Security Governance: What, Why, How - PowerPoint PPT Presentation

Provided by: dalems

Transcript and Presenter's Notes

1
Security Governance: What, Why, How?
  • Presented by Jason A. Witty, CISSP

2
What is Security?
  • A firewall?
  • A group of paranoid IT staff?
  • An intrusion prevention mechanism?
  • A process to keep your data safe?
  • A deterrent?
  • An enabler?
  • A road block?

3
Security is Many Things
Source: IBM Global Services
4
Security Must be Holistic
Source: IBM Global Services
5
Security: The Big Picture
Source: IBM Global Services
6
Why Do We Need A Holistic Approach?
  • Your entire staff must protect against thousands of
    security problems.
  • Attackers only need one thing to be missed.
  • But with appropriate planning and execution, a
    comprehensive information security program will
    protect your corporate assets.

7
So What is Security Governance?
  • The Information Systems Audit and Control Association
    (ISACA) definition:
  • "Establish and maintain a framework to provide
    assurance that information security strategies
    are aligned with business objectives and
    consistent with applicable laws and regulations."
  • From http://www.isaca.org/cismcont1.htm

8
Governance: Appropriate Levels of Security
ISO 17799 (Best Practices)
[Diagram: the ten ISO 17799 control areas, numbered 1-10, plotted against the question "How much is enough?". Only two area labels survive in the transcript: Asset Classification and Control; Physical and Environmental Security.]
Source: Forsythe Solutions, used with permission
9
Goals of Security Governance
  • Link business strategy to security strategy
  • Ensure senior management understands information
    risk and supports the information security
    program
  • Ensure all employees understand their information
    security responsibilities
  • Ensure proper business representation during
    security policy review processes

10
Governance Goals - 2
  • Decrease litigation risks by ensuring corporate
    policies take the legal and regulatory environment
    into account
  • Create procedures and guidelines that
    operationalize information security policies
  • Develop information security value proposition
    and measure program effectiveness

11
Some Regulations to Consider
  • US: HIPAA
  • US: Gramm-Leach-Bliley Act (GLBA)
  • US: California SB 1386 mandates public
    disclosure of computer-security breaches in which
    confidential information may have been
    compromised. Effective July 1, 2003.
  • UK: Data Protection Act 1998
  • EU: Data Protection Directive 95/46/EC
  • NL: Personal Data Protection Act
  • http://www.privacyinternational.org/countries/index.html

12
Privacy Due Care Requirement
  • The Federal Trade Commission required Eli Lilly
    and Company to redress a privacy violation from
    June 2001.
  • An e-mail with the names of all 669 subscribers
    listed in the TO field went to users of the
    www.prozac.com medication reminder service.
  • It was an unintentional leakage of personal
    information.
  • This was a violation of Lilly's own privacy policy.
  • Lilly failed to maintain and protect the privacy
    of sensitive information.

13
FTC Consent Decree
  • Lilly is required to implement a security and
    privacy program that does the following:
  • Designate personnel to coordinate and oversee the
    program.
  • Identify reasonably foreseeable internal and
    external security risks.
  • Conduct an annual review to monitor effectiveness
    of and compliance with the program.
  • Adjust the program to address changes in the
    business and any recommendations.
  • http://www.ftc.gov/opa/2002/01/elililly.htm

14
How to Implement Security Governance
  • Have a dedicated security organization with the
    right charter from executive management
  • Build strong relationships with business
    stakeholders
  • Gain trust and buy-in
  • Establish review and approval processes
  • Establish governance team(s) - committees
  • Schedule regular meetings
  • Report issues and exceptions to senior management
  • Integrate security awareness training and education
    into employee job responsibilities

15
Stakeholders in Security Governance
  • Legal
  • Audit
  • Physical Security
  • IT Operations
  • HR
  • PR
  • Privacy Team
  • Info-Security Team

16
Things to Watch Out For
  • 1) Not having a written policy
  • 2) If you have a written policy:
    • Can it be enforced?
    • Does management buy in to implementing the
      policy? Does funding exist?
    • Does the technology exist? Is it mature?
    • Do the proper skill-sets exist?
    • How are users educated and kept up to date?
    • How are exceptions and violations handled?
  • 3) Politics
  • 4) Not being aware of your regulatory obligations
  • 5) Trying to do everything at once

17
When Governance is Implemented Correctly
  • A cross-functional executive committee reviews and
    approves corporate security policies
  • Employees are regularly trained, and understand
    all security policies and responsibilities
  • Metrics are captured to regularly measure and
    report program effectiveness
  • Incidents are tracked
  • Regular vulnerability assessments are conducted
  • All exceptions are rated by risk level, regularly
    reviewed, and corrected in a timely fashion

18
When Governance is Implemented Correctly - 2
  • Repeatable processes ensure security is inserted
    very early in project and systems lifecycles
  • Security is built into corporate culture and is
    viewed as a competitive advantage
  • Executive buy-in is visible: videos, regular
    e-mails, posters, etc.

19
Questions?