Leadership et Gouvernance Cap sur la création de valeur

Transcription

1 Leadership et Gouvernance Cap sur la création de valeur Telindus Trend Day , November 24th Cédric Mauny, Technology Leader, CISM, CISSP, ITIL, ISO27001 Security, Audit and Governance Services A Telindus Security department Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 1

2 Agenda Les nouveaux usages sous-tendent de nouveaux challenges pour l entreprise Comment les nouveaux besoins influencent-ils la manière dont seront délivrés les services IT? Comment s'assurer que les risques sont maîtrisés quand une majorité des systèmes, services et utilisateurs ne sont plus sous le contrôle direct et exclusif de l'entreprise? Comment intégrer les contraintes de l'entreprise dans la gouvernance sécurité de demain? Créer de la valeur métier pour soutenir la stratégie et les objectifs de l'entreprise La gouvernance en sécurité de l information Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 2

3 Agenda World has changed Era of Information Era of Risk Era of Information Security and Governance Bring Your Own Device Era of Value Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 3

4 World has changed Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 4 9/11/2013

5 World has changed Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 5

6 World has changed Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 6

7 World has changed Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 7

8 World has changed Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 8

9 World has changed Cisco Connected World Technology Report 2011 How College students and young professionals attitudes with social medias will influence job decisions, hiring and work-life balance Y-Generation Social media access / device freedom > money Some figures 66% asks about social media policies during job interviews 56% will not accept a job from a company that bans social media (or will circumvent the policy) 80% wants to choose the device for their jobs 71% thinks corporate devices should be used for social media / pers. use 63% of students want to access to corporate information and networks from home computers Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 9

10 World has changed Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 10

11 Era of Information Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 11 9/11/2013

12 Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 12

13 Era of Information World is changing quickly Use of information Access to information Value of information Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 13

14 Era of Information Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 14

15 Era of Information Any 3 Economy Anywhere, Anyhow, Anytime here & without constraints & now Mobility Connectivity BYOD Any 3 Security? Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 15

16 Era of Information Globalisation of the threats Internet does not have borderies Malicious insiders External attackers Cyberwar APT Spear attacks Theft of personal data, passwords, Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 16

17 Era of Information Globalisation of the threats need for a global securization approach Human security / user awareness Logical security Network and telecommunications security Information systems security Application security Physical security Principles + Policies + Technologies + Coordination Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 17

18 Era of Risk Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 18 9/11/2013

19 Nos entreprises doivent devenir des maisons de verre, avec tout ce que cela comporte comme opportunités de collaboration et de partage mais aussi tous les risques correspondants Maurice Levy, Président du Groupe Publicis Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 19 9/11/2013

20 Era of Risk Information systems are more and more critical increase of value complex increase of components connected and interconnected increase of interfaces used increase of number of users vulnerable Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 20

21 Manage risks is the key Manage risks To be pragmatic To efficiently and effectively protect assets Cost benefit Not too much Not too less Prioritisation Risks influence use of the information systems Enterprise risk management is influenced by risks against information systems Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 21

22 To know risks and assess risk profile Management of risks should not be based on prevision based on past events Anticipate consequences based on scenarios of risks Information needs to be protected commensurately value / impact their compromise poses to the organization Increasing legal and regulatory context Failure of an organization s security measures can have a direct impact on an organization s business and reputation Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 22

23 To want to manage risks Security is no longer an option Culture of enterprise Reluctance to change Risk management activities to be supported by Upper-Management to be integrated into every project IT and not IT-related Because information is everywhere Consider the security at the beginning Legal and Regulatory environment as incentive Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 23

24 To be able to manage risks Resources Budget TCO Time Timelines / deadlines Windows of opportunity Capabilities Expertise Skills Manage incidents Capability of detection and response to events and incidents Costs ROI / ROSI Cost-benefit approach Risk vs Cost of protection Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 24

