Contents

Acknowledgments  xi
Introduction  xiii

1. Governance Overview: How Do We Do It? What Do We Get Out of It?  1
    1.1 What Is It?  1
    1.2 Back to Basics  2
    1.3 Origins of Governance  3
    1.4 Governance Definition  5
    1.5 Information Security Governance  5
    1.6 Six Outcomes of Effective Security Governance  6
    1.7 Defining Information, Data, Knowledge  7
    1.8 Value of Information  7

2. Why Governance?  9
    2.1 Benefits of Good Governance  11
        2.1.1 Aligning Security with Business Objectives  11
        2.1.2 Providing the Structure and Framework to Optimize Allocations of Limited Resources  12
        2.1.3 Providing Assurance that Critical Decisions are Not Based on Faulty Information  13
        2.1.4 Ensuring Accountability for Safeguarding Critical Assets  13
        2.1.5 Increasing Trust of Customers and Stakeholders  14
        2.1.6 Increasing the Company's Worth  14
        2.1.7 Reducing Liability for Information Inaccuracy or Lack of Due Care in Protection  14
        2.1.8 Increasing Predictability and Reducing Uncertainty of Business Operations  15
    2.2 A Management Problem  15

3. Legal and Regulatory Requirements  17
    3.1 Security Governance and Regulation  18

4. Roles and Responsibilities  21
    4.1 The Board of Directors  22
    4.2 Executive Management  22
    4.3 Security Steering Committee  24
    4.4 The CISO  24

5. Strategic Metrics  27
    5.1 Governance Objectives  28
        5.1.1 Strategic Direction  29
        5.1.2 Ensuring Objectives are Achieved  29
        5.1.3 Risks Managed Appropriately  30
        5.1.4 Verifying that Resources are Used Responsibly  31

6. Information Security Outcomes  33
    6.1 Defining Outcomes  33
        6.1.1 Strategic Alignment: Aligning Security Activities in Support of Organizational Objectives  34
        6.1.2 Risk Management: Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level  36
        6.1.3 Business Process Assurance/Convergence: Integrating All Relevant Assurance Processes to Improve Overall Security and Efficiency  39
        6.1.4 Value Delivery: Optimizing Investments in Support of Organizational Objectives  42
        6.1.5 Resource Management: Using Organizational Resources Efficiently and Effectively  44
        6.1.6 Performance Measurement: Monitoring and Reporting on Security Processes to Ensure that Objectives are Achieved  45

7. Security Governance Objectives  47
    7.1 Security Architecture  48
        7.1.1 Managing Complexity  49
        7.1.2 Providing a Framework and Road Map  50
        7.1.3 Simplicity and Clarity through Layering and Modularization  50
        7.1.4 Business Focus Beyond the Technical Domain  50
        7.1.5 Objectives of Information Security Architectures  50
        7.1.6 SABSA Framework for Security Service Management  54
        7.1.7 SABSA Development Process  54
        7.1.8 SABSA Life Cycle  54
        7.1.9 SABSA Attributes  56
    7.2 CobiT  58
    7.3 Capability Maturity Model  59
    7.4 ISO/IEC 27001/27002  63
        7.4.1 ISO 27001  64
        7.4.2 ISO 27002  67
    7.5 Other Approaches  68
        7.5.1 National Cybersecurity Task Force, Information Security Governance: A Call to Action  68

8. Risk Management Objectives  75
    8.1 Risk Management Responsibilities  76
    8.2 Managing Risk Appropriately  76
    8.3 Determining Risk Management Objectives  77
        8.3.1 Recovery Time Objectives  78

9. Current State  81
    9.1 Current State of Security  81
        9.1.1 SABSA  82
        9.1.2 CobiT  82
        9.1.3 CMM  82
        9.1.4 ISO/IEC 27001, 27002  83
        9.1.5 Cyber Security Taskforce Governance Framework  83
    9.2 Current State of Risk Management  84
    9.3 Gap Analysis: Unmitigated Risk  84
        9.3.1 SABSA  85
        9.3.2 CMM  85

10. Developing a Security Strategy  87
    10.1 Failures of Strategy  88
    10.2 Attributes of a Good Security Strategy  89
    10.3 Strategy Resources  91
        10.3.1 Utilizing Architecture for Strategy Development  94
        10.3.2 Using CobiT for Strategy Development  94
        10.3.3 Using CMM for Strategy Development  96
    10.4 Strategy Constraints  96
        10.4.1 Contextual Constraints  97
        10.4.2 Operational Constraints  97

11. Sample Strategy Development  99
    11.1 The Process  100

12. Implementing Strategy  109
    12.1 Action Plan: Intermediate Goals  109
    12.2 Action Plan Metrics  110
    12.3 Reengineering  110
    12.4 Inadequate Performance  110
    12.5 Elements of Strategy  110
        12.5.1 Policy Development  111
        12.5.2 Standards  116
    12.6 Summary  125

13. Security Program Development Metrics  127
    13.1 Information Security Program Development Metrics  127
    13.2 Program Development Operational Metrics  129

14. Information Security Management Metrics  131
    14.1 Management Metrics  132
    14.2 Security Management Decision Support Metrics  132
    14.3 CISO Decisions  134
        14.3.1 Strategic Alignment: Aligning Security Activities in Support of Organizational Objectives  134
        14.3.2 Risk Management: Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level  137
        14.3.3 Metrics for Risk Management  138
        14.3.4 Assurance Process Integration  141
        14.3.5 Value Delivery: Optimizing Investments in Support of the Organization's Objectives  142
        14.3.6 Resource Management: Using Organizational Resources Efficiently and Effectively  144
        14.3.7 Performance Measurement: Monitoring and Reporting on Security Processes to Ensure that Organizational Objectives are Achieved  145
    14.4 Information Security Operational Metrics  145
        14.4.1 IT and Information Security Management  145
        14.4.2 Compliance Metrics  146

15. Incident Management and Response Metrics  155
    15.1 Incident Management Decision Support Metrics  156
        15.1.1 Is It Actually an Incident?  156
        15.1.2 What Kind of Incident Is It?  157
        15.1.3 Is It a Security Incident?  157
        15.1.4 What Is the Security Level?  157
        15.1.5 Are There Multiple Events and/or Impacts?  158
        15.1.6 Will an Incident Need Triage?  158
        15.1.7 What Is the Most Effective Response?  158
        15.1.8 What Immediate Actions Must be Taken?  158
        15.1.9 Which Incident Response Teams and Other Personnel Must be Mobilized?  159
        15.1.10 Who Must be Notified?  159
        15.1.11 Who Is in Charge?  159
        15.1.12 Is It Becoming a Disaster?  159

16. Conclusion  161

APPENDIX A. SABSA Business Attributes and Metrics  163

APPENDIX B. Cultural Worldviews  181
    Hierarchists  181
    Egalitarians  181
    Individualists  182
    Fatalists  182

Index  185