Implementing Practical Information Security Programs

Transcription

1 Implementing Practical Information Security Programs CISO Summit March 17-19, 2013 Presented by: David Cass, SVP & Chief Information Security Officer, Elsevier Information Security & Data Protection Office (ISDP)

2 Agenda Assessing the Current State Methods for Determining Maturity Communication at the Executive Level Achieving the Future State Budget & Strategy: Working Smart

3 Assessing the Current State Enabling Capabilities Security Awareness, Education and Training Information System Architecture, Development and Maintenance Due Diligence (3rd Party Vendors, M&A, Business Case Review) Information Security Incident Management Logging and Monitoring Identity Management Strategy Sensitive Data and Asset Inventory Information Security Resources Information Security Governance Foundational Capabilities

4 Assessing Maturity Understand the External Factors What is disrupting the current Information Security design? Emerging Markets Increased need for business agility Tech skills/expectations of workforce Increased focus on Risk Management Outsourcing Cloud Mobile Apps & BYOD Big Data Social

5 Assessing Maturity Institution Issue Interest Information

6 Assessing Maturity Understand the organization structure (Institution) Centralized Decentralized Federated

7 Assessing Maturity Issue Well defined Impact Meaning

8 Assessing Maturity Interest Stakeholders Impact Meaning

9 Assessing Maturity Information What kind do I need to collect? What do I need to disseminate? Meaning

10 Approach Objective Approach Have to be able to measure what you need to communicate Quantitative Approach

11 Need for an Objective Approach Should answer: Prioritization What are my most valuable assets? Where is the most IT risk concentrated? Are my controls effectively enforcing the behaviors we want? Mitigation Do I have plans for identified issues? What is my coverage?

12 Need for a Quantitative Approach Should provide: Consistency/Reliability Ability to model: How will my risk change if I reweight my portfolio? Ability to benchmark: how do I compare to my peers?

13 Communication at the Executive Level Communication: Conveying the importance Answering the right questions?

14 Communication at the Executive Level Key Security Risks (Examples) Regulatory Non Compliance (HIPAA, PCI, EU Directives) System/ Application Downtime Customer Information Breach Theft of Proprietary Content

15 Communication at the Executive Level What are the right questions? How effective are my controls/processes? How do I compare to last year? Am I spending the right amount of $? What options do I have to transfer risk? How do I compare to my peers?

16 Communication at the Executive Level Communication & Visualization: Data should speak for itself So what test Perception Must mean something The 51% Rule

17 Communication at the Executive Level Visualization: Data should speak for itself Clean and Clear Charts Labeling

18 Communication at the Executive Level How? Use Process Driven Metrics Have a measure of time or money Well understood across the company Consistently measured Objectively calculated Create categories that are aligned to business process

19 Communication at the Executive Level Examples of Process Driven Metrics: Workstations & Laptops covered by AV(#, %) Unplanned downtime (%) Unplanned downtime impact ($) Vulnerabilities per application (#) % critical assets/functions with documented risk assessment % critical assets/functions with documented risk mitigation plan # regulatory audits successfully completed

20 Budget & Strategy: Working Smart Application Security Risk and Assurance Training Awareness, Communications, & Program Management Legal, Regulatory Compliance

21 Questions? Thank you David Cass SVP & CISO, Elsevier