Information Security Managing The Risk

Information Technology Capability Maturity Model Information Security Managing The Risk

Introduction Information Security continues to be business critical and is increasingly complex to manage for the following reasons: - 72% of organizations report increased risk to information security, based on both external and internal threats. - Legal and regulatory expectations pertaining to information are also changing with increased complexity arising from organizations operating across multiple jurisdictions; key considerations here are: - Has the information been retained longer than it should have been? - Does the data follow a defined life-cycle and is it safe to delete it? - Does the business have permission to share this data with its partners? - Is it permissible for the company to use data supplied by another company? Information Security Forum November 2012 2

Whose job is it to manage security risks? - To counter these threats and remove fear, uncertainty and doubt, organizations need to develop a comprehensive information security management capability. So whose job is that? ISO 38500 Corporate governance of information technology places responsibility for IT governance at the board of director s level. Section 1.4.2 of ISO 38500:2008(E) states that directors could be held responsible for security policy and standards failings. Information security is not an IT only function; it is an organization responsibility in which each employee, customer, and supplier has responsibilities. - Since vast amounts of information are digitally collected, stored and processed, the IT department has a significant role to play in the protection of information. 3

Information Security Management Information Security Management is the capability to direct, oversee and control the actions and processes required to protect documented and digitized information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, accessibility, availability and usability of data; and to support nonrepudiation (i.e. to prevent an author denying his/her own authorship or actions). Adapted from http://www.law.cornell.edu/uscode/text/44/3542 4

Scope of Information Security Management - Strategy & Governance - Identifying applicable regulations. - Establishing and maintaining security policies and controls. - Providing communication and training content on security. - Responding to security-related incidents. - Reporting on information security activities and compliance levels. - Profiling security threats, and assessing, prioritizing, handling and monitoring security risks. 5

Information Security Management is Complex The six categories of building blocks address: - Governance - Information Security Strategy; Security Policies, Standards, and Controls; Security Roles, Responsibilities, and Accountabilities; Communication and Training; Security Performance Reporting; and Supplier Security - Technical Security Security Architecture; IT Component Security; and Physical Environment Security. - Security Resource Management - Security Budgeting; Tools and Resources; and Resource Effectiveness - Security Risk Management Security Threat Profiling; Security Risk Assessment; Security Risk Prioritization; Security Risk Handling; and Security Risk Monitoring - Security Data Management Data Identification and Classifications; Access Rights Management; Life-cycle Management - Business Continuity Management Business Continuity Planning; and Incident Management 6

Summary of insights and lessons learned (1 of 6) What does mature look like? There is awareness and understanding across the enterprise of the role that effective security plays in business success i.e. security is recognized as an enabler rather than a disabler. There are clear responsibilities for security activities. There is agreement by business and IT stakeholders on risk appetite, and the level of security that is needed. Senior level sponsorship is evident. The organization has the capability to identify and address new and emerging risks and threats. There is recognition that improvements to maturity require an evolving process, with no short cuts. Business focused measures are defined, monitored and acted upon by business and IT. 7

Summary of insights and lessons learned (2 of 6) Why would a CIO/CEO invest in maturing this CC? To build a competent and effective organization capability to manage information security. To protect business value and business success from any adverse effects of inadequate security. To demonstrate effective security for stakeholders and regulators. 8

Summary of insights and lessons learned (3 of 6) What is unique, new or different about the IT- CMF approach? IVI s ISM capability is informed by academics and industry-based practitioners, and provides a toolkit to enable organizations to measure their capability maturity levels and develop a targeted improvement programme. Use of the ISM maturity curve allows organizations to set appropriate and structured security targets. Detailed ISM Practices, Outcomes and Metrics provide guidance to organizations in maturing their ISM capability, with a view to deriving business value. IVI s ISM capability is integrated with other key critical IT capabilities. The IT-CMF can be used by multiple stakeholders to discuss and assess maturity in a structured way using a common language e.g. internal audit. 9

