Information Security Managing The Risk


1 Information Technology Capability Maturity Model Information Security Managing The Risk

2 Introduction

Information Security continues to be business critical and is increasingly complex to manage for the following reasons:
- 72% of organizations report increased risk to information security, based on both external and internal threats.
- Legal and regulatory expectations pertaining to information are also changing, with increased complexity arising from organizations operating across multiple jurisdictions; key considerations here are:
  - Has the information been retained longer than it should have been?
  - Does the data follow a defined life-cycle, and is it safe to delete it?
  - Does the business have permission to share this data with its partners?
  - Is it permissible for the company to use data supplied by another company?

Source: Information Security Forum, November

3 Whose job is it to manage security risks?

- To counter these threats and remove fear, uncertainty and doubt, organizations need to develop a comprehensive information security management capability. So whose job is that?
- ISO/IEC 38500, Corporate governance of information technology, places responsibility for IT governance at the board of directors' level. ISO/IEC 38500:2008(E) states that directors could be held responsible for failings in security policy and standards.
- Information security is not an IT-only function; it is an organizational responsibility in which each employee, customer, and supplier has responsibilities.
- Since vast amounts of information are digitally collected, stored and processed, the IT department has a significant role to play in the protection of information.

4 Information Security Management

Information Security Management is the capability to direct, oversee and control the actions and processes required to protect documented and digitized information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide integrity, confidentiality, accessibility, availability and usability of data, and to support non-repudiation (i.e. to prevent an author from denying his/her own authorship or actions).

Adapted from

5 Scope of Information Security Management

- Strategy and governance.
- Identifying applicable regulations.
- Establishing and maintaining security policies and controls.
- Providing communication and training content on security.
- Responding to security-related incidents.
- Reporting on information security activities and compliance levels.
- Profiling security threats, and assessing, prioritizing, handling and monitoring security risks.

6 Information Security Management is Complex

The six categories of building blocks address:
- Governance: Information Security Strategy; Security Policies, Standards, and Controls; Security Roles, Responsibilities, and Accountabilities; Communication and Training; Security Performance Reporting; and Supplier Security.
- Technical Security: Security Architecture; IT Component Security; and Physical Environment Security.
- Security Resource Management: Security Budgeting; Tools and Resources; and Resource Effectiveness.
- Security Risk Management: Security Threat Profiling; Security Risk Assessment; Security Risk Prioritization; Security Risk Handling; and Security Risk Monitoring.
- Security Data Management: Data Identification and Classifications; Access Rights Management; and Life-cycle Management.
- Business Continuity Management: Business Continuity Planning; and Incident Management.

7 Summary of insights and lessons learned (1 of 6)

What does mature look like?
- There is awareness and understanding across the enterprise of the role that effective security plays in business success, i.e. security is recognized as an enabler rather than a disabler.
- There are clear responsibilities for security activities.
- There is agreement by business and IT stakeholders on risk appetite and the level of security that is needed.
- Senior-level sponsorship is evident.
- The organization has the capability to identify and address new and emerging risks and threats.
- There is recognition that improvements to maturity require an evolving process, with no short cuts.
- Business-focused measures are defined, monitored and acted upon by business and IT.

8 Summary of insights and lessons learned (2 of 6)

Why would a CIO/CEO invest in maturing this critical capability (CC)?
- To build a competent and effective organizational capability to manage information security.
- To protect business value and business success from any adverse effects of inadequate security.
- To demonstrate effective security to stakeholders and regulators.

9 Summary of insights and lessons learned (3 of 6)

What is unique, new or different about the IT-CMF approach?
- IVI's ISM capability is informed by academics and industry-based practitioners, and provides a toolkit to enable organizations to measure their capability maturity levels and develop a targeted improvement programme.
- Use of the ISM maturity curve allows organizations to set appropriate and structured security targets.
- Detailed ISM practices, outcomes and metrics provide guidance to organizations in maturing their ISM capability, with a view to deriving business value.
- IVI's ISM capability is integrated with other key critical IT capabilities.
- The IT-CMF can be used by multiple stakeholders (e.g. internal audit) to discuss and assess maturity in a structured way using a common language.

10 Summary of insights and lessons learned (4 of 6)

What are the key practices required for moving up the maturity profile?
- Develop security policies and awareness/understanding (level 1 to 2).
- Develop and agree the information security strategy, risk appetite and consistent policies (level 2 to 3).
- Develop and implement appropriate education and awareness programmes (level 2 to 3).
- Ensure structured and integrated testing of security effectiveness and independent validation (level 2 to 3).
- Target and test security awareness and understanding (level 3 to 4).
- Engage stakeholders across the enterprise and adopt business-level metrics (level 3 to 4).
- Recognise the need to work effectively across the supply chain and the extended enterprise (level 4 to 5).
- Audit and verify practices to improve reach and consistency (levels 4 and 5).

11 Summary of insights and lessons learned (5 of 6)

Which maturity level is typical for different types of companies/industries?
- Based on workgroup experience of industry, smaller organizations would be expected to be at level 2, and larger and security-sensitive organizations would be expected to be at levels 3 and 4.
- This indicator will be updated later based on executive assessments, and again later on ISM assessments.

12 Summary of insights and lessons learned (6 of 6)

What typically prevents companies from moving up the maturity profile?
- Lack of resources, typically financial and skills.
- Lack of visible and tangible senior management drive and endorsement.
- Limited recognition of the need for a strategic approach to security.
- Rapidly changing and increasing volumes of threats and risks, resulting in organizations taking a reactive rather than proactive stance.
- Organizational limitations, including clarity and boundaries of responsibilities and potential conflicts of priorities.
- Lack of an easy-to-apply ISM framework.

Appropriate in-depth security measures are key to supporting confidentiality and availability of information.

13 Assessing Current Maturity

The information security management capability as defined in the IT-CMF comes with:
- An on-line survey and assessment interviews that identify the current ISM maturity level.
- The ability for companies to relate their maturity levels at each capability building block to benchmark levels.
- Based on this knowledge, and in view of their own strategic and tactical objectives, target levels can be set for the desired capability maturity level.

Steps to improve
- As with any journey, when developing an effective information security management capability the start and end states need to be understood. Once these are agreed, a route to the destination can be selected based on the need to optimize for cost, time or resource usage.

14 Using ISM's six categories, an Information Security Management capability can be matured.

The six categories of building blocks address:
- Governance: Information Security Strategy; Security Policies, Standards, and Controls; Security Roles, Responsibilities, and Accountabilities; Communication and Training; Security Performance Reporting; and Supplier Security.
- Technical Security: Security Architecture; IT Component Security; and Physical Environment Security.
- Security Resource Management: Security Budgeting; Tools and Resources; and Resource Effectiveness.
- Security Risk Management: Security Threat Profiling; Security Risk Assessment; Security Risk Prioritization; Security Risk Handling; and Security Risk Monitoring.
- Security Data Management: Data Identification and Classifications; Access Rights Management; and Life-cycle Management.
- Business Continuity Management: Business Continuity Planning; and Incident Management.

See also: Enterprise Architecture Management (EAM), Enterprise Information Management (EIM), Technical Infrastructure Management (TIM), Service Provisioning (SRP), and Solutions Delivery (SD).

15 Security: Is there an app for that?

- Not any time soon!
- The remaining slides can be read for additional detail and retained for your notes.

16 Questions and Answers

17 IVI Global Community Update

18 IVI Global Community - Upcoming Events

- February 18: Virtual Meeting (EST)
- March 10 and 11: IVI Spring Summit, New York
- April 15: Virtual Meeting (EST)
- May 20: Live event, US
- June 17: Virtual event (EST)
- July 15: Virtual event (EST)
- September 9 and 10: IVI Autumn Summit, Dublin
- October 21: Virtual event
- November 18: Live event, US

Topics:
- Making it Real: Transforming IT with IT-CMF, Dinesh Kumar, Mitovia
- Delivering Business Improvement + IVI Certified Training Assessor Essentials (12 and 13 March)
- IT Professionalism - The international dimension of e-skills and the impact of globalisation, Martin Sherry, IVI
- Topic TBC
- Innovation Management (TBC)
- Agility in IT Management, Gar MacCriosta, IVI
- Topic TBC
- Topic and venue TBC

19 Information Security Management: Summary of key practices, outcomes, and metrics

Level 5, Optimizing
- Key practices: Review and improve governance across the extended enterprise. Use best-practice architecture, components, and physical security options. Review, improve, and manage security budget, tools, and resources. Extend security risk management to the extended enterprise. Consistently use and improve data identification and classifications, access rights management and data lifecycles across the extended enterprise. Provide industry best-practice information security guidelines and advice on business continuity.
- Outcomes: Reduced likelihood of regulatory issues to be managed. Fewer security issues. Less waste and better returns for the spend on security. Holistic risk management. Value return is improved based on the widespread usage of sound data management layers. Reduced impacts during incidents.
- Key metrics: # security audit issues; # compliance issues under corrective action; # security issues; security staff turnover rates; security resource utilization ratios; # security issues included in the risk register; effort to develop security features in new applications; count and cost of incidents.

Level 4, Advanced
- Key practices: Regularly review and improve all aspects of security. Implement governance criteria across the enterprise. Implement technical and physical security consistently across the enterprise. Use risk assessment and value returns to guide the security budget. Roll data management and business continuity practices out across the enterprise.
- Outcomes: Reduced risk of weak links compromising security. Locations and access points have sufficient security. Security spend provides risk reduction and improves reputation. Higher returns from security investment.
- Key metrics: # incidents and adverse audit findings by site, department and/or function; # equipment and configuration variances between HQ, branch or end devices; # identified critical risks that are cost-effectively mitigated; security feature costs in new developments.

Level 3, Intermediate
- Key practices: Implement documented security governance, roles, architecture, components, tools, resources, and practices aligned with some business units. Identify and communicate data security classifications and life-cycles for IT and some business units. Provide business continuity security plans.
- Outcomes: Efficient, effective and consistent security is applied. Appropriate levels of security can be applied to business data.
- Key metrics: stakeholder satisfaction; # security competences being developed; # automated monitoring and screening; # availability and confidentiality issues; cost to develop security features; # security-focused elements in the continuity plan.

Level 2, Basic
- Key practices: Establish and communicate policies based on regulations, standards and risk assessment. Start to implement data security classifications, lifecycles, and access control mechanisms.
- Outcomes: Raised security awareness and improved security features. Aspects of security can be managed using metadata.
- Key metrics: stakeholder awareness surveys; # security issues; security metadata utilization.

Level 1, Initial
- Key practices: Educate and raise awareness of information security. Use system and application secured options by default.
- Outcomes: Basic security problems are fixed. Increased security.
- Key metrics: # staff who attended awareness training; # components or suppliers not complying.

20 Information Security Management (ISM): Transitions to increase maturity

Levels 5 (Optimized), 4 (Advanced), 3 (Intermediate) and 2 (Basic), highest maturity first:

- Action taken: Align security strategies across the extended enterprise. Develop and adopt agile risk management practices. Promote security awareness and understanding across the extended enterprise. Promote effective security designs and architectures. Implement automated responses and alerts.
  Value delivered: Confidence in consistent security measures and reduced risk of the weakest link compromising security. Cost-effective rapid responses to risk changes. Enhanced security is achievable only with security-conscious staff. Effective security measures have little or no impact on business volumes or variety. Faster effective responses to threats limit exposure.

- Action taken: Regularly review and update security strategies. Standardize risk management practices. Target and test security awareness and understanding. Develop an enterprise approach to security architecture. Align and focus data classification, lifecycle and access management practices. Use advanced/targeted tools; ROI on budgets.
  Value delivered: Security measures match changing risks and threats. Training costs and learning efforts are reduced. Awareness weaknesses are identified and corrected. Security views are available showing layers and depth. Security factors are considered and factored in at data classification, lifecycle and access control design. Security spend and ROI are measured and managed.

- Action taken: Align information security with the business security strategy and risk appetite. Standardize risk practices and threat profiling. Promote security awareness/understanding. Apply extensive architecture and security features. Develop general data classification, lifecycle and access management practices. Increase tool use and make budgets transparent.
  Value delivered: Information security measures match those the business needs. Threat profiles are interpreted consistently. Security-aware staff expand the resources available to secure business assets. Improved consistency and efficiency. Security is applied to data and applications in accordance with business needs and priorities. Tools free staff for higher-value activities; increased understanding of the value delivered from investments.

Level 1 (Initial):
- Action taken: Develop basic risk management and threat profiling. Develop security policies and awareness/understanding. Start to implement basic architecture and security features. Start using local practices in data classification, lifecycle and access management. Start using tools and budget management.
  Value delivered: Awareness and competence grow. Immediate improvements in behaviour. Concepts for a security foundation emerge. Local successes on sensitive data and information act as a starting point for communities of practice. Tools free people for higher-value activities.

21 Information Security Management (ISM): Critical capability maturity profile levels

5 Optimizing: The information security strategy is regularly aligned to business/IT strategies and risk appetite across the extended enterprise. An effective multi-layered security architecture framework is used across the extended enterprise. A structured approach to measuring value for money is applied consistently to proposed security investments and post-implementation. Intelligence is gathered, and security threat profiles are defined and updated, in collaboration with the extended enterprise. Access rights management is dynamic and can effectively address organizational restructures, acquisitions and divestments. The extended enterprise works proactively to avoid security incidents occurring, and incidents are effectively managed.

4 Advanced: There is an established security culture with dedicated and tailored employee training and measurement of efficiency and effectiveness. IT component security measures are implemented enterprise-wide for detection and mitigation of threats and attacks, and are tested. Advanced managerial tools that monitor, alert and detect issues or non-compliances are specified to aggregate across the enterprise. Employee skill and competence levels are specified, and a standardized toolset and resource management approach is adopted. A standardized security risk assessment process is consistently used across the enterprise and aligned with an enterprise risk process. Access rights processes, including a movers process, are effectively implemented across the enterprise and audited. Enterprise-wide continuity planning is provided for each specific risk. IT regularly tests and confirms that business restoration can be achieved.

3 Intermediate: There is a growing security-aware culture. Detailed security requirements for procurement are defined and adhered to. IT and some business units have a shared vision for security; most security architecture features are common, and depth-of-defence and configuration management practices are evident. There is visibility of security budget requirements and allocations, with consistent training programmes and an agreed approach to toolsets. The security risk prioritization process is based on a repeatable evaluation of business impact, probability of occurrence, and time horizon. Access rights, including for joiners and leavers, are granted based on a formal authorization process. An agreed business and IT continuity plan, addressing backups, archival and system recovery, is implemented with some testing.

2 Basic: Information security policies and standards are developed by IT and reviewed after major incidents. There is some performance measurement. Physical security guidelines are emerging, and IT and facilities departments are active, with restricted physical access to key locations. A small number of key information security roles are identified within IT, and individuals are allocated responsibility and accountability. Some basic intelligence gathering and security threat profiling takes place, but there is no consistent method. Data security classification guidelines are defined for key sensitive data items, and processes for managing the security of data throughout its lifecycle are emerging. Access rights management is basic and is dependent on vendor-supplied solutions. There is basic management of security incidents in IT, and key incidents are recorded.

1 Initial: Information security strategy, policies and standards are defined ad hoc, with little alignment to business strategies or risk appetite. IT component security is addressed ad hoc or locally, and mainly reflects the security bundled by primary suppliers only. The purchase specification of security tools, products and resources tends to be ad hoc or local. There is no systematic monitoring of security risks. A risk register is not present or is incomplete. Access rights are managed ad hoc, or using informal procedures. The security of data throughout its lifecycle is considered ad hoc. Business continuity planning advice and expertise is limited to local efforts, with security incidents managed ad hoc.

Key: Breakthrough level (first level with significant interconnection between the business and the IT organization).

22 Information Security Management Capability Building Blocks: Governance

- Information Security Strategy: Develops, communicates, and supports the organization's IT security objectives so they fit the organization's business model and risk appetite.
- Security Policies, Standards, and Controls: Establishes and maintains security policies and controls incorporating relevant security standards and regulatory and legislative security requirements, ensuring they fit the organization's business model and security objectives.
- Security Roles, Responsibilities, and Accountabilities: Identifies and establishes information security roles, including allocation and enforcement of security responsibilities. Agrees and/or assigns responsibilities and accountability to allocated resources.
- Communication and Training: Disseminates security processes, policies and other relevant information. Provides training content in security practices and develops security knowledge and skills.
- Security Performance Reporting: Reports on the levels of compliance achieved, and the effectiveness and efficiency of the security activities.
- Supplier Security: Defines security requirements and expectations pertaining to the procurement and supply of hardware, software, services and data.

23 Information Security Management Capability Building Blocks: Technical Security and Security Resource Management

Technical Security
- Security Architecture: Establishes and applies criteria and practices in designing security solutions with the aim of achieving appropriate, cost-effective protection. Defines security layers to provide depth of defence and configuration management of security features.
- IT Component Security: Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices.
- Physical Environment Security: Establishes and maintains measures to control access into, and protect, the physical infrastructure from threats and environmental factors (e.g. extreme temperatures, flooding, fire).

Security Resource Management
- Security Budgeting: Provides security-related budget criteria. This includes concepts such as a requirement that new equipment be purchased with specific security features, e.g. virus protection.
- Tools and Resources: Specifies and procures specific security tools/products and resources. Manages the tools, security solutions and the staff assigned for security purposes.
- Resource Effectiveness: Measures value for money from security investments. Captures feedback from stakeholders and other sources on the effectiveness of security resource management procedures, tools and activities.

24 Security Risk Management Capability Building Blocks

- Security Threat Profiling: Gathers intelligence on threats and vulnerabilities from internal and external sources. Identifies and documents the security threat profiles by their potential impact on business objectives and activities.
- Security Risk Assessment: Runs assessments to identify, document and quantify/score security-related risks and their components. Assessments include the evaluation of exposure to risks, and measurement of their likely impact.
- Security Risk Prioritization: Prioritizes security risks and risk handling strategies, based on residual risks, acceptable risk levels and changes to the business/IT environment or operating environment, such as outsourcing, mergers and acquisitions.
- Security Risk Handling: Implements risk handling strategies, where risks can be deferred, accepted, mitigated, transferred or eliminated, and risk ownership allocated. Interacts with Incident Management functions.
- Security Risk Monitoring: Tracks changes to the identified security risks, and validates the effectiveness of risk handling strategies/controls.
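The assessment, prioritization, handling and monitoring building blocks above, and the level 3 prioritization criteria on slide 21 (business impact, probability of occurrence, time horizon), describe a scoring procedure without showing one. The following is an added worked example, not IVI or IT-CMF material: it scores a small risk register on those three factors, applies a handling strategy to derive a residual score, ranks against an agreed risk appetite, and diffs two snapshots of the register for monitoring. The 1-5 scales, the linear time-horizon weighting, the rule for how each handling strategy affects residual risk, the appetite threshold and the sample register are all assumptions made for illustration.

```python
"""Risk register scoring, prioritization and monitoring (added example, not IVI material).

Assumptions: impact and probability on 1..5 scales; a linear time-horizon weight;
handling rules below; the constructed sample register and appetite threshold.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Handling(Enum):
    ACCEPT = "accept"
    DEFER = "defer"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    ELIMINATE = "eliminate"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    threat: str
    owner: str                 # every entry has an allocated risk owner
    impact: int                # business impact, 1 (negligible) .. 5 (severe)
    probability: int           # probability of occurrence, 1 (rare) .. 5 (almost certain)
    horizon_months: int        # time horizon in which the threat is expected to materialize
    handling: Handling = Handling.ACCEPT
    control_effectiveness: float = 0.0  # share of inherent risk the controls remove, 0.0 .. 1.0

    def __post_init__(self):
        # Reject malformed entries rather than silently scoring them.
        if not (1 <= self.impact <= 5 and 1 <= self.probability <= 5):
            raise ValueError(f"{self.risk_id}: impact and probability must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.risk_id}: control_effectiveness must be 0..1")
        if self.horizon_months < 1:
            raise ValueError(f"{self.risk_id}: horizon must be at least one month")


def horizon_weight(months: int) -> float:
    """Nearer-term threats score higher (assumed scale): 1.0 at 12+ months,
    rising linearly toward 2.0 as the horizon shrinks."""
    return max(1.0, 2.0 - months / 12)


def inherent_score(risk: Risk) -> float:
    """Pre-control score: impact x probability x horizon weight (range 1..50)."""
    return risk.impact * risk.probability * horizon_weight(risk.horizon_months)


def residual_score(risk: Risk) -> float:
    """Score after the chosen handling strategy (assumed rules):
    eliminate -> 0; mitigate/transfer -> reduced by control effectiveness;
    accept/defer -> unchanged, the organization carries the inherent risk."""
    inherent = inherent_score(risk)
    if risk.handling is Handling.ELIMINATE:
        return 0.0
    if risk.handling in (Handling.MITIGATE, Handling.TRANSFER):
        return inherent * (1.0 - risk.control_effectiveness)
    return inherent


def prioritize(register, appetite: float):
    """Rank by residual score, highest first; the flag marks risks still above appetite."""
    ranked = sorted(register, key=residual_score, reverse=True)
    return [(r, residual_score(r) > appetite) for r in ranked]


def monitor(previous, current):
    """Risk monitoring: which risks are new, closed, or changed residual score
    between two snapshots of the register."""
    prev = {r.risk_id: r for r in previous}
    cur = {r.risk_id: r for r in current}
    report = {"new": sorted(cur.keys() - prev.keys()),
              "closed": sorted(prev.keys() - cur.keys()),
              "changed": []}
    for rid in sorted(prev.keys() & cur.keys()):
        before, after = residual_score(prev[rid]), residual_score(cur[rid])
        if abs(before - after) > 1e-9:
            report["changed"].append((rid, round(before, 1), round(after, 1)))
    return report


def with_effectiveness(risk: Risk, effectiveness: float) -> Risk:
    """Record a re-assessed control effectiveness for one register entry."""
    return replace(risk, control_effectiveness=effectiveness)


# Constructed sample register (illustrative, not real data).
REGISTER = [
    Risk("R1", "Ransomware via phishing", "CISO", 5, 4, 6, Handling.MITIGATE, 0.6),
    Risk("R2", "Leaver retains VPN access", "IT Ops", 4, 4, 3, Handling.ACCEPT),
    Risk("R3", "Cloud provider outage", "CIO", 3, 3, 12, Handling.TRANSFER, 0.5),
    Risk("R4", "Unsupported legacy OS on kiosk", "Facilities", 2, 5, 24, Handling.ELIMINATE),
]
RISK_APPETITE = 15.0  # assumed: residual scores above this are escalated


if __name__ == "__main__":
    for risk, over in prioritize(REGISTER, RISK_APPETITE):
        print(f"{risk.risk_id} {residual_score(risk):5.1f} {'ESCALATE' if over else 'ok':8} {risk.threat}")
    updated = [with_effectiveness(r, 0.9) if r.risk_id == "R1" else r for r in REGISTER]
    print(monitor(REGISTER, updated))
```

With the sample data the accepted leaver-access risk (R2) ranks above the mitigated ransomware risk (R1) because accepting a risk leaves its full inherent score in place, which is the point of tracking residual rather than inherent scores: a high-impact threat with strong controls can legitimately sit below a moderate one nobody is treating.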

25 Information Security Management Capability Building Blocks: Security Data Management and Business Continuity Management

Security Data Management
- Data Identification and Classifications: Defines security classifications and provides guidance for associated protection levels and access control.
- Access Rights Management: Manages the lifecycle of user accounts and certificates, and the granting, denial and revocation of access rights. Matches access control procedures to data classifications.
- Life-cycle Management: Provides the security expertise and guidance to ensure that data throughout its lifecycle is appropriately available, adequately preserved and/or destroyed to meet business, regulatory and/or security requirements.

Business Continuity Management
- Business Continuity Planning: Provides expertise and guidance to ensure that business continuity planning is effective in ensuring data integrity, confidentiality and availability. This may include input on backup management, archiving management, and systems recovery policies and procedures.
- Incident Management: Establishes and implements procedures for handling incidents and near incidents. Evaluates the nature and impact of incidents. Supports protection of the organization by providing feedback and reports on security aspects of incidents.
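The Access Rights Management block above, and the joiners/leavers (level 3) and movers (level 4, "implemented across the enterprise and audited") criteria on slide 21, are the kind of thing an auditor tests by reconciling the HR feed against the identity store. The following is an added example, not IVI material or any product's code: it takes a constructed HR extract and a constructed account list, and reports leavers whose accounts are still enabled, orphan accounts with no HR record, and movers still holding entitlements from a former department. The record layouts, the department-to-group entitlement model, the privileged group list and all sample data are assumptions.

```python
"""Joiner/mover/leaver access reconciliation (added example, not IVI material).

Assumptions: the Employee and Account record layouts, the department-to-group
entitlement model, the privileged group list, and the constructed sample feeds.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    department: str
    status: str                  # "active" or "left"
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]        # None for accounts not linked to an HR record
    enabled: bool
    groups: FrozenSet[str]


# Assumed entitlement model: the groups a department is authorised to hold by default.
# Anything else on an account needs a recorded, approved exception.
ENTITLEMENTS = {
    "finance": {"all-staff", "finance-users", "erp-finance"},
    "engineering": {"all-staff", "eng-users", "git-push"},
    "sales": {"all-staff", "crm-users"},
}
# Assumed high-privilege groups: unauthorised membership is always critical.
PRIVILEGED = {"erp-admin", "domain-admin"}


def reconcile(employees, accounts, approved_exceptions=frozenset(), today=None):
    """Return findings as (severity, username, reason) tuples.

    approved_exceptions holds (username, group) pairs with a recorded authorisation,
    i.e. the output of the formal authorisation process the maturity profile calls for."""
    today = today or date.today()
    hr = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        emp = hr.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            # Orphan: nobody in HR owns this identity. Disabled orphans are noise; enabled ones are not.
            if acct.enabled:
                findings.append(("high", acct.username, "orphan: enabled account with no HR record"))
            continue
        if emp.status == "left":
            # Leaver check: the account should have been disabled on or before the end date.
            if acct.enabled:
                lag = f" ({(today - emp.end_date).days} days after end date)" if emp.end_date else ""
                findings.append(("critical", acct.username, f"leaver still enabled{lag}"))
            continue
        # Mover / excess-entitlement check against the current department.
        allowed = ENTITLEMENTS.get(emp.department, set())
        for group in sorted(acct.groups - allowed):
            if (acct.username, group) in approved_exceptions:
                continue
            severity = "critical" if group in PRIVILEGED else "medium"
            findings.append((severity, acct.username,
                             f"group '{group}' not entitled for department '{emp.department}'"))
    return findings


def summarize(findings):
    """Count findings per severity, for the performance-reporting view."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample feeds (illustrative, not real data).
AS_OF = date(2024, 3, 1)
EMPLOYEES = [
    Employee("E1", "finance", "active"),
    Employee("E2", "engineering", "active"),          # moved here from finance
    Employee("E3", "sales", "left", date(2024, 2, 1)),
    Employee("E4", "engineering", "active"),
]
ACCOUNTS = [
    Account("alice", "E1", True, frozenset({"all-staff", "finance-users", "erp-finance", "erp-admin"})),
    Account("bob", "E2", True, frozenset({"all-staff", "eng-users", "git-push", "erp-finance"})),
    Account("carol", "E3", True, frozenset({"all-staff", "crm-users"})),
    Account("dave", "E4", True, frozenset({"all-staff", "eng-users", "git-push", "domain-admin"})),
    Account("svc-backup", None, True, frozenset({"backup-ops"})),
    Account("old-contractor", None, False, frozenset()),
]
APPROVED = frozenset({("alice", "erp-admin")})  # alice's admin role has a recorded approval


if __name__ == "__main__":
    results = reconcile(EMPLOYEES, ACCOUNTS, APPROVED, today=AS_OF)
    for severity, user, reason in sorted(results):
        print(f"{severity:8} {user:15} {reason}")
    print(summarize(results))
```

Run periodically, the count of "leaver still enabled" findings and the lag in days are direct measurements for the access-rights metrics on slide 19; the exception list is what makes the check auditable, since every privileged membership that survives the run has a named approval behind it.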

26 Limitation of Liability

Innovation Value Institute. All rights reserved.

The material contained herein may not be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part, without prior written consent of the Innovation Value Institute, except in the manner described in the documentation.

All other brand names, product names, and trademarks are copyright of their respective owners.

While every reasonable precaution has been taken in the preparation of this document, the author and publishers assume no responsibility for errors or omissions, nor for uses made of the material contained herein and the decisions based upon such use. No warranties are made, express or implied, with regard to either the contents of this work, its merchantability, or fitness for a particular purpose. Neither the author nor the publishers shall be liable for direct, indirect, special, incidental, or consequential damages arising out of the use or the inability to use the contents of this text.

27 For more information visit


More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Procuring Penetration Testing Services

Procuring Penetration Testing Services Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat

More information

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011 APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT January 7, 2011 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management Agenda Introduction to Enterprise Security framework Overview of security

More information

Security & Privacy Current cover and Risk Management Services

Security & Privacy Current cover and Risk Management Services Security & Privacy Current cover and Risk Management Services Introduction Technological advancement has enabled greater working flexibility and increased methods of communications. However, new technology

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

UF Risk IT Assessment Guidelines

UF Risk IT Assessment Guidelines Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

IT Risk & Security Specialist Position Description

IT Risk & Security Specialist Position Description Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level

More information

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

P3M3 Portfolio Management Self-Assessment

P3M3 Portfolio Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Crosswalk Between Current and New PMP Task Classifications

Crosswalk Between Current and New PMP Task Classifications Crosswalk Between Current and New PMP Task Classifications Domain 01 Initiating the Project Conduct project selection methods (e.g., cost benefit analysis, selection criteria) through meetings with the

More information

Provisions and Guidelines for Information Security Management. Dhr. C. Walters

Provisions and Guidelines for Information Security Management. Dhr. C. Walters Provisions and Guidelines for Information Security Management Dhr. C. Walters 1 Why impose rules for Information Security Management? Supervised institutions have been requesting rules; Rules promotes

More information

eeye Digital Security and ECSC Ltd Whitepaper

eeye Digital Security and ECSC Ltd Whitepaper Attaining BS7799 Compliance with Retina Vulnerability Assessment Technology Information Security Risk Assessments For more information about eeye s Enterprise Vulnerability Assessment and Remediation Management

More information

Director, Value Engineering

Director, Value Engineering Director, Value Engineering April 25 th, 2012 Copyright OpenText Corporation. All rights reserved. This publication represents proprietary, confidential information pertaining to OpenText product, software

More information

The IBM data governance blueprint: Leveraging best practices and proven technologies

The IBM data governance blueprint: Leveraging best practices and proven technologies May 2007 The IBM data governance blueprint: Leveraging best practices and proven technologies Page 2 Introduction In the past few years, dozens of high-profile incidents involving process failures and

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

Information Security in Business: Issues and Solutions

Information Security in Business: Issues and Solutions Covenant University Town & Gown Seminar 2015 Information Security in Business: Issues and Solutions A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information

More information

Creating a Catalog for ILM Services. Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel

Creating a Catalog for ILM Services. Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel Creating a Catalog for ILM Services Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel SNIA Legal Notice The material contained in this tutorial is copyrighted

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Information Security Management System Policy

Information Security Management System Policy Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Improving Service Asset and Configuration Management with CA Process Maps

Improving Service Asset and Configuration Management with CA Process Maps TECHNOLOGY BRIEF: SERVICE ASSET AND CONFIGURATION MANAGEMENT MAPS Improving Service Asset and Configuration with CA Process Maps Peter Doherty CA TECHNICAL SALES Table of Contents Executive Summary SECTION

More information

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University. Data Sheet Cisco Optimization s Optimize Your Solution using Cisco Expertise and Leading Practices Optimizing Your Business Architecture Today, enabling business innovation and agility is about being able

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

Infrastructure consulting. Global Infrastructure

Infrastructure consulting. Global Infrastructure Infrastructure consulting Global Infrastructure Services Operational costs systems availability compliance and security energy and power usage disaster recovery all contribute to today s increasingly complex

More information

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures. Symantec Corporation TM Symantec Product Vulnerability Management Process Best Practices Roles & Responsibilities INSIDE Vulnerabilities versus Exposures Roles Contact and Process Information Threat Evaluation

More information

CLASSIFICATION SPECIFICATION FORM

CLASSIFICATION SPECIFICATION FORM www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Guidelines 1 on Information Technology Security

Guidelines 1 on Information Technology Security Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical

More information

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

More information

CISM ITEM DEVELOPMENT GUIDE

CISM ITEM DEVELOPMENT GUIDE CISM ITEM DEVELOPMENT GUIDE TABLE OF CONTENTS CISM ITEM DEVELOPMENT GUIDE Content Page Purpose of the CISM Item Development Guide 2 CISM Exam Structure 2 Item Writing Campaigns 2 Why Participate as a CISM

More information

Information Security Governance:

Information Security Governance: Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens

More information

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0 ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright

More information

Data Governance. Unlocking Value and Controlling Risk. Data Governance. www.mindyourprivacy.com

Data Governance. Unlocking Value and Controlling Risk. Data Governance. www.mindyourprivacy.com Data Governance Unlocking Value and Controlling Risk 1 White Paper Data Governance Table of contents Introduction... 3 Data Governance Program Goals in light of Privacy... 4 Data Governance Program Pillars...

More information

Managed Services. Business Intelligence Solutions

Managed Services. Business Intelligence Solutions Managed Services Business Intelligence Solutions Business Intelligence Solutions provides an array of strategic technology services for life science companies and healthcare providers. Our Managed Services

More information

Business Continuity / Disaster Recovery Context

Business Continuity / Disaster Recovery Context Capability Business Continuity / Disaster Recovery Context What is Business Continuity? The Business Continuity Program Life Cycle Copyright: Virtual Corporation, 1994 2006 Modified U.S. DoD Graphic Normal

More information

Information Security Program CHARTER

Information Security Program CHARTER State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information

More information

IT Governance Regulatory. P.K.Patel AGM, MoF

IT Governance Regulatory. P.K.Patel AGM, MoF IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation

More information

Proven LANDesk Solutions

Proven LANDesk Solutions LANDesk Solutions Descriptions Proven LANDesk Solutions IT departments face pressure to reduce costs, reduce risk, and increase productivity in the midst of growing IT complexity. More than 4,300 organizations

More information

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation. Risk mitigation for business resilience White paper A comprehensive, best-practices approach to business resilience and risk mitigation. September 2007 2 Contents 2 Overview: Why traditional risk mitigation

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

Leveraging a Maturity Model to Achieve Proactive Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Cisco Security Services

Cisco Security Services Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts GOVERNANCE DEFINED Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts Governance over the use of technology assets can be seen

More information

ENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY

ENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY ENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY The Telecommunications Industry Companies in the telecommunications industry face a number of challenges as market saturation, slow

More information

Promotion Model. CVS SUITE QUICK GUIDE 2009 Build 3701 February 2010. March Hare Software Ltd

Promotion Model. CVS SUITE QUICK GUIDE 2009 Build 3701 February 2010. March Hare Software Ltd CVS SUITE QUICK GUIDE 2009 Build 3701 February 2010 March Hare Software Ltd Legal Notices Legal Notices There are various product or company names used herein that are the trademarks, service marks, or

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

PEOPLESOFT IT ASSET MANAGEMENT

PEOPLESOFT IT ASSET MANAGEMENT PEOPLESOFT IT ASSET MANAGEMENT KEY BENEFITS Streamline the IT Asset Lifecycle Ensure IT and Corporate Compliance Enterprise-Wide Integration Oracle s PeopleSoft IT Asset Management streamlines and automates

More information

Using MSBA as the Foundation for SOA

Using MSBA as the Foundation for SOA SOA Challenges Why is Business Architecture Important What is MSBA Using MSBA as the Foundation for SOA SOA in context 1 SOA holds out enormous promise to revitalise the business value of IT... but early

More information

Information Security Management System Information Security Policy

Information Security Management System Information Security Policy Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

2011 Forrester Research, Inc. Reproduction Prohibited

2011 Forrester Research, Inc. Reproduction Prohibited 1 2011 Forrester Research, Inc. Reproduction Prohibited Information Security Metrics Present Information that Matters to the Business Ed Ferrara, Principal Research Analyst July 12, 2011 2 2009 2011 Forrester

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Mandate and commitment Design of framework for managing risks Continual improvement of the framework Implementing risk management Monitoring and review of the framework Source:

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Outsourcing and Information Security

Outsourcing and Information Security IBM Global Technology Services Outsourcing and Information Security Preparation is the Key However ultimately accountability cannot be outsourced February 2009 page 2 1. Introduction 3 1.1 Reason for outsourcing

More information

BSM for IT Governance, Risk and Compliance: NERC CIP

BSM for IT Governance, Risk and Compliance: NERC CIP BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

HSS Specific Terms HSS SOFTWARE LICENSE AGREEMENT

HSS Specific Terms HSS SOFTWARE LICENSE AGREEMENT HSS Specific Terms HSS SOFTWARE LICENSE AGREEMENT 1. LICENSE 2. TERMINATION Subject to the terms and conditions of this HSS Software License Agreement (the Agreement ), HSS hereby grants to Client (herein

More information

National Approach to Information Assurance 2014-2017

National Approach to Information Assurance 2014-2017 Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version

More information

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013 IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

Risk Management Frameworks

Risk Management Frameworks Effective Security Practices Series Driven by a wave of security legislation and regulations, many IT risk management frameworks have surfaced over the past few years. These frameworks attempt to help

More information