Hierarchical Security Management




Hierarchical Security Management. 2nd Security Workshop: Future Security, January 16-17, 2007, Sophia Antipolis, France. Johan D. Bakker MSc CISSP ISSAP, Royal Dutch Telecom (KPN).

Agenda
- ISO 27001
- Organizing security governance
- Hierarchical ISMS approach
- Future work
- Questions

ISO 27001 - What ISO 27001 does: it provides a model and requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS), structured around the Plan-Do-Check-Act cycle.

ISO 27001 - What ISO 27001 doesn't do: it does not specify organizational requirements and structure for security governance and compliance reporting in a large and complex organization ... one that offers hundreds of products and services, has 16,000 employees, and is organized in a score of different departments within 5 different market or corporate segments.

Organizing security governance - The Corporate Security Policy (CSP) Compliance Framework (CSPF) is layered into three tiers: Policy, Rules and Means. The components of the framework, numbered #1.1 through #7 in the original diagram, are:
- Corporate Security Policy (CSP)
- Security Management Requirements
- Security Design principles and axioms
- Security Management Implementation Manual
- Baseline Security Controls
- Guidelines, templates, methods, tools
- Introduction into the CSPF
- Functional Security Policies
- Security Report Repository for Support Functions

Organizing security governance - Organizational chart (three levels, each unit with its own management team, MT):
- Strategic: CISO / CFO at the Corporate Center
- Tactical: Tactical Reporting Units (TRU), 5 TRUs in total
- Operational: Operational Reporting Units (ORU), reporting into the TRUs

Organizing security governance - The same chart, annotated with Governance: governance runs from the CISO / CFO through the strategic and tactical levels to the operational units.

Organizing security governance - The same chart, annotated with Compliance reporting: compliance reporting connects the operational units, the TRUs and the CISO / CFO.

Hierarchical ISMS approach - What if the same ISMS approach could be used for the operational, tactical and strategic level? Then all levels could share the same vocabulary, document templates and concepts. To enable this, some concepts in the ISMS process must be parameterized, depending on the scope and abstraction level.

Hierarchical ISMS approach - Parameters to an ISMS:
- What is in Scope of the ISMS?
- What is the Context of the ISMS?
- Related to what type of Assets?
- What Aspects of the assets are focussed on?
- What type of Risks are managed?
- What type of Controls are available?

Hierarchical ISMS approach - Parameter values per level (columns: Scope, Context, Security aspects, Assets, Risks, Controls):

Strategic
- Scope: KPN Enterprise
- Context: Market, legal, regulatory, societal developments, KPN Mission
- Security aspects: Enterprise impact, tactical level of compliance
- Assets: The KPN Brand(s)
- Risks: Enterprise risks
- Controls: CSP Framework, tactical ISMSs

Tactical
- Scope: Tactical Reporting Unit
- Context: Business developments, demand/supply chain, tactical scopes, CSP
- Security aspects: Business impact, operational level of compliance
- Assets: Products, services and processes
- Risks: Business risks
- Controls: SLAs, local policies, operational ISMSs

Operational (typical 27001)
- Scope: Product(s), service(s) or process(es)
- Context: Customer requirements, CSP and local policies and procedures
- Security aspects: Confidentiality, Integrity and Availability
- Assets: Typical information assets
- Risks: Security risks
- Controls: ISO/IEC 17799:2005 controls

Hierarchical ISMS approach - Benefits:
- Defined enterprise-wide governance approach
- Uniform dossier templates
- Shared vocabulary
- Solid basis for compliance reporting

Future work:
- Risk aggregation
- Compliance metrics
- Integration into a single management system: Corporate Baseline of COSO II (SOx), ISO 9001 and ISO 27001, amended with ISO 14000, ISO 10002, SAS 70, ITIL, etc. depending on the type of department

Questions