25 Era of Information Security and Governance Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 25 9/11/2013

26 IT Security vs Information Security IT Security Ensure Confidentiality, Integrity and Availability of information systems Information Security Ensure Confidentiality, Integrity and Availability of everything that manage information Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 26

27 Information Security Governance Information Security Governance Information Security Governance Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 27

28 Relationship with other Governance models Several governance models exist within an organization Importance of alignment with business objectives Make the Information Security Governance as integrated part of the Enterprise Governance Enterprise Governance Financial Governance IT Governance IS Governance Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 28

29 Information Security Governance Information Security Governance is the link between Board of Directors Executive Management Teams responsible for implementing and operating the security provides the mandate essential for driving information security initiatives throughout the organization defines the set of responsibilities and practices exercised by the Board of Directors and Executive Management in relation to information security ensures the Board of Directors receives relevant (business centric) reporting about information security-related activities to enable pertinent and timely decisions about information security issues in support of the strategic objectives of the organization Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 29

30 Tests Rules administration BCP DRP Policies Information Security Governance framework S Requirements Corporate/IT policy IT/Security policy S T T O Usage policy BUSINESS LINE Security needs Information, Systems and Services Policy design O Administration IT/SECURITY LINE Security means, tools and measures Business Impacts analysis Threats preventions/protections Technology/threats watch Intrusion Security policy assessments and audits Risks analysis - Baseline Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 30

31 Information Security Governance framework Information Security Governance framework Business Strategy & Objectives Expectations & Interests Legal & Regulatory & Ethical Strategic alignment Risk management Value delivery Resource management Performance measurement Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 31

32 Information Security Governance framework Information Security Governance framework Provides the basis for the development and management of a cost effective information security program that support organization s business goals Defines activities to provide assurance that information assets are appropriately protected Consider different values, needs and requirements of Stakeholders Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 32

33 Information Security Governance Objectives Align the information security strategy with business strategy / objectives Ensure that information risks are managed appropriately Deliver value to Stakeholders and the Board of Directors Ensures enterprise information resources are used responsibly Monitors information security to ensure the objectives of the organization are achieved Desired outcomes Visibility of the Board of Directors on the information security status Decision-making about information risks Efficient and effective investments on information security Compliance with external requirements Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 33

34 Goals of Information Security Governance framework Strategic alignment The rational for the Information Security Governance Align information security with business strategy to support business objectives Consider enterprise culture, technology and structure of the organization Security investments to be aligned with the strategy (and risk profile) Security objectives should be based on business needs and expectations First to be described in business terms / expectations / requirements Then to be translated into policies, standards, procedures, processes and technologies Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 34

35 Goals of Information Security Governance framework Risk management To define what to protect and how to protect Define, implement and maintain appropriate security measures to mitigate risks and reduce potential impacts of incidents to an acceptable level Organization's threat, vulnerability and risk profile Risk exposure and risk appetite Assign priorities based on potential consequences Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 35

36 Goals of Information Security Governance framework Value delivery The ultimate goal of the Information Security Governance being cost-effective Optimise security investments in support of business objectives Priority to areas with highest business impact and greatest business benefit Optimal when strategic goals for security are achieved + acceptable risk posture is attained + lowest possible cost Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 36

37 Goals of Information Security Governance framework Resource management BYOD is at the heart of this topic Improve the efficiency and effectiveness of business solutions by allocating and controling resources People Process Technology Track security controls back to specific business requirements Resources to be proportionate to risk and potential impact Effective and efficient use information security knowledge Ensure that knowledge is created, available and updated Document processes and practices Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 37

38 Goals of Information Security Governance framework Performance measurement You cannot manage what you cannot measure Monitoring and reporting on information security processes To ensure that objectives are achieved Metrics / KPIs To be aligned with strategic objectives To be meaningful To provide the information needed for effective decisions To target the appropriate audience Independent assurance by internal / external assessments and audits Continous improvement Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 38

39 Principles of Information Security Governance framework Principles of Governance of information security Accepted rules for governance action or conduct Meeting the needs and expectations of Stakeholders Delivering value to each of them Provide a good foundation for the implementation of governance activities Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 39

