Post on 03-Jul-2020
February 2003
Strategies for Implementing Security
Ernst & Young Confidential and Proprietary- 2 -
Security Architecture Framework
Framework diagram (domains and their elements):
§ Security Program Compliance and Reporting
– Auditing and Testing
– Metrics Definition and Collection
– Reporting (management, regulatory, 3rd party)
– Program Quality
§ Governance, Policies and Standards
– Governance Structure
– Policies
– Technology-Independent Standards
§ Asset Profile (Technology, Physical, Information)
– Inventory, Ownership, Risk Profile, Classification
§ Technology Specifications
– Minimum Security Baselines: Operating Systems, Databases, Applications, Networks
§ Business Drivers
– Business Strategies
– Industry Regulations
– Acceptable Risk
§ People & Organizational Management
– Organizational Structure
– Functional Definition
– Roles and Responsibilities
– Skills/Resource Plan
§ Technical Security Architecture
§ Processes and Operational Practices
– BCP/DR/Crisis Management
– Incident Response
– Identity & Access Mgmt
– Security Development/Deployment
– Certification & Accreditation
– Security Awareness/Education
– SLA Definition / Management
– Security Monitoring
– Physical Security
– Vulnerability Mgmt
– Risk Management
– 3rd Party Security
– Asset Management
Confidentiality, Integrity and Availability
§ Confidentiality – Ensuring that only authorized personnel have access to information
§ Integrity – Ensuring that information is unchanged and accurate
§ Availability – Ensuring that information is available to the user when it is needed
Business Drivers
§ Regulations
§ Guidelines
§ Business Requirements
§ Customer Requirements
§ Business Partner Requirements
Policies
§ Demonstrate support for, and commitment to, information security
§ States policy across the entire enterprise
§ Broad statement of principle
§ Long term; changed infrequently
§ Few in overall number
§ Provide overall direction for the organization
§ Mandatory; require formal exception process
§ Process and technology independent
§ Require a high level of authority to create, change or eliminate
Standards
§ Suitable for complying with policies
§ Specify a course of action
§ Mandatory; require formal exception process
§ Process and technology independent
§ Mid-level authority required to create, change or eliminate
Procedures / Guidelines
§ Process and/or technology dependent
§ Require a low level of authority to create, change or eliminate
§ May have a high level of complexity
§ Generally apply enterprise-wide, with some exceptions locally
§ May be situation-specific
§ May require formal exception process
Policy Management / Administration
§ Development: Planning and creation of the policy
§ Review: Assessment of the policy by an independent party
§ Approval: Authorizing implementation of the policy
§ Communication: Dissemination of policy to enterprise
§ Implementation: Initial execution of the policy
§ Compliance Monitoring: Tracking and reporting on the effectiveness
§ Exception Approval: Evaluation, documentation and tracking of exceptions
§ Maintenance: Ensuring currency
Asset Management - Process and Guidelines
– Provide simple, consistent and timely classification and authorization processes
– Balance between protection of and access to an organization’s business information
– Provide clear guidelines for employees and contractors for the classification and handling of information
Asset Management - Asset Inventory
– Maintain an inventory of assets, link those assets to owners, and identify technologies supporting key applications or groups of applications
– Enable organizations to track security controls implemented to protect assets
– Support the monitoring of ongoing threats that may be introduced into the asset environment
Technical Security Architecture
§ Multi-tiered centrally managed approach to Internet access
§ All access to the Internet is controlled via password protected proxy devices that filter inappropriate content
§ Third party connectivity is controlled via connections to distinct network segments
§ Connections to the enterprise network are only made after a review of controls at connecting organization
Technical Security Architecture
§ Network-based intrusion detection in place for all external network connections
§ Host-based intrusion detection in place for all business critical servers
§ Production data is strictly segmented from development data
Technical Security Architecture
§ Multiple tiers of virus protection exist
§ All email is filtered through a virus scanner
§ All file servers and workstations are protected via a managed (push-technology) virus protection solution
§ Encryption Standards are employed consistently across enterprise
§ Only Standards Based Encryption is used
§ Centralized Directory (LDAP) in use
Processes and Operational Practices
§ Business Continuity Management
– Critical Business Processes are identified and linked to Applications
– Business Applications are linked to IT Disaster Recovery Plans
§ Incident Response
– Documented Incident Response Plans define roles and actions
– Ensure proper control of information released to the public
§ Identity and Access Management
– Users are centrally managed
– Tools may assist in user provisioning
Processes and Operational Practices
– Security Development / Deployment
• A formal security requirements analysis of new applications and releases of existing applications
• Security is involved from the beginning
• Appropriate security controls, including activity logs, strong authentication methods, secure data storage techniques, and data validation, are included
• Certification and Accreditation
– Security Awareness and Education
• Regular Awareness conducted
– SLA Definition
Processes and Operational Practices
§ Security Monitoring
– Monitoring all critical systems to ensure compliance with Corporate configuration policies and standards
– Intrusion Detection linked to Incident Response
§ Physical Security
– All Critical Servers located in Data Center
– Segmented from regular office location
– Adequate controls exist for access
– Environmental Controls in place
§ Vulnerability Management
– Process in place to obtain and review vulnerabilities and ensure timely remediation
Processes and Operational Practices
§ Risk Management
– Formal process for conducting risk assessments
– Ongoing process
§ 3rd Party Security
– Parameters for connecting 3rd parties well documented
§ Asset Management
– All business critical platforms have security standards that are applied before deployment
– There are clearly documented and communicated exception policies for individual machines that may not meet corporate security standards
Processes and Operational Practices
§ Change Management
– Review all components: computer software, data transfers, database fields and structures, and hardware that could be impacted
– A database is maintained that contains the relationships between all applications, hardware, and data
– Change control review boards exist that have significant interaction with business leaders
– All program changes including infrastructure changes are reviewed
– Mirror images of production systems exist for comprehensive testing of programs
Technical Specifications
§ All Major Platforms are identified
§ Minimum Security Baselines for Specific platforms in use
§ Technical Specifications for technologies created before implementation
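The Asset Inventory, Asset Management (pre-deployment standards and documented exceptions) and Technical Specifications points above come together in a baseline compliance check. The following is an added example, not code from the deck or from Ernst & Young; every platform, setting, asset and approver name in it is constructed, and it goes slightly beyond the slides by also producing the per-platform metrics the compliance and reporting domain asks for.

```python
"""Minimum-security-baseline compliance check over an asset inventory.
Added example, not from the Ernst & Young deck; every platform, setting, asset
and approver name below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed minimum security baselines (MSBs), one per identified platform:
# setting -> required value. Real MSBs are far longer.
BASELINES = {
    "linux": {"ssh_root_login": "no", "password_auth": "no", "audit_daemon": "enabled"},
    "windows": {"smbv1": "disabled", "guest_account": "disabled", "audit_policy": "enabled"},
    "oracle-db": {"remote_os_authent": "false", "default_accounts_locked": "true"},
}

@dataclass(frozen=True)
class Asset:
    """Inventory record linking an asset to its owner, platform and application."""
    name: str
    owner: str            # empty string means no owner has been assigned
    platform: str
    application: str
    classification: str
    config: dict          # observed settings, as collected from the asset

# Exception register: (asset, setting) -> (approver, expiry date). An approved,
# unexpired entry documents a deviation from the baseline on that one asset.
EXCEPTIONS = {
    ("web-01", "password_auth"): ("ciso-office", date(2003, 12, 31)),
    ("file-01", "smbv1"): ("ciso-office", date(2003, 1, 31)),   # lapsed before TODAY
}

def check_asset(asset, baselines, exceptions, today):
    """Compare one asset with its platform baseline.
    Returns a list of findings {setting, expected, actual, status}; status is
    one of pass, fail, excepted, expired-exception."""
    findings = []
    if not asset.owner:
        # Ownership is itself an inventory requirement, so its absence is a finding.
        findings.append({"setting": "owner", "expected": "assigned",
                         "actual": "", "status": "fail"})
    baseline = baselines.get(asset.platform)
    if baseline is None:
        # A platform without a baseline cannot be assessed; report it, do not skip it.
        findings.append({"setting": "baseline", "expected": "defined",
                         "actual": asset.platform, "status": "fail"})
        return findings
    for setting, expected in baseline.items():
        actual = asset.config.get(setting, "<unset>")
        if actual == expected:
            status = "pass"
        elif (asset.name, setting) not in exceptions:
            status = "fail"
        elif exceptions[(asset.name, setting)][1] < today:
            status = "expired-exception"    # approval lapsed: non-compliant again
        else:
            status = "excepted"
        findings.append({"setting": setting, "expected": expected,
                         "actual": actual, "status": status})
    return findings

def compliance_report(assets, baselines, exceptions, today):
    """Per-platform metrics for management reporting. Excepted settings count as
    compliant; failures and expired exceptions do not."""
    report = {}
    for asset in assets:
        entry = report.setdefault(asset.platform, {
            "assets": 0, "checks": 0, "pass": 0, "fail": 0,
            "excepted": 0, "expired-exception": 0})
        entry["assets"] += 1
        for finding in check_asset(asset, baselines, exceptions, today):
            entry["checks"] += 1
            entry[finding["status"]] += 1
    for entry in report.values():
        compliant = entry["pass"] + entry["excepted"]
        entry["compliance_rate"] = (round(100.0 * compliant / entry["checks"], 1)
                                    if entry["checks"] else 0.0)
    return report

# Constructed inventory: one compliant DB, one excepted web host, one file server
# with a lapsed exception and no owner, one platform with no baseline at all.
ASSETS = [
    Asset("erp-db-01", "finance-it", "oracle-db", "ERP", "confidential",
          {"remote_os_authent": "false", "default_accounts_locked": "true"}),
    Asset("web-01", "ecommerce", "linux", "Web store", "internal",
          {"ssh_root_login": "no", "password_auth": "yes", "audit_daemon": "enabled"}),
    Asset("file-01", "", "windows", "File shares", "internal",
          {"smbv1": "enabled", "guest_account": "disabled", "audit_policy": "enabled"}),
    Asset("legacy-ctrl-01", "plant-ops", "vms", "Plant control", "confidential", {}),
]
TODAY = date(2003, 2, 15)

if __name__ == "__main__":
    for platform, e in compliance_report(ASSETS, BASELINES, EXCEPTIONS, TODAY).items():
        print(f"{platform:10} checks={e['checks']} fail={e['fail']} "
              f"expired={e['expired-exception']} compliance={e['compliance_rate']}%")
```

With the constructed data, the Windows file server reports 50% compliance because its lapsed exception and missing owner both count against it, while the unbaselined platform scores 0% and surfaces as a gap in the baseline catalogue rather than disappearing from the report.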
Security Organization - Executive Sponsorship
§ Security concerns are issues of corporate governance
§ Identify and communicate high level executive sponsorship to manage information security risks
§ Recognize information security as a business issue that requires people, technology, policy, and process to implement
