1 Cybersecurity Management Programs Dr. J. Stuart Broderick, CISM, CRISC, CCSK Principal Cisco Security Solutions June 2015 Most organizations cybersecurity teams (or information security teams as they are sometimes known) struggle to communicate cybersecurity issues to senior leadership. Likewise, senior management also struggles to effectively articulate cybersecurity strategy to technical cybersecurity personnel. It is as though two parts of the same organization speak foreign languages to one another, and each party has a very limited, or no, knowledge of the other party s language. However, it does not have to be like this. Failure to communicate issues is most often revealed in grassroots cybersecurity initiatives that have evolved into corporate cybersecurity management programs. Typically, this resulted from an enterprise in startup mode implementing solutions to address specific technical challenges. Unfortunately, many organizations continue to employ a similar approach to secure much larger and more complex environments against threats that outmatch the capabilities of their original solutions. No longer simply a technical solution, cybersecurity management has become a business function in today s industry. As a business function, a greater level of integration with other business units requires a greater level of transparency and performance reporting. The evolution of grassroots cybersecurity management programs rarely results in the kind of mature cybersecurity solutions that are aligned with, and address business needs. And why should they? The initial programs were designed to solve technical challenges, such as preventing virus outbreak or infection, stopping cyber attackers from compromising or stealing valuable information. Such initial cybersecurity efforts were neither designed as business functions nor defined in business terms. Key Success Factors Many successful cybersecurity management programs share the following key success factors: Are designed, developed, and implemented in a similar way to other business functions Adopt a standard framework approach, usable for an extended period of many years with little or no changes to that framework Are measureable in terms of their performance and efficiency Cisco and/or its affiliates. All rights reserved.
2 Examining each of these factors in detail, you may find that executives initiate successful cybersecurity management programs in the same manner as other successful business initiatives. Executives succeed at this not because of industry pressure, but because each aims to improve their organization. Having identified the opportunity, executives evaluate whether the initiative poses additional risks to their organizations and decide whether to accept this additional risk or not. After accepting such risk, executive sponsors continue to evaluate initiatives toward implementation. Even when initiatives are operational, executives still employ internal audit teams to monitor the effectiveness and efficiency of these initiatives. This business approach has become institutionalized across most enterprise units with the exception of IT and cybersecurity. Key stakeholders often cite reasons, including programs are too technical, only internal-facing, or too complex, to properly evaluate or implement this same approach to cybersecurity. Analysis of the commonalities and differences between the various frameworks in use show that it is possible to create a universal cybersecurity management framework to address all countries, industries, and states. The truth is if these same IT and cybersecurity groups adopted a common framework and designed their cybersecurity management programs based on said framework, cybersecurity management would truly become a standard business function in their enterprises. Unfortunately, the cybersecurity world does not agree on a standard cybersecurity framework, much less across all countries, industries, and states. Analysis of the commonalities and differences between the various frameworks in use show that it is possible to create a universal cybersecurity management framework to address all countries, industries, and states. Such a framework is not firmly associated with any particular cybersecurity standard and can be adapted during implementation to address any specific security standard that organizations using it wish to follow. This paper introduces a cybersecurity management framework that is not too technical, addresses both internal and external concerns, and is not overly complex to implement, operationalize, and manage over the long term. Senior leadership teams (SLTs) provide greater support to, and are more confident of, the usefulness and effectiveness of their organizations cybersecurity management programs if those programs provide regular, useful, and usable metrics. Unfortunately, many cybersecurity professionals inundate their SLT with large quantities of data presented in ways that sometimes require extended explanations. A more effective approach is to first determine specific metrics most beneficial to their SLTs followed by a reporting regime that addresses those specific concerns. Simplifying SLT cybersecurity reporting can be as uncomplicated as a single number or individual letter, a colored graphic or a few sparklines on a webpage, or something less likely to grow into a really detailed report. The framework described in this paper was developed based on thousands of hours of working with organizations of all sizes and across all industries. This framework is designed to be used globally, across industry sectors, without change, and is applicable to organizations of any size Cisco and/or its affiliates. All rights reserved.