40 Principles of Information Security Governance framework Establish organization-wide security Adopt a risk-based approach Set the direction of investment decisions Ensure conformance with internal and external requirements Foster a security-positive environment Review performance in relation to business outcomes Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 40

41 Principles of Information Security Governance framework Principle 1: Establish organization-wide security Take into account business, information security and appropriate IT perspectives Convergence physical security / logical security Consider storage and transfer to/by external parties Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 41

42 Principles of Information Security Governance framework Principle 2: Adopt a risk-based approach Integrate and make consistent the information security risk management approach with the organization s overall risk management approach Acceptable level of risk to be defined and accepted Determine the sufficient level of security Based on the risk appetite Consider loss of competitive advantage, compliance and liability risks, operational disruptions, reputational harm, financial loss, Allocate appropriately resources to implement agreed risk management strategy Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 42

43 Principles of Information Security Governance framework Principle 3: Set the direction of investment decisions Strategy of security investments to be based on achieving business outcomes To meet the needs of Stakeholders Map business requirements with security requirements Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 43

44 Principles of Information Security Governance framework Principle 4: Ensure conformance with internal and external requirements Policies and practices (mandatory) Legislation and regulations Independent security audits as support Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 44

45 Principles of Information Security Governance framework Principle 5: Foster a security-positive environment Information security is a people problem Security-positive environment to be built upon human behavior Coordinate Stakeholders activities to achieve a coherent direction for information security Security education, training and awareness programs Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 45

46 Principles of Information Security Governance framework Principle 6: Review performance in relation to business outcomes Ensure that the approach taken to protect information is convenient to the organization Maintain security performance at levels required to meet current and future business requirements Quality of service Performance of information security to be evaluated in regard of business impact Link information security performance to business performance Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 46

47 Now we have Information Security Governance Requirements Goals Principles Business Strategic alignment Establish organization-wide security Strategy & Objectives Risk management Adopt a risk-based approach Expectations & Interests Value delivery Set the direction of investment decisions Legal & Regulatory & Ethical Resource management Ensure conformance with internal and external requirements Performance measurement Foster a securitypositive environment Review performance in relation to business outcomes Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 47

48 Bring Your Own Device Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 48 9/11/2013

49 BYOD for Bring You Own Device Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 49

50 BYOD > Main concerns PROS CONS Merge private / Enable staff to work corporate life + from anywhere associated legal and regulatory issues Meet employees demands for the most up-to-date device More productive employees by using devices with which they re comfortable Reduce hardware costs Difficult to register, control, manage, update all employee devices (remote-wiping ) Risk management Increase Security risks concerns (malware to the corporate network, theft, ) Require to revoke distant access when no longer applicable Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 50

51 BYOD > Make a choice Tight Control Flexible & Open Anywhere, Anyhow, Anytime at Anycost? at Anyrisk? Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 51

52 BYOD > Main concerns solved Security vs flexibility? 2 ways to deal with this situation 1. Close eyes and leave employees doing 2. Forbid BYOD initiative from employees Best way is to balance the two above Control usage instead of blocking it Policy to address and mitigate risks Define with HRD new behaviour standards Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 52

53 New use brings new challenges Information value Security needs and issues Risk posture Compliance requirements Information Security Governance Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 53

54 BYOD Consumerization of IT / BYOD Brings numerous financial and technological advantages for organizations Introduces additional risk management and security concerns ipad (2010?) has quickly accelerated the era of BYOD BYOD is close to the mobility topic BYOD and Mobility changed habits of users habits of companies security and risk posture of companies Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 54

55 BYOD and Mobility changed the habits of users Merge private / work life 24/7 connected to the workplace Europeans citizens have specific approach to the work/life balance issue Country-specific legal and regulatory issues make BYOP complicated to implement Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 55

