How to do an STRA in the BC Government
Ken Prosser, OCIO Information Security Branch

AGENDA
- Trust in a Connected World
- Security Threat & Risk Assessment Process
- STRAs and the system lifecycle
- Introduction to iSMART
- Using iSMART to manage risk
- Demonstrating trustworthiness

Trust in a Connected World

What is Trust? A belief that expectations will be met.

Why do we need Trust? It's a connected world!

Would you do business with them?
- 92%: business application environments with significant control weaknesses
- 61%: chance they will suffer a MAJOR incident in a year
Source: Information Security Forum

How do we get Trust? Prove IT!

Demonstrate Best Practice: 13% is the chance of suffering a major incident when controls are in 'good all round condition'.

What is Information Security? Confidentiality, Integrity, Availability

WHY MANAGE INFORMATION SECURITY?
- Enables business success
- Demonstrates due diligence
- Reduces the number and impact of incidents

How do we manage security?
- Identify risk areas
- Determine risk mitigation
- Get management signoff

STRA Process

Risk Assessment: RISK FACTORS
- Criticality
- Controls environment
- Special circumstances
- Level of threat
- Business impact

Risk Mitigation
- Determine control gaps
- Analyze key issues
- Develop action plan

Management Signoff
- Present risk status
- Present issues/action plan
- Management risk decision

So why would I do one?
- Required by Core Policy and legislation
- Demonstrates due diligence
- Prepares the organization for audits

When is an STRA required?
- All new information systems
- Any system subject to major change
- Every 3 years on critical systems

System Development Lifecycle stages: Conceptual, Design/Build, Pre-Production, Audit

Effort Required

What is iSMART? information Security Management And Risk Tool

What can we do with iSMART?
- Criticality Assessments
- Risk Assessments
- Incident Assessments

How to use iSMART

iSMART STRA Process
1. Define Target
2. Issue Scorecard
3. Complete Scorecard
4. Identify issues and actions
5. Submit Scorecard and run reports
6. Notify Owner and get signoff

Defining a Target
- What is it?
- Who owns it?
- Who knows about it?
- How to evaluate it?

Concept of Owner
- Responsible for the program
- Has financial authority
- Risk decision maker

Basis Of Evaluation (BOE)
- Set of best practice controls
- Aligns to international standards
- Allows best fit for the application

Issue the Scorecard

Completing the Scorecard (example scorecard)

Section A: Information Resource
- Title
- Brief description
- Nature of Target
- Number of users
- Percentage of business operations
- Date of last review
- Security classification

Section B: Accountability
- Identifies Owner of the resource
- Key contact information

Section C: Criticality
- Defines MAXIMUM harm from a loss of Confidentiality, Integrity or Availability
- Pre-filled if a Criticality Assessment has been done
- Helps define the security classification

Section D: Vulnerability: Status of arrangements
- Assesses the controls environment
- Based on FIRM (the ISF's Fundamental Information Risk Management; 17 control areas)
- Defines the state of compliance with the BOE when completed at the detailed level

Section E: Vulnerability: Special circumstances
- High degree of change
- Geographically distributed
- Large in scale
- Complex
- Immature
- Accessible by 3rd parties
- Supports a call centre

Section F: Level of threat. Number of incidents in the last 12 months:
- Malfunctions of software or hardware
- Loss of services, equipment or facilities
- Overloads
- Human error
- Unforeseen effects of change
- Other undesirable acts

Section G: Business Impact. Impact of incidents in the last 12 months:
- Financial loss
- Degraded performance
- Loss of management control
- Damaged reputation
- Impaired growth
- Any other ways

Section H: Strengthening controls
- Describes actions to improve controls
- Uses the FIRM 17 control areas
- Good tool for risk management planning

Section I: Completion details
- Identifies the primary completer
- Key contact information

Getting the most from iSMART

Use Comments to:
- Document discussion and decisions
- Identify who is lead for answers to that section
- Raise questions for the team or management

Use the Test field to:
- Document evidence that supports the answer
- Document the testing required in the next phase

Use the Issues Log to:
- Document issues that need investigation
- Document issues that impact the answer
- Document issues that need remediation

Use the Action Plan to:
- Identify a proposed action for each issue
- Develop a risk mitigation strategy
- Assign a lead for addressing the action item
- Track progress of resolution
- Get approval from management for changes

Reporting to Management. Typical report package for management:
- Risk Scorecard
- Risk Status
- Risk Heatmap
- Schedule of Issues
- Action Plan with signoff
- Compliance Checklist (if detail level done)
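As an added example that is not part of the original slides or of the iSMART tool itself, the following Python models how the scorecard sections above roll up into the report package: control gaps against the BOE (Sections D and H), a schedule of issues, the action-plan check that gates Owner signoff, and a heatmap cell. The four-point scale, the seven placeholder control-area names (the real Section D uses the 17 FIRM areas), the likelihood and heatmap thresholds, and the sample scorecard are all assumptions made here; the page does not describe the real tool's scoring.

```python
"""Toy STRA scorecard roll-up (added example, not the iSMART tool).

Section letters follow the slides; the harm/likelihood scale, the control-area
names and the heatmap thresholds are assumptions made here so it runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed four-point scale; the slides name the risk factors, not the scale.
HARM_SCALE = {"low": 1, "medium": 2, "high": 3, "very high": 4}
SCALE_NAMES = {v: k for k, v in HARM_SCALE.items()}

# Assumed placeholder control areas. Section D uses the 17 FIRM areas; these
# seven names are stand-ins, not the FIRM list.
CONTROL_AREAS = [
    "Access control", "Change management", "Incident management",
    "Backup and recovery", "Patching", "Network security", "Third-party access",
]


@dataclass
class Scorecard:
    target: str                       # Section A: information resource
    owner: str                        # Section B: accountable owner
    criticality: Dict[str, str]       # Section C: max harm per C/I/A
    controls: Dict[str, bool]         # Section D: True = meets the BOE
    special_circumstances: List[str]  # Section E
    incidents: Dict[str, int]         # Section F: counts, last 12 months
    business_impacts: List[str]       # Section G: impacts seen, last 12 months


@dataclass
class Issue:
    control_area: str
    description: str
    action: str = ""   # Section H / Action Plan entry
    lead: str = ""
    status: str = "open"


def security_classification(card: Scorecard) -> str:
    """Section C: classification follows the highest C/I/A harm rating."""
    return SCALE_NAMES[max(HARM_SCALE[h] for h in card.criticality.values())]


def control_gaps(card: Scorecard) -> List[str]:
    """Section D: areas that do not meet the BOE. An area with no recorded
    status is a gap; an unanswered question is not evidence of compliance."""
    return [a for a in CONTROL_AREAS if not card.controls.get(a, False)]


def likelihood(card: Scorecard) -> int:
    """Assumed roll-up: incident history (F), control gaps (D) and special
    circumstances (E) each push likelihood up; clipped to the 1..4 scale."""
    score = 1
    score += min(2, sum(card.incidents.values()) // 3)
    score += 1 if control_gaps(card) else 0
    score += 1 if len(card.special_circumstances) >= 2 else 0
    return min(4, score)


def impact(card: Scorecard) -> int:
    """Impact is taken from Section C; Section G history is reported but, in
    this toy model, does not raise the rating."""
    return HARM_SCALE[security_classification(card)]


def heatmap_cell(card: Scorecard) -> Tuple[int, int, str]:
    """Assumed heatmap: likelihood x impact; red >= 9, amber >= 4, else green."""
    lik, imp = likelihood(card), impact(card)
    colour = "red" if lik * imp >= 9 else "amber" if lik * imp >= 4 else "green"
    return lik, imp, colour


def schedule_of_issues(card: Scorecard) -> List[Issue]:
    """One issue per control gap; the action and lead are added by the team."""
    return [Issue(a, f"{a} does not meet the BOE") for a in control_gaps(card)]


def ready_for_signoff(issues: List[Issue]) -> bool:
    """Only ask the Owner to sign off when every open issue has a proposed
    action and a named lead, as the Action Plan slide requires."""
    return all(i.action and i.lead for i in issues if i.status == "open")


def report_package(card: Scorecard, issues: List[Issue]) -> dict:
    """The management report package listed on the slides, as one dict."""
    lik, imp, colour = heatmap_cell(card)
    return {
        "target": card.target, "owner": card.owner,
        "classification": security_classification(card),
        "heatmap": {"likelihood": lik, "impact": imp, "rating": colour},
        "schedule_of_issues": [(i.control_area, i.action, i.lead, i.status) for i in issues],
        "compliance_checklist": {a: card.controls.get(a, False) for a in CONTROL_AREAS},
        "ready_for_signoff": ready_for_signoff(issues),
    }


# Constructed sample scorecard for a hypothetical system (not real data).
SAMPLE = Scorecard(
    target="Benefits Payment Portal", owner="Director, Benefits Program",
    criticality={"confidentiality": "high", "integrity": "medium", "availability": "very high"},
    controls={**{a: True for a in CONTROL_AREAS}, "Patching": False, "Third-party access": False},
    special_circumstances=["Accessible by 3rd parties"],
    incidents={"Malfunctions of software or hardware": 2, "Human error": 2},
    business_impacts=["Degraded performance"],
)

if __name__ == "__main__":
    import json
    issues = schedule_of_issues(SAMPLE)
    for issue in issues:  # action plan drafted with the team, then submitted
        issue.action, issue.lead = f"Bring {issue.control_area} up to the BOE", "Application security lead"
    print(json.dumps(report_package(SAMPLE, issues), indent=2))
```

Running it prints the package as JSON. The two points worth taking from it are that a control question left unanswered counts as a gap rather than as compliance, and that the Owner is asked for a risk decision only once every open issue carries a proposed action and a named lead.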

Using iSMART to manage risk

iSMART can help you:
- Identify critical systems
- Determine security requirements
- Build secure architecture
- Identify the cause & impact of incidents
- Develop a remediation strategy

Developing a system security plan. Use iSMART to:
- Develop a risk profile
- Document assessment history
- Build mitigation plans
- Show linkages/dependencies
- Support audits

Demonstrating Trustworthiness

Demonstrating Trustworthiness
- Proactive risk management
- Compliance with best practice
- Proven due diligence

Questions?
Ken Prosser, 250-387-8858
Information Security Branch, Office of the Chief Information Officer, Province of BC
Email: ken.prosser@gov.bc.ca, citzciosecurity@gov.bc.ca