Information Security Strategy Template
February 2016
Outline
• Why develop a security strategy
• Business drivers
• Information Security Ecosystem
• BoD Level State of Security Narratives
• Organization of Information Security
• Incident Summary
• Current Priorities
• Risk Landscape
• Investment Roadmap
• Next Steps
Why Develop a Security Strategy?
Tiers of work (diagram, top to bottom):
• Could Do: new business drivers; Risk-Based Decisions to Achieve Business Goals
• Should Do: proactive management; “Legally Defensible” Security
• Work We Must Do: baseline protection; Manage Compliant-Ready Services
Help <the business> determine acceptable levels of risk and how much investment is needed.
Vision (sample)
Information Technology risks are identified, understood, and managed to an acceptable level across the Enterprise. Business units have the tools, resources, and expertise to make optimal decisions for business success.
Mission
Develop and measure IT security standards while enabling business autonomy and agility. Deliver value through identification of threats, assessment of risk, expert consulting, and providing foundational security services to prevent, detect, and respond to disruptions.
Top Business Drivers (business drivers associated with IT risks)
• Brand: earn and maintain customer trust; online presence with content integrity and availability
• Competitive Advantage: protect sensitive information to continue growth in established markets and enable global expansion
• Compliance: identify and efficiently manage regulations
• Customer & Employee Privacy: protect customer and employee data from theft or disclosure
How We Think About IT Security
Defining an IT Security ecosystem helps organize security risks across the Business.
• Data: data is classified, known, & protected throughout its lifecycle
• Workforce: workforce is trained and empowered to protect data
• Applications: applications are developed and managed securely
• Devices: a diverse collection of devices configured and managed for security
• Networks: networks are available, monitored, and resilient
• Physical: facilities are safe and accessible
(alt.) How We Think About IT Security (NIST CSF view)
Defining an IT Security framework helps organize security risks across the Enterprise; the view is applied per Corporate and each Business Segment.
Framework wheel (centered on Data):
• Identify: Asset Management, Governance, Risk Management
• Protect: Access Control, Training, Data Protection, Maintenance, Protective Technology
• Detect: Anomalies, Event Monitoring, Detection Processes
• Respond: Planning, Communications, Analysis, Mitigation, Improvements
• Recover: Recovery Planning, Improvements, Communications
NIST Cyber Security Framework (optional narrative)
• Each step required
• Historically we invested in…
• Detect and Respond provide immediate value when prevention is not mature
• Reduce impact of breaches
• Prevention has a longer ramp-up time, and even then is not 100%
Diagram: Identify, Protect, Detect, Respond, Recover
State of Security (BoD Level, central org.)
Chart: State of Security by Maturity & Adversary
• X-axis (ecosystem element): Workforce, Data, Access, Applications, Devices, Networking, Physical
• Y-axis: Maturity, 0 to 5; series: Maturity, Maturity Target
• Adversary Model (secondary scale): Advanced Adversary (Nation-State), Organized Crime, Malicious Insider, Opportunistic Crime, Hacktivist, Script Kiddie
State of Security (BoD level, multiple control owners)
• Service Objective: foster and support an appropriate security posture aligned with business goals
• Monitor control effectiveness & visibility
• Develop baseline standards where needed
Control Visibility Key: Full / Partial / No or Limited (?)
Control Posture Key: Meet Standards / Short Term Gaps / Long Term Gaps / No Standard Defined
Note: can use ecosystem elements as the rows.
State of Security (BoD level, over time narrative)
Chart: maturity over time
• X-axis: FY XX, FY XX, FY XX, FY XX
• Y-axis (maturity levels): Ad Hoc, Developing, Defined, Managed, Optimizing
• Series: Current Maturity, Target Maturity (may include adversary scale also)
• Annotations: Key IT Initiatives (IT Init., Multi-year Initiative); Key Security Initiatives (Initiative, Initiative 2, numbered 1 to 5); callouts, e.g. events
Incident Summary
• Significant incident summaries
• Show count by severity graphic
• Current year and multi-year (chart by FY XX)
• Key initiatives and budget summary to reach target maturity levels
• Include 3 year plan if significant maturity gaps exist
CISO Peer & Control Owner Narratives
Additional detail beyond Board of Director level content
Organization of Information Security
Matrix showing ownership across security services (rows: services; columns: owning group).
Owning groups: Information Security, Information Technology, Business Units, Operations, Unknown
Legend (service status): Compliance Ready / Resourced, not complete / Investment Required
Legend (responsibility type): Analyst & Operational Responsibilities / Mngt. & Reporting / Tier 1 Investigation
Services placed in the matrix: Risk Assessment, Disaster Recovery, Security Policy, Security Awareness, Audit Mngt., Firewall/IDS Mngt., Access Mngt., User Provisioning, Remote Access, Event Monitoring, Incident Response, Data Loss Prevention, Sys. Implementation, System Updates, Technical Standards, Change Mngt., Capacity Mngt., Data Inventory, Vendor Mngt., Mobile Mngt., H/W, S/W Inventory, Security Architecture, Security Engineering, Vulnerability Mngt., Data Encryption, Secure Programming, Audit Oversight, Purchasing, Internal Consulting, Data Analytics, Compliance, Application Mngt., Business Continuity
Current State Summary
• Wins
• Need help
• Next Steps
• Progress
• Challenges
Risks Grouped By Business Driver (example)
• Protect Brand: focus on Incident Response, Device Support & Vulnerabilities; impact estimates: loss of service or data affecting patient adoption & retention; 6 High risks
• Privacy: focus on Malware & Unencrypted Data
• Enable Business: meet Partner requirements; strengthen remote authentication
• Compliance: 7 risks across foundational controls
Heat map: axes 3 to 10, zones Accept / Evaluate / Act; risks plotted by business driver (Compliance, Protect Brand, Privacy, Enable Business)
Current Risk Landscape
• Risks Needing Decision: count xx; foundational controls missing or partially implemented
• Mitigation In Progress: count x; key risks: managing vulnerabilities, backup-restore, upgrade software
• Mitigated: count x; vendor managed, assessed and managed
Heat map: axes 3 to 10; status legend: Active / In Progress / Mitigated
Risks plotted: Shared ID's, Backup-restore, Unencrypted Data, No 2-Factor, Sanction Policy, DoS, Media destruction, Terminated Users, Data inventory, Password Policies, Validate Access, Wireless controls, Vuln. mngt., Business continuity, Incident Response, Risk management, Vendor Compromise, Background checks, Appropriate access, Partner Requirements, Attack Chain: malware, Obsolete Software, Phishing victims, Device Malware/Abuse
IT Security Performance
• Measuring xx performance indicators across Business Units
Title | Status | Trend
Master Security Index | |
Protect Brand | |
Increase Revenue | |
Support Business | |
Reduce Costs | |
Comply Efficiently | |
Align Controls To Agent Impacts
Chart: Controls: Investment & Process Maturity (x-axis, 1 to 5) against agent Motive, Skill, & Perseverance (y-axis)
• Agents: Script Kiddie, Hacktivists, Malicious Insider, Criminals, Advanced Adversary (For IP)
• Controls placed along the maturity axis: Basic AAA, Basic SDL, Vuln Scans, Device Mngt., Adv. Awareness Edu., Fraud Detection, Advanced AAA, IRM, Advanced SDL, Full Packet Capture Analysis, Custom Malware Detection, Response & Forensics Expertise
• Also plotted: DoS
Security Roadmap Funding Priorities
• Investment priorities evaluated by: Risk Priority; Business Support; IT Capacity; Cost (internal labor & Op. Ex.)
• Top Priorities (Funding Approval Request, blue icons): Incident Response Plan; Mature Vulnerability Mngt.; Device Malware Management; IT Risk Management; Update Security Policy
• Next Priorities: Back-up Restore; Remote 2-Factor; Replace Obsolete Systems; Access Mngt. (terminated users)
Chart: priority initiatives by quarter (Q1 to Q4 of FYxx, FYxx, FYxx); scales 0 to 100 and $0 to $100
Initiatives shown: Unique IDs Plan, Backup-Restore, Encrypt Data at rest, Business Impact Analysis, Sanction Policy, Mature Vuln. Mngt., Anti-DoS, Update Policy, Media Destruction, Access Management, Inventory Data, Replace Obsolete Software, Strengthen Wireless Plan, Incident Response Proposal Plan, IT Risk Mngt., Remote Access: 2-Factor, Background Checks, Replace Obsolete Software Plan, Anti-phishing program, Device Standards/Mngt.
Security Roadmap Template
Lanes: Current Focus; FY xx Investments; FYxx Investments
Item types: Project; Sustained Process; Transition; Planning
Next Steps
• Execute current commitments
• Formalize “Organization of Information Security”
• Fund priority investment requests
• Complete 3 year roadmap during FYxx planning
Additional Content
Appendix (additional stories)
Primary Services: Current State
Service | Maturity | Capacity | Org. Alignment
Primary Service 1 (from previous slide) | Select a light and/or short description (see notes) | Select a light or short description | Select a light or short description
Primary Service 2 | | |
• Optional: show process maturity, capacity, or org. alignment visuals
Risk By Business Driver
Group | Title | Score
Protect Brand | Backup-restore | 68
Protect Brand | Denial of Service | 45
Protect Brand | Terminated Users | 68
Protect Brand | Vuln. mngt. | 85
Protect Brand | Business continuity | 38
Protect Brand | Incident Response | 78
Protect Brand | Attack Chain: malware | 65
Protect Brand | Obsolete Software | 73
Protect Brand | Phishing victims | 55
Privacy | Unencrypted Data | 71
Privacy | Media destruction | 41
Privacy | Data inventory | 48
Privacy | inventory | 59
Privacy | Appropriate access | 35
Privacy | Device Malware/Abuse | 64
Enable Business | No 2-Factor | 64
Enable Business | Partner Requirements | 59
Compliance | Shared ID's | 35
Compliance | Sanction Policy | 36
Compliance | Password Policies | 42
Compliance | Validate Access | 37
Compliance | Wireless controls | 41
Compliance | Risk management | 55
Compliance | Background checks | 35
Heat map: axes 3 to 10, zones Accept / Evaluate / Act; risks plotted by business driver (Compliance, Protect Brand, Privacy, Enable Business)
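As an added example (not part of the original template), the Python script below turns the risk list above into the per-driver counts that the "Risks Grouped By Business Driver" slide reports. The scores are the template's own sample values; the Accept / Evaluate / Act cut-offs (60 and 40) are assumptions, since the template draws the zones on a heat map without stating numeric thresholds.

```python
from collections import defaultdict

# Risk scores copied from the "Risk By Business Driver" slide (template sample values).
# Tuples are (business driver, risk title, score on the template's 0-100 scale).
RISKS = [
    ("Protect Brand", "Backup-restore", 68),
    ("Protect Brand", "Denial of Service", 45),
    ("Protect Brand", "Terminated Users", 68),
    ("Protect Brand", "Vuln. mngt.", 85),
    ("Protect Brand", "Business continuity", 38),
    ("Protect Brand", "Incident Response", 78),
    ("Protect Brand", "Attack Chain: malware", 65),
    ("Protect Brand", "Obsolete Software", 73),
    ("Protect Brand", "Phishing victims", 55),
    ("Privacy", "Unencrypted Data", 71),
    ("Privacy", "Media destruction", 41),
    ("Privacy", "Data inventory", 48),
    ("Privacy", "inventory", 59),
    ("Privacy", "Appropriate access", 35),
    ("Privacy", "Device Malware/Abuse", 64),
    ("Enable Business", "No 2-Factor", 64),
    ("Enable Business", "Partner Requirements", 59),
    ("Compliance", "Shared ID's", 35),
    ("Compliance", "Sanction Policy", 36),
    ("Compliance", "Password Policies", 42),
    ("Compliance", "Validate Access", 37),
    ("Compliance", "Wireless controls", 41),
    ("Compliance", "Risk management", 55),
    ("Compliance", "Background checks", 35),
]

# Assumed treatment thresholds: the template shows Accept / Evaluate / Act zones
# on its heat map but does not state numeric cut-offs.
ACT_AT = 60
EVALUATE_AT = 40


def treatment(score, act_at=ACT_AT, evaluate_at=EVALUATE_AT):
    """Map a score to the heat-map zone it falls in."""
    if score >= act_at:
        return "Act"
    if score >= evaluate_at:
        return "Evaluate"
    return "Accept"


def summarize(risks, act_at=ACT_AT, evaluate_at=EVALUATE_AT):
    """Per business driver: total count, count per zone, and the highest-scoring risk."""
    by_driver = defaultdict(
        lambda: {"count": 0, "Act": 0, "Evaluate": 0, "Accept": 0, "max": None}
    )
    for driver, title, score in risks:
        entry = by_driver[driver]
        entry["count"] += 1
        entry[treatment(score, act_at, evaluate_at)] += 1
        if entry["max"] is None or score > entry["max"][1]:
            entry["max"] = (title, score)
    return dict(by_driver)


def high_risks(risks, act_at=ACT_AT):
    """Risks in the Act zone, highest score first (the 'risks needing decision' list)."""
    return sorted((r for r in risks if r[2] >= act_at), key=lambda r: r[2], reverse=True)


def report(risks):
    """Render the summary as the bullet lines a strategy slide would carry."""
    lines = []
    for driver, entry in summarize(risks).items():
        title, score = entry["max"]
        lines.append(
            f"{driver}: {entry['count']} risks "
            f"({entry['Act']} Act, {entry['Evaluate']} Evaluate, {entry['Accept']} Accept); "
            f"highest: {title} ({score})"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(RISKS)))
    print("Act zone:", [f"{t} ({s})" for _, t, s in high_risks(RISKS)])
```

With these assumed cut-offs, Protect Brand ends up with six risks in the Act zone and Compliance with seven entries, which matches the counts quoted on the "Risks Grouped By Business Driver" slide; the two thresholds are the knob a risk owner adjusts once the impact and frequency scales have been calibrated.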
Data Related Threats
• Threats
  • Regulatory costs: fines associated with accidental loss or theft of data; initiated by report or complaint to the Office of Civil Rights (OCR)
  • Criminal organizations: data theft and discovery
  • Complaint from OCR, Health & Human Services (HHS), or patient
• OCR Fines, Audit, and Remediation Costs
  • Required annual compliance program and audit regardless of breach volume
  • Subjective fine determination based on knowledge of loss, control awareness, and effectiveness (see notes for references)
  • Fines range from $2 to $5,208 per record; avg. fine $255 per record
• Examples
  • Wellpoint: inadequate general controls, loss of 612,402 records, $1.7M fine
  • North Idaho Hospice: “unsecured Data,” <500 records, $50k fine
Note: specific to industry; leverage ISACs and intel. services
Local Industry Collaboration
• Project to meet & collaborate with <peer> security leaders on: Information Security priorities; investment levels; optimal organizational structure
Note: summarize outreach efforts for industry comparison
Calibrated Risk Scale Definitions
Impact scale
Value | Direct Costs | Indirect Costs | Examples
10 | Revenue: missed targets of $xxx,xxx; Regulatory: fines & audits of... | Competitive: differentiator of...; Goodwill: customer departure of... | Focus: mitigate risk, e.g. material loss estimated above $xx,xxx,xxx.
... | | |
6 | Revenue: limited to department...; Regs: increased scrutiny... | Goodwill: customer churn of 5-10%... | Focus: owner judgment, e.g. business considerations.
Frequency scale
Value | Description | ARO Guide | Examples
10 | Strong evidence of imminent realization, precedent exists, reliable intelligence. | > 1 annually, see risk details for estimates | Known control weaknesses of..., confirmed agent...
... | | |
6 | Difficult to exploit without internal... | Realized once in 4 years... | Private system, agent unconfirmed
Strategy Communication
Mission success requires stakeholder awareness, support, & participation
Stakeholder | Communication | Means | Frequency
Board of Directors | State & Compliance Summary | BoD Summary | Semi-Annual
Executive Team | State, Compliance, & Initiative Summary | Executive Summary; Metric Summary | Quarterly
Business Lines | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Semi-Annual
IT | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Monthly
Employees/Customers | Awareness Training & Measurement | Awareness Training; User Intranet; Engagement Portal | Semi-Annual
Key Performance Indicators
(Reference Master Metrics List; starter set below)
• Security Incidents: no. critical & emergency incidents; no. of moderate incidents
• Access Management: % accounts de-provisioned within standard
• Device Security: % of production servers compliant to minimum standards
• Application Security: % apps with security assessment completed; # critical vulns in production
• IT/Biz Project Support: # long-term engagements; # medium & short term engagements; # of unplanned, short projects
• Security Program: % security initiatives completed on time
Complete Risk Statements
Risk
• Impact
  • Direct: Regulatory, Recovery, Revenue
  • Indirect: Goodwill, Scrutiny, Competitive
  • Corrective Capability
• Frequency
  • Vuln. Attributes: Complexity, Vector, Access, Availability
  • Control Effectiveness: Roles, Awareness, Tools, Policy & Process, Detect/Deter
  • Agent: Capability-motivation, Occurrence
Executive Discussion Example (unsorted)
Question | Answer (in strategy deck) | Balanced Score Card Category | High Level Measurements
Has anything bad happened? | # High incidents; # Medium incidents; # Near misses | Financial | # High incidents; # Medium incidents; # Near misses
What are the top risks? | Top risk estimates, e.g. Heat Map | Financial | % risks with treatment decisions; % unacceptable risks under mitigation; +/- % Annual budget
What are we doing about them? | Funded initiatives; Future initiatives | Learning & Growth | +/- % Initiative budget (amount); $ estimate future initiatives
Are we improving internally? | Target process maturity | Learning & Growth | % Processes at target maturity; +/- # Process improvement initiatives (count)
How are we helping the business? | Strategy alignment; Training; Consulting | Customer | % business strategies aligned with Security; % training objectives met; # business & IT consulting projects
Is our environment resilient? | Control metrics | Internal Business | % key controls with metrics; % metrics at/above target
Are we compliant? | Passed last year; Overdue findings; Repeat findings | Internal Business | # overdue findings; # repeat findings
Are we efficient? | Initiatives on time & budget | Internal Business | Budget to Forecast variance; % Initiatives completed on time & budget
Balanced Security Scorecard (Example)
Financial
• Risks: % risks with treatment decisions; % unacceptable risks under mitigation; +/- % annual budget
• Incidents: # high incidents; # medium incidents; # near misses
Internal Business
• Resiliency: % key controls with metrics; % metrics at/above target
• Compliance: # overdue findings; # repeat findings
• Efficiency: budget to forecast variance; % initiatives completed on time & budget
Learning & Growth
• $ initiative budget (+/- last year); # process improvement initiatives (+/- last year); $ estimate future initiatives; % processes at target maturity
Customer
• % business strategies aligned with Security Services; % training objectives met; # business & IT consulting projects (+/- % budgeted)
<Services> Maturity Plan
Component | Current State | FY15 | FY16 | FY17
Assessment Services | | | |
Security Operations & Engineering | | | |
Emergency Preparedness | | | |
Program Administration | | | |
Governance, Compliance, Reporting | | | |
Investigations & Response | | | |
Each row is scored on a 1 to 5 scale from Ad Hoc to Optimized.
Risk Assessment Deliverables
Type | Output | Purpose | Duration
Ad Hoc Risk Statement | Email, Meeting | Clarify Policy | 1-2 Hours
Position Paper | 1-2 Page Document | Official Team Statement | 1 Week
Project Support | Document | Identify Security Requirements | Varies
Detailed Assessment | Document | Active Evidence Collection, Testing | 2-3 Weeks
Strategic | Presentation & Document | Prioritize Budget | Quarterly Updates – Annual Budget