3 Cybersecurity Management Framework The design of the Cybersecurity Management Framework (CMF) assumes cybersecurity management is a business function. The framework, as a business function, requires three discrete layers with each subsequent layer unfolding increasing levels of specificity as follows: Strategy is to initiate and drive the framework forward to operation. -- Requires people to identify the need for cybersecurity, consider the business issues, and then define, document, and publish the direction the required cybersecurity management program will adopt. Operational focus defines what the cybersecurity management program must address to comply with the requirements specified in the strategy. -- Requires definitions of documented operational standards, processes, procedures, and other collateral that specify what operators should do and how they should do it. Tactical security controls address specific requirements articulated in the operational documentation. -- These security controls, whether requiring technology or not, are responsible for securing all aspects of an enterprise computing environment, continuously monitoring the environment for security events, collecting and analyzing captured events, and reporting defined security metrics, some of which are provided to the SLT. Although addressing cybersecurity challenges with only these layers is perfectly possible, adopting and using it in that way is difficult and potentially prone to error or misinterpretation. To ease such issues, you must divide these higher-level layers into more manageable chunks. The CMF subdivides its three macro layers into seven discrete focus areas: Executive Sponsorship: Key accountability required to drive the program IT Risk Management: Required to identify, monitor, and address cybersecurity risks posed to the organization IT and Security Audit: Required to ensure that IT and cybersecurity teams, and an organization s user population are using information and IT resources appropriately Security Intelligence: Required to ensure IT and cybersecurity practitioners, and management are aware of both internal and external threat landscapes to further prevent or minimize the introduction of additional security-related risk to their organizations Secure Network: Required to design, implement, and manage network devices, appliances, other core components, communications channels, and management tools, whether physical or virtual, to protect the organization s critical business assets Cisco and/or its affiliates. All rights reserved.
4 Secure Systems: Required to design, implement, and manage computing systems, applications, and management tools, whether physical or virtual to protect the organization s critical business assets Secure Applications: Required to establish and monitor security controls, and secure operational features embedded in, or configured during, application deployment, whether physical or virtual to protect organizations critical business assets While these seven focus areas provide increasing granularity, the framework introduces an additional level of subdivision to ensure practitioners can readily apply and manage the CMF. This tertiary layer requires the introduction of 38 cybersecurity elements as shown in Figure 1: Figure 1: Cybersecurity Management Framework Cisco and/or its affiliates. All rights reserved.
5 Cybersecurity Management Framework Adoption and Usage The CMF (Figure 1) shows how an organization should consider its own program. In a perfect, green-field situation with little pressure to protect exposed assets, an organization may not experience any difficulty with implementing this framework. Unfortunately, few organizations fit this reality and thus are not afforded the luxury of green-field framework adoption. Existing organizations must continue to operate their businesses (that is, generate revenue) to maintain their relevance. In that light, is it possible that many may choose an unplanned approach, addressing isolated security challenges versus adopting such a framework? Truthfully, it is likely some organizations may proceed in that manner. If so, what is the point of a cybersecurity management framework? Though implementing such a framework may consume more time and resources, it is important to remember that achieving cybersecurity is not an endpoint, it s a journey. Realism Sets In The CMF, or any similar framework, supports a holistic approach to cybersecurity, which most cybersecurity professionals recommend. An organization s existing program, no matter its current state, can adopt a cybersecurity management framework to benefit from consistency of approach and integration inherent to frameworks. Though implementing such a framework may consume more time and resources, it is important to remember that achieving cybersecurity is not an endpoint, it s a journey. So, too, is transitioning a grassroots, tactically-driven approach to a business-focused cybersecurity management program based on a formal cybersecurity management framework. As with all journeys, an organization must define a starting point. This is the time at which executive management realizes cybersecurity is not simply an IT function but instead a business function employing controls (people, process, technology) to address specific security objectives. Approaching security in this way guides leaders to understand the logical next step is defining a security strategy. Moreover, it becomes clear that such a security strategy is not defined by IT or the cybersecurity team, but a strategy defined by the SLT. A business management strategy clearly articulates a risk-based approach, one that all members of the SLT and the board of directors (or equivalent) easily and readily understand. It is a strategy, defined by people, that informs an organization that information is vital to the success of the organization and mandates that protecting such assets appropriately is not just a good idea, but also essential. Protecting these information assets is a responsibility everyone shares. As the SLT defines the strategic way forward, stakeholders must evaluate and manage the risks associated with compromise, loss, or theft of information. A core SLT objective is to minimize business risk to acceptable levels or eliminate risk altogether. Is it possible for an organization to completely eliminate all risk? While it is possible, such an organization would effectively cease business operations because the cybersecurity protective controls applied would likely prevent access to information or make it very difficult to consume. Perfect cybersecurity effectively acts as a business disabler, not a business enabler. To enable and support an organization s business objectives and goals, a cybersecurity management program must allow Cisco and/or its affiliates. All rights reserved.
