Information Security Managing The Risk
Matthew Stokes
1 Information Technology Capability Maturity Model (IT-CMF): Information Security, Managing the Risk
2 Introduction
Information security continues to be business critical and is increasingly complex to manage, for the following reasons:
- 72% of organizations report increased risk to information security, based on both external and internal threats.
- Legal and regulatory expectations pertaining to information are also changing, with increased complexity arising from organizations operating across multiple jurisdictions. Key considerations here are:
  - Has the information been retained longer than it should have been?
  - Does the data follow a defined life-cycle, and is it safe to delete it?
  - Does the business have permission to share this data with its partners?
  - Is it permissible for the company to use data supplied by another company?
Source: Information Security Forum, November
3 Whose job is it to manage security risks?
- To counter these threats and remove fear, uncertainty and doubt, organizations need to develop a comprehensive information security management capability. So whose job is that?
- ISO 38500 (Corporate governance of information technology) places responsibility for IT governance at the board of directors' level. A section of ISO 38500:2008(E) states that directors could be held responsible for security policy and standards failings. Information security is not an IT-only function; it is an organizational responsibility in which each employee, customer and supplier has responsibilities.
- Since vast amounts of information are digitally collected, stored and processed, the IT department has a significant role to play in the protection of information.
4 Information Security Management
Information Security Management is the capability to direct, oversee and control the actions and processes required to protect documented and digitized information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction, in order to provide integrity, confidentiality, accessibility, availability and usability of data, and to support non-repudiation (i.e. to prevent an author denying his or her own authorship or actions).
Adapted from
5 Scope of Information Security Management
- Strategy and governance.
- Identifying applicable regulations.
- Establishing and maintaining security policies and controls.
- Providing communication and training content on security.
- Responding to security-related incidents.
- Reporting on information security activities and compliance levels.
- Profiling security threats, and assessing, prioritizing, handling and monitoring security risks.
6 Information Security Management is Complex
The six categories of building blocks address:
- Governance: Information Security Strategy; Security Policies, Standards, and Controls; Security Roles, Responsibilities, and Accountabilities; Communication and Training; Security Performance Reporting; and Supplier Security.
- Technical Security: Security Architecture; IT Component Security; and Physical Environment Security.
- Security Resource Management: Security Budgeting; Tools and Resources; and Resource Effectiveness.
- Security Risk Management: Security Threat Profiling; Security Risk Assessment; Security Risk Prioritization; Security Risk Handling; and Security Risk Monitoring.
- Security Data Management: Data Identification and Classifications; Access Rights Management; and Life-cycle Management.
- Business Continuity Management: Business Continuity Planning; and Incident Management.
7 Summary of insights and lessons learned (1 of 6): What does mature look like?
- There is awareness and understanding across the enterprise of the role that effective security plays in business success, i.e. security is recognized as an enabler rather than a disabler.
- There are clear responsibilities for security activities.
- There is agreement by business and IT stakeholders on risk appetite and the level of security that is needed.
- Senior level sponsorship is evident.
- The organization has the capability to identify and address new and emerging risks and threats.
- There is recognition that improvements to maturity require an evolving process, with no short cuts.
- Business-focused measures are defined, monitored and acted upon by business and IT.
8 Summary of insights and lessons learned (2 of 6): Why would a CIO/CEO invest in maturing this critical capability?
- To build a competent and effective organizational capability to manage information security.
- To protect business value and business success from any adverse effects of inadequate security.
- To demonstrate effective security for stakeholders and regulators.
9 Summary of insights and lessons learned (3 of 6): What is unique, new or different about the IT-CMF approach?
- IVI's ISM capability is informed by academics and industry-based practitioners, and provides a toolkit to enable organizations to measure their capability maturity levels and develop a targeted improvement programme.
- Use of the ISM maturity curve allows organizations to set appropriate and structured security targets.
- Detailed ISM practices, outcomes and metrics provide guidance to organizations in maturing their ISM capability, with a view to deriving business value.
- IVI's ISM capability is integrated with other key critical IT capabilities.
- The IT-CMF can be used by multiple stakeholders (e.g. internal audit) to discuss and assess maturity in a structured way using a common language.
10 Summary of insights and lessons learned (4 of 6): What are the key practices required for moving up the maturity profile?
- Develop security policies and awareness/understanding (level 1 to 2).
- Develop and agree the information security strategy, risk appetite and consistent policies (level 2 to 3).
- Develop and implement appropriate education and awareness programmes (level 2 to 3).
- Ensure structured and integrated testing of security effectiveness and independent validation (level 2 to 3).
- Target and test security awareness and understanding (level 3 to 4).
- Engage stakeholders across the enterprise and adopt business-level metrics (level 3 to 4).
- Recognise the need to work effectively across the supply chain and the extended enterprise (level 4 to 5).
- Audit and verify practices to improve reach and consistency (levels 4 and 5).
11 Summary of insights and lessons learned (5 of 6): Which maturity level is typical for different types of companies/industries?
Based on the workgroup's experience of industry, smaller organizations would be expected to be at level 2, and larger and security-sensitive organizations at levels 3 and 4. This indicator will be updated later based on executive assessments, and again later based on ISM assessments.
12 Summary of insights and lessons learned (6 of 6): What typically prevents companies from moving up the maturity profile?
- Lack of resources, typically financial and skills.
- Lack of visible and tangible senior management drive and endorsement.
- Limited recognition of the need for a strategic approach to security.
- Rapidly changing and increasing volume of threats and risks, resulting in organizations taking a reactive rather than proactive stance.
- Organizational limitations, including clarity and boundaries of responsibilities and potential conflicts of priorities.
- Lack of an easy-to-apply ISM framework.
Appropriate in-depth security measures are key to supporting confidentiality and availability of information.
13 Assessing Current Maturity
The information security management capability as defined in the IT-CMF comes with:
- An on-line survey and assessment interviews to identify the current ISM maturity level.
- Companies can relate their maturity levels at each capability building block to benchmark levels.
- Based on this knowledge, and viewing their own strategic and tactical objectives, target levels can be set for the desired capability maturity level.
Steps to improve
- As with any journey, when developing an effective information security management capability the start and end states need to be understood. Once these are agreed, a route to the destination can be selected based on the need to optimize for cost, time or resource usage.
14 Using ISM's six categories, an Information Security Management capability can be matured.
The six categories of building blocks address:
- Governance: Information Security Strategy; Security Policies, Standards, and Controls; Security Roles, Responsibilities, and Accountabilities; Communication and Training; Security Performance Reporting; and Supplier Security.
- Technical Security: Security Architecture; IT Component Security; and Physical Environment Security.
- Security Resource Management: Security Budgeting; Tools and Resources; and Resource Effectiveness.
- Security Risk Management: Security Threat Profiling; Security Risk Assessment; Security Risk Prioritization; Security Risk Handling; and Security Risk Monitoring.
- Security Data Management: Data Identification and Classifications; Access Rights Management; and Life-cycle Management.
- Business Continuity Management: Business Continuity Planning; and Incident Management.
See also: Enterprise Architecture Management (EAM), Enterprise Information Management (EIM), Technical Infrastructure Management (TIM), Service Provisioning (SRP), and Solutions Delivery (SD).
15 Security: is there an app for that?
- Not any time soon!
- The remaining slides can be read for additional detail and retained for your notes.
16 Questions and Answers
17 IVI Global Community Update
18 IVI Global Community - Upcoming Events
Dates:
- February 18: Virtual Meeting (EST)
- March 10 and 11: IVI Spring Summit, New York
- April 15: Virtual Meeting (EST)
- May 20: Live event, US
- June 17: Virtual event (EST)
- July 15: Virtual event (EST)
- September 9 and 10: IVI Autumn Summit, Dublin
- October 21: Virtual event
- November 18: Live event, US
Topics:
- Making it Real: Transforming IT with IT-CMF (Dinesh Kumar, Mitovia)
- Delivering Business Improvement, plus IVI Certified Training: Assessor Essentials (12 and 13 March)
- IT Professionalism: The international dimension of e-skills and the impact of globalisation (Martin Sherry, IVI)
- Topic TBC
- Innovation Management (TBC)
- Agility in IT Management (Gar MacCriosta, IVI)
- Topic TBC
- Topic and venue TBC
19 Information Security Management: Summary of key practices, outcomes, and metrics

Level 5, Optimizing
Key practices: Review and improve governance across the extended enterprise. Use best practice architecture, components, and physical security options. Review, improve, and manage security budget, tools, and resources. Extend security risk management to the extended enterprise. Consistently use and improve data identification and classifications, access rights management and data lifecycles across the extended enterprise. Provide industry best practice information security guidelines and advice on business continuity.
Outcomes: Reduced likelihood of regulatory issues to be managed. Fewer security issues. Less waste and better returns for the spend on security. Holistic risk management. Value return is improved based on the widespread usage of sound data management layers. Reduced impacts during incidents.
Key metrics: # Security audit issues; # Compliance issues under corrective action; # Security issues; # Security staff turnover rates; # Security resource utilization ratios; # Security issues included in risk register; # Effort to develop security features in new applications; # Count and cost of incidents.

Level 4, Advanced
Key practices: Regularly review and improve all aspects of security. Implement governance criteria across the enterprise. Implement technical and physical security consistently across the enterprise. Use risk assessment and value returns to guide the security budget. Roll data management and business continuity practices out across the enterprise.
Outcomes: Reduced risk of weak links compromising security. Locations and access points have sufficient security. Security spend provides risk reduction and improves reputation. Higher returns from security investment.
Key metrics: # Incidents and adverse audit findings by site, department, and/or function; # Equipment and configuration variances between HQ, branch or end devices; # Identified critical risks that are cost-effectively mitigated; # Security feature costs in new developments.

Level 3, Intermediate
Key practices: Implement documented security governance, roles, architecture, components, tools, resources, and practices aligned with some business units. Identify and communicate data security classifications and life-cycles for IT and some business units. Provide business continuity security plans.
Outcomes: Efficient, effective and consistent security is applied. Appropriate levels of security can be applied to business data.
Key metrics: # Stakeholder satisfaction; # Security competences being developed; # Automated monitoring and screening; # Availability and confidentiality issues; # Cost to develop security features; # Security-focused elements in continuity plan.

Level 2, Basic
Key practices: Establish and communicate policies based on regulations, standards and risk assessment. Start to implement data security classifications, lifecycles, and access control mechanisms.
Outcomes: Raised security awareness and improved security features. Aspects of security can be managed using meta-data.
Key metrics: # Stakeholder awareness surveys; # Security issues; # Security meta-data utilization.

Level 1, Initial
Key practices: Educate and raise awareness of information security. Use system and application secured options by default.
Outcomes: Basic security problems are fixed. Increased security.
Key metrics: # Staff attended awareness training; # Components or suppliers not complying.
20 Information Security Management (ISM): Transitions to increase maturity

Level 4 (Advanced) to Level 5 (Optimizing)
Action taken: Align security strategies across the extended enterprise. Develop and adopt agile risk management practices. Promote security awareness and understanding across the extended enterprise. Promote effective security designs and architectures. Implement automated responses and alerts.
Value delivered: Confidence in consistent security measures and reduced risk of the weakest link compromising security. Cost-effective rapid responses to risk changes. Enhanced security is achievable only with security-conscious staff. Effective security measures have little or no impact on business volumes or variety. Faster effective responses to threats limit exposure.

Level 3 (Intermediate) to Level 4 (Advanced)
Action taken: Regularly review and update security strategies. Standardize risk management practices. Target and test security awareness and understanding. Develop an enterprise approach to security architecture. Align and focus data classification, lifecycle and access management practices. Use advanced/targeted tools; ROI on budgets.
Value delivered: Security measures match changing risks and threats. Training costs and learning efforts are reduced. Awareness weaknesses are identified and corrected. Security views are available showing layers and depth. Security factors are considered and factored in at data classification, lifecycle and access control design. Security spend and ROI are measured and managed.

Level 2 (Basic) to Level 3 (Intermediate)
Action taken: Align information security with business security strategy and risk appetite. Standardize risk practices and threat profiling. Promote security awareness/understanding. Apply extensive architecture and security features. Develop general data classification, lifecycle and access management practices. Increase tool use and make budgets transparent.
Value delivered: Information security measures match those the business needs. Threat profiles are interpreted consistently. Security-aware staff expand the resources available to secure business assets. Improved consistency and efficiency. Security is applied to data and applications in accordance with business needs and priorities. Tools free staff for higher value activities; increased understanding of the value delivered from investments.

Level 1 (Initial) to Level 2 (Basic)
Action taken: Develop basic risk management and threat profiling. Develop security policies and awareness/understanding. Start to implement basic architecture and security features. Start using local practices in data classification, lifecycle and access management. Start using tools and budget management.
Value delivered: Awareness and competence grow. Immediate improvements in behaviour. Concepts for a security foundation emerge. Local successes on sensitive data and information act as a starting point for communities of practice. Tools free people for higher value activities.
21 Information Security Management (ISM): Critical capability maturity profile levels

Level 5, Optimizing
The information security strategy is regularly aligned to business/IT strategies and risk appetite across the extended enterprise. An effective multi-layered security architecture framework is used across the extended enterprise. A structured approach to measuring value for money is applied consistently to proposed security investments and post implementation. Intelligence is gathered and security threat profiles defined and updated in collaboration with the extended enterprise. Access rights management is dynamic and can effectively address organization restructures, acquisitions and divestments. The extended enterprise works proactively to avoid security incidents occurring, and incidents are effectively managed.

Level 4, Advanced
There is an established security culture with dedicated and tailored employee training and measurement of efficiency and effectiveness. IT component security measures are implemented enterprise-wide for detection and mitigation of threats and attacks, and are tested. Advanced managerial tools that monitor, alert and detect issues or non-compliances are specified to aggregate across the enterprise. Employee skill and competence levels are specified, and a standardized toolset and resource management approach is adopted. A standardized security risk assessment process is consistently used across the enterprise and aligned with an enterprise risk process. Access rights processes, including a movers process, are effectively implemented across the enterprise and audited. Enterprise-wide continuity planning is provided for each specific risk. IT regularly tests and confirms that business restoration can be achieved.

Level 3, Intermediate
There is a growing security-aware culture. Detailed security requirements for procurement are defined and adhered to. IT and some business units have a shared vision for security; most security architecture features are common, and depth of defence and configuration management practices are evident. There is visibility of security budget requirements and allocations, with consistent training programmes and an agreed approach to toolsets. The security risk prioritization process is based on a repeatable evaluation of business impact, probability of occurrence, and time horizon. Access rights, including joiners and leavers, are granted based on a formal authorization process. An agreed business and IT continuity plan, addressing backups, archival and system recovery, is implemented with some testing.

Level 2, Basic
Information security policies and standards are developed by IT and reviewed after major incidents. There is some performance measurement. Physical security guidelines are emerging, and IT and facilities departments are active with restricted physical access to key locations. A small number of key information security roles are identified within IT, and individuals are allocated responsibility and accountability. Some basic intelligence gathering and security threat profiling takes place, but there is no consistent method. Data security classification guidelines are defined for key sensitive data items, and processes for managing the security of data throughout its lifecycle are emerging. Access rights management is basic and is dependent on vendor-supplied solutions. There is basic management of security incidents in IT, and key incidents are recorded.

Level 1, Initial
Information security strategy, policies and standards are defined ad hoc, with little alignment to business strategies or risk appetite. IT component security is addressed ad hoc or locally and mainly reflects the security bundled by primary suppliers only. The purchase specification of security tools, products and resources tends to be ad hoc or local. There is no systematic monitoring of security risks. A risk register is not present or is incomplete. Access rights are managed ad hoc, or using informal procedures. The security of data throughout its lifecycle is considered ad hoc. Business continuity planning advice and expertise is limited to local efforts, with security incidents managed ad hoc.

Key: Breakthrough level (first level with significant interconnection between business and the IT organization).
22 Information Security Management Capability Building Blocks: Governance
- Information Security Strategy: Develops, communicates, and supports the organization's IT security objectives so they fit the organization's business model and risk appetite.
- Security Policies, Standards, and Controls: Establishes and maintains security policies and controls incorporating relevant security standards and regulatory and legislative security requirements, ensuring they fit the organization's business model and security objectives.
- Security Roles, Responsibilities, and Accountabilities: Identifies and establishes information security roles, including allocation and enforcement of security responsibilities. Agrees and/or assigns responsibilities and accountability to allocated resources.
- Communication and Training: Disseminates security processes, policies and other relevant information. Provides training content in security practices and develops security knowledge and skills.
- Security Performance Reporting: Reports on the levels of compliance achieved, and the effectiveness and efficiency of the security activities.
- Supplier Security: Defines security requirements and expectations pertaining to the procurement and supply of hardware, software, services and data.
23 Information Security Management Capability Building Blocks: Technical Security and Security Resource Management
Technical Security
- Security Architecture: Establishes and applies criteria and practices in designing security solutions with the aim of achieving appropriate, cost-effective protection. Defines security layers to provide depth of defence and configuration management of security features.
- IT Component Security: Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices.
- Physical Environment Security: Establishes and maintains measures to control access into, and protect, the physical infrastructure from threats and environmental factors (e.g. extreme temperatures, flooding, fire).
Security Resource Management
- Security Budgeting: Provides security-related budget criteria. This includes concepts such as requiring that new equipment be purchased with specific security features, e.g. virus protection.
- Tools and Resources: Specifies and procures specific security tools/products and resources. Manages the tools, security solutions and the staff assigned for security purposes.
- Resource Effectiveness: Measures value for money from security investments. Captures feedback from stakeholders and other sources on the effectiveness of security resource management procedures, tools and activities.
24 Information Security Management Capability Building Blocks: Security Risk Management
- Security Threat Profiling: Gathers intelligence on threats and vulnerabilities from internal and external sources. Identifies and documents the security threat profiles by their potential impact on business objectives and activities.
- Security Risk Assessment: Runs assessments to identify, document and quantify/score security-related risks and their components. Assessments include the evaluation of exposure to risks, and measurement of their likely impact.
- Security Risk Prioritization: Prioritizes security risks and risk handling strategies, based on residual risks, acceptable risk levels and changes to the business/IT environment or operating environment, such as outsourcing, mergers and acquisitions.
- Security Risk Handling: Implements risk handling strategies, where risks can be deferred, accepted, mitigated, transferred or eliminated, and risk ownership allocated. Interacts with Incident Management functions.
- Security Risk Monitoring: Tracks changes to the identified security risks, and validates the effectiveness of risk handling strategies/controls.
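The assessment, prioritization and monitoring building blocks above, together with the level 3 profile statement that prioritization rests on "business impact, probability of occurrence, and time-horizon", can be made concrete with a small risk register. The following is an added example written for this page, not IT-CMF or IVI material: it scores each risk on those three factors, derives residual risk from the effectiveness of existing controls, compares it with an agreed risk appetite, and reports what changed between two snapshots of the register (the monitoring step). The 1 to 5 scales, the horizon weighting, the appetite threshold of 6.0 and the sample risks are all constructed assumptions, not values from the deck.

```python
"""Security risk register: scoring, prioritization and monitoring.

Added illustration, not IT-CMF material. Scales, the horizon weighting,
the appetite threshold and the sample register are constructed assumptions.
"""
from dataclasses import dataclass

# Handling strategies named in the Security Risk Handling building block.
HANDLING = {"defer", "accept", "mitigate", "transfer", "eliminate"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    impact: int                   # assumed scale: 1 negligible .. 5 severe
    probability: int              # assumed scale: 1 rare .. 5 almost certain
    horizon_months: int           # how soon the threat is expected to materialise
    control_effectiveness: float  # 0.0 no control .. 1.0 fully mitigated
    owner: str
    handling: str


def horizon_weight(months: int) -> float:
    """Near-term risks weigh more: 1.0 within 3 months, tapering to 0.5 at 24+."""
    if months <= 3:
        return 1.0
    if months >= 24:
        return 0.5
    return 1.0 - 0.5 * (months - 3) / 21


def inherent_risk(r: Risk) -> float:
    return r.impact * r.probability * horizon_weight(r.horizon_months)


def residual_risk(r: Risk) -> float:
    """Inherent risk reduced by the controls already in place."""
    return round(inherent_risk(r) * (1.0 - r.control_effectiveness), 2)


def prioritize(register: list[Risk], appetite: float) -> list[tuple[str, float, bool]]:
    """Return (risk_id, residual, within_appetite), highest residual first.

    Entries without an owner or with an unknown handling strategy cannot be
    prioritized meaningfully, so they are rejected rather than silently scored.
    """
    rows = []
    for r in register:
        if r.handling not in HANDLING:
            raise ValueError(f"{r.risk_id}: unknown handling strategy {r.handling!r}")
        if not r.owner:
            raise ValueError(f"{r.risk_id}: no risk owner allocated")
        res = residual_risk(r)
        rows.append((r.risk_id, res, res <= appetite))
    return sorted(rows, key=lambda row: -row[1])


def monitor(previous: list[Risk], current: list[Risk], appetite: float) -> list[tuple[str, str]]:
    """Risk monitoring: what changed between two assessments of the register."""
    prev = {r.risk_id: residual_risk(r) for r in previous}
    cur = {r.risk_id: residual_risk(r) for r in current}
    changes = [(rid, "new") for rid in cur.keys() - prev.keys()]
    changes += [(rid, "closed") for rid in prev.keys() - cur.keys()]
    for rid in prev.keys() & cur.keys():
        if prev[rid] <= appetite < cur[rid]:
            changes.append((rid, "breached appetite"))  # a control lapsed or the threat grew
        elif cur[rid] <= appetite < prev[rid]:
            changes.append((rid, "back within appetite"))
    return sorted(changes)


# Constructed sample: R2's control lapsed, R4 gained a control, R3 is new, R5 was closed.
APPETITE = 6.0
REGISTER_PREVIOUS = [
    Risk("R1", "Phishing leads to credential theft", 4, 4, 1, 0.5, "CISO", "mitigate"),
    Risk("R2", "Unpatched internet-facing VPN appliance", 5, 3, 6, 0.7, "Infra lead", "mitigate"),
    Risk("R4", "Leaver accounts stay enabled", 3, 3, 3, 0.0, "IAM lead", "mitigate"),
    Risk("R5", "Legacy file share exposed internally", 2, 4, 3, 0.0, "Infra lead", "eliminate"),
]
REGISTER_NOW = [
    Risk("R1", "Phishing leads to credential theft", 4, 4, 1, 0.5, "CISO", "mitigate"),
    Risk("R2", "Unpatched internet-facing VPN appliance", 5, 3, 6, 0.0, "Infra lead", "mitigate"),
    Risk("R3", "Data centre flooding", 5, 1, 24, 0.6, "Facilities", "transfer"),
    Risk("R4", "Leaver accounts stay enabled", 3, 3, 3, 0.8, "IAM lead", "mitigate"),
]


def sample_priorities() -> list[tuple[str, float, bool]]:
    return prioritize(REGISTER_NOW, APPETITE)


def sample_changes() -> list[tuple[str, str]]:
    return monitor(REGISTER_PREVIOUS, REGISTER_NOW, APPETITE)


if __name__ == "__main__":
    for rid, res, ok in sample_priorities():
        print(f"{rid}: residual {res:5.2f} {'within' if ok else 'ABOVE'} appetite")
    for rid, change in sample_changes():
        print(f"{rid}: {change}")
```

The two outputs map onto the building blocks: the prioritized list is what the Prioritization block hands to the Handling block (anything above appetite needs an owner to mitigate, transfer, eliminate or explicitly accept it), and the change report is the Monitoring block's evidence that a control has stopped working, which in the sample is the VPN patching control on R2 lapsing and pushing it back above appetite.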
25 Information Security Management Capability Building Blocks: Security Data Management and Business Continuity Management
Security Data Management
- Data Identification and Classifications: Defines security classifications and provides guidance for associated protection levels and access control.
- Access Rights Management: Manages the lifecycle of user accounts and certificates, and the granting, denial and revocation of access rights. Matches access control procedures to data classifications.
- Life-cycle Management: Provides the security expertise and guidance to ensure that data throughout its lifecycle is appropriately available, adequately preserved and/or destroyed to meet business, regulatory and/or security requirements.
Business Continuity Management
- Business Continuity Planning: Provides expertise and guidance to ensure that business continuity planning is effective in ensuring data integrity, confidentiality and availability. This may include input on backup management, archiving management, and systems recovery policies and procedures.
- Incident Management: Establishes and implements procedures for handling incidents and near incidents. Evaluates the nature and impact of incidents. Supports protection of the organization by providing feedback and reports on security aspects of incidents.
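The Access Rights Management block above ("granting, denial and revocation of access rights" matched to data classifications) and the maturity profile's joiners, movers and leavers processes describe an access review that can be automated. The following is an added example written for this page, not IT-CMF or IVI material: it reconciles an HR roster (the source of truth for employment status and department) with directory accounts and their group memberships, and checks each group that unlocks classified data against a policy table. The users, groups, the policy table and the rule that Confidential and Restricted data require MFA are all constructed assumptions for illustration.

```python
"""Joiner/mover/leaver access review against data classifications.

Added illustration, not IT-CMF material. The policy table, MFA rule and
sample roster/accounts are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: the classification of the data each group unlocks and
# which departments may hold it (None means any department).
GROUP_POLICY = {
    "fin-ledger-rw": {"classification": "Confidential", "departments": {"Finance"}},
    "hr-payroll-ro": {"classification": "Restricted", "departments": {"HR"}},
    "eng-repo-rw": {"classification": "Internal", "departments": {"Engineering"}},
    "all-staff": {"classification": "Public", "departments": None},
}
# Assumed control: accounts holding these classifications must have MFA enforced.
MFA_REQUIRED_FOR = {"Confidential", "Restricted"}


@dataclass
class HRRecord:
    user: str
    department: str
    status: str  # "active" or "left"


@dataclass
class Account:
    user: str
    enabled: bool
    mfa: bool
    groups: set = field(default_factory=set)


def review_access(hr: list[HRRecord], accounts: list[Account]) -> list[tuple[str, str, str]]:
    """Return findings as (user, finding, detail) in a stable order."""
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            findings.append((acct.user, "orphan", "account has no HR record"))
            continue
        if rec.status == "left":
            if acct.enabled:
                findings.append((acct.user, "leaver", "account still enabled after departure"))
            continue  # a disabled leaver account needs no further checks
        for group in sorted(acct.groups):
            policy = GROUP_POLICY.get(group)
            if policy is None:
                findings.append((acct.user, "unknown-group", group))
                continue
            allowed = policy["departments"]
            if allowed is not None and rec.department not in allowed:
                # The usual mover residue: rights kept from a previous role.
                findings.append((acct.user, "mover", f"{group} is not permitted for {rec.department}"))
            if policy["classification"] in MFA_REQUIRED_FOR and not acct.mfa:
                findings.append((acct.user, "mfa-missing", f"{group} unlocks {policy['classification']} data"))
    # Joiners: active in HR with no account yet; they tend to end up on shared logins.
    known = {a.user for a in accounts}
    findings += [(r.user, "joiner", "active staff member without a provisioned account")
                 for r in hr if r.status == "active" and r.user not in known]
    return findings


# Constructed sample: bob moved from Finance to Engineering, carol has left,
# eve has an account but no HR record, dave joined and has no account yet.
SAMPLE_HR = [
    HRRecord("alice", "Finance", "active"),
    HRRecord("bob", "Engineering", "active"),
    HRRecord("carol", "HR", "left"),
    HRRecord("dave", "Engineering", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, {"fin-ledger-rw", "all-staff"}),
    Account("bob", True, False, {"fin-ledger-rw", "eng-repo-rw", "all-staff"}),
    Account("carol", True, True, {"hr-payroll-ro"}),
    Account("eve", True, False, {"all-staff"}),
]


def sample_findings() -> list[tuple[str, str, str]]:
    return review_access(SAMPLE_HR, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for user, finding, detail in sample_findings():
        print(f"{user:6} {finding:14} {detail}")
```

Run against the sample, the review reports bob's retained Finance ledger access (a mover) and his missing MFA on Confidential data, carol's still-enabled leaver account, eve's orphan account and dave as a joiner without a provisioned account; alice produces no finding. Running this on a schedule and feeding the "leaver" and "orphan" counts into the "# Security issues" and audit metrics from slide 19 is how the audited movers process at level 4 becomes measurable rather than asserted.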
26 Limitation of Liability
Innovation Value Institute. All rights reserved. The material contained herein may not be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part, without prior written consent of the Innovation Value Institute, except in the manner described in the documentation. All other brand names, product names, and trademarks are copyright of their respective owners. While every reasonable precaution has been taken in the preparation of this document, the author and publishers assume no responsibility for errors or omissions, nor for uses made of the material contained herein and the decisions based upon such use. No warranties are made, express or implied, with regards to either the contents of this work, its merchantability, or fitness for a particular purpose. Neither the author nor the publishers shall be liable for direct, indirect, special, incidental, or consequential damages arising out of the use or the inability to use the contents of this text.
27 For more information visit
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationP3M3 Portfolio Management Self-Assessment
Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction
More informationUF Risk IT Assessment Guidelines
Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationeeye Digital Security and ECSC Ltd Whitepaper
Attaining BS7799 Compliance with Retina Vulnerability Assessment Technology Information Security Risk Assessments For more information about eeye s Enterprise Vulnerability Assessment and Remediation Management
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationIT Risk & Security Specialist Position Description
Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level
More informationGOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011
APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT January 7, 2011 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS
More informationInformation Security in Business: Issues and Solutions
Covenant University Town & Gown Seminar 2015 Information Security in Business: Issues and Solutions A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information
More informationCopyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience
Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie
More informationSecurity & Privacy Current cover and Risk Management Services
Security & Privacy Current cover and Risk Management Services Introduction Technological advancement has enabled greater working flexibility and increased methods of communications. However, new technology
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More informationInformation Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH
Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework
More informationCisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.
Data Sheet Cisco Optimization s Optimize Your Solution using Cisco Expertise and Leading Practices Optimizing Your Business Architecture Today, enabling business innovation and agility is about being able
More informationADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0
ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright
More informationHow does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1
How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management
More informationPart A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...
Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation
More informationProcuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
More informationThe IBM data governance blueprint: Leveraging best practices and proven technologies
May 2007 The IBM data governance blueprint: Leveraging best practices and proven technologies Page 2 Introduction In the past few years, dozens of high-profile incidents involving process failures and
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationCISM ITEM DEVELOPMENT GUIDE
CISM ITEM DEVELOPMENT GUIDE TABLE OF CONTENTS CISM ITEM DEVELOPMENT GUIDE Content Page Purpose of the CISM Item Development Guide 2 CISM Exam Structure 2 Item Writing Campaigns 2 Why Participate as a CISM
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationIT Governance Regulatory. P.K.Patel AGM, MoF
IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation
More informationCrosswalk Between Current and New PMP Task Classifications
Crosswalk Between Current and New PMP Task Classifications Domain 01 Initiating the Project Conduct project selection methods (e.g., cost benefit analysis, selection criteria) through meetings with the
More informationInformation Security Management System Policy
Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the
More informationHow To Protect Your Network From Attack From A Network Security Threat
Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your
More informationImproving Service Asset and Configuration Management with CA Process Maps
TECHNOLOGY BRIEF: SERVICE ASSET AND CONFIGURATION MANAGEMENT MAPS Improving Service Asset and Configuration with CA Process Maps Peter Doherty CA TECHNICAL SALES Table of Contents Executive Summary SECTION
More informationGOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts
GOVERNANCE DEFINED Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts Governance over the use of technology assets can be seen
More informationINSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.
Symantec Corporation TM Symantec Product Vulnerability Management Process Best Practices Roles & Responsibilities INSIDE Vulnerabilities versus Exposures Roles Contact and Process Information Threat Evaluation
More informationDirector, Value Engineering
Director, Value Engineering April 25 th, 2012 Copyright OpenText Corporation. All rights reserved. This publication represents proprietary, confidential information pertaining to OpenText product, software
More informationCLASSIFICATION SPECIFICATION FORM
www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information
More informationCyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
More informationRisk Management Policy and Framework
Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
More informationState Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4
State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes
More informationInformation & Asset Protection with SIEM and DLP
Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the
More information2011 Forrester Research, Inc. Reproduction Prohibited
1 2011 Forrester Research, Inc. Reproduction Prohibited Information Security Metrics Present Information that Matters to the Business Ed Ferrara, Principal Research Analyst July 12, 2011 2 2009 2011 Forrester
More informationGuidelines 1 on Information Technology Security
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
More informationCENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
More informationInformation Security Governance:
Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens
More informationW H I T E P A P E R I m p a c t o f C y b e r s e c u r i t y A t t a c k s a n d N e w - A g e S e c u r i t y S t r a t e g i e s
W H I T E P A P E R I m p a c t o f C y b e r s e c u r i t y A t t a c k s a n d N e w - A g e S e c u r i t y S t r a t e g i e s IDC Middle East, Africa, and Turkey, Al Thuraya Tower 1, Level 15, Dubai
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationRisk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.
Risk mitigation for business resilience White paper A comprehensive, best-practices approach to business resilience and risk mitigation. September 2007 2 Contents 2 Overview: Why traditional risk mitigation
More informationCA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.
TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive
More informationAddressing Cyber Risk Building robust cyber governance
Addressing Cyber Risk Building robust cyber governance Mike Maddison Partner Head of Cyber Risk Services The future of security The business environment is changing The IT environment is changing The cyber
More informationLeveraging a Maturity Model to Achieve Proactive Compliance
Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationInfrastructure consulting. Global Infrastructure
Infrastructure consulting Global Infrastructure Services Operational costs systems availability compliance and security energy and power usage disaster recovery all contribute to today s increasingly complex
More informationCISM Certified Information Security Manager
CISM Certified Information Security Manager Firebrand Custom Designed Courseware Chapter 4 Information Security Incident Management Exam Relevance Ensure that the CISM candidate Establish an effective
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationHow To Manage Risk On A Scada System
Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives (Revised March 2012) Disclaimer: To the extent permitted by law, this document
More informationRSA ARCHER OPERATIONAL RISK MANAGEMENT
RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationApplying ITIL v3 Best Practices
white paper Applying ITIL v3 Best Practices to improve IT processes Rocket bluezone.rocketsoftware.com Applying ITIL v. 3 Best Practices to Improve IT Processes A White Paper by Rocket Software Version
More informationCreating a Catalog for ILM Services. Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel
Creating a Catalog for ILM Services Bob Mister Rogers, Application Matrix Paul Field, Independent Consultant Terry Yoshii, Intel SNIA Legal Notice The material contained in this tutorial is copyrighted
More informationBusiness Continuity / Disaster Recovery Context
Capability Business Continuity / Disaster Recovery Context What is Business Continuity? The Business Continuity Program Life Cycle Copyright: Virtual Corporation, 1994 2006 Modified U.S. DoD Graphic Normal
More informationManaged Services. Business Intelligence Solutions
Managed Services Business Intelligence Solutions Business Intelligence Solutions provides an array of strategic technology services for life science companies and healthcare providers. Our Managed Services
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationInformation Security Management System Information Security Policy
Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been
More informationNational Approach to Information Assurance 2014-2017
Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version
More informationCisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationData Governance. Unlocking Value and Controlling Risk. Data Governance. www.mindyourprivacy.com
Data Governance Unlocking Value and Controlling Risk 1 White Paper Data Governance Table of contents Introduction... 3 Data Governance Program Goals in light of Privacy... 4 Data Governance Program Pillars...
More informationINFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
More informationPromotion Model. CVS SUITE QUICK GUIDE 2009 Build 3701 February 2010. March Hare Software Ltd
CVS SUITE QUICK GUIDE 2009 Build 3701 February 2010 March Hare Software Ltd Legal Notices Legal Notices There are various product or company names used herein that are the trademarks, service marks, or
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationGuide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
More informationPOLICY. Number: 7311-10-005 Title: Enterprise Risk Management. Authorization
POLICY Number: 7311-10-005 Title: Enterprise Risk Management Authorization [ ] President and CEO [ X] Vice President, Finance and Corporate Services Source: Director, Enterprise Risk Management Cross Index:
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationPrivacy and Security Framework, February 2010
Privacy and Security Framework, February 2010 Updated April 2014 Our Vision Better data. Better decisions. Healthier Canadians. Our Mandate To lead the development and maintenance of comprehensive and
More informationThe Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005
The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program March 2005 Legal and Copyright Notice The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the
More informationRisk Management Framework
Risk Management Framework Mandate and commitment Design of framework for managing risks Continual improvement of the framework Implementing risk management Monitoring and review of the framework Source:
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationRisk Management Frameworks
Effective Security Practices Series Driven by a wave of security legislation and regulations, many IT risk management frameworks have surfaced over the past few years. These frameworks attempt to help
More information