Information Security Governance
Aart Bitter
Aart.Bitter@information-security-governance.com
Service Manager Dag 2006

Agenda
- Governance & Compliance
- Information Security Governance
- Approach for introducing and embedding information security governance in organisations
- Relationships between information security and service management
Governance & Compliance
- Governance: derived from Latin origins that suggest the notion of 'steering'. Its elements are objectives, responsibilities, steering (sturen), control (beheersen), accountability (verantwoorden) and supervision (toezicht houden).
- Compliance: in accordance with legislation, guidelines, or specifications.
Information Security Governance
[Diagram] Governance cycle of steering (STUREN), control (BEHEERSEN), supervision (TOEZICHT HOUDEN) and accountability (VERANTWOORDEN), driven by responsibilities and objectives. Risk management and implementation are the two activities that link GOVERNANCE to COMPLIANCE.
Information Security Governance approach
The approach follows a Plan-Do-Check-Act cycle:
- Plan: Alignment (policy, legislation and regulation) and Planning (risk management, standards).
- Do: Implementation (measures, processes, procedures).
- Check: Evaluation (scorecards, assessments, audits; performance and risk indicators).
- Act: adjust and restart the cycle.
Risk management and implementation (invoeren) connect GOVERNANCE to COMPLIANCE.

Security Governance processes
- Strategic level: business objectives and the security strategy (Alignment).
- Tactical level: risk and policies (Planning), Implementation.
- Operational level: measure, monitor, identification, manage (Implementation) and Evaluation.
Alignment - Security policy
The policy covers:
- objectives for information security
- legal requirements and regulations
- information security and risk analysis
- risk management
- the security organisation

Planning - Risk management
Risk management answers four questions:
- Which risks do you accept?
- Which measures will you take?
- How will you introduce the measures?
- How will you measure information security?
[Risk matrix] Likelihood (H/M/L) against impact (L/M/H). The four corner strategies on the slide are Reduce (high likelihood, low impact), Avoid (high likelihood, high impact), Accept (low likelihood, low impact) and Move, i.e. transfer (low likelihood, high impact).
Implementation - Introduction
Visible side: knowledge in the organisation
- IT processes
- job profiles
- organisation structure
- planning & control
- knowledge & skills
Invisible side: culture in the organisation
- attitude
- norms and values
- motives
- politics
- personal preferences
- drivers
- energy
- fear
- behaviour

Evaluation - Risk matrix
[Figure] Risk matrix with likelihood (Certain, Possible, Unlikely) against impact (Low, Medium, High); the ten identified risks are plotted by number.
[Figure] Results of the security scan: score (0-100%) per category 1-10 of the Code (Code of Practice).
Service & Security: ITIL
- The customer defines requirements on the basis of the business processes; reporting back to the customer runs through the SLA.
- Strategic level: reporting, SLA, Managers Set.
- Tactical level: Service Delivery (Capacity, Service Level, Security, Availability, Business Continuity Mgt., Financial), with the security management cycle of plan, steering, implementation, audit and evaluation, and maintenance.
- Operational level: Service Support (Helpdesk / Incident Mgt., Change, Configuration, Release, Problem).
NEW: ISO-20000 process model
- Service Delivery Processes: Capacity management; Service Continuity and Availability management; Service Level management; Service Reporting; Information Security management; Budgeting and Accounting for IT Services.
- Control Processes: Configuration management; Change management.
- Release Processes: Release management.
- Resolution Processes: Incident management; Problem management.
- Relationship Processes: Business Relationship management; Supplier management.

CobIT 4.0
[Figure: CobIT 4.0 framework overview]
Corporate control: COSO / ERM
- COSO: Committee of Sponsoring Organizations of the Treadway Commission; ERM: Enterprise Risk Management.
- Risk management and implementation are the link to corporate control.

Service and Security
The information security system (ISMS) and the IT service system follow the same PDCA cycle:
- Plan: Information Security System: establish the ISMS. IT Service System: establish policies and processes.
- Do: Information Security System: implement & operate the ISMS. IT Service System: implement the defined and agreed processes.
- Check: Information Security System: monitor & review the ISMS. IT Service System: assess performance against defined policies.
- Act: Information Security System: maintain & improve the ISMS. IT Service System: continually improve the operation of the ISMS.
Risk management and implementation appear in both cycles.
Control Framework
- Part 1: ISMS Specification
- Part 2: Code of Practice
- Processes (ITIL, MOF), procedures, work instructions, technical standards & guidelines

Certifications
[Diagram] ISO-27001 mapped onto the ISO-20000 process model, with the SoX-related frameworks alongside.
- ISO-27001 PDCA: Establish the ISMS; Implement and Operate the ISMS; Monitor and Review the ISMS; Maintain and Improve the ISMS; Risk Assessment and Treatment.
- ISO-27001 control areas: Security Policy, Security Organization, HRM Security, Physical Security, Operations, Asset, Access control, IS Development, Security Incident Mgt., Business Continuity, Compliance.
- COSO components shown: Control Environment, Risk Assessment, Information and Communication, Monitoring.
- ISO-20000 processes: Service Delivery (Capacity, Service Continuity and Availability management, Service Level management, Service Reporting, Information Security, Budgeting and Accounting for IT Services), Control (Configuration, Change), Release, Resolution (Incident, Problem), Relationship (Business Relationship, Supplier).
- SoX: CobIT, ITGC, COSO, SAS70.
Information Security Governance & Service
- Process- and risk-based
- Demonstrable: design, existence and operating effectiveness (opzet, bestaan en werking)
- Sign-offs and audits
- Internal process improvements
- Continuous assessments
- Delivering and retaining evidence

Information Security Governance & the Service Manager (1)
- Meet internal control and risk management requirements: change, authorisation and identity procedures; logging & monitoring; the duty to produce evidence and the duty to retain it.
- Measures, review/monitor, evidence, document.
Information Security Governance & the Service Manager (2)
SLAs and contracts must cover (mutual) rights and obligations in the areas of:
- information security
- legislation and regulation
- reporting and audits

Conclusion
Compliance and governance requirements can have far-reaching consequences for the ICT organisation, its processes and its infrastructure, and therefore for the Service Manager.
Trust me. Tell me. Show me. Prove me.
Thank you.
www.coso.org
www.isaca.org
www.itgi.org
www.bsa.org
www.bsi-global.com
www.corpgov.nl
www.information-security-governance.com
Aart.Bitter@information-security-governance.com