An Introduction to the Information Security Program Model (ISPM)




SECURELY ENABLING BUSINESS
An Introduction to the Information Security Program Model (ISPM)
Presented by: Nick Puetz, VP of Strategic Services, FishNet Security; David Robinson, CIO, Lockton Companies

AGENDA
- Information Security Program Model (ISPM) Overview
- Why the ISPM
- Goals of the ISPM
- ISPM Overview
- ISPM Deliverables

GAP ANALYSIS GAPS
Client asks:
- How mature is my security program?
- What do I need to fix first?
- What does my long-term roadmap look like?
- How do I manage and measure my program once you leave?
What traditional Gap Analysis projects are missing:
- Findings are overly tactical; very black and white.
- Lacks an actionable and prioritized remediation roadmap.
- Provides very little program-level analysis or direction.

PURPOSE OF THE ISPM
- Provide a foundation to build and develop an Information Security Program.
- Identify the gaps in your security program, evaluate its maturity and better manage your security strategy.
- Ensure priority is placed on the most valued aspects of your security program.
- Articulate the information security program's value and progress to executives.
- Continually measure the maturity of one's information security program against best practices and/or industry vertical peers.

ISPM OVERVIEW
FishNet Security Information Security Program Model
- Developed: January 2012
- Authors: 12+ contributors
- Model consists of: 3 Pillars (Governance & Policy, Risk, and Operations Management), 23 Programs, 157 Strong Characteristics
- Based on information security best practices (ISO 27002:2005, CoBIT 4.1, CoBIT 5, NIST SP Series, NERC-CIP, and PCI)
- Delivery: ISPM Workshop, ISPM Assessment, ISPM Continuous Engagement

INFORMATION SECURITY PROGRAM MODEL 2014 FishNet Security Inc. All rights reserved.

ISPM MATURITY VOTING RANKING LEGEND

SECURELY ENABLING BUSINESS Information Security Program Model (ISPM) Deliverables

ISPM HANDBOOK
- Detailed narrative document that includes an explanation of the ISPM, including descriptions of all Pillars and Elements.
- Provides guidance for ongoing management of the ISPM Annual Program, which enables the customer to take control of the program after the initial 12 months of the program.

ISPM COMPARISON DASHBOARDS
[Dashboard figure: Current State Self-Evaluation, scored on a 1 to 5 scale for the Information Security Program Model (ISPM) Pillars (Governance & Policy, Risk, Operations Management) and for the individual Programs; the per-program scores are not reproduced here.]

ISPM VALUE VS. PRIORITY MAP

DETAILED INITIATIVE PLANNING
Initiative: Develop an effective logging and monitoring program
Target Completion: End of Q4 2013
Importance: HIGH
Related Initiatives: None
Current Maturity (CMMI): 2.25
INITIATIVE SUMMARY: ABC Inc. will undertake an initiative to develop an enterprise-wide approach to the collection and management of log files for key systems within the ABC, Inc. computing environment. This will include
Sub-Initiatives:
- Develop a log management framework
- Develop business, staffing and
- Conduct a software monitoring / management tool inventory
Executive Sponsor: CIO
Project Manager: IT Delivery Manager
Key Staff Members: IT, Security, Audit
Key Skillsets Required: Information Security SMEs, product SME(s)
Complexity: High
Resources Required:
- Executive stakeholder involvement and buy-in (CEO, CIO, CISO)
- Resource and expertise availability
- Business unit buy-in
RESULT OF COMPLETED INITIATIVE
Future Maturity (CMMI): 4.25
ABC Inc. will have the ability to take a proactive approach to addressing network and access issues. Compliance mandates will be addressed
FUNDING/RESOURCE REQUIREMENTS
- Internal Labor: Yes. SME input for technical and business requirements. Industry average: minimum 9 resources to manage SNOC
- External Labor: Yes - solution-specific expertise
- Other Costs: Capital: Yes: Product. Expense: Yes: Ongoing maintenance / support, staffing, and product owner training
RISKS
- Impact to business operations due to a data breach or service outage
- ABC Company could be in violation of compliance mandates
- Increased time to identify and resolve network and access issues
- Inability to answer the "why" question during a post-incident review
KEY TASKS/OWNERS
- Identify compliance mandate requirements
- Conduct staffing feasibility assessment
- Develop business and technical solution requirements
- Develop
- Gain support
- Conduct a
- Determine the
- Roll out the

ISPM STRATEGIC ROADMAP

TARGETED ROADMAP

| Ref# | Recommendation | Program | Priority | Initiative Start | Resource | Product Component | Cost |
|---|---|---|---|---|---|---|---|
| ST-01 | Develop an effective Logging and Monitoring program | Operations Management | High | Q4 2012 | Internal | Yes | $ |
| ST-02 | Build a BYOD strategy and plan | Strategic Business Alignment | High | Q4 2012 | Blended | Yes | $$ |
| ST-03 | Migrate to a unified compliance approach for audit and assessment activities | Risk Management | High | Q4 2012 | Blended | Yes | $$$ |
| ST-04 | Develop the security | Communications | High | Q1 2013 | Internal | No | $$$$ |
| ST-05 | Conduct a data security associated with the data types used throughout ABC Inc. | Communications | Medium | Q1 2014 | Blended | Possible | $$$ |
| ST-07 | Define business requirements for an enterprise-wide GRC solution | Policy Management / Risk Management | Medium | Q2 2013 | Internal | Yes | $$$ |

ISPM VS. GAP ANALYSIS
Comparison of three engagement types (Gap Analysis, ISPM Workshop, Full ISPM Assessment) against the following deliverables; the original slide's per-column check marks are not reproduced here:
- Executive Summary
- Detailed Security Controls Analysis
- Maturity Dashboard
- Future Initiatives/Remediation Roadmap
- Provides Executive Reporting Tools
- Continuous Model Refresh Option
- Detailed Remediation Recommendations

Q&A WITH DAVID ROBINSON
- Tell us a little bit about yourself and where you are from.
- Why did you decide to engage FishNet Security for a security review project?
- Had Lockton traditionally used any standards or frameworks to measure and drive security initiatives?
- How do these standards or frameworks stack up when compared to the ISPM?
- Describe what the ISPM provided that traditional gap analysis projects have not.
- What did you like about the data gathering process during the onsite workshop?
- What value did you get out of the final set of deliverables that were provided by FishNet Security?
- How did Lockton use the information that came out of the workshop?
- How does Lockton plan to leverage the ISPM beyond the project that FishNet Security conducted?
- Were there any unexpected side benefits realized by Lockton during the ISPM engagement?

THANK YOU
Nick Puetz, VP, Strategic Services, FishNet Security
Nick.Puetz@fishnetsecurity.com
facebook.com/fishnetsecurity
twitter.com/fishnetsecurity