8/12/2019 Information Security Strategy - Guide
http://slidepdf.com/reader/full/information-security-strategy-guide 1/14
Copyright © 2009 Accenture All Rights Reserved.
Contents
Information security strategy development process
Determine security baseline
Understand business drivers and define security objective
Identify and prioritize gaps
Develop implementation/action plans
Implement activities
The strategy for information security is developed
through a four step process

Step 1: Determine information security baseline
  Description: Determine the current state of information security, e.g.
    - Information assets
    - Processes
    - Governance
    - Organisation
    - Risks
  Duration: 1-2 weeks
  Approach: Collect and analyze secondary data; perform qualitative and quantitative interviews and/or surveys of IT and business

Step 2: Understand business drivers and define wanted position
  Description: Assess how security needs to change in the organization in the next three to five years in order to adequately support the business
  Duration: 2 days
  Approach: Perform qualitative interviews with IT and business management; articulate policy statement

Step 3: Define target state
  Description: Prioritize business needs and define a target state
  Duration: 2-3 days
  Approach: Describe target state, e.g. as capability improvements and eliminated risks

Step 4: Develop implementation/action plans
  Description: Determine solutions to reach target state and their associated cost/effort, define budget and create road map
  Duration: 1 week
  Approach: Create roadmap of activities to bridge target state and current position

Step 5: Implement activities
ISO 17799 Information Security Domains*
The ISO Information Security Domains can be used as
a model to assess maturity

Domains arranged around the Information Assets:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communication & Operations Management
- Access Control
- Information System Acq., Dev. and Maint.
- Information Security Incident Management
- Business Continuity Management
- Compliance

* See appendix for domain descriptions
The first step is to determine the security baseline
through qualitative and quantitative interviews
Sample qualitative questions

Risk and Strategy
• What are your main security concerns and do you have plans to fix them?
• Is there any security initiative which is not progressing as you would like? If so, what is slowing it down and what, in your opinion, would be required to make it happen?
• What are your thoughts on where security can be improved/increased?
• Do you have an ongoing process to classify data (Confidentiality, Integrity and Availability), asset value, threats and vulnerabilities?
• Have you identified the main Business and Information Assets with their related value? This is relevant for both Risk Assessment and Business Continuity Management.
• Are you aware of any recent security incident within your organization or at competitors which has drawn the attention of the press or customers?
• Do you have difficulties in prioritizing security investments and receiving approval from the board?
Compliance, Organization and Management
• Are you currently struggling to comply with existing regulation (e.g. European Data Privacy, Sarbanes-Oxley, etc.)? If so, which regulation?
• Are you aware of new regulations you will need to comply with that will impact your security capability?
• Are you planning to achieve any security certification (e.g. ISO 27001) and if so, within which timeframe?
• Have you received any feedback from internal or external auditors which requires your company to implement specific security measures?
• Are you comfortable with existing security policies, procedures, roles and responsibilities, and the level of compliance and awareness among your permanent and temporary staff?
• Which metrics do you use to monitor the ongoing level of security and compliance, and which actions do you take to correct them?
• Do you feel comfortable with the existing level of security provided by third parties, and are you considering outsourcing any security-critical service to external parties?
The first step is to determine the security baseline
through qualitative and quantitative interviews
Sample quantitative questions

Maturity Scale (used to rate each answer): Nothing | Ad-hoc | Repeatable | Defined | Managed | Optimized

7.1 RESPONSIBILITY FOR ASSETS
7.1.1 Inventory of assets        Is there an inventory of key information assets (data sources)?
7.1.2 Ownership of assets        Is it clear who owns / is responsible for the assets?
7.1.3 Acceptable use of assets   Are there guidelines for classifying assets?
                                 Are the assets classified?
The wanted position is determined by interviews with
business and IT and articulated in a policy statement
Sample Information Security Policy Statement
Objective
The Information Security Principles are a tool for the management team at ClientCo to set direction in regards
to protecting Diaverum's Information Assets (Data Sources) in regards to:
• Confidentiality - Data should only be accessible by authorized users
• Integrity - Data should be authentic, sufficiently accurate and reliable
• Availability - Data should be accessible when needed
Principles
• Information Security has the endorsement and support of executive management and the Board
- Management is delegated to an appropriate security organization with clear roles and responsibilities
• Everyone is responsible for Information Security (Clinics, HQ, Corporate and External Parties)
- Awareness is built through continuous training and communication, and clear policies
• The organization strives to be compliant with all regulatory requirements
- The regulatory environment is continuously monitored, and compliance is audited regularly
• Protection of data is critical in a highly regulated market
- Proper access controls are combined with high awareness of data sensitivity
• Risk exposure is balanced with the cost of risk mitigation
- Risks are understood and managed based on potential business impact
• Security measures are proactively implemented based on a comprehensive understanding of threats
- Industry standards (e.g. ISO 17799) are used to baseline capabilities and assess potential gaps
The target state is expressed as capability
improvements and eliminated risks
Example output from target state definition
Solutions to reach the target state are identified and
combined into an implementation road map
Proposed initiatives to reach target state

Figure: proposed actions grouped into three tiers
Tier I: Secure fundamentals
Tier II: Enable strategic agenda
Tier III: Enable differentiation
The final step is to initiate the implementation
Example implementation road map

Initiatives                         Effort (man days)   Timeline: 2009  2010  2011  2012
Ensure regulatory compliance        34
Audit and secure critical assets    28
Design security organisation        6
Develop security policy             23
Design security processes           40
Create individual policies          19
Secure standards and processes      12
Create guidelines                   15
Implement ISO 27001                 25

Initiatives are grouped in the road map as Critical, Required or Differentiating and scheduled across 2009-2012.
Appendix
Definition of CMMI Maturity levels
0. Non-existent - Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1. Initial - There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2. Repeatable - Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3. Defined - Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalizations of existing practices.
4. Managed - It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5. Optimized - Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Description of the ISO17799 domains' aim and focus: (1/2)
1. Security Policy – To provide management direction and support for information
security in accordance with business requirements and relevant laws and
regulations.
2. Organization of Information Security – To manage and plan information security
within the organization, taking into account the needs of both internal and external
parties.
3. Asset Management - To deliver appropriate levels of protection and ensure that
information receives a level of protection that is appropriate to its needs.
4. Human resources (personnel) Security - To ensure that staff, during
employment, after termination and during change of employment, are part of the
information security process.
5. Physical and Environmental Security – To secure buildings, locations and
equipment in such a way as to prevent unauthorized physical access, damage and interference to the organization's assets, premises and information.
Description of the ISO17799 domains' aim and focus: (2/2)
6. Communications and Operations Management - To ensure that information is
treated properly, backed up correctly and handled securely to the highest
standards available.
7. Access Control - To control access to information, networks, and applications.
Preventing unauthorized access, interference, damage and theft.
8. Information Systems acquisition, development and maintenance - To ensure
that security is an integral part of the information system. Securing applications,
files and reducing vulnerabilities.
9. Information Security Incident Management – To ensure information security
events and weaknesses are communicated consistently in a manner allowing
timely corrective action to be taken.
10. Business Continuity Management – To counteract interruptions to business
activities and to protect critical business processes from the effects of major
failures of information systems or disasters and to ensure their timely resumption.
11. Compliance - To avoid breaches of any law, regulation or contractual obligations.
To ensure compliance without adverse effects on Information Security.