Summary of insights and lessons learned (4 of 6) What are the key practices required for moving up the maturity profile? Develop security policies and awareness/understanding (level 1 to 2) Develop and agree the information security strategy, risk appetite and consistent policies (level 2 to 3). Develop and implement appropriate education and awareness programmes (level 2 to 3). Ensure structured and integrated testing of security effectiveness and independent validation (level 2 to 3). Target and test security awareness and understanding (level 3 to 4) Engage stakeholders across the enterprise and adopt business level metrics (level 3 to 4). Recognise the need to work effectively across the supply chain and the extended enterprise (level 4 to 5). Audit and verify practices to improve reach and consistency (levels 4 & 5). 10

Summary of insights and lessons learned (5 of 6) Which maturity level is typical for different types of companies/ industries? Based on workgroup experiences of industry, smaller organizations would be expected to be at level 2 and larger and security sensitive organizations would be expected to be at levels 3 and 4. This indicator will be updated later based on executive assessments and again later on ISM assessments. 11

Summary of insights and lessons learned (6 of 6) What typically prevents companies from moving up the maturity profile? Lack of resources, typically financial and skills. Lack of visible and tangible senior management drive and endorsement. Limited recognition of the need for a strategic approach to security. Rapidly changing and an increasing volume of threats and risks resulting in organizations taking a reactive versus proactive stance. Organizational limitations including clarity and boundaries of responsibilities and potential conflicts of priorities. Lack of an easy to apply ISM framework Appropriate in-depth security measures are key to supporting confidentiality and availability of information. 12

Assessing Current Maturity The information security management capability as defined in the IT- CMF comes with: - On-line survey & assessment interviews identify current (ISM) maturity level - Companies can relate their maturity levels at a capability building block to benchmark levels. - Based on this knowledge and viewing their own strategic and tactical objectives, target levels can be set for the desired capability maturity level. Steps to improve - As with any journey, developing an effective information management security capability, the start and end states need to be understood. Once these are agreed a route to the destination can be selected based on the needs to optimize for cost, time or resource usage. 13

Using ISM s six categories, an Information Security Management capability can be matured. The six categories of building blocks address: - Governance - Information Security Strategy; Security Policies, Standards, and Controls; Security Roles, Responsibilities, and Accountabilities; Communication and Training; Security Performance Reporting; and Supplier Security - Technical Security Security Architecture; IT Component Security; and Physical Environment Security. - Security Resource Management - Security Budgeting; Tools and Resources; and Resource Effectiveness - Security Risk Management Security Threat Profiling; Security Risk Assessment; Security Risk Prioritization; Security Risk Handling; and Security Risk Monitoring - Security Data Management Data Identification and Classifications; Access Rights Management; Life-cycle Management - Business Continuity Management Business Continuity Planning; and Incident Management See also: Enterprise Architecture Management (EAM), Enterprise Information Management (EIM), Technical Infrastructure Management (TIM), Service Provisioning (SRP), and Solutions Delivery (SD) 14

Security Is there an app for that? - Not any time soon! - The remaining slides can be read for additional detail and retained for your notes. 15

Questions and Answers

IVI Global Community Update

IVI Global Community - Upcoming Events 18 February 18 Virtual Meeting, 11-12 (EST) March 10 and 11 IVI Spring Summit, New York April 15 Virtual Meeting, 11-12 (EST) May 20 Live event, US June 17 Virtual event, 11-12 (EST) July 15 Virtual event, 11-12 (EST) September 9 and 10 IVI Autumn Summit, Dublin October 21 Virtual event November 18 Live event, US Making it Real: Transforming IT with IT-CMF, Dinesh Kumar, Mitovia Delivering Business Improvement + IVI Certified Training Assessor Essentials (12 and 13 March) IT Professionalism - The international dimension of e-skills and the impact of globalisation Martin Sherry, IVI Topic TBC Innovation Management (TBC) Agility in IT Management, Gar MacCriosta, IVI Topic TBC Topic and venue TBC