6 authorized users access to information. This means organizational leadership must accept and manage risk concerning information compromise, loss, or theft. In short, the SLT must evaluate, understand, and accept some amount of risk when users access information assets. The question is, how much? Accepting risk may not be a path an SLT is comfortable navigating. Typically, this is where an SLT might hand off the problem to a corporate risk-management committee, or team, who, together with the chief information officer (CIO) or chief information security officer (CISO), define and agree on an overarching cybersecurity policy and potentially a cybersecurity charter. These documents articulate the general need for a risk-based cybersecurity management program, who or which teams are responsible for its definition, and which individuals and/or teams have responsibility for supporting or taking actions according to a charter, or policy, mandate. The highest level of corporate leadership (chief executive officer (CEO) or board of directors) must approve and endorse these documents. Requirements specified in these documents should be business relevant and only change as business goals and objectives change. Organizations should always require a cybersecurity policy, but some CEOs prefer to endorse a cybersecurity charter that outlines the need for cybersecurity, but delegates responsibility and authority for the cybersecurity management program s policy definition. Program strategy is the starting point from which an organization migrates its existing program to the new program based on a cybersecurity management framework. It doesn t matter what an organization s current level of sophistication is, or its complexity or maturity with regard to its cybersecurity program. Any organization is able to, and should, commit to a business-focused cybersecurity management program addressing SLT concerns as mandated, endorsed, and expressly articulated in the cybersecurity charter and policy. Transforming an Existing Cybersecurity Management Program As stated earlier, achieving a specific cybersecurity maturity level is a journey. When planning any journey, you cannot proceed without identifying a starting point and an endpoint. Given these parameters, you then determine a timeline between these two points and categorize constraining variables, if any, that can impact the journey. Security policy, to a large degree, defines the endpoint to the journey and protects the organization s information assets. The policy should only contain evergreen statements that will not require changes due to timelines, budgets, or other business variables as the approved and endorsed policy content should remain static and require few, if any, changes. Each of these is a risk that stakeholders must consider when developing their organization s cybersecurity management program. Initially, IT and cybersecurity teams own responsibility for reviewing existing cybersecurity standards and processes. They are responsible for determination of whether documented requirements comply with the policy or need to be modified to do so. Following that, the stakeholders (IT, cybersecurity, and often business unit owners of data and applications) meet with the risk committee, and/or steering Cisco and/or its affiliates. All rights reserved.
7 committee, to consider whether adoption of the proposed standards and procedures will present unacceptable risk to the organization s information assets or users. Additionally, stakeholders introduce supporting technologies, or updated tactical configurations, that are needed to address specific cybersecurity concerns. Without such preexisting programs in place, transitions are typically too burdensome and likely will result in a cybersecurity management program that does not satisfy senior leadership team defined requirements. Some organizations may try to achieve a best-in-class level of cybersecurity by implementing the framework through a single-step transition (from their current level of cybersecurity maturity). In all likelihood, this approach will fail unless organizations have, for the most part, already achieved their desired maturity levels. Without such preexisting programs in place, transitions are typically too burdensome and likely will result in a cybersecurity management program that does not satisfy SLT-defined requirements. Prudent organizations should properly assess their cybersecurity management program s current status or maturity, and subsequently use assessment results to define a baseline position from which the organization is capable of executing incremental improvements over 2 to 5 years while continuing to manage an acceptable level of risk. It is worth noting that any desire to reach optimal levels of cybersecurity concerning each element within the framework has the propensity to consume significant resources, be overly expensive, be slower to achieve, and, as such, result in an unsatisfactory ROI. Setting and achieving lower but risk-acceptable levels of cybersecurity maturity across the framework will result in compliance with requirements in a much shorter timeframe, provide enhanced ROI, and strongly limit the window of opportunity during which successful cyber attacks can occur. Cybersecurity Maturity Any cybersecurity transformation process, such as the one this paper describes, requires an organization to measure and monitor improvement for a given cybersecurity element in terms of its maturity level. The authors of this CMF adapted the Carnegie Mellon University (CMU) Capability Maturity Model (CMM) to better suit cybersecurity management programs. Carnegie Mellon University introduced its CMM to drive improvements in software development together with similar approaches documented by ISACA. In all cases, the term maturity refers to the degree of formality and optimization of processes from unplanned or initial practices to formally defined steps to managed results metrics to active optimization of the processes used during application and program development. The CMF uses predefined maturity-level requirements for each security element to objectively assess the sophistication or maturity of the documented approach. Each maturity level assigned to each element is a numeric value. Focus-area maturity values are a combination of maturity values for elements associated with a given focus area. The focus-area s maturity scores can then be combined to provide an overall maturity score for the CMF layer and finally convey an overall cybersecurity management program maturity level Cisco and/or its affiliates. All rights reserved.
