
Mission Critical Global Technology Group E: [email protected] T: 571-249-3932

www.mcglobaltech.com

Building a better Security Program

Why you need a security program

As a business leader, you are responsible for ensuring the protection of your organization's assets; this includes its mission critical data, the systems used to store, process and transport them, and the employees that utilize and depend on them. To do this in a cost-effective, efficient and effective manner, you need an enterprise information security management program. A security program provides the framework for establishing, implementing and maintaining an acceptable level of security risk to your organization's assets and operations, as determined by executive leadership. The scope, scale and complexity of such a program must be driven by your organization's business and security needs. A security program also allows you to examine your organization holistically and:

• Identify, classify and categorize the assets that need protecting
• Identify and evaluate threats to those assets
• Identify and assess where those assets are vulnerable to the evaluated threats
• Manage the resulting risks to those assets through mitigation, transference, avoidance and acceptance

Current state of security management

The reality is that all organizations are doing something with respect to security. However, without a formal security program, your organization, like many others, will continue to respond to network intrusions, data breaches, system failures and other security incidents in an ad-hoc and reactive manner, responding to individual incidents and thereby spending unnecessary time, money and other resources to address the symptoms rather than the root cause. That root cause is usually the lack of an organized, enterprise-wide approach to managing your security risks that allows you to prioritize your security investments and efforts.

For example, a data breach that leads to loss of sensitive information may be attributed to an unpatched web server, leading your IT department to launch an aggressive patching effort. While applying security patches and fixes to vulnerable servers is definitely needed, having unpatched servers in your network is merely a symptom of a systemic problem that could include lack of proper security oversight, policies, procedures, risk management, security architecture, employee training, etc., all of which could have contributed to preventing the breach and the resulting cost of dealing with it. Unless all of those elements are addressed, your organization will continue to ricochet from one security incident to the next. Security vendors and service providers are more than willing to sell you point solutions to deal with any subset of technical security challenges, but as business managers across industries and sectors face increasing threats and decreasing budgets, you can ill afford to continue down that path.


Security Program Standards and Best Practices

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide recommendations for information security program management (ISO/IEC 27002). Other common security frameworks include those of the National Institute of Standards and Technology (NIST), Control Objectives for Information and related Technology (COBIT), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the HITRUST Common Security Framework (CSF). Regardless of which framework you employ, it must be tailored to fit your organization's business model, operations and technology environment.

Security Program Components

Regardless of industry sector or organization size, there are five components that are the foundation of any security program:

• Designated security leader
Security within an organization is everyone's responsibility. However, your organization must designate a security officer or manager to lead, implement and manage the security program. This is a requirement for most security regulations and standards, with some requiring that this role be at the executive management level. Your security leader should have the authority and support to champion the cause of security as a business driver and enabler, from the boardroom to the operations floor.


• Security Policy Framework
Your security policy documents organization leadership's goals for managing security risk and protecting organization assets. Your policy framework also includes the standards, procedures and guidelines that govern the implementation of the security program across all organization business units and functions. Your policy framework should be reviewed and updated periodically to ensure it keeps pace with the ever-changing regulatory compliance requirements, business operations and technology landscape.

• Risk Management Framework
Your security program must continuously assess threats and vulnerabilities in order to identify, measure and prioritize the risks to the organization's assets that must be managed. Periodic enterprise risk assessments must be performed, including security penetration testing of security procedures and controls and of employee security awareness and practices.

• Security Architecture and Operations
An enterprise security architecture enables your organization to implement the necessary technology infrastructure in a way that maximizes ROI and minimizes risk. A layered approach to applying security controls allows you to protect your data, applications, systems and networks. Security event monitoring and response allows your organization to efficiently detect and mitigate the security incidents that lead to data breaches, system downtime and network intrusions.

• Security Awareness and Training Program
A security awareness program and role-based security training are essential to educating your employees about their roles and responsibilities in helping to maintain a strong security posture. Users are often considered the "weakest link" in an organization's security controls; however, users that are trained and equipped with the tools needed to perform their duties securely are your first line of defence against security threats.

MCGlobalTech Enterprise Information Security Management

The MCGlobalTech Enterprise Information Security Management (EISM) Service leverages common security frameworks including ISO, NIST, COBIT and COSO to measure the maturity of your security management program. This includes a comprehensive assessment of your security policies, security organization structure, asset management, personnel security, physical and environmental security, security operations, security architecture and technology, business continuity preparedness, and security compliance.


Using our proven four-phased service delivery model (APIM), we provide full EISM life-cycle support to your organization. We help you develop, implement, maintain and improve a security program tailored to the specific needs of your organization. Our model is flexible and customizable to meet your organization's unique security program management needs. Working with your executive leadership team allows us to help guide investments in IT and security to more closely align with your business and mission goals and priorities, while increasing ROI and decreasing business risk. We do not simply focus on point solutions and services that may only address immediate challenges. By working at the management and programmatic levels of an organization, we are able to identify weaknesses in IT infrastructure and security management that are the root causes of many of the more common IT and security problems, such as service outages, failed technology investments, data breaches and regulatory compliance penalties.

[Figure: MCGlobalTech EISM Service Delivery Model]

Each phase is designed around your specific organizational goals, challenges and culture. As your strategic security advisors, MCGlobalTech partners with you every step of the way.


Phase 1: Assessment
Our engagements typically begin with a full assessment of the organization's information security program and/or IT infrastructure management. During this assessment, we document the as-is posture. This includes your policies, processes, procedures, required standards, people and technologies. We assess your information security, IT infrastructure and compliance risk. Following each assessment engagement, we provide you with a detailed gap analysis that documents areas of weakness and recommendations for remediation.

Phase 2: Planning
The planning phase is especially crucial to the success of initiatives that involve integrating new procedures, technologies or operational processes into your environment. Many IT and security initiatives fail due to a lack of proper planning that takes into consideration organization culture, capabilities and operational realities. We work with all stakeholders across your organization to create an efficient, operationally feasible and priorities-driven remediation and improvement plan of action based on the results of the assessment and leadership prioritization.

Phase 3: Implementation
During this phase, we manage the successful implementation of your approved plan of action to improve and mature compliance readiness, the enterprise security program and IT infrastructure management. We help develop appropriate policies, effective procedures and practices, staff and management training, and expertise and capability augmentation. Leveraging our strategic partnership network, we help drive and manage new technology integration and infrastructure migration. We help you implement business-focused, cost-effective mitigation strategies for the risks identified during the assessment engagement.

Phase 4: Monitor
Our Continuous Monitoring phase includes an on-going combination of performance monitoring, security assessments, awareness training, metrics reporting and executive advisory services. We partner with your organization's leadership to ensure continuous improvement of IT infrastructure and security management. We help you ensure that mission critical decisions regarding your IT and security are aligned with your organization's strategic goals.


Improving your security reduces the risk to your organization

A mature security program will help your organization maintain focus and mitigate organization-wide risk associated with information security. It will also help your organization identify and comply with the government regulations, industry standards and best practices associated with your business, its credibility, and any data or electronic assets it has guardianship over. Your security program will enable you to meet the security requirements of your clients and customers and your contractual obligations, while mitigating the risk of adverse legal action being levied against you or your organization. This is paramount for protecting your organization's most important IT infrastructure, data, brand and reputation.

Contact MCGlobalTech today at [email protected] for a free EISM Quick Assessment to give you a high level view of how well your organization manages security risks and implements the critical components of a security program.