Information Security Management Summary of key practices, outcomes, and metrics Maturity Key practices Outcomes Key metrics High 5 Optimizing Review and improve governance across the extended enterprise. Use best practice architecture, components, and physical security options. Review, improve, and manage security budget, tools, and resources. Extend security risk management to the extended enterprise. Consistently use and improve data identification and classifications, access rights management and data lifecycles across the extended enterprise. Provide industry best practice information security guidelines and advice on business continuity. Reduced likelihood of regulatory issues to be managed. Fewer security issues. Less waste and better returns for the spend on security. Holistic risk management Value return is improved based on the widespread usage of sound data management layers. Reduced impacts during incidents # Security audit issues # Compliance issues under corrective action # Security issues # Security staff turnover rates # Security resource utilization ratios # Security issues included in risk register # Effort to develop security features in new applications # Count and cost of incidents 4 Advanced Regularly review and improve all aspects of security. Implement governance criteria across the enterprise Implement technical and physical security consistently across the enterprise. Use risk assessment and value returns to guide security budget Roll data management and business continuity practices out across the enterprise Reduced risk of weak links compromising security. Locations and access points have sufficient security Security spend provides risk reduction and improves reputation Higher returns from security investment. # Incidents and adverse audit findings by site, department, and/or function # Equipment and configuration variances between HQ, Branch or end devices # Identified critical risks that are cost effectively mitigated # Security feature costs in new developments 3 Intermediate Implement documented security governance, roles, architecture, components, tools, resources, and practices aligned with some business units Identify and communicate data security classifications and life-cycles for IT and some business units Provide business continuity security plans Efficient, effective and consistent security is applied. Appropriate levels of security can be applied to business data. # Stakeholder satisfaction # Security competences being developed # Automated monitoring and screening # Availability and confidentiality issues # Cost to develop security features # Security focused elements in continuity plan 2 Basic Establish and communicate policies based on regulations and standards and risk assessment. Start to implement data security classifications, lifecycles, and access control mechanisms Raised security awareness and improved security features Aspects of security can be managed using meta-data. # Stakeholder awareness surveys # Security issues # Security meta data utilization 1 Initial Educate and raise awareness of information security. Use system and application secured options by default. Basic security problems are fixed Increased security # Staff attended awareness training # Components or suppliers not complying 19

Information Security Management (ISM) Transitions to increase maturity Maturity Action Taken Value Delivered High 5. Optimized 4. Advanced 3. Intermediate 2. Basic Align security strategies across extended enterprise. Develop and adopt agile risk management practices. Promote security awareness and understanding across extended enterprise. Promote effective security designs and architectures. Implement automated responses and alerts. Regularly review and update security strategies. Standardize risk management practices. Target and test security awareness and understanding. Develop an enterprise approach to security architecture. Align and focus data classification, lifecycle and access management practices. Use advanced/targeted tools; ROI on budgets. Align information security with business security strategy and risk appetite. Standardize risk practices and threat profiling. Promote security awareness/understanding. Apply extensive architecture and security features. Develop general data classification, lifecycle and access management practices. Increase tool use and make budgets transparent Confidence in consistent security measures and reduced risk of weakest link compromising security Cost effective rapid responses to risk changes. Enhanced security is achievable only with security conscious staff. Effective security measures have little or no impact on business volumes or variety. Faster effective responses to threats limits exposure. Security measures match changing risks and threats. Training costs and learning efforts are reduced. Awareness weaknesses are identified and corrected. Security views are available showing layers and depth. Security factors are considered and factored in at data classification, lifecycle and access control design. Security spend and ROI are measured and managed. Information security measures match those the business needs. Threat profiles are interpreted consistently. Security-aware staff expand resources available to secure business assets Improved consistency and efficiency Security is applied to data and applications in accordance with business needs and priorities Tools free staff for higher value activities; increased understanding of value delivered from investments 1. Initial Develop basic risk management and threat profiling. Develop security policies and awareness/understanding. Start to implement basic architecture and security features. Start using local practices in data classification, lifecycle and access management. Start using tools and budget management. Awareness and competence grow. Immediate improvements in behaviour Concepts for a security foundation emerge Local successes on sensitive data and information act as a starting point for communities of practice Tools free people for higher value activities. 20