8 In practice, the authors of the CMF have experienced that most organizations using this approach usually ignore layer-level and total program-maturity scores and concentrate solely on the focus area and individual cybersecurity element maturity scores. This is most likely because responsibility for specific cybersecurity elements or focus areas is far easier and more effective to delegate and manage than it is for a layer of the model or indeed the whole model. The CMF uses predefined maturity-level requirements for each security element to objectively assess the sophistication or maturity of the documented approach. Although the CMU and ISACA CMM maturity descriptions consist of five levels, the authors here found it essential to add a sixth level applicable to the cybersecurity world. This was necessary because some countries, industries, and organizations do not include certain cybersecurity elements in their programs. Allocating such elements, those not considered or implemented by an organization, a zero value ensures that the mathematics behind the model remain consistent and are not skewed by false level 1 maturity scores. At a high level, the maturity definitions defined with the CMF are summarized in Figure 2. Figure 2: CMF Maturity Levels Level 0 Absent: No identifiable controls Level 1 Initial: Acknowledgement that controls and improvements are necessary, some work has been initiated Level 2 Repeatable: Some processes/controls documented, most controls managed via tribal knowledge Level 3 Defined: Control requirements documented and managed Level 4 Managed: Very good control set, effectively managed across the enterprise Level 5 Optimal: Best in class, refined process controls Every element in the CMF contains multiple sub-elements, each of which is associated with a pre-defined set of maturity definitions. As such, the CMF has a maturity-level-definition library consisting of several hundred entries. In addition to the number of unique entries, cybersecurity elements often possess multiple interdependencies between one another. These resulting relationships drive analysis of findings from a simple maturity assessment to one that takes into consideration these multidimensional aspects. This approach also applies to development of recommendations necessary to improve maturity of a given cybersecurity element Cisco and/or its affiliates. All rights reserved.
9 Successful CMP Development: Ten Key Success Factors Organizations should not underestimate the difficulty of developing and implementing a cybersecurity management program (CMP). The introduction of a CMP affects virtually every individual or group in an organization, so it is essential that the final cybersecurity management program best address everyone s needs. The introduction of a CMP affects virtually every individual or group in an organization, so it is essential that the final cybersecurity management program best address everyone s needs. Cisco Services experience in developing CMPs indicates there are 10 key success factors. If organizations apply these statements in the order given, it has the highest probability for successfully developing, implementing, and managing a CMP: 1. Identify and gain support and commitment from a member of the SLT to introduce a CMP. 2. Develop an enterprisewide cybersecurity management program charter (effectively the cybersecurity strategy for your organization) and submit to the CMP sponsor for socialization with the SLT and endorsement by the CEO, or higher. 3. Create a CMP project work plan, the first task of which is to develop the cybersecurity policy. In larger enterprises, it is likely that multiple PMs may be necessary. 4. Establish and mandate use of a document review and version management system to support ongoing management of CMP documentation. 5. Complete work on the Cybersecurity Management Framework s strategic elements first. Note: it is also likely that multiple elements may be developed in parallel especially where there are no or few dependencies between the elements. 6. Define elements so that each element contains at least one security metric definition and identifiable data source to support metrics generation. 7. Identify and treat as high-priority development efforts key elements with enterprise wide impact such as architecture related elements and core elements that are a foundation to many other elements. 8. Develop all remaining elements having dependency on key elements followed by elements having no dependencies. Ensure all documented elements for consistency, accuracy, and elemental dependencies. 9. Ensure all current and future security-related initiatives to the agreed upon by the organization s crisis management team are taken into consideration and included in the appropriate CMF elements. 10. Dedicate time and effort to develop consistent, congruent and easily understood documentation that clearly describes the what, why, when, where, how, and who is responsible for every action required by the program. You should notice that just applying these 10 key success factors to cybersecurity management program efforts does not necessarily guarantee short-term success. It is more likely that following this framework and applying the 10 key success factors will enable a successful cybersecurity management program to emerge over the long term Cisco and/or its affiliates. All rights reserved.
