
Information Security Management Programs: Assessment Analysis
Lessons Learned and Best Practices Revealed
Justin Somaini and Alan Hazleton
Privacy & Data Security Law Journal, pages 981-989

This article, the fourth in a series, expands on the overlooked aspects of information security management system implementations introduced in a previous installment by focusing on the process of normalizing and analyzing organizational and operational assessment outputs.

About the authors: Justin Somaini, Chief Information Security Officer for Symantec Corporation, leads its Information Security group, which is responsible for information security governance and risk management, privacy, and threat response. Most recently, he was the Director of Information Security at VeriSign, Inc., where he was responsible for all aspects of information security. Alan Hazleton, a Senior Advisor with TPI, has extensive expertise in helping clients with the full sourcing life cycle: reviewing strategic alternatives and priorities, structuring contracts, and implementing third-party service provider solutions. Mr. Hazleton has a particular focus on assessing existing application development and maintenance organizations as well as information security management organizations, and on assisting with initial implementation and long-term operational management. Mr. Hazleton can be reached at alan.hazleton@tpi.net.

In the first three installments of our series on Information Security Management Programs (ISMP), we have explored the process of developing a comprehensive ISMP and have defined the first two steps in the Assessment & Strategy phase. The initial step in the Assessment & Strategy phase is the Organizational Assessment, and the second step is the Operational Assessment. Along the way, lessons have been highlighted that address common challenges with ISMP design and implementation. Please bear in mind that the phases and steps in ISMP development are not necessarily sequential and are definitely not intended to be performed only once. Most industry best practices, including CobiT,[1] ITIL[2] and ISO/IEC 27001,[3] refer to processes as life cycles that are recurring, repetitive, and, most importantly, reflect continuous improvement. Figure 1 depicts the overall ISMP life cycle phases, including the first phase, Assessment & Strategy.

Figure 1: ISMP life cycle phases

Now we turn to Assessment Analysis, another subset of the Assessment & Strategy phase and a key step in the ISMP strategy development process. Why? Information security professionals have been challenged with the process of consolidating the output of various assessment techniques into a roadmap for change, such as the ISMP strategy. Unlike politicians who espouse their versions of change, when change is referred to in this context the implication is achievable and measurable change to enterprise security in the form of risk reduction. Since the organizational and operational assessment techniques include both quantitative and qualitative disciplines, the ISMP strategist must be able to consolidate the output of these different disciplines into a cohesive model that can be used to prioritize strategy components and highlight which of them need to be analyzed further using enterprise risk assessment techniques.

Lesson One: The analysis of assessment outputs developed from disparate techniques or disciplines must be normalized prior to leveraging these outputs for ISMP strategy development.

ISMP Strategy Development Framework

An ISMP strategy development process is a complex undertaking that should be approached with detailed planning and identification of assumptions, constraints, and expectations. We have discussed in previous components of this series the identification of which best practices should be adopted for information security. Another area of decision regards the approach for consolidating and normalizing assessment outputs. In the overview of the Organizational Assessment and the Operational Assessment, the concept of leveraging best practices, or of not reinventing the wheel, has been stressed, and this decision area is no different.

Lesson Two: The assessment analysis process should leverage a model that is easy to understand and familiar to various roles, from executives to security technicians.

SWOT Analysis

During the 1960s and 1970s, Albert Humphrey led research projects for Stanford University that resulted in developing a method of strategic planning now referred to as Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis. Using data from leading corporations, the research project was targeted at identifying the reasons behind failures of corporate planning and strategy. While the SWOT model has been used in planning and analysis for many years, it is primarily a collection and categorization technique that can be used as the mechanism for normalizing the quantitative and qualitative outputs of the organizational and operational assessments. During the time Humphrey was conducting the research that resulted in the SWOT Analysis model, weaknesses and threats did not cause an automatic assumption that information security was the driver of the discussion, as most IT professionals would conclude in this day and age. Weaknesses can easily be associated with vulnerabilities in information security terminology; however, threats have always been threats, whether they are economic, operational, physical, logical, external, or internal. Figure 2 depicts the components of the ISMP strategy development process outlined in this and previous articles.

Figure 2: Components of the ISMP strategy development process

Lesson Three: The SWOT analysis should be targeted at a specific objective, such as an ISMP strategy to reduce corporate information security risk, and should be used to begin the analysis process, not as a substitute for analysis.

Best Practice Framework Continuity

The information security (Infosec) organization must be able to successfully analyze organizational and operational assessment results and rapidly prioritize the gaps between leading practices and existing policies, procedures, and security architecture. By providing the ability to rapidly analyze assessment outputs and drive analysis from multiple dimensions, the SWOT normalization model will greatly enhance the quality of the analysis. In order to leverage both the SWOT categorization model and the maturity model components of best practices, the Infosec team should strive to bring as much consistency as possible to the SWOT Analysis model and ensure that the relationships between SWOT components and leading practices, including the CobiT, ITIL, and ISO/IEC 27001 standards, are maintained.

A Review and a Look Forward
July 2008: Information Security Management Programs: Lessons Learned and Best Practices Revealed
Lesson One: ISMS do not typically fail due to difficulty understanding or implementing technology.
Lesson Two: Comprehensive security policy is but one of the key building blocks to an effective ISMS.
Lesson Three: To successfully design an ISMP, the information security team must thoroughly understand the employee and management team's opinions, attitudes, and history with respect to enterprise information security.
Lesson Four: To successfully design an ISMP, the information security team must thoroughly understand the current state of operational processes and tools for IT infrastructure and application development.

Lesson Four: The Assessment Analysis process should be designed to continue to leverage a reference model that ensures that SWOT Analysis components remain linked to best practice definitions of maturity. See Table 1 for an example of this concept.

Assessment Analysis

Once the SWOT analysis has been completed, the ISMP strategist begins the process of prioritizing the changes that need to occur into tactical (short term) and strategic (long term) categories. The phased journey to a destination or future state can only be accurately planned if that destination is well defined. With regard to ISMP strategy, defining the destination in detail, with clear, periodic milestones, is critical to achieving measurable success.

A Review and a Look Forward
August 2008: Information Security Management Programs: Organizational Assessment: Lessons Learned and Best Practices Revealed
Lesson One: The existing corporate culture, organizational roles, historical security events, as well as potential responses to security-related stimuli, should be integral parts of the assessment process.
Lesson Two: The charter of the organizational assessment process is to gain a detailed understanding of an organization's culture and workforce dynamics in order to effectively tailor the ISMP program to the organization.
Lesson Three: To understand an organization, you must talk to its executives, managers and employees.
Lesson Four: Surveys are not an acceptable replacement for interviews; but interviewing a relevant sample of any large, geographically distributed organization in a limited timeframe is difficult, and sometimes there are political sensitivities to interviews across geographies.

Table 1: SWOT Analysis components linked to best practice definitions of maturity (table not reproduced in this transcription)

As illustrated in Figure 1, there are three distinct categories of work effort that are used to group changes to security policy, process, standards, and/or technology:
- Triage & Tactical Initiatives
- Metrics & Awareness
- Technical & Process Maturity

Triage and Tactical Initiatives

One of the challenges with developing an effective ISMP strategy is balancing tactical initiatives while achieving strategic change. Information security best practices always include a discussion on the merits of risk analysis and risk management. This is a key area where textbooks lead the security strategist astray. Not all threats and vulnerabilities require a risk analysis to be completed before the work of mitigating that risk can be prioritized. A frequently cited example of this concept is information access controls. A common finding of an operational assessment is that too many resources or users have administrative access to server operating systems. The security strategist does not need to perform a risk analysis on excessive administrative access privileges to know that this weakness should be addressed as quickly as possible. This is a prime example of an operational assessment result that would be normalized into the weakness quadrant of the SWOT model and would subsequently be prioritized into the Triage & Tactical Initiatives group of changes.

Phased Approach with Rolling Wave Planning

The phased implementation approach of the ISMP strategy must be carefully tailored to the organization's unique requirements and process maturity. Due to the dynamic nature of the information security industry, it is paramount to leverage concepts like rolling wave planning (RWP), where components of an overall plan are decomposed into phases. The phases are repetitive in nature, with frequent adjustments to the deliverables and expectations. As the implementation of change components proceeds, the understanding of the work required and of the deliverables becomes clearer. This is frequently referred to as progressive elaboration. The ISMP strategy must be flexible and designed to leverage the RWP concepts and progressive elaboration.

What's Next

The use of common sense and the application of best practices will provide most organizations with very clear change components to include in the Triage & Tactical Initiatives, Metrics & Awareness, and Technical & Process Maturity groupings of the ISMP strategy. Strategic initiatives are very different and represent the appropriate use of risk analysis and risk management disciplines. The organization must be secured, risks must be mitigated, and the business must continue to operate while the security strategy is in process. In the next installment(s) in this series, the process of assembling a comprehensive security strategy will be defined, including leveraging the outputs of the assessment analysis processes. Constraints of a strategy implementation will be addressed in order to tailor the strategy to the current state of the organization. The use of enterprise risk management disciplines to tailor the strategy will also be introduced.

Notes

[1] Control Objectives for Information and Related Technology (CobiT), IT Governance Institute (ITGI).
[2] Information Technology Infrastructure Library (ITIL), United Kingdom's Office of Government Commerce (OGC).
[3] BS ISO/IEC 27001:2005, Information Security - Information Security Management Systems - Requirements, International Standards Organization, 2005.
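To show how the normalization and routing described in the Assessment Analysis and Triage & Tactical Initiatives sections could be carried out mechanically, here is an added Python example (not the authors' model or code): it maps one quantitative operational finding and one qualitative organizational finding onto a common 0..1 scale, places each in a SWOT quadrant, keeps each linked to a best-practice reference and maturity level, and routes it either to one of the three work groupings or to enterprise risk assessment. The scoring formulas, the 0.5 triage threshold, the maturity-gap rule, the sample findings and the practice_ref labels are all assumptions constructed for illustration.

```python
# Normalize operational (quantitative) and organizational (qualitative) findings
# into SWOT quadrants and route them to ISMP work groupings. Scoring rules,
# thresholds, sample findings and practice_ref labels are assumed for illustration.
from dataclasses import dataclass

QUADRANTS = {(True, True): "Strength", (True, False): "Weakness",
             (False, True): "Opportunity", (False, False): "Threat"}
TRIAGE = "Triage & Tactical Initiatives"
METRICS = "Metrics & Awareness"
MATURITY = "Technical & Process Maturity"
STRATEGIC = "Strategic: enterprise risk assessment first"

@dataclass
class Finding:
    description: str
    source: str          # "operational" or "organizational"
    internal: bool       # internal factor (S/W) or external (O/T)
    favorable: bool      # positive (S/O) or negative (W/T)
    score: float         # normalized magnitude, 0..1
    practice_ref: str    # link to a CobiT/ITIL/ISO control (placeholder label)
    maturity: int        # current maturity level, 0..5
    target: int          # target maturity level, 0..5
    known_control: bool  # an obvious, well-understood fix exists

def score_quantitative(affected: int, population: int) -> float:
    """Operational output: share of the assessed population showing the condition."""
    if population <= 0:
        raise ValueError("population must be positive")
    return min(1.0, max(0.0, affected / population))

def score_qualitative(mean_likert: float, scale: int = 5) -> float:
    """Organizational output: mean agreement on a 1..scale Likert item, mapped to 0..1."""
    return min(1.0, max(0.0, (mean_likert - 1) / (scale - 1)))

def quadrant(f: Finding) -> str:
    return QUADRANTS[(f.internal, f.favorable)]

def grouping(f: Finding) -> str:
    q = quadrant(f)
    if q in ("Weakness", "Threat") and f.known_control and f.score >= 0.5:
        return TRIAGE     # common-sense fix; no risk analysis needed first
    if f.source == "organizational":
        return METRICS    # culture, attitude and awareness gaps
    if q == "Weakness" and f.target - f.maturity >= 2:
        return MATURITY   # long-term process/technology maturity uplift
    return STRATEGIC      # needs enterprise risk assessment before planning

# Constructed sample findings (not from the article); practice_ref values are placeholders.
EXCESS_ADMIN = Finding("users with admin rights on server OS", "operational", True, False,
                       score_quantitative(31, 40), "ISO/IEC 27001 access control", 1, 3, True)
POLICY_UNCLEAR = Finding("staff agree 'security policy is unclear'", "organizational",
                         True, False, score_qualitative(3.8), "ISO/IEC 27001 awareness", 2, 3, False)
NO_CHANGE_CTRL = Finding("firewall rule changes not managed", "operational", True, False,
                         0.3, "ITIL change management", 1, 4, False)
REG_CHANGE = Finding("pending privacy regulation", "operational", False, False,
                     0.6, "CobiT compliance", 2, 3, False)
```

Running grouping() over the four sample findings places the excessive-admin-access weakness in Triage & Tactical without a risk analysis, while the external threat with no obvious control is held for enterprise risk assessment.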