Information Security Management (ISM) Critical capability maturity profile levels Maturity Information Security Management (ISM) High 5 Optimizing The information security strategy is regularly aligned to business/it strategies and risk appetite across the extended enterprise. An effective multi-layered security architecture framework is used across the extended enterprise. A structured approach to measuring value for money is applied consistently to proposed security investments and post implementation, Intelligence is gathered and security threat profiles defined and updated in collaboration with the extended enterprise Access rights management is dynamic and can effectively address organization restructures, acquisitions and divestments. The extended enterprise works proactively to avoid security incidents occurring and incidents are effectively managed.. 4 Advance 3 Intermediate 2 Basic 1 Initial There is an established security culture with dedicated and tailored employee training and measurement of efficiency and effectiveness IT component security measures are implemented enterprise-wide for detection and mitigation of threats and attacks and tested Advanced managerial tools that monitor and alert and detect issues or non-compliances are specified to aggregate across the enterprise. Employee skill and competence levels are specified and a standardized toolset and resource management approach is adopted. A standardized security risk assessment process is consistently used across the enterprise and aligned with an enterprise risk process. Access rights processes including a movers process, are effectively implemented across the enterprise and audited. Enterprise-wide continuity planning is provided for each specific risk. IT regularly tests and confirms business restoration can be achieved There is a growing security aware culture. Detailed security requirements for procurement are defined and adhered to IT and some business units have a shared vision for security; most security architecture features are common and depth of defence and configuration management practices are evident. There is visibility of security budget requirements and allocations with consistent training programmes and an agreed approach to toolsets The security risk prioritization process is based on a repeatable evaluation of business impact, probability of occurrence, and time-horizon Access rights including joiners and leavers, are granted based on a formal authorization process. An agreed business and IT continuity plan, addressing backups, archival and system recovery, is implemented with some testing Information security policies and standards are developed by IT and reviewed after major incidents. There is some performance measurement. Physical security guidelines are emerging, and IT and facilities departments are active with restricted physical access to key locations A small number of key information security roles are identified within IT and individuals are allocated responsibility and accountability Some basic intelligence gathering and security threat profiling takes place but there is no consistent method. Data security classification guidelines are defined for key sensitive data items and processes for managing the security of data throughout its lifecycle are emerging. Access rights management is basic and is dependent on vendor supplied solutions. There is basic management of security incidents in IT and Key incidents are recorded. Information security strategy, policies and standards are defined ad hoc with little alignment to business strategies or risk appetite IT component security is addressed ad hoc or locally and mainly reflects the security bundled by primary suppliers only. The purchase specification of security tools, products and resources tends to be ad hoc. or local There is no systematic monitoring of security risks. A risk register is not present or is incomplete. Access rights are managed ad hoc, or using informal procedures. The security of data throughout its lifecycle is considered ad hoc. Business continuity planning advice and expertise is limited to local efforts with security incidents managed ad hoc. 21 Key: Breakthrough level (first level with significant interconnection between business and the IT organization )

Security Risk Management Capability Building Blocks Category Governance Capability Building Block Information Security Strategy Security Policies, Standards, and Controls Security Roles, Responsibilities, and Accountabili Communication and Training Security Performance Reporting Supplier Security Description Develops, communicates, and supports the organization s IT security objectives so they fit the organization s business model and risk appetite. Establishes and maintains security policies and controls incorporating relevant security standards, regulatory and legislative security requirements; ensuring they fit the organization s business model and security objectives. Identifies and establishes information security roles including allocation and enforcement of security responsibilities. Agrees and / or assigns responsibilities and accountability to allocated resources. Disseminates security processes, policies and other relevant information. Provides training content in security practices and develops security knowledge and skills. Reports on the levels of compliance achieved, and the effectiveness and efficiency of the security activities. Defines security requirements and expectations pertaining to the procurement and supply of hardware, software, services and data. 22