10 Summary Development, implementation, and maintenance of a cybersecurity management program for an organization is no small undertaking. However, the overall benefit that organizations achieve through development and implementation of such programs based on a strong cybersecurity management framework is consistency and reduced instances of successful cyber attacks. Moreover, a cybersecurity management program often reduces a successful attack s impact on an organization s bottom line due to its programmatic predefined approach for identifying and responding to cybersecurity incidents. As a trusted partner, Cisco Security Services can assess the maturity of your CMP and, if required, help you improve your CMP, or create and deploy a CMP tailored to your organization s needs, based on a proven Cybersecurity Management Framework. The resulting program will be developed using expertise and experience gained from assessment and development of numerous CMP initiatives across different industries. Read more about cybersecurity management programs and Cisco Security Services at Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) DEC15CS /15
The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program March 2005 Legal and Copyright Notice The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the
State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council
An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief
Using PRINCE2 and MSP Together Andy Murray, Director, Outperform White Paper October 2010 2 Using PRINCE2 and MSP Together Contents 1 Purpose of this White Paper 3 2 Project and programme management context
The optimization maturity model Know where you are so you can move forward Table of contents 1 Digital optimization 2 Optimization maturity model 2 Five levels of optimization maturity 5 Benefits of becoming
Office of the Auditor General AUDIT OF IT GOVERNANCE Tabled at Audit Committee March 12, 2015 This page has intentionally been left blank Table of Contents Executive Summary... 1 Introduction... 1 Background...
Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................
OPTIMUS SBR CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE. Optimizing Results with Business Intelligence Governance This paper investigates the importance of establishing a robust Business Intelligence (BI)
TECHNOLOGY BRIEF: SERVICE ASSET AND CONFIGURATION MANAGEMENT MAPS Improving Service Asset and Configuration with CA Process Maps Peter Doherty CA TECHNICAL SALES Table of Contents Executive Summary SECTION
Cisco Virtual Desktop Infrastructure Strategy Service Build a Comprehensive Business Case for a Virtual Desktop Infrastructure Implementation The Cisco Virtual Desktop Infrastructure Strategy Service helps
I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
Global Technology Services Research Report Risk Management The economics of IT risk and reputation What business continuity and IT security really mean to your organization Findings from the IBM Global
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
[project.headway] I N T E G R A T I O N S E R I E S Integrating Project HEADWAY And CMMI P R O J E C T H E A D W A Y W H I T E P A P E R Integrating Project HEADWAY And CMMI Introduction This white paper
January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security
1 2011 Forrester Research, Inc. Reproduction Prohibited Information Security Metrics Present Information that Matters to the Business Ed Ferrara, Principal Research Analyst July 12, 2011 2 2009 2011 Forrester
SOLUTION BRIEF Heeding FISMA s Call for Security Metrics and Continuous Network Monitoring Addressing FISMA Assessment Requirements Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom
ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION KEY FEATURES AND BENEFITS Manage multiple GRC initiatives on a single consolidated platform Support unique areas of operation with
Lecture 8 About Quality and Quality Management Systems Kari Systä 10.03.2014 10.03.2014 TIE-21100/21106; K.Systä 1 Content of today s lecture Two weeks ago we discussed about testing and inspections, that
Pragmatic Business Service Management Written by Quest Software, Inc. White Paper Copyright Quest Software, Inc. 2007. All rights reserved. This guide contains proprietary information, which is protected
SOA policy management White paper April 2009 Realizing business flexibility through integrated How integrated management supports business flexibility, consistency and accountability John Falkl, distinguished
Managing Change, LLC Identifying Intangible Assets to Produce Tangible Results Toll Free: 877-880-0217 Seven Principles of Change: Excerpt from the new book, Change Management: the people side of change
RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume
PCI White Paper Series Compliance driven security Table of contents Compliance driven security... 3 The threat... 3 The solution... 3 Why comply?... 3 The threat... 3 Benefits... 3 Efficiencies... 4 Meeting
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
THOUGHT LEADERSHIP WHITE PAPER In partnership with Portfolio Management 101: Moving from Just Project Management to True PPM A lot of organizations claim that they carry out project & portfolio management
SAP Solution in Detail SAP BusinessObjects Enterprise Performance Management Solutions SAP BUSINESSOBJECTS SUPPLY CHAIN PERFORMANCE MANAGEMENT IMPROVING SUPPLY CHAIN EFFECTIVENESS The SAP BusinessObjects
Copyright 2007 ISACA. All rights reserved. www.isaca.org. Developing for Effective John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP Information security governance has become an essential element of overall
TECHNOLOGY BRIEF: SERVICE CATALOG MANAGEMENT Catalog : A CA Process Map JULY 2009 Enrico Boverino SR PRINCIPAL CONSULTANT, TECHNICAL SALES ITIL SERVICE MANAGER ITAC CERTIFIED Table of Contents Executive
An Oracle White Paper November 2011 Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime Disclaimer The following is intended to outline our general product direction.
Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction
Cisco EnergyWise and CA ecosoftware: Deliver Energy Optimization for the Data Center Executive Summary Managing energy consumption and power loads in the data center, as part of Data Center Infrastructure
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
Office of the Chief Information Officer Business Plan: 2012 2015 Department / Ministère: Executive Council Date: November 15, 2012 1 P a g e This Page Left Intentionally Blank 2 P a g e Contents The Business
White Paper IT Service Process Maps Select Your Route to ITIL Best Practice Brian Johnson VP and WW ITIL Practice Manager, CA Inc. Nancy Hinich Solution Manager, Technical Services, CA Inc. Pete Waterhouse
white paper Measure. Manage. Improve: Unlocking the Business Value of Software Development Optimization EXECUTIVE SUMMARY In 2011 the Standish Group s CHAOS Manifesto showed that 37% of software projects
Information Technology Capability Maturity Model Information Security Managing The Risk Introduction Information Security continues to be business critical and is increasingly complex to manage for the
Blending Corporate Governance with Information Security WHAT IS CORPORATE GOVERNANCE? Governance has proved an issue since people began to organise themselves for a common purpose. How to ensure the power
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
ANALYTICS & CHANGE Keys to Building Buy-In Many organizations are poised to take full advantage of analytics to drive mission and business success using analytics not just to understand past events, but
Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent
Banking Application Modernization and Portfolio Management Key Challenges and Success Factors As part of their long-term strategic plans, banks are seeking to capitalize on their legacy applications. Acquired
ISACA S CYBERSECURITY NEXUS (CSX) October 2015 DO2 EXECUTIVE OVERVIEW Will you be a Cyber defender? ISACA launched the Cybersecurity Nexus (CSX) program earlier this year. CSX, developed in collaboration
Cyber Risk as a Component of Business Risk: Communicating with the C-Suite Jigar Kadakia DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily
ANALYTICS & CHANGE KEYS TO BUILDING BUY-IN by Ezmeralda Khalil Principal Katherine Wood Susan Michener Many organizations are poised to take full advantage of analytics to drive mission and business success
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE Employing Best Practices for Mainframe Tape Encryption JUNE 2008 Stefan Kochishan CA MAINFRAME PRODUCT MARKETING John Hill CA MAINFRAME PRODUCT
CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY INTRODUCTION Information security has evolved. As the landscape of threats increases and cyber security 1 management becomes
Agile Master Data Management TM : Data Governance in Action A whitepaper by First San Francisco Partners First San Francisco Partners Whitepaper Executive Summary What do data management, master data management,
Managing Security Risks in Modern IT Networks White Paper Table of Contents Executive summary... 3 Introduction: networks under siege... 3 How great is the problem?... 3 Spyware: a growing issue... 3 Feeling
AN INTERTHINK CONSULTING WHITE PAPER Making A Case For Project Management An Overview Of Interthink Consulting's Project Management Business Case Approach Contents: Introduction Defining Organizational
The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why
Visible Solutions Critical Success Factors for Enterprise Architecture Engineering By Alan Perkins Chief Solutions Architect ASG Federal This paper describes critical success factors for developing, implementing,
GRC Stack Research Sponsorship Overview Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary
The Art of Architecture Transformation Oracle Safe Harbor The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into
WHITE PAPER November 2010 IT Financial Management and Cost Recovery Patricia Genetin Sr. Principal Consultant/CA Technical Sales David Messineo Sr. Services Architect/CA Services Table of Contents Executive
Feature Developing an Information Security and Risk Management Strategy John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. He has designed and implemented enterprisewide
5 FAM 670 INFORMATION TECHNOLOGY (IT) PERFORMANCE MEASURES FOR PROJECT MANAGEMENT (CT:IM-92; 08-01-2007) (Office of Origin: IRM/BPC/PRG) 5 FAM 671 WHAT ARE IT PERFORMANCE MEASURES AND WHY ARE THEY REQUIRED?
