Symantec Security Program Assessment

Transcription

1 Leverage security maturity to prioritize achievement of enterprise goals The Symantec Security Program Assessment evaluates the maturity of your information security program providing an understanding of anticipated exposure to information security risk likely to result from gaps within that program. The service is designed to support enterprise executives by evaluating, prioritizing and managing their portfolio of security controls. It maps current security capabilities, establishes the desired state of security maturity, and develops an overall program strategy and prioritized roadmap for achieving enterprise information security goals. [The service] really provides a comprehensive picture of each of the different pieces to the larger security landscape. Not only do I find it useful, but I ve shown it to the audit committee and to other executives to explain our current security state and our direction over the next year. Using a well-defined methodology, Symantec consultants provide advice in the context of your business and technical goals. Symantec leverages its extensive information security knowledge base to examine specific areas of control design through structured interviews, documentation reviews, threat modeling, and a series of focused workshops conducted with both business and technical stakeholders. The service provides guidance on the optimum deployment of limited resources so as to raise your level of information security maturity to meet your business needs. Overview Symantec developed the Symantec Security Management Model to facilitate wide-ranging discussions about your information security program. Although clearly aligned to established standards, such as CoBIT and ISO 27002, this provides a simpler model that assists in understanding and evaluating your existing information security management environment. Dave Cullinane, CISO, ebay Marketplaces CIO Digest Magazine, October 2007 Page 1 of 5

2 Using a well-defined methodology and the Security Management Model: Symantec consultants identify the level of capability and maturity you require Establish priorities for achieving that level within a clear information security program Advice is provided in the context of your business and technical goals As can be seen in the figure above, the Symantec Security Management Model is based on seven focus areas, these are: Security Strategy, Security Organization, Secure Operations, Business Continuity, Network & System Security, Application Security, and Data Security. These are divided into forty-two elements that apply to one or more of the focus areas. Each element in the model is evaluated on multiple axes to provide a complete picture of information security for the customer. Industry Best Practices This model is not intended to be exhaustive, but does provide an understanding of the breadth of information security capabilities that should exist within your organization. The service allows you to benchmark your organization against others in your sector. It also helps you to visualize and measure your overall information security program. For each of the elements, Symantec has developed a set of good practices to help you achieve the level of maturity that your organization requires. This is done by showing five maturity level controls for each element, how each element relates to others and the potential risk if an element is not in place. Using the Security Program Assessment approach and methodology, Symantec will engage with you and your executives to determine your optimum approach to information security management, based on your strategic goals and objectives, timeline, budget, and other delivery requirements. Interviews, Documentation Reviews, Threat Modeling and Workshops Symantec consultants help you to understand and manage the design of your information security program through interviews, documentation reviews, threat modeling, and a series of focused workshops conducted with both business and technical stakeholders. Supporting questionnaires and requests for related documentation will be distributed in advance of the engagement and are intended to gather information about your environment across a broad range of topics. The Assessment begins with a Security Program Objectives Workshop so the consulting team can better understand the business needs and objectives that drive your information security program and your risk tolerance profile. Consultants will then conduct a Business Profiling Workshop to discuss your information security risk exposure and the current and desired levels of capability maturity you need to address these. The workshops are followed by a series of facilitated group sessions and operational and technical interviews with various functional teams including security, network, host, support, application, and operations. These will identify additional areas of exposure and capture the current maturity level of your information security program. The data collected through questionnaires, workshops and interviews will provide the Symantec consultants with the information needed to conduct the analysis phase of the engagement. Page 2 of 5

3 Mapping to the Security Management Model and the Capability Maturity Model Who s using the Symantec Security Program Assessment? Financial Services Correlation and analysis of the information gathered involves relating your organization s current and required capability maturity levels to the forty-two elements of the Security Management Model. This enables the production of a prioritized action plan, mapped to the Capability Maturity Model (illustrated below). This demonstrates how the required levels of maturity can be attained, while ensuring that investment in your program aligns with your organization s strategic direction. Maturity Assessments of Information Security Program to measure improvements in capabilities Insurance Utilized the Symantec Security Management Model to compare and contrast improvements from key security initiatives Security Program Assessment Detailed Findings At the conclusion of the Security Program Assessment, Symantec delivers a written report which includes an executive summary, showing the high level analysis and findings, industry benchmarking, maturity mapping to the Capability Maturity Model, and prioritized action plan for moving to required levels of maturity. A summary chart is illustrated below. Page 3 of 5

4 Who s using the Symantec Security Program Assessment? The report includes a management summary that highlights objectives and process information for the engagement. In addition, there is a detailed section that includes the findings and analysis for your information security program against the forty-two elements of the Symantec Security Management Model, as illustrated by the diagram below. Retail Maturity Assessments of core and subsidiary business units to align program objectives. Identified and prioritized future program initiatives using the model Government Used the model to establish IT Security Program and to communicate / collaborate on security initiatives across divisions The appendices will include details of the interviews conducted, the data and documentation collected, relevant raw data, output, and reports from the analysis tools used during the engagement. Page 4 of 5

5 History and Experience in Security Program Management Symantec s broad security footprint includes: Services engagement with 95% of Fortune 500 Extensive services engagements each year across Americas, EMEA, APAC, Japan Manage security devices in over 70 countries 1800 analysts, 6200 managed security devices 40,000 registered sensors in over 200 countries Over 25,000 vulnerabilities in the Symantec vulnerability database 120 million threat and virus submission systems Symantec is the global leader in information security, and through its acquisition in late 2004, has become the leader in network and application security and third party security assessments. The challenge of managing risk, cost, and complexity cuts across all elements of the information infrastructure. To address these challenges at their source, the Symantec Advisory practice has established best practices and proven methodologies. The Symantec Security Program Assessment is our flagship offering in management consulting for information technology executives. These executives face daily challenges of managing risk, cost, and complexity across all elements of the information infrastructure. To meet the requirements of critical security initiatives, Symantec engages and utilizes resources from its Security Management Services practice to ensure delivery of the in-depth Symantec Security Program Assessment and follow-on recommendations. Successful businesses need a well-planned, comprehensive information security strategy that matches their digital risk needs and tolerances. Creating such a strategy requires careful risk assessment and analysis by a team that has experience with a wide array of information environments and business objectives. Symantec professionals use that experience to strengthen information infrastructures and meet the digital security goals of any organization. Contact Us Today For more information, please call 1 (800) Visit our Web site About Symantec Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at Symantec World Headquarters Stevens Creek Boulevard Cupertino, CA USA +1 (408) (800) Copyright 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries.. Other names may be trademarks of their respective companies. Printed in the U.S.A. 11/ Page 5 of 5