Information Security Management Capability Building Blocks Category Technical Security Security Resource Management Capability Building Block Security Architecture IT Component Security Physical Environment Security Security Budgeting Tools and Resources Resource Effectiveness Description Establishes and applies criteria and practices in designing security solutions with the aim of achieving appropriate cost effective protection. Defines security layers to provide depth of defence and configuration management of security features. Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices. Specifies and procures specific security tools/ products and resources. Establishes and maintains measures to control access into and protect the physical infrastructure from threats and environmental factors (e.g. extreme temperatures, flooding, fire). Provides security related budget criteria. This includes concepts such as new equipment must be purchased with specific security features e.g. virus protection. Specifies and procures specific security tools/ products and resources. Manages the tools, security solutions and the staff assigned for security purposes. Measures value for money from security investments. Captures feedback from stakeholders and other sources on the effectiveness of security resource management procedures, tools and activities. 23

Security Risk Management Capability Building Blocks Category Security Risk Management Capability Building Block Security Threat Profiling Security Risk Assessment Security Risk Prioritization Security Risk Handling Security Risk Monitoring Description Gathers intelligence on threats and vulnerabilities from internal and external sources. Identifies and documents the security threat profiles by their potential impact on business objectives and activities. Runs assessments to identify, document and quantify/ score securityrelated risks and their components. Assessments include the evaluation of exposure to risks, and measurement of their likely impact. Prioritizes security risks and risk handling strategies, based on residual risks, acceptable risk levels and changes to the business/ IT environment or operating environment such as outsourcing, mergers and acquisitions. Implements risk handling strategies, where risks can be deferred, accepted, mitigated, transferred or eliminated, and risk ownership allocated. Interacts with Incident Management functions. Tracks changes to the identified security risks, and validates the effectiveness of risk handling strategies/ controls. 24

Security Risk Management Capability Building Blocks Category Security Data Management Business Continuity Management Capability Building Block Data Identification and Classifications Access Rights Management Life-cycle Management Business Continuity Planning Incident Management Description Defines security classifications and provides guidance for associated protection levels and access control. Manages the lifecycle of user accounts and certificates, and the granting, denial and revocation of access rights. Matches access control procedures to data classifications. Provides the security expertise and guidance to ensure that data throughout its lifecycle is appropriately available, adequately preserved and/ or destroyed to meet business, regulatory and/ or security requirements. Provides expertise and guidance to ensure that business continuity planning is effective in ensuring data integrity, confidentiality and availability. This may include input on backup management, archiving management, and systems recovery policies and procedures. Establishes and implements procedures for handling incidents and near incidents. Evaluates the nature and impact of incidents. Supports protection of the organization by providing feedback and reports on security aspects of incidents. 25

Limitation of Liability - 2014 Innovation Value Institute. All rights reserved. - The material contained herein may not be copied, photocopied, reproduced, translated, or - reduced to any electronic medium or machine-readable form, in whole or in part, without - prior written consent of the Innovation Value Institute, except in the manner described in the - documentation. - All other brand names, product names, and trademarks are copyright of their respective - owners. - While every reasonable precaution has been taken in the preparation of this document, the - author and publishers assume no responsibility for errors or omissions, nor for uses made - of the material contained herein and the decisions based upon such use. No warranties are - made, express or implied, with regards to either the contents of this work, its - merchantability, or fitness for a particular purpose. Neither the author nor the publishers - shall be liable for direct, indirect, special, incidental, or consequential damages arising out of - the use or the inability to use the contents of this text.

For more information visit www.ivi.ie