PRIVACY & DATA SECURITY LAW JOURNAL

Information Security Management Programs: Operational Assessments
Lessons Learned and Best Practices Revealed

JUSTIN SOMAINI AND ALAN HAZLETON

As the authors explain, a comprehensive assessment process that includes a focus on security and technology operations is critical to the development of a comprehensive information security management program.

Justin Somaini, Chief Information Security Officer for Symantec Corporation, leads its Information Security group, which is responsible for information security governance and risk management, privacy, and threat response. Most recently, he was the Director of Information Security at VeriSign, Inc., where he was responsible for all aspects of information security. Alan Hazleton, a Senior Advisor with TPI, has extensive expertise in helping clients with the full sourcing life cycle; reviewing strategic alternatives and priorities; structuring contracts; and implementing third party service provider solutions. Mr. Hazleton has a particular focus on assessing existing application development and maintenance organizations as well as information security management organizations and assisting with initial implementation and long term operational management. Mr. Hazleton can be reached at

In the launch of this series, Information Security Management Programs: Lessons Learned and Best Practices Revealed, the process of developing a comprehensive information security management program ("ISMP") was introduced. The second installment brought clarity to a commonly overlooked component of a successful ISMP development process, the organizational assessment, a subset of the Assessment and Strategy phase. To date, the common challenges with ISMP design and implementation have been highlighted. Now the discussion turns to addressing the critical process of performing another subset of the Assessment and Strategy phase, an operational assessment, and the importance of this assessment's outputs for building an effective and achievable ISMP strategy. Why? A comprehensive assessment process that includes a focus on security and technology operations is critical to the development of the ISMP strategy.

A lesson from the initial piece in this series stated that ISMSs (information security management systems) do not typically fail due to difficulty understanding or implementing technology. This assertion was further clarified by an example that underscored the fact that technology rarely fails; rather, more frequently, people or processes fail. Even though an understanding of existing culture and organizational dynamics is often underestimated, a comprehensive operational assessment and gap analysis is an area that security professionals stress for development of a successful ISMP.

A Review and a Look Forward

Article 1: Information Security Management Programs: Lessons Learned and Best Practices Revealed:
Lesson One: ISMSs do not typically fail due to difficulty understanding or implementing technology.
Lesson Two: Comprehensive security policy is but one of the key building blocks to an effective ISMS.
Lesson Three: To successfully design an ISMP, the information security team must thoroughly understand the employee and management team's opinions, attitudes and history with respect to enterprise information security.
Lesson Four: To successfully design an ISMP, the information security team must thoroughly understand the current state of operational processes and tools for IT infrastructure and application development.

Article 2: Information Security Management Programs: Organizational Assessment Lessons Learned and Best Practices Revealed:
Lesson One: The existing corporate culture, organizational roles and historical security events, as well as potential response to security-related stimuli, should be an integral part of the assessment process.
Lesson Two: The charter of the organizational assessment process is to gain a detailed understanding of an organization's culture and workforce dynamics in order to effectively tailor the ISMP program to the organization.
Lesson Three: To understand an organization, you must talk to its executives, managers and employees.
Lesson Four: Surveys are not an acceptable replacement for interviews; but the feasibility of interviewing a relevant sample of any large, geographically distributed organization in a limited timeframe is difficult, and sometimes there are political sensitivities to interviews across geographies.

ISMP Phases of Implementation
Phase 1: Assessment and Strategy
Phase 2: Triage and Tactical Initiatives
Phase 3: Metrics and Awareness
Phase 4: Technical and Process Maturity
Phase 5: Assessment and Validation
Phase 6: Strategic Initiatives

Lesson One: The Operational Assessment, or detailed understanding of the existing information technology services (e.g. design, operation, strategy and transition), governance, control and security processes, must be a foundational component of the assessment process.

There are several bodies of knowledge that have been embraced by information technology ("IT") organizations across the world. The International Organization for Standardization, specifically the ISO/IEC 27001 standard, is the core for an ISMP. There are very detailed controls defined in that standard that should be used to build components of operational assessment processes. However, in order to effectively address the services, governance and control processes listed above, additional bodies of knowledge should be leveraged to complete or round out the operational assessment reference knowledge base.

Governance and Control

The primary IT control framework used in the United States is the CobiT[1] Framework. CobiT is an acronym for Control Objectives for Information and Related Technology, which was developed by the IT Governance Institute ("ITGI"). CobiT is an internationally recognized set of industry standards for IT governance and control practices. Although it originated in the U.S., it is commonly used internationally due to the ever-increasing nature of the global economy and interrelationships between business partners. A detailed overview of CobiT is not addressed here. As a component of the operational assessment, CobiT should be leveraged to assess the existing information technology governance and control processes.

The ISMP should represent an enterprise roadmap that must be tailored to meet program management guidelines, and even more importantly, to understand how all implementations of technology and process are accomplished in the organization.

Information Technology Infrastructure Library

The Information Technology Infrastructure Library ("ITIL")[2] is a widely adopted collection of published processes and techniques for managing IT infrastructure, development, and operations. ITIL includes detailed definitions of a series of critical IT practices that are designed to be tailored to any IT organization. ITIL is published by the United Kingdom's Office of Government Commerce ("OGC") and includes comprehensive checklists, tasks and procedures. As a component of the operational assessment, ITIL should be leveraged to assess existing IT services. To be successful, the ISMP should represent a series of initiatives that must be tailored to integrate with existing services. Key areas including Change Management, Configuration Management, Incident Management and Service Management must be assessed for level of maturity and impact to the overall ISMP design.

Lesson Two: The Operational Assessment should leverage a gap analysis model that enforces the consistency of the review process across multiple dimensions, including industry best practices and existing organizational processes, controls and technology.

Process and Control Framework

The information security ("Infosec") organization must be able to successfully analyze the existing process and control hierarchy and rapidly define the gap between leading practices and existing policies, procedures and security architecture. By providing the ability to rapidly analyze the maturity of processes against leading practices and to drive analysis efforts from multiple dimensions, the use of best practices to develop a gap analysis will greatly enhance the quality of the strategy process. The Infosec team should strive to bring as much consistency as possible to the gap analysis model to define relationships between corporate business processes and leading practices that include the CobiT, ISO27001 and ITIL standards.

The operational assessment will benefit greatly from a relational approach to mapping leading practices and business requirements (regulatory and other) to corporate process and control hierarchies. Upon detailed review of CobiT, ISO27001 and ITIL, the redundancy, or overlap, in certain areas will become obvious. The use of an operational assessment framework will allow the reviewer to select the most appropriate best practices for their organization and maturity level.

Lesson Three: The Operational Assessment should leverage a gap analysis model that ensures the discovery of all technology components utilized across existing information technology processes.

Technical Architecture

A common method used in the IT industry for describing the impact of new technology implementations (e.g. change) is to reference three dimensions: people, process and technology. Here and in previous installments, a great deal of focus has been placed on the analysis of culture and organizational process. The second column in this series emphasized the people aspect of ISMP design. The process and control framework approach described herein emphasizes the process aspects of ISMP design. What about technology? Why have we not focused on the review and assessment of technology and the security architecture for the organization? The answer is simple, but often misunderstood. The assessment of technology can be effectively accomplished through the lens of process review and cultural review. When asked what technology is planned for implementation over the next year, any good security professional's eyes will light up, and they will begin a long and colorful discussion, piece by piece, of how the network, server, storage and application infrastructure will be improved through technology.

But the discussion can turn to interesting but sometimes misleading attributes of technology solutions, including Security Information Management, Intrusion Detection and Prevention, Data Encryption, Data Loss Prevention, Host Security, Endpoint Security and Mobile Security. The Infosec professional's leap to technology as the solution to specific issues is as natural as an IT infrastructure professional's leap to the next level of server virtualization. The astute Infosec professional, however, will weave the technology implementations into a series of people and process changes with the overall goal of reducing risk to the organization.

Lesson Four: The charter of the gap analysis process is to document the maturity level of the existing culture (people), processes and technology in order to identify where there is doubt in the ability of current state processes to effectively address risk to the organization.

Operational Assessment and Gap Analysis

The development of a comprehensive gap analysis of the current state of security in any organization is critical to the development of a security strategy. The phased journey to a destination or future state can only be accurately planned if the definition of that destination is well defined. The operational assessment and gap analysis process varies significantly from the organizational assessment described in the previous article. The operational assessment is primarily oriented to a quantitative analysis approach, while the organizational assessment includes a significant level of qualitative analysis. What is the difference? The simple view is that qualitative analysis involves words and quantitative analysis involves numbers. During the organizational assessment, qualitative analysis involves active participation of the reviewer in the process and immersion in the analysis (e.g. interviews). In addition, one of the key goals of the organizational assessment is to build relationships of trust between Infosec (reviewers) and IT (participants). During the operational assessment, quantitative analysis involves objective observation wherein the reviewer does not participate directly in the processes being reviewed nor significantly influence those processes.

Since Infosec is involved in many IT processes and usually exerts some influence on the process execution, this pure approach is not strictly followed, but the use of quantitative principles in the operational assessment and gap analysis still applies. The accompanying table outlines the high-level tasks and order of operations for completing the gap analysis process for IT operations.

Gap Analysis Process for IT Operations

Step                                   Description

Preparation                            Select the best practice knowledge bases

Identify Analysis Scope                Identify redundant coverage and select the knowledge base of record for each topic area
                                       Select, refine and confirm the components of those best practices that will be used in the gap analysis process

Identify Analysis Gaps                 Identify coverage gaps
                                       Select additional knowledge bases of record for each gap, or supplement with additional content

Select Analysis Approach               For each component, identify the most appropriate analysis approach
                                       Develop analysis response definitions (e.g., binary response selection definitions, or multiple choice selection definitions)
                                       Develop analysis response weightings (e.g., level of importance indicators)

Select Analysis Population             For each component, identify the most appropriate people, processes and technology
                                       Confirm assessment and analysis participants

Conduct Assessment and Gap Analysis    Complete gap analysis process

Distribute Results and Gain Consensus  Distribute results to participants and provide for a feedback mechanism
                                       Make modifications where analysis was incomplete or inaccurate

Distribute Final Results               Distribute results to executive management
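The table's scoping and scoring steps, worked through as an added Python model. This is illustrative code written for this edit, not a tool of the authors, Symantec, TPI or the journal; the topic coverage attributed to each knowledge base, the preference order, the components, their weights and the recorded responses are all constructed sample values. It covers the knowledge-base-of-record selection and coverage-gap check (Identify Analysis Scope and Identify Analysis Gaps, and the overlap point made under Process and Control Framework), then the binary and multiple-choice response definitions with importance weightings (Select Analysis Approach), and produces a prioritized list of weighted gaps plus an overall maturity percentage.

```python
"""Weighted gap analysis model for an operational assessment.

Added illustration, not the authors' or the journal's tooling. All knowledge-base
coverage, component definitions, weights and responses below are constructed
sample data.
"""
from dataclasses import dataclass

# Constructed topic coverage for each leading-practice knowledge base. Overlap is
# deliberate: change_management and risk_assessment are each covered twice.
KNOWLEDGE_BASES = {
    "CobiT": {"governance", "change_management", "risk_assessment"},
    "ISO27001": {"risk_assessment", "access_control", "security_policy"},
    "ITIL": {"change_management", "configuration_management", "incident_management"},
}

# Assumed preference order used to resolve redundant coverage.
PREFERENCE = ["ISO27001", "CobiT", "ITIL"]


def knowledge_base_of_record(scope, knowledge_bases=KNOWLEDGE_BASES, preference=PREFERENCE):
    """Map each in-scope topic to one knowledge base of record (Identify Analysis Scope)
    and list topics that no knowledge base covers (Identify Analysis Gaps)."""
    record, gaps = {}, []
    for topic in scope:
        covering = [kb for kb in preference if topic in knowledge_bases[kb]]
        if covering:
            record[topic] = covering[0]   # first match in preference order wins
        else:
            gaps.append(topic)
    return record, gaps


@dataclass(frozen=True)
class Component:
    """One assessable component with its response definition and weighting."""
    name: str
    topic: str
    weight: int        # level of importance: 1 (low) .. 5 (critical)
    kind: str          # "binary" (present / absent) or "choice" (maturity level)
    levels: int = 5    # highest selectable maturity level for "choice" components

    def normalized(self, response):
        """Convert a raw response into a 0.0 .. 1.0 score."""
        if self.kind == "binary":
            return 1.0 if response else 0.0
        if self.kind == "choice":
            if not 0 <= response <= self.levels:
                raise ValueError(f"{self.name}: response {response} outside 0..{self.levels}")
            return response / self.levels
        raise ValueError(f"{self.name}: unknown response definition {self.kind!r}")


def gap_analysis(components, responses):
    """Return (maturity_percent, rows). Each row carries the component's normalized
    score and its weighted gap = weight * (1 - score); rows are sorted so the
    largest weighted gap comes first, which is the prioritization order."""
    rows = []
    for c in components:
        score = c.normalized(responses[c.name])
        rows.append({
            "component": c.name,
            "topic": c.topic,
            "weight": c.weight,
            "score": round(score, 2),
            "weighted_gap": round(c.weight * (1.0 - score), 2),
        })
    total_weight = sum(c.weight for c in components)
    maturity = sum(c.weight * c.normalized(responses[c.name]) for c in components) / total_weight
    rows.sort(key=lambda r: (-r["weighted_gap"], r["component"]))
    return round(maturity * 100, 1), rows


# Constructed assessment scope, population and responses.
SAMPLE_SCOPE = ["change_management", "configuration_management", "risk_assessment",
                "access_control", "incident_management", "data_loss_prevention"]
SAMPLE_COMPONENTS = [
    Component("change_advisory_board", "change_management", 4, "binary"),
    Component("cmdb_accuracy", "configuration_management", 3, "choice"),
    Component("risk_register_reviewed", "risk_assessment", 5, "choice"),
    Component("periodic_access_reviews", "access_control", 4, "binary"),
    Component("incident_runbooks", "incident_management", 2, "choice"),
]
SAMPLE_RESPONSES = {
    "change_advisory_board": True,
    "cmdb_accuracy": 2,
    "risk_register_reviewed": 3,
    "periodic_access_reviews": False,
    "incident_runbooks": 4,
}


if __name__ == "__main__":
    record, gaps = knowledge_base_of_record(SAMPLE_SCOPE)
    print("knowledge base of record:", record)
    print("coverage gaps (need another knowledge base or supplemental content):", gaps)
    maturity, rows = gap_analysis(SAMPLE_COMPONENTS, SAMPLE_RESPONSES)
    print(f"overall weighted maturity: {maturity}%")
    for r in rows:
        print(f"  {r['component']:<26} weight={r['weight']} score={r['score']:.2f} weighted_gap={r['weighted_gap']}")
```

With the sample data, change_management is claimed by both CobiT and ITIL and risk_assessment by both CobiT and ISO27001; the preference order settles each to one knowledge base of record, while data_loss_prevention surfaces as a coverage gap to be filled from another source. The weighted-gap ordering is what turns the assessment into a prioritized list: a missing control with a high importance weight ranks above a partially mature one with a low weight, which is the quantitative input the next installment's strategy work needs.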

Security Goals and Objectives (Strategy)

In order to develop an achievable strategy for security in any organization, the Infosec professional must be able to define in detail the end-state goals to be achieved. The purpose of developing a gap analysis is to define the people, process and technology changes that must be prioritized, designed, implemented, measured and managed over the course of a phased implementation approach. The phased implementation approach (for example, the security strategy) must be carefully tailored to the organization's unique requirements and process maturity. The organization must be secured, risks must be mitigated, and the business must continue to operate while the security strategy is in process.

In the next installment in this series, the process of developing a comprehensive security strategy will be defined, including leveraging the outputs of the organizational assessment and operational assessment processes. Constraints to the implementation of the strategy will be addressed in order to tailor the strategy to the current state of the organization. Although frequently a component of process improvement in the strategy itself, the use of enterprise risk management disciplines to tailor the strategy will also be introduced.

NOTES

1 Control Objectives for Information and Related Technology ("CobiT"), IT Governance Institute ("ITGI").
2 Information Technology Infrastructure Library ("ITIL"), United Kingdom's Office of Government Commerce ("OGC").


More information

Improving residual risk management through the use of security metrics

Improving residual risk management through the use of security metrics Improving residual risk management through the use of security metrics Jonathan Pagett Technical Report RHUL MA 2010 08 31st March 2010 Department of Mathematics Royal Holloway, University of London Egham,

More information

Trends in Information Technology (IT) Auditing

Trends in Information Technology (IT) Auditing Trends in Information Technology (IT) Auditing Padma Kumar Audit Officer May 21, 2015 Discussion Topics Common and Emerging IT Risks Trends in IT Auditing IT Audit Frameworks & Standards IT Audit Plan

More information

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012 Designing & Implementing Enterprise Security Programs MBA Bank Expo 2012 April 11, 2012 Session Purpose G R O U P Premise: Security is institutionalized, but the enterprise is evolving. the enterprise

More information

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface. iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 1.1 Overview 4 1.2 Context 4 1.3 Purpose 8 1.4 Usage 8 2 Management

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

P.O. box 1796 Atlas, Fes, 30000, Morocco 2 ENSA, Ibn Tofail University, P.O 141, Kenitra, 14000, Morocco

P.O. box 1796 Atlas, Fes, 30000, Morocco 2 ENSA, Ibn Tofail University, P.O 141, Kenitra, 14000, Morocco Volume 5, Issue 6, June 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Information Technology

More information

Frameworks for IT Management

Frameworks for IT Management Frameworks for IT Management Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net 18 ITIL - the IT Infrastructure

More information

Information Technology Infrastructure Library (ITIL)

Information Technology Infrastructure Library (ITIL) Information Technology Infrastructure Library (ITIL) Bruce Amato - BAA, LLC Dr. Mimi Struck Multithreads, LLC Tim Clifford, Horizon Industries, LTD 2 February 2010 baa Agenda Background/Introduction ITIL

More information

2.1 MBI Framework 2.2 ITIL 2.3 COBIT

2.1 MBI Framework 2.2 ITIL 2.3 COBIT Extending MBI Model using ITIL and COBIT Processes DOI: 10.20470/jsi.v6i4.244 Sona Karkoskova 1, George Feuerlicht 1,2 1 Faculty of Informatics and Statistics University of Economics, Prague 2 Unicorn

More information

Blackhawk Technical College. Information Technology Services. Process Improvement Visioning Document

Blackhawk Technical College. Information Technology Services. Process Improvement Visioning Document Blackhawk Technical College Information Technology Services Process Improvement Visioning Document December 12, 2008 Steven Davidson Chief Information Officer Blackhawk Technical College sdavidson@blackhawk.edu

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation. Risk mitigation for business resilience White paper A comprehensive, best-practices approach to business resilience and risk mitigation. September 2007 2 Contents 2 Overview: Why traditional risk mitigation

More information

ITIL: Continual Service Improvement Course 02 Continual Service Improvement

ITIL: Continual Service Improvement Course 02 Continual Service Improvement ITIL: Continual Service Improvement Course 02 Continual Service Improvement Lesson Slide 1 Introduction to CSI Topics Discussed CSI & the Service Lifecycle Managing Across the Lifecycle Purpose Objectives

More information

Creating a Catalog for ILM Services. Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel

Creating a Catalog for ILM Services. Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel Creating a Catalog for ILM Services Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel SNIA Legal Notice The material contained in this tutorial is copyrighted

More information

Business Architecture Guild Body of Knowledge Handbook 2.0

Business Architecture Guild Body of Knowledge Handbook 2.0 Guild Body of Knowledge Handbook 2.0 ------------------------ Section 1: Introduction The Guild has made this Introduction section of its Body of Knowledge Handbook 2.0 ( Handbook ) publicly available

More information

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material,

More information

Data Governance Update. BOE workshop January 30, 2014

Data Governance Update. BOE workshop January 30, 2014 Data Governance Update BOE workshop January 30, 2014 IT Leadership Brett Miller, Chief Technology Officer Dave Reid, Director Enterprise Application Architecture Chris Paschke, Manager Information Security

More information

Overview of Frameworks: Cobit, Jennifer F. Alfafara, CISA Consultant

Overview of Frameworks: Cobit, Jennifer F. Alfafara, CISA Consultant Overview of Frameworks: Cobit, COSO, ITIL, ISO, and more Jennifer F. Alfafara, CISA Consultant Frameworks vs Standards What is a Framework? Main Entry: frame work Pronunciation: \frām- wərk\ Function:

More information

Information Security Management Systems. Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer

Information Security Management Systems. Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer Information Security Management Systems Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer atsec information security, 2013 ISO/IEC 27001 and related

More information

ITIL: Managing Across the Lifecycle

ITIL: Managing Across the Lifecycle ITIL: Managing Across the Lifecycle Course Introduction Course Introduction Chapter 01 - Course Introduction Lesson: Course Organization Welcome to the Course! Mentoring Community Introductions Why Are

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

Information Security Risk Management

Information Security Risk Management Information Security Risk Management Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net

More information

Development, Acquisition, Implementation, and Maintenance of Application Systems

Development, Acquisition, Implementation, and Maintenance of Application Systems Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Advanced Topics for TOGAF Integrated Management Framework

Advanced Topics for TOGAF Integrated Management Framework Instructor: Robert Weisman MSc, PEng, PMP CD Robert.weisman@buildthevision.ca Advanced Topics for TOGAF Integrated Management Framework ROBERT WEISMAN CEO BUILD THE VISION, INC. WWW.BUILDTHEVISION.CA EMAIL:

More information

Solutions. Master Data Governance Model and the Mechanism

Solutions. Master Data Governance Model and the Mechanism Solutions Master Data Governance Model and the Mechanism Executive summary Organizations worldwide are rapidly adopting various Master Data Management (MDM) solutions to address and overcome business issues

More information

Gartner, Inc. DIR-SDD-2042

Gartner, Inc. DIR-SDD-2042 Texas Department of Information Resources STATEMENT OF WORK (SOW) FOR DELIVERABLES-BASED INFORMATION TECHNOLOGY SERVICES Identity & Access Management Analysis IT Assessment & Planning Gartner, Inc. DIR-SDD-2042

More information

Improving Service Asset and Configuration Management with CA Process Maps

Improving Service Asset and Configuration Management with CA Process Maps TECHNOLOGY BRIEF: SERVICE ASSET AND CONFIGURATION MANAGEMENT MAPS Improving Service Asset and Configuration with CA Process Maps Peter Doherty CA TECHNICAL SALES Table of Contents Executive Summary SECTION

More information

PRIORITIZING CYBERSECURITY

PRIORITIZING CYBERSECURITY April 2016 PRIORITIZING CYBERSECURITY Five Investor Questions for Portfolio Company Boards Foreword As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies

More information

IA Metrics Why And How To Measure Goodness Of Information Assurance

IA Metrics Why And How To Measure Goodness Of Information Assurance IA Metrics Why And How To Measure Goodness Of Information Assurance Nadya I. Bartol PSM Users Group Conference July 2005 Agenda! IA Metrics Overview! ISO/IEC 21827 (SSE-CMM) Overview! Applying IA metrics

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Creating a Process Map for Incident Management

Creating a Process Map for Incident Management Creating a Process Map for Incident Management CERT Coordination Center Networked Systems Survivability Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 2004 Carnegie

More information

Partnering for Project Success: Project Manager and Business Analyst Collaboration

Partnering for Project Success: Project Manager and Business Analyst Collaboration Partnering for Project Success: Project Manager and Business Analyst Collaboration By Barbara Carkenord, CBAP, Chris Cartwright, PMP, Robin Grace, CBAP, Larry Goldsmith, PMP, Elizabeth Larson, PMP, CBAP,

More information

HKITPC Competency Definition

HKITPC Competency Definition HKITPC Competency Definition for the Certification copyright 2011 HKITPC HKITPC Competency Definition Document Number: HKCS-CD-L1L2 Version: 1.0 Date: June 2011 Prepared by Hong Kong IT Professional Certification

More information

The Secret Sauce of ILM The ILM Assessment Core. Bob Rogers, Application Matrix

The Secret Sauce of ILM The ILM Assessment Core. Bob Rogers, Application Matrix The Secret Sauce of ILM The ILM Assessment Core Bob Rogers, Application Matrix SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may

More information

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Certified Identity and Access Manager (CIAM) Overview & Curriculum Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management

More information

Notice of Inquiry Response. October 31, 2012 V1.0

Notice of Inquiry Response. October 31, 2012 V1.0 Notice of Inquiry Response National Telecommunications and Information Administration Chapter 1 FNN Conceptual Network Design Model Department of Commerce National Telecommunications and Information Administration

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

IT Service Management

IT Service Management RL Consulting IT Service Management ITSM/ITIL Best Practice Process Overview Primer A Policy Based, Service Provider Approach Prepared by: Rick Leopoldi February 13, 2003 Copyright 2003. All rights reserved.

More information

PMO Continuous Improvement

PMO Continuous Improvement 1.0 Purpose The Project Management Office (PMO) is committed to eliminating the status quo. The goal is to develop an environment where the team is encouraged to continuously improve what we do and how

More information

IT GOVERNANCE TRANSITION ANALYSIS FROM ITIL TO COBIT: CASE STUDY BANKING INDUSTRY IN THAILAND

IT GOVERNANCE TRANSITION ANALYSIS FROM ITIL TO COBIT: CASE STUDY BANKING INDUSTRY IN THAILAND IT GOVERNANCE TRANSITION ANALYSIS FROM ITIL TO COBIT: CASE STUDY BANKING INDUSTRY IN THAILAND Saksri Zuurbier, Kasetsart University, THAILAND Pornthep Anussornnitisarn, Kasetsart University, THAILAND Bordin

More information

Description of Program Management Processes (Initiating, Planning) 2011 PROGstudy.com. All rights reserved

Description of Program Management Processes (Initiating, Planning) 2011 PROGstudy.com. All rights reserved Description of Program Management Processes (Initiating, Planning) Topics Covered Program Management Process Groups salient features Description of all processes in Initiating Process Group: Initiate Program

More information

Information Security Management Systems

Information Security Management Systems Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector

More information

Analysis of the ITIL Mapping with COBIT over the Business Process Continuity Management

Analysis of the ITIL Mapping with COBIT over the Business Process Continuity Management Computer Technology and Application 2 (2011) 513-521 Analysis of the ITIL Mapping with COBIT over the Business Process Continuity Management Melita Kozina University of Zagreb, Faculty of Organization

More information

STATEMENT OF MARK A.S. HOUSE OF REPRESENTATIVES

STATEMENT OF MARK A.S. HOUSE OF REPRESENTATIVES STATEMENT OF MARK A. FORMAN ASSOCIATE DIRECTOR FOR INFORMATION TECHNOLOGY AND ELECTRONIC GOVERNMENT OFFICE OF MANAGEMENT AND BUDGET BEFORE THE COMMITTEE ON GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT

More information

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Four Top Emagined Security Services

Four Top Emagined Security Services Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security

More information