IT Performance Management: The Framework Initiating an IT Performance Management Program February 2007 IT Performance Management Group Bethel, Connecticut Executive Summary This Insights Note will provide
April 2016 PRIORITIZING CYBERSECURITY Five Investor Questions for Portfolio Company Boards Foreword As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies
ONLINE REPORT SPONSORED BY: SNAPSHOT: FORGE A PERSONAL CONNECTION EMPLOY CRM IN HIGHER EDUCATION TO STREAMLINE AND SOLIDIFY STUDENT RECRUITING AND RETENTION. INSIDE P2 DEPLOY AN INTEGRATED CRM SYSTEM P3
Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your
COMPREHENSIVE ASSET MANAGEMENT STRATEGY APPROVED BY SENIOR MANAGEMENT COMMITTEE ON AUGUST 23, 2012 (TO BE FINALIZED AFTER APPROVAL OF CAM POLICY BY COUNCIL) August 2012 Contents CONTENTS EXECUTIVE SUMMARY
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 31, No. 2, Summer, 2012 C1 is customer provided Data Analysis
Rebooting IT Asset Management: Enabling IT Cost Optimization in a World of Ever-Increasing Complexity A SCALABLE SOFTWARE POSITION PAPER Introduction The established practice of IT asset management (ITAM)
SOLUTION OVERVIEW SAS Solutions for Enterprise Risk Management A holistic view of risk of risk and exposures for better risk management Overview The principal goal of any financial institution is to generate
Building the EDM Roadmap An Innovation Platform for New Product Development & Regulatory Compliance Mark Cowan firstname.lastname@example.org 416 917 7531 January 16, 2008 Outline 1. Mark Cowan Quick Backgrounder 2.
Module 1: Introduction to Designing Security Table of Contents Module Overview 1-1 Lesson 1: Overview of Designing Security for Microsoft Networks 1-2 Lesson 2: Introducing Contoso Pharmaceuticals: A Case
Enterprise Program Management Office (EPMO): "Best Practices and PMOs" Stephen C. Hawald - CISM, PMP Our EPMO Ship Has Been Selected For Our Journey! Our PMO is shipworthy and ready to sail across complex
IBM Software Thought Leadership White Paper September 2010 Build an effective data integration strategy to drive innovation Five questions business leaders must ask 2 Build an effective data integration
Operations Excellence in Professional Services Firms Published by KENNEDY KENNEDY Consulting Research Consulting Research & Advisory & Advisory Sponsored by Table of Contents Introduction... 3 Market Challenges
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Collaboration and communication between technical
IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT Revised: Page 1 of 8 Introduction The importance to strong corporate governance of managing risk has been increasingly
WHY DO I NEED A PROGRAM MANAGEMENT OFFICE (AND HOW DO I GET ONE)? Due to the often complex and risky nature of projects, many organizations experience pressure for consistency in strategy, communication,
An ESRI White Paper July 2009 Creating and Maintaining a Geoportal Management Considerations ESRI 380 New York St., Redlands, CA 92373-8100 USA TEL 909-793-2853 FAX 909-793-5953 E-MAIL email@example.com WEB
White Paper Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape Financial services organizations have a unique relationship with technology: electronic data and transactions
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,
Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed
From Information Management to Information Governance: The New Paradigm By: Laurie Fischer Overview The explosive growth of information presents management challenges to every organization today. Retaining
IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government
PMI Virtual Library 2011 Daniel D. Magruder Assessing the Appropriate Level of Project, Program, and PMO Structure By Daniel D. Magruder, PMP Executive Summary Does your organization have in-flight projects