Leach-Bliley, PCI, etc.).
- Certifications for your security program are an indication that the program follows best practice.
People Components
- Assess personnel skills and credentials to ensure the program's success.
- Having a dedicated information security organization indicates that management is committed to a quality security program.
- Leaders who are qualified, informed and flexible enough to adapt to increasing security challenges.
People Administration
- Must have well-defined roles and responsibilities.
- Must have the authority to enforce policies.
- Commitment from the C-suite.
- Regular reporting to executives and the board ensures appropriate oversight.
- Segregation of duties (SOD).
- Support and involvement of key organizations (legal, HR, audit, etc.).
People Administration (cont.)
- A global program must include risk management.
- Aligns with business goals by understanding the risk associated with existing and new products and services.
- Having the right people in the organization is paramount to the overall success of the security program.
- Review Table 4-1 for the people evaluation of your security program.
Strategy: Provide adequate training and have accountability
- Identify a baseline and hire the right people with the skills and credentials to ensure program success.
- Two staffing strategies:
  - Build in-house (hire into the company)
  - Outsource (third party)
- What must NOT be outsourced?
In-House vs. Outsourced
In-house pros and cons:
- Challenges in finding skilled staff
- Retained knowledge
- Robust security functions
- Training
- SLA
- Ensure compliance with increasing regulations
Outsourced pros and cons:
- Enables the company to concentrate on core competencies
- Must have an effective vendor governance process
- Knowledge transfer
- Vendor financial stability
- Service Level Agreement (SLA)
- Auditable clause
- Exit strategy
Components: Invest resources to hire and develop the security team
- Three categories of personnel:
  - Management
  - Technical
  - Audit staff
- Individuals need to be both technically and business savvy.
Who has the ultimate responsibility to ensure customer data is secure: the outsourced vendor or the company?
Management Staff
- Need a broad understanding of information security and business operations.
- Need both breadth and depth of experience.
- Need education and credentials: CISSP, CISM, CISA, GIAC, etc.
Technical Staff
- Have the knowledge and skills for a specific area of expertise, plus some business knowledge.
- Be certified in the specific areas of concentration (see the SANS list).
- Continue education to stay abreast of current events and technology changes.
Administration: Everyone plays a role in information security
- Tone at the top is critical for the success of the program.
- Policies and procedures provide the guidance people need to execute the security program.
- Review the information security roles and responsibilities in Table 4-3.
Roles and Responsibility Matrix
Organizational Structure
Functional/Centralized:
- Personnel remain within their area of expertise
- Better utilization of scarce resources
- Resources are not close to the customer/user
- Specialized expertise
Geographic/Decentralized:
- Closer relationships with clients
- Can encourage personnel to adhere to the security program
- Jack of all trades
SOD Matrix
Information Security Governance
- Ideal to have a board, made up of senior management from key operations (IT, HR, legal, audit, etc.).
- Responsibilities include:
  - Define the goals and direction of the security program
  - Establish policies
  - Provide resources
  - Review KPIs/metrics on IT operations
  - Make critical decisions regarding security systems
Governance (cont.)
- Align the security program with the company strategy.
- Align IT investments with business priorities.
- Perform benchmarking to ensure best practices.
- Audit the security program periodically.
Summary: Key Points
- People are ???
- The reporting relationship between information security management and the executives and board is important because it gives the enforcement power needed to support the security program.
- Pros and cons of an in-house vs. outsourced security program.
- People skills, training and certifications are important.
- Having appropriate governance in place ensures a support system is in place.