
Information Security Management Programs: Operational Assessments Lessons Learned and Best Practices Revealed

JUSTIN SOMAINI AND ALAN HAZLETON

As the authors explain, a comprehensive assessment process that includes a focus on security and technology operations is critical to the development of a comprehensive information security management program.

Justin Somaini, Chief Information Security Officer for Symantec Corporation, leads its Information Security group, which is responsible for information security governance and risk management, privacy, and threat response. Most recently, he was the Director of Information Security at VeriSign, Inc., where he was responsible for all aspects of information security. Alan Hazleton, a Senior Advisor with TPI, has extensive expertise in helping clients with the full sourcing life cycle; reviewing strategic alternatives and priorities; structuring contracts; and implementing third party service provider solutions. Mr. Hazleton has a particular focus on assessing existing application development and maintenance organizations as well as information security management organizations and assisting with initial implementation and long term operational management. Mr. Hazleton can be reached at alan.hazleton@tpi.net.

In the launch of this series, Information Security Management Programs: Lessons Learned and Best Practices Revealed, the process of developing a comprehensive information security management program ("ISMP") was introduced. The second installment brought clarity to a commonly overlooked component of a successful ISMP development process, the organizational assessment, a subset of the Assessment and Strategy phase. To date, the common challenges with ISMP design and implementation have been highlighted. Now the discussion turns to addressing the critical process of performing another subset of the Assessment and Strategy phase, an operational assessment, and the importance of this assessment's outputs for building an effective and achievable ISMP strategy. Why? A comprehensive assessment process that includes a focus on security and technology operations is critical to the development of the ISMP strategy.

A lesson from the initial piece in this series stated that ISMSs (information security management systems) do not typically fail due to difficulty understanding or implementing technology. This assertion was further clarified by an example that underscored the fact that technology rarely fails; rather, more frequently, people or processes fail. Even though an understanding of existing culture and organizational dynamics is often underestimated, a comprehensive operational assessment and gap analysis is an area that security professionals stress for development of a successful ISMP.

A Review and a Look Forward

Article 1: Information Security Management Programs: Lessons Learned and Best Practices Revealed:

Lesson One: ISMSs do not typically fail due to difficulty understanding or implementing technology.
Lesson Two: Comprehensive security policy is but one of the key building blocks to an effective ISMS.
Lesson Three: To successfully design an ISMP, the information security team must thoroughly understand the employee and management team's opinions, attitudes and history with respect to enterprise information security.
Lesson Four: To successfully design an ISMP, the information security team must thoroughly understand the current state of operational processes and tools for IT infrastructure and application development.

Article 2: Information Security Management Programs: Organizational Assessment Lessons Learned and Best Practices Revealed:

Lesson One: The existing corporate culture, organizational roles and historical security events as well as potential response to security-related stimuli should be an integral part of the assessment process.
Lesson Two: The charter of the organizational assessment process is to gain a detailed understanding of an organization's culture and workforce dynamics in order to effectively tailor the ISMP program to the organization.
Lesson Three: To understand an organization, you must talk to its executives, managers and employees.
Lesson Four: Surveys are not an acceptable replacement for interviews; but the feasibility of interviewing a relevant sample of any large, geographically distributed organization in a limited timeframe is difficult, and sometimes there are political sensitivities to interviews across geographies.

ISMP Phases of Implementation

Phase 1: Assessment and Strategy
Phase 2: Triage and Tactical Initiatives
Phase 3: Metrics and Awareness
Phase 4: Technical and Process Maturity
Phase 5: Assessment and Validation
Phase 6: Strategic Initiatives

Lesson One: The Operational Assessment, or detailed understanding of the existing information technology services (e.g. design, operation, strategy and transition), governance, control and security processes, must be a foundational component of the assessment process.

There are several bodies of knowledge that have been embraced by information technology ("IT") organizations across the world. The International Organization for Standardization, specifically the ISO/IEC 27001 standard, is the core for an ISMP. There are very detailed controls defined in 27001 that should be used to build components of operational assessment processes. However, in order to effectively address the services, governance and control processes listed above, additional bodies of knowledge should be leveraged to complete or round out the operational assessment reference knowledge base.

Governance and Control

The primary IT control framework used in the United States is the CobiT [1] Framework. CobiT is an acronym for Control Objectives for Information and Related Technology, which was developed by the IT Governance Institute ("ITGI"). CobiT is an internationally recognized set of industry standards for IT governance and control practices. Although it originated in the U.S., it is commonly used internationally due to the ever-increasing nature of the global economy and interrelationships between business partners. A detailed overview of CobiT is not addressed here. As a component of the operational assessment, CobiT should be leveraged to assess the existing information technology governance and control processes.

The ISMP should represent an enterprise roadmap that must be tailored to meet program management guidelines, and even more importantly, to understand how all implementations of technology and process are accomplished in the organization.

Information Technology Infrastructure Library

The Information Technology Infrastructure Library ("ITIL") [2] is a widely adopted collection of published processes and techniques for managing IT infrastructure, development, and operations. ITIL includes detailed definitions of a series of critical IT practices that are designed to be tailored to any IT organization. ITIL is published by the United Kingdom's Office of Government Commerce ("OGC") and includes comprehensive checklists, tasks and procedures. As a component of the operational assessment, ITIL should be leveraged to assess existing IT services. To be successful, the ISMP should represent a series of initiatives that must be tailored to integrate with existing services. Key areas including Change Management, Configuration Management, Incident Management and Service Management must be assessed for level of maturity and impact to the overall ISMP design.

Lesson Two: The Operational Assessment should leverage a gap analysis model that enforces the consistency of the review process across multiple dimensions, including industry best practices and existing organizational processes, controls and technology.

Process and Control Framework

The information security ("Infosec") organization must be able to successfully analyze the existing process and control hierarchy and rapidly define the gap between leading practices and existing policies, procedures and security architecture. By providing the ability to rapidly analyze the maturity of processes against leading practices and to drive analysis efforts from multiple dimensions, the use of best practices to develop a gap analysis will greatly enhance the quality of the strategy process. The Infosec team should strive to bring as much consistency as possible to the gap analysis model to define relationships between corporate business processes and leading practices that include the CobiT, ISO 27001 and ITIL standards.

The operational assessment will benefit greatly from a relational approach to mapping leading practices and business requirements (regulatory and other) to corporate process and control hierarchies. Upon detailed review of CobiT, ISO 27001 and ITIL, the redundancy, or overlap, in certain areas will become obvious. The use of an operational assessment framework will allow the reviewer to select the most appropriate best practices for their organization and maturity level.

Lesson Three: The Operational Assessment should leverage a gap analysis model that ensures the discovery of all technology components utilized across existing information technology processes.

Technical Architecture

A common method used in the IT industry for describing the impact of new technology implementations (e.g. change) is to reference three dimensions: people, process and technology. Here and in previous installments, a great deal of focus has been placed on the analysis of culture and organizational process. The second column in this series emphasized the people aspect of ISMP design. The process and control framework approach described herein emphasizes the process aspects of ISMP design. What about technology? Why have we not focused on the review and assessment of technology and the security architecture for the organization? The answer is simple, but often misunderstood. The assessment of technology can be effectively accomplished through the lens of process review and cultural review. When asked what technology is planned for implementation over the next year, any good security professional's eyes will light up, and they will begin a long and colorful discussion, piece by piece, of how the network, server, storage and application infrastructure will be improved through technology. But the discussion can turn to interesting but sometimes misleading attributes of technology solutions, including Security Information Management, Intrusion Detection and Prevention, Data Encryption, Data Loss Prevention, Host Security, Endpoint Security and Mobile Security. The Infosec professional's leap to technology as the solution to specific issues is as natural as an IT infrastructure professional's leap to the next level of server virtualization. The astute Infosec professional, however, will weave the technology implementations into a series of people and process changes with the overall goal of reducing risk to the organization.

Lesson Four: The charter of the gap analysis process is to document the maturity level of the existing culture (people), processes and technology in order to identify where there is doubt in the ability of current state processes to effectively address risk to the organization.

Operational Assessment and Gap Analysis

The development of a comprehensive gap analysis of the current state of security in any organization is critical to the development of a security strategy. The phased journey to a destination or future state can only be accurately planned if the definition of that destination is well defined. The operational assessment and gap analysis process varies significantly from the organizational assessment described in the previous article. The operational assessment is primarily oriented to a quantitative analysis approach, while the organizational assessment includes a significant level of qualitative analysis. What is the difference? The simple view is that qualitative analysis involves words and quantitative analysis involves numbers. During the organizational assessment, qualitative analysis involves active participation of the reviewer in the process and immersion in the analysis (e.g. interviews). In addition, one of the key goals of the organizational assessment is to build relationships of trust between Infosec (reviewers) and IT (participants). During the operational assessment, quantitative analysis involves objective observation wherein the reviewer does not participate directly in the processes being reviewed nor significantly influence those processes. Since Infosec is involved in many IT processes and usually exerts some influence on the process execution, this pure approach is not strictly followed, but the use of quantitative principles in the operational assessment and gap analysis still applies. The accompanying table outlines the high-level tasks and order of operations for completing the gap analysis process for IT operations.

Gap Analysis Process for IT Operations (Step / Description)

Preparation
    Select the best practice knowledge bases

Identify Analysis Scope
    Identify redundant coverage and select knowledge base of record for each topic area
    Select, refine and confirm the components of those best practices that will be used in the gap analysis process

Identify Analysis Gaps
    Identify coverage gaps
    Select additional knowledge bases of record for each gap, or supplement with additional content

Select Analysis Approach
    For each component, identify the most appropriate analysis approach
    Develop analysis response definitions (e.g., binary response selection definitions, or multiple choice selection definitions)
    Develop analysis response weightings (e.g., level of importance indicators)

Select Analysis Population
    For each component, identify the most appropriate people, processes and technology
    Confirm assessment and analysis participants

Conduct Assessment and Gap Analysis
    Complete gap analysis process

Distribute Results and Gain Consensus
    Distribute results to participants and provide for feedback mechanism
    Make modifications where analysis was incomplete or inaccurate

Distribute Final Results
    Distribute results to executive management
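The Select Analysis Approach step calls for response definitions (binary or multiple choice) and importance weightings for each component, and the later steps distribute ranked results. The following Python module is an added illustration of one way to turn those inputs into a weighted gap score per topic area; it is not part of the article and is not a scoring method the authors describe. The model itself (responses normalized to 0..1, a weighted mean per topic, gap = 1 minus weighted maturity), the component names, the knowledge-base-of-record mappings and the recorded responses are all constructed assumptions for the example.

```python
"""Weighted gap-analysis scoring for an operational assessment.

Added illustration, not part of the Somaini/Hazleton article. It assumes the
two response types named in the article's table (binary and multiple choice)
plus an importance weight per component, and computes a weighted gap score
per topic area so results can be ranked before distribution. All control
components, knowledge-base mappings and responses below are constructed
sample data, not from any real assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class Component:
    """One best-practice component selected for the gap analysis."""
    topic: str            # topic area, e.g. Change Management
    source: str           # knowledge base of record (CobiT, ITIL, ISO 27001)
    name: str
    response_type: str    # "binary" or "choice"
    weight: int           # importance indicator: 1 (low) .. 3 (high)
    choices: int = 1      # for "choice": number of maturity levels above 0


def normalize(component: Component, response: Union[bool, int]) -> float:
    """Map a raw response onto 0.0 (absent) .. 1.0 (fully in place)."""
    if component.response_type == "binary":
        return 1.0 if response else 0.0
    if component.response_type == "choice":
        level = int(response)
        if not 0 <= level <= component.choices:
            raise ValueError(f"{component.name}: response {response} outside 0..{component.choices}")
        return level / component.choices
    raise ValueError(f"unknown response type {component.response_type!r}")


def gap_by_topic(components: List[Component],
                 responses: Dict[str, Union[bool, int]]) -> Dict[str, float]:
    """Weighted gap per topic area: 0.0 means no gap, 1.0 means nothing in place.

    A component without a recorded response is incomplete analysis and raises,
    so an unanswered item can never silently count as present or absent.
    """
    weighted_sum: Dict[str, float] = {}
    weight_total: Dict[str, int] = {}
    for c in components:
        if c.name not in responses:
            raise KeyError(f"no response recorded for {c.name}")
        score = normalize(c, responses[c.name])
        weighted_sum[c.topic] = weighted_sum.get(c.topic, 0.0) + c.weight * score
        weight_total[c.topic] = weight_total.get(c.topic, 0) + c.weight
    return {t: round(1.0 - weighted_sum[t] / weight_total[t], 3) for t in weighted_sum}


def rank_gaps(gaps: Dict[str, float]) -> List[str]:
    """Topic areas ordered largest gap first; ties broken alphabetically."""
    return sorted(gaps, key=lambda t: (-gaps[t], t))


# Constructed sample: a handful of components across three ITIL-style topic areas.
SAMPLE_COMPONENTS = [
    Component("Change Management", "ITIL", "Change advisory board reviews all changes", "binary", 3),
    Component("Change Management", "CobiT", "Emergency changes are logged and reviewed after the fact", "binary", 2),
    Component("Change Management", "ITIL", "Change process maturity", "choice", 3, choices=5),
    Component("Configuration Management", "ITIL", "Authoritative CMDB exists", "binary", 3),
    Component("Configuration Management", "ITIL", "CMDB accuracy is measured", "choice", 2, choices=3),
    Component("Incident Management", "ISO 27001", "Security incidents have a defined escalation path", "binary", 3),
    Component("Incident Management", "ISO 27001", "Incident lessons learned feed policy updates", "choice", 1, choices=2),
]

# Constructed responses, as a reviewer might record them during the assessment.
SAMPLE_RESPONSES = {
    "Change advisory board reviews all changes": True,
    "Emergency changes are logged and reviewed after the fact": False,
    "Change process maturity": 3,
    "Authoritative CMDB exists": True,
    "CMDB accuracy is measured": 0,
    "Security incidents have a defined escalation path": True,
    "Incident lessons learned feed policy updates": 1,
}

if __name__ == "__main__":
    gaps = gap_by_topic(SAMPLE_COMPONENTS, SAMPLE_RESPONSES)
    for topic in rank_gaps(gaps):
        print(f"{topic:26s} gap={gaps[topic]:.3f}")
```

Two design choices follow the table's own steps: a missing response raises instead of defaulting, which keeps incomplete analysis visible for the "make modifications where analysis was incomplete or inaccurate" step, and ties are broken deterministically so the ranking distributed to participants and executives is reproducible.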

Security Goals and Objectives (Strategy)

In order to develop an achievable strategy for security in any organization, the Infosec professional must be able to define in detail the end-state goals to be achieved. The process of developing a gap analysis is to define the people, process and technology changes that must be prioritized, designed, implemented, measured and managed over the course of a phased implementation approach. The phased implementation approach (for example, the security strategy) must be carefully tailored to the organization's unique requirements and process maturity. The organization must be secured, risks must be mitigated, and the business must continue to operate while the security strategy is in process.

In the next installment in this series, the process of developing a comprehensive security strategy will be defined, including leveraging the outputs of the organizational assessment and operational assessment processes. Constraints to the implementation of the strategy will be addressed in order to tailor the strategy to the current state of the organization. Although frequently a component of process improvement in the strategy itself, the use of enterprise risk management disciplines to tailor the strategy will also be introduced.

NOTES

1. Control Objectives for Information and Related Technology ("CobiT"), IT Governance Institute ("ITGI").
2. Information Technology Infrastructure Library ("ITIL"), United Kingdom's Office of Government Commerce ("OGC").