An Introduction to the Information Security Program Model (ISPM)

Transcription

1 SECURELY ENABLING BUSINESS An Introduction to the Information Security Program Model (ISPM) Presented by: Nick Puetz VP of Strategic Services, FishNet Security David Robinson CIO, Lockton Companies

2 AGENDA Information Security Program Model (ISPM) Overview Why the ISPM Goals of the ISPM ISPM Overview ISPM Deliverables

3 GAP ANALYSIS GAPS Client asks: How mature is my security program? What do I need to fix first? What does my long-term roadmap look like? How do I manage and measure my program once you leave? What traditional Gap Analysis projects are missing? Findings are overly tactical; very black and white. Lacks actionable and prioritized remediation roadmap. Provides very little program level analysis or direction.

4 PURPOSE OF THE ISPM Provide a foundation to build and develop an Information Security Program. Identify the gaps in your security program, evaluate its maturity and better manage your security strategy. Ensure priority is placed on the most valued aspects of your security program. Articulate information security program s value and progress to executives. Continually measure the maturity of one s information security program against best practices and/or industry vertical peers.

5 ISPM OVERVIEW FishNet Security Information Security Program Model Developed: January 2012 Authors: 12+ contributors Model consists of: 3 Pillars (Governance & Policy, Risk, and Operations Management) 23 Programs 157 Strong Characteristics Based on Info Security Best Practices (ISO 27002:2005, CoBIT 4.1, CoBIT 5, NIST PS Series, NERC-CIP, and PCI) Delivery: ISPM Workshop ISPM Assessment ISPM Continuous Engagement

6 INFORMATION SECURITY PROGRAM MODEL 2014 FishNet Security Inc. All rights reserved.

7 ISPM MATURITY VOTING RANKING LEGEND

8 SECURELY ENABLING BUSINESS Information Security Program Model (ISPM) Deliverables

9 ISPM HANDBOOK Detailed narrative document that includes an explanation of the ISPM including descriptions of all Pillars and Elements. Provide guidance for ongoing management of the ISPM Annual Program that enables the customer take control of the program after the initial 12-months of the program.

10 ISPM COMPARISON DASHBOARDS Current State Self-Evaluation INFORMATION SECURITY PROGRAM MODEL (ISPM) PILLARS { Governance & Policy Risk Operations Management PROGRAMS { n/a

11 ISPM VALUE VS. PRIORITY MAP

12 DETAILED INITIATIVE PLANNING Develop an effective logging and Initiative: Target Completion End of Q Importance HIGH monitoring program INITIATIVE SUMMARY: Related Initiatives None Current Maturity (CMMI): 2.25 ABC Inc. will undertake an initiative to develop an enterprise wide approach to the collection and management of log files for key systems within the ABC, Inc. computing environment. This will include Sub-Initiatives Develop a log management framework Develop business, staffing and Conduct a software monitoring / management tool inventory Executive Sponsor Project Manager Key Staff Members Key Skillsets Required CIO IT Delivery Manager IT, Security, Audit Information Security SMEs, product SME(s) Complexity High Resources Required Executive stakeholder involvement and buy in (CEO, CIO, CISO) Resource and expertise availability Business unit buy-in RESULT OF COMPLETED INITIATIVE Future Maturity (CMMI): 4.25 ABC Inc. will have the ability to take a proactive approach to addressing network and access issues. Compliance mandates will be addressed FUNDING/RESOURCE REQUIREMENTS Internal Labor Yes SME input for technical and business requirements. Industry average: Minimum 9 resources to manage SNOC External Labor Yes - Solution specific expertise Other Costs Capital Yes: Product Expense Yes: Ongoing maintenance / support, staffing, and product owner training RISKS Impact to business operations due to a data breach or service outage ABC Company could be in violation of compliance mandates Increase time to identify and resolve network and access issues Inability to answer the why question during a post incident review KEY TASKS/OWNERS Identify compliance mandate requirements Conduct staffing feasibility assessment Develop business and technical solution requirements Develop Gain support Conduct a Determine the Roll out the

13 ISPM STRATEGIC ROADMAP

14 TARGETED ROADMAP Ref# Recommendation Program Priority Initiative Start Resource Product Component Cost ST-01 ST-02 Develop and effective Logging and Monitoring program Build a BYOD strategy and plan Operations Management High Q Internal Yes $ Strategic Business Alignment High Q Blended Yes $$ ST-03 ST-04 Migrate to a unified compliance approach for audit and assessment activities Develop the security Risk Management Communications High Q Blended Yes $$$ High Q Internal No $$$$ ST-05 Conduct a data security associated with the data types used throughout ABC Inc. Communications Medium Q Blended Possible $$$ ST-07 Define business requirements for a enterprise wide GRC solution Policy Management / Risk Management Medium Q Internal Yes $$$

15 ISPM VS. GAP ANALYSIS Executive Summary Detailed Security Controls Analysis Maturity Dashboard Future Initiatives/Remediation Roadmap Provides Executive Reporting Tools Continuous Model Refresh Option Detailed Remediation Recommendations Gap Analysis ISPM Workshop Full ISPM Assessment

16 Q&A DAVID ROBINSON Tell us a little bit about yourself and where you are from.

17 Q&A DAVID ROBINSON Why did you decide to engage FishNet Security for a security review project?

18 Q&A DAVID ROBINSON Had Lockton traditionally used any standards or frameworks to measure and drive security initiatives?

19 Q&A DAVID ROBINSON How do these standards or frameworks stack up when compared to the ISPM?

20 Q&A DAVID ROBINSON Describe what the ISPM provided that traditional gap analysis projects have not.

21 Q&A DAVID ROBINSON What did you like about the data gathering process during the onsite workshop?

22 Q&A DAVID ROBINSON What value did you get out of the final set of deliverables that were provided by FishNet Security?

23 Q&A DAVID ROBINSON How did Lockton use the information that came out of the workshop?

24 Q&A DAVID ROBINSON How does Lockton plan to leverage the ISPM beyond the project that FishNet Security conducted?

25 Q&A DAVID ROBINSON Were there any unexpected side benefits realized by Lockton during the ISPM engagement?

26 THANK YOU Nick Puetz VP, Strategic Services FishNet Security facebook.com/fishnetsecurity twitter.com/fishnetsecurity