Mission Critical Global Technology Group E: [email protected] T: 571-249-3932
www.mcglobaltech.com
Building a better Security Program
Why you need a security program
As a business leader, you are responsible for ensuring the protection of your organization's assets; this includes its mission critical data, the systems used to store, process and transport them, and the employees that utilize and depend on them. To do this in a cost-effective, efficient and effective manner, you need an enterprise information security management program. A security program provides the framework for establishing, implementing and maintaining an acceptable level of security risk to your organization's assets and operations, as determined by executive leadership. The scope, scale and complexity of such a program must be driven by your organization's business and security needs. A security program also allows you to examine your organization holistically and
• Identify, classify and categorize your assets that need protecting
• Identify and evaluate threats to those assets
• Identify and assess where those assets are vulnerable to the evaluated threats
• Manage the resulting risks to those assets through mitigation, transference, avoidance and acceptance
Current state of security management
The reality is that all organizations are doing something with respect to security. However, without a formal security program, your organization, like many others, will continue to respond to network intrusions, data breaches, system failures and other security incidents in an ad hoc and reactive manner. Responding to individual incidents one at a time spends unnecessary time, money and other resources on the symptoms rather than the root cause, which is usually the lack of an organized, enterprise-wide approach to managing your security risks that allows you to prioritize your security investments and efforts. For example, a data breach that leads to loss of sensitive information may be attributed to an unpatched web server, leading your IT department to launch an aggressive patching effort. While applying security patches and fixes to vulnerable servers is definitely needed, having unpatched servers in your network is merely a symptom of a systemic problem that could include lack of proper security oversight, policies, procedures, risk management, security architecture, employee training and so on, all of which could have contributed to preventing the breach and the resulting cost of dealing with it. Unless all of those elements are addressed, your organization will continue to ricochet from one security incident to the next. Security vendors and service providers are more than willing to sell you point solutions to deal with any subset of technical security challenges, but as business managers across industries and sectors face increasing threats and decreasing budgets, you can ill afford to continue down that path.
Security Program Standards and Best Practices
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide recommendations for information security program management (ISO/IEC 27002). Other common security frameworks include those of the National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technologies (COBIT), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the HITRUST Common Security Framework (CSF). Regardless of which framework you employ, it must be tailored to fit your organization’s business model, operations and technology environment.
Security Program Components
Regardless of industry sector or organization size, there are five components that are the foundation of any security program:
• Designated security leader: Security within an organization is everyone’s responsibility. However, your organization must designate a security officer or manager to lead, implement and manage the security program. This is a requirement of most security regulations and standards, some of which require that this role sit at the executive management level. Your security leader should have the authority and support to champion the cause of security as a business driver and enabler, from the boardroom to the operations floor.
• Security Policy Framework: Your security policy documents organization leadership’s goals for managing security risk and protecting organization assets. Your policy framework also includes the standards, procedures and guidelines that govern the implementation of the security program across all organization business units and functions. Your policy framework should be reviewed and updated periodically to ensure it keeps pace with the ever-changing regulatory compliance requirements, business operations and technology landscape.
• Risk Management Framework: Your security program must continuously assess threats and vulnerabilities in order to identify, measure and prioritize the risks to the organization’s assets that must be managed. Periodic enterprise risk assessments must be performed, including security penetration testing of security procedures and controls and of employee security awareness and practices.
• Security Architecture and Operations: An enterprise security architecture enables your organization to implement the necessary technology infrastructure in a way that maximizes ROI and minimizes risk. A layered approach to applying security controls allows you to protect your data, applications, systems and networks. Security event monitoring and response allows your organization to efficiently detect and mitigate the security incidents that lead to data breaches, system downtime and network intrusions.
• Security Awareness and Training Program: A security awareness program and role-based security training are essential to educating your employees about their roles and responsibilities in helping to maintain a strong security posture. Users are often considered the “weakest link” in an organization’s security controls; however, users who are trained and equipped with the tools needed to perform their duties securely are your first line of defence against security threats.
MCGlobalTech Enterprise Information Security Management
The MCGlobalTech Enterprise Information Security Management (EISM) Service leverages common security frameworks, including ISO, NIST, COBIT and COSO, to measure the maturity of your security management program. This includes a comprehensive assessment of your security policies, security organization structure, asset management, personnel security, physical and environmental security, security operations, security architecture and technology, business continuity preparedness, and security compliance.
Using our proven four-phased service delivery model (APIM), we provide full EISM life-cycle support to your organization. We help you develop, implement, maintain and improve a security program tailored to the specific needs of your organization. Our model is flexible and customizable to meet your organization's unique security program management needs. Working with your executive leadership team allows us to help guide investments in IT and security to more closely align with your business and mission goals and priorities, while increasing ROI and decreasing business risk. We do not simply focus on point solutions and services that may only address immediate challenges. By working at the management and programmatic levels of an organization, we are able to identify the weaknesses in IT infrastructure and security management that are the root causes of many of the more common IT and security problems, such as service outages, failed technology investments, data breaches and regulatory compliance penalties.
MCGlobalTech EISM Service Delivery Model
Each phase is designed around your specific organizational goals, challenges and culture. As your strategic security advisors, MCGlobalTech partners with you every step of the way.
Phase 1: Assessment
Our engagements typically begin with a full assessment of the organization's information security program and/or IT infrastructure management. During this assessment, we document the as-is posture. This includes your policies, processes, procedures, required standards, people and technologies. We assess your information security, IT infrastructure and compliance risk. Following each assessment engagement, we provide you with a detailed gap analysis that documents areas of weakness and recommendations for remediation.
Phase 2: Planning
The planning phase is especially crucial to the success of initiatives that integrate new procedures, technologies or operational processes into your environment. Many IT and security initiatives fail due to lack of proper planning that takes into consideration organization culture, capabilities and operational realities. We work with all stakeholders across your organization to create an efficient, operationally feasible and priorities-driven remediation and improvement plan of action based on the results of the assessment and leadership prioritization.
Phase 3: Implementation
During this phase, we manage the successful implementation of your approved plan of action to improve and mature compliance readiness, the enterprise security program and IT infrastructure management. We help develop appropriate policies, effective procedures and practices, staff and management training, and expertise and capability augmentation. Leveraging our strategic partnership network, we help drive and manage new technology integration and infrastructure migration. We help you implement business-focused, cost-effective mitigation strategies for the risks identified during the assessment engagement.
Phase 4: Monitor
Our Continuous Monitoring phase includes an on-going combination of performance monitoring, security assessments, awareness training, metrics reporting and executive advisory services. We partner with your organization's leadership to ensure continuous improvement of IT infrastructure and security management. We help you ensure that mission critical decisions regarding your IT and security are aligned with your organization's strategic goals.
Improving your security reduces the risk to your organization
A mature security program will help your organization maintain focus and mitigate the organization-wide risk associated with information security. It will also help your organization identify and comply with the government regulations, industry standards and best practices associated with your business, its credibility, and any data or electronic assets it has guardianship over. Your security program will enable you to meet the security requirements of your clients and customers and your contractual obligations, while mitigating the risk of adverse legal action being levied against you or your organization. This is paramount for protecting your organization’s most important IT infrastructure, data, brand and reputation. Contact MCGlobalTech today at [email protected] for a free EISM Quick Assessment℠ to give you a high level view of how well your organization manages security risks and implements the critical components of a security program.