Governance and Policy - PowerPoint PPT Presentation

Description: Governance and Policy, Tim Shimeall, March 2006. Slides: 43. Provided by: timshi.
Transcript and Presenter's Notes

1
Governance and Policy
  • Tim Shimeall
  • March 2006

2
Addressing Security as Governance
  • Set of beliefs, capabilities, actions
  • Security enacted at enterprise level
  • Security treated as business requirement
  • Security considered during normal planning cycles
  • All business unit leaders understand how security
    serves as business enabler
  • Security integrated into enterprise functions and
    processes
  • All personnel accessing enterprise network
    understand their responsibilities
  • Which are most important depends on culture and
    business context

3
Governance
  • Setting clear expectations of conduct
  • Influencing to achieve expectations
  • Decision making
  • Assigned decision rights
  • Accountability
  • Intended to produce behavior/actions
  • Ensuring organization does right things and does
    things right

4
Security as Institutional Priority
  • Information security is a human enterprise
  • Lack of security awareness by users cited as
    top obstacle
  • Overriding impact of human complexities,
    inconsistencies, and peculiarities
  • People can become the most effective layer in an
    organization's defense-in-depth strategy
  • with proper training, education, motivation
  • The first step is making sure they operate in a
    security-conscious culture.
  • Ernst & Young. "Global Information Security
    Survey 2004."
    http://www.ey.com/global/download.nsf/UK/Survey_-_Global_Information_Security_04/file/EY_GISS_202004_EYG.pdf

5
Response Time
[Chart: response time versus contagion timeframe. As the contagion timeframe shrinks, the bands read: human response possible; human response difficult/impossible, automated response possible; human response impossible, automated response and proactive blocking possible, will need new paradigms.]
6
What Is At Risk?
  • Trust
  • Reputation, image
  • Stakeholder value
  • Community confidence
  • Regulatory compliance: fines, jail time
  • Customer retention, growth
  • Customer and partner identity, privacy
  • Ability to offer and fulfill transactions
  • Staff and client morale

7
Responsibility to Protect Digital Assets
  • In excess of 80 percent of an organization's
    intellectual property is in digital form
  • Duty of Care: Governance of Digital Security
  • Govern institutional operations and conduct
  • Protect critical assets and processes
  • Protect reputation
  • Ensure compliance requirements are met
  • Jody Westby, PricewaterhouseCoopers,
    Congressional Testimony; case law

8
Barriers to Tackling Security
  • Abstract, concerned with hypothetical events
  • A holistic, enterprise-wide problem not just
    technical
  • No widely accepted measures/indicators
  • Disaster-preventing rather than payoff-producing
    (like insurance)
  • Installing security safeguards can have negative
    aspects

9
Information Survivability (1)
  • Focuses on sustaining the mission in the face of
    an ongoing attack; requires an enterprise-wide
    perspective
  • Depends on the ability of networks and systems to
    provide continuity of essential services, albeit
    degraded, in the presence of attacks, failures,
    or accidents
  • Requires that only the critical assets need the
    highest level of protection

10
Information Survivability (2)
  • Complements current risk management approaches
    that are part of an organization's business
    practices
  • Includes (but is broader than) traditional
    information security
  • Business Judgment Rule: that which a reasonably
    prudent director of a similar institution would
    have used

11
Shift the Security Perspective
From → To
  • Scope: Technical → Institutional
  • Ownership: IT → Institutional
  • Funding: Expense → Investment
  • Focus: Intermittent → Integrated
  • Driver: External → Institution
  • Application: Platform/practice → Process
  • Goal: IT security → Institutional continuity/resilience

12
Technical problem to Institutional problem
Technical problem:
  • IT owns problem and strategy, performs primary
    activities
  • Secure infrastructure = secure organization
Institutional problem:
  • Organization owns problem and strategy
  • Secure assets and processes = secure organization

13
Technical ownership to Institutional ownership
Technical ownership:
  • IT is driver, owner, benefactor
  • CSO is a technical advisor
Institutional ownership:
  • Organization is driver, owner, benefactor
  • CSO is trusted advisor to business

14
Expense to investment
Expense:
  • Security activities viewed as sunk costs,
    expenses
  • Naturally avoided by management
Investment:
  • Security as amortizable investment in business
  • Security as goodwill on balance sheet raising
    organizational value

15
IA Regulations and Standards
  • National legislation (privacy, etc.)
  • Insurance industry requirements
  • Customer demand
  • E-torts and e-pacts

16
Legal Perspective
  • Analyze applicable state laws and municipal
    ordinances
  • Assess IS vulnerabilities and risks
  • Review and update IS policies and procedures
  • Review policies and procedures for sensitive
    information
  • Scrutinize relationships with third-party vendors
  • Review insurance policies
  • Develop a rapid response plan and incident response
    team
  • Work with associations and coalitions to develop
    standards
  • IT Security for Higher Education: A Legal
    Perspective. Salomon, Kenneth; Cassat, Peter;
    Thibeau, Briana. Dow, Lohnes & Albertson, PLLC.
    EDUCAUSE/Internet2 Computer and Network Security
    Task Force, 2003.
    http://www.educause.edu/ir/library/pdf/csd2746.pdf

17
Practice-driven to process-oriented
Practice-driven:
  • Willingness to accept and implement best
    practices
  • Practices as process
  • Possibly out of context with organizational
    drivers
Process-oriented:
  • Security is proactive and managed
  • Driven by risk management

18
Shifting the security approach
From ad-hoc and tactical:
  • irregular
  • reactive
  • immeasurable
  • absolute
to managed and strategic:
  • systematic
  • adaptive
  • measured
  • adequate

19
How Are You Managing Information Risks?
  • Policies, governance
  • Critical information assets
  • Who to involve
  • Management controls
  • Sustain survivability

20
Security to Resiliency
Security:
  • Managing to threat and vulnerability
  • No articulation of desired state
  • Possible security technology overkill
Resiliency:
  • Managing to impact and consequence
  • Adequate security defined as desired state
  • Security in sufficient balance to cost, risk

21
A Resilient Institution Is Able To. . .
  • withstand systemic discontinuities and adapt to
    new risk environments
  • be sensing, agile, networked, prepared
  • dynamically reinvent institutional models and
    strategies as circumstances change
  • have the capacity to change before the case for
    change becomes desperately obvious

22
Security Strategy Questions
  • What needs to be protected? Why does it need to
    be protected? What happens if it is not
    protected?
  • What potential adverse consequences need to be
    prevented? At what cost? How much disruption can
    we stand before we take action?
  • How do we effectively manage the residual risk?

23
Defining Adequate Security
  • The condition where the protection strategies
    for an organization's critical assets and
    processes are commensurate with the
    organization's risk appetite and risk tolerances
  • Risk appetite and risk tolerance as defined by
    COSO's Enterprise Risk Management Integrated
    Framework, September 2004

24
Determining Adequate Security Depends On . . .
  • Organizational factors: size, complexity, asset
    criticality, dependence on IT, impact of downtime
  • Market factors: provider of critical
    infrastructure, openness of network, customer
    privacy, regulatory pressure, public disclosure
  • Principle-based decisions: Accountability,
    Awareness, Compliance, Effectiveness, Ethics,
    Perspective/Scope, Risk Management, etc.

25
Adequate Security and Operational Risk
  • Appropriate security is that which protects the
    organization from undue operational risks in a
    cost-effective manner.
  • With the advent of regulatory agencies assessing
    an organization's aggregate operational risk,
    there needs to be a way of looking at the
    organization as a whole rather than its many
    parts.

26
Evolving the Security Approach
[Diagram: process maturation as a progression of stages]
  • Incident Response
  • Vulnerability Management
  • Security Risk Management
  • Institutional Security Management
27
High Performing Organizations - 1
  • Apply resources (time, effort, dollars, capital)
    to accomplish stated objectives, with little to
    no wasted effort
  • Regularly implement repeatable, predictable,
    secure, measurable, and measured operational
    processes
  • Independently evolved a system of process
    improvement as a natural consequence of their
    business demands

28
High Performing Organizations - 2
  • Use defined, verifiable controls to improve
    efficiency and effectiveness
  • Preventive, detective and corrective controls in
    place
  • Easier to audit
  • Detect production variances early
  • Lowest cost and least impact to fix problems
  • Fix problems in a planned manner
  • Devote increasingly more time and resources to
    strategic issues and new opportunities, having
    mastered tactical concerns

29
High Performing Organizations - 3
  • Demonstrated ability to get IT operations and
    security organizations working together to
    create:
  • Higher service levels (availability, high MTBF,
    low MTTR, low MTTD)
  • High percentage of planned (vs unplanned) work
  • Early integration of security requirements into
    the service delivery life cycle
  • The ability to quickly return to a known,
    reliable, trusted operational state
  • Unusually efficient cost structures
    (server-to-sysadmin ratios of 100:1 or greater)
  • Timely identification and resolution of security
    incidents

30
Areas of Pain for High Performing Organizations
  • Patch management
  • Proliferation of scorecards
  • Managing outsourced IT services

31
Areas of Pain Patch Volume
  • Low performing: Ad hoc, chaotic, urgent,
    disruptive; increase in unplanned work
  • High performing: Planned, predictable, just
    another change → higher change success rate

32
Areas of Pain Proliferation of Scorecards
  • Low performing: Look to external sources and
    authorities; adopt scorecard du jour
  • High performing: Have defined their own
    performance characteristics; can demonstrate
    traceability to other instruments

33
Areas of Pain Outsourced IT Services
  • Low performing: Transfer risk out of sight, then
    unable to control
  • High performing: Manage like any other business
    unit or project; understand unique challenges;
    develop more bullet-proof service level agreements
34
Common Root Causes
  • Absence of explicit articulation of current state
    and desired state
  • Thus current state (and companion pain) is
    tolerable: doesn't hurt enough yet; don't know
    that there is an alternative
  • Culturally embedded belief that control is not
    possible
  • Abdication of responsibility ("throw up my
    hands")
  • Rewards/reinforcement for personal heroics vs.
    repeatable, predictable discipline
  • Continued argument that IT ops and security are
    different (than other business investments or
    projects)
  • Desire for a technical solution: easier to
    justify and implement than people and process
    improvements

35
IT Change Management
  • Process for efficient and timely handling of all
    IT changes
  • Enterprise capabilities critical to achieving
    effective change management
  • Risk Management
  • Project Management
  • Process Management
  • IT Operations
  • Security Operations
  • Audit
  • IIA Global Technology Audit Guide series Change
    and Patch Management Critical for Organizational
    Success

36
Progression of Capability
[Chart: effectiveness rises through four levels, from "changes control the organization" to "organization controls the changes".]

Reactive
  • Over 50% of time spent on unplanned work
  • Chaotic environment, lots of fire fighting
  • MTTR very long, poor service levels
  • Can only scale by throwing people at the problem

Using the Honor System
  • 35-50% of time spent on unplanned work
  • Some technology deployed
  • Right vision but no accountability
  • Server-to-admin ratio too low
  • IT costs too high
  • Process subverted by talking to the right people

Closed-Loop Change Management
  • 15-35% of time spent on unplanned work
  • Some ticketing / workflow system in place
  • Changes documented and approved
  • Change success rate high
  • Service levels good
  • Server-to-admin ratio good, but not best-of-breed
  • IT costs improving but still too high
  • Security incidents down

Continuously Improving
  • <5% of time spent on unplanned work
  • Change success rate very high
  • Service levels world class
  • IT operating costs under control
  • Can scale IT capacity rapidly with marginal
    increases in IT costs
  • Change review and learning processes in place
  • Able to increase capacity in a cost-effective way

Based on the IT Process Institute's Visible Ops
Framework
37
Measurement
  • Performance measurement of an enterprise's
    security state is conducted with the same rigor
    as other enterprise functions and business units.
  • Corporate Information Security Working Group,
    Report of the Best Practices and Metrics Team,
    December 2004
  • Thirty Information Security Program Elements with
    companion metrics
  • Governance (7 elements, 12 metrics)
  • Management (10 elements, 42 metrics)
  • Technical (13 elements, 45 metrics)

38
Example Measures - Governance
  • Oversee Risk Management and Compliance Programs
    Pertaining to Information Security
  • Percentage of key information assets for which a
    comprehensive strategy has been implemented to
    mitigate information security risks as necessary
    and to maintain these risks within acceptable
    thresholds
  • Percentage of key external requirements for which
    the organization has been deemed by objective
    audit or other means to be in compliance

39
Example Measures - Management
  • Establish Information Security Management
    Policies and Controls and Monitor Compliance
  • Percentage of staff assigned responsibilities for
    information security policies and controls who
    have acknowledged accountability for their
    responsibilities in connection with those
    policies and controls
  • Assess Information Risks, Establish Risk
    Thresholds and Actively Manage Risk Mitigation
  • Percentage of critical information assets for
    which some form of risk assessment has been
    performed and documented as required by policy

40
Example Measures - Technical
  • Software Change Management, including Patching
  • Percentage of systems with the latest approved
    patches installed
  • Percentage of software changes that were reviewed
    for security impacts in advance of installation
  • Incident and Vulnerability Detection and Response
  • Percentage of operational time that critical
    services were unavailable (as seen by users and
    customers) due to security incidents
  • Percentage of security incidents that exploited
    existing vulnerabilities with known solutions,
    patches, or workarounds
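Two of the technical measures above, computed over a small constructed asset and incident inventory. This is an added example, not material from the presentation or the CISWG report; the data classes, patch IDs, vulnerability IDs and dates are all assumed for illustration. The second metric needs a date comparison, not just a count: an incident only counts as "had a known solution" when the fix predated the incident.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class System:
    name: str
    installed: frozenset          # patch IDs present on the host

@dataclass(frozen=True)
class Incident:
    ident: str
    occurred: date
    exploited_vuln: Optional[str]  # None when no vulnerability was exploited (e.g. phishing)

# Constructed sample data; identifiers and dates are invented for the example.
APPROVED_PATCHES = frozenset({"P-1", "P-2"})
SYSTEMS = [
    System("web-1", frozenset({"P-1", "P-2"})),
    System("web-2", frozenset({"P-1"})),
    System("db-1", frozenset({"P-1", "P-2", "P-3"})),
    System("lab-1", frozenset()),
]
# Vulnerability ID -> date a patch or workaround became available.
KNOWN_FIXES = {"V-A": date(2006, 1, 10), "V-B": date(2006, 3, 1)}
INCIDENTS = [
    Incident("INC-1", date(2006, 2, 1), "V-A"),   # fix existed weeks earlier
    Incident("INC-2", date(2006, 2, 15), "V-B"),  # no fix yet at that time
    Incident("INC-3", date(2006, 2, 20), None),   # credential phishing
    Incident("INC-4", date(2006, 3, 5), "V-A"),   # fix existed
    Incident("INC-5", date(2006, 3, 9), None),    # lost laptop
]

def pct_systems_current(systems, approved):
    """Percentage of systems with every approved patch installed."""
    if not systems:
        return 0.0
    current = sum(1 for s in systems if approved <= s.installed)
    return 100.0 * current / len(systems)

def pct_incidents_with_known_fix(incidents, fixes):
    """Percentage of incidents that exploited a vulnerability whose fix
    predated the incident, i.e. incidents patching could have prevented."""
    if not incidents:
        return 0.0
    preventable = sum(1 for i in incidents
                      if i.exploited_vuln in fixes and fixes[i.exploited_vuln] < i.occurred)
    return 100.0 * preventable / len(incidents)

if __name__ == "__main__":
    print(f"systems current: {pct_systems_current(SYSTEMS, APPROVED_PATCHES):.1f}%")
    print(f"preventable incidents: {pct_incidents_with_known_fix(INCIDENTS, KNOWN_FIXES):.1f}%")
```

The two percentages read together: a low patch-currency figure alongside a high preventable-incident figure is the pattern the "Areas of Pain: Patch Volume" slide describes for low performers.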

41
What Does Effective Security Look Like at the
Enterprise Level?
  • No longer solely under IT's control
  • Achievable, measurable objectives are defined and
    included in strategic and operational plans
  • Functions across the organization view security
    as part of their job (e.g., Audit) and are so
    measured
  • Adequate and sustained funding is a given
  • Senior executives visibly sponsor and measure
    this work against defined performance parameters
  • Considered a requirement of being in business

42
Governance and the Case Study
  • What regulations must the convention follow?
  • Industry
  • Financial processing
  • SOX
  • Venue
  • What best practices should the convention follow?