56 BYOD and Mobility changed the habits of companies Challenges in supporting your mobile workforce? Cost (41%) Managing mobile devices (37%) Corporate network security (31%) Protecting corporate data on devices (29%) Ensuring compliance (11%) Growth of ipad and Android comes with increase of these challenges N=136 IDC EMEA Enterprise Mobility Bi-Annual Survey 2011 Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 56

57 BYOD and Mobility changed the habits of companies Enterprise Mobility is a hot topic Development, deployment and use of mobile apps Business interest in mobility is high Companies have to deal with mobility governance Best practices for managing mobility risks Mobile policy IT needs a support for managing mobile devices and for managing added security risks associated with these devices and associated ecosystems Involve HRD Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 57

58 BYOD and Mobility changed the security and risk posture of companies Need for new approach to mobile security to address risk management requirements Mobile device management Application management Mobile security Compliance & Regulation Regulation influences / governs use of professional information on mobile devices Data protection Privacy Use and protection to be based on risk management decisions Company sensitive data stored onto personal device Who is responsible for their protection? Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 58

59 Security professional point of view on BYOD and associated risks 2011 ISACA Shopping on the Job Survey Online Holiday Shopping and BYOD Security (October 2011) Most risked activity An employee loses/misplaces a work-supplied computer or smartphone (66%) What about risks on BYOD? 30% 21% 50% Legend Benefits outweigh risks Risks outweigh benefits Risk and benefits are appropriately balanced Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 59

60 Adopting a BYOD Strategy for Mobile Devices 1. The user has the final word on what happens on the mobile device Users can modify the configuration, applications and technical controls on the device itself 2. Update policies and standards to incorporate BYOD specificities Guidance on how a company expects users to operate and behave when connecting and interacting with Corporate network and systems 3. Certify mobile devices and associated capabilities for Corporate use Test and certify mobile devices, OS and apps for their ability to meet an organization s information risk management and security capabilities Communicate an alternative list of popular mobile devices, operating systems and applications which evaluated but not certified Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 60

61 Adopting a BYOD Strategy for Mobile Devices 4. Limit access for employee-owned mobile devices compared to corporateissued and -managed mobile devices Limit the access of users using personal mobile devices only to low-risk activities , employee directories, internal web browsing, Issue corporate-owned and -managed mobile devices to individuals who have business needs to access sensitive data or applications 5. Inform and educate users Company s technical security control capabilities User concerns about the level of access and restrictions of organization s technical security controls enabled on their personal devices Consider the local regulations User concerns are about technical controls on personal mobile devices Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 61

62 Era of Value Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 62 9/11/2013

63 Era of Value Information Security Governance Governance Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 63

64 Era of Value Globalisation of the threats need for a global securization approach Rise of cybercrime and threats to organization s critical information assets mandates an effective information security governance strategy to enable secure business operations The use of the information is value creation for the organisation Information is the most valuable asset of the organisation From Risk vs Cost of protection To Cost + Risk vs Value Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 64

65 Era of Value Information Security Governance Develop / align Information Security Strategy and Program with business goals to support business activities by designing an effective organization of Information Security Align information security program activities with business goals and priorities Effectively manage information security risk (ROSI) Optimize resource management by utilizing information security knowledge and infrastructure efficiently and effectively Increase the value of information security activities for your organization New usage brings new risks BYOD Consider a risk management approach for balancing value, use, expectations and risks Y-Generation is coming Need for new approach to mobile security to address risk management requirements Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 65

66 La gouvernance de la sécurité de l information n est pas qu une affaire de moyens et d outils mais bien plus de cohérence, de volonté, de ténacité dans la conduite d un changement annoncé et inéluctable Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 66 9/11/2013

67 Questions & Answers Click to add chapter title Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 67

68 Evaluation forms Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 68

69 Our strategic partners Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 69

70 Thank you for your attention Click to add chapter title Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 70

71 For more information Cédric Mauny (+352) Click to add chapter title Classification: Public Telindus Trend Day 2011 Leadership et Gouvernance - Cap sur la création de valeur 2011, November 24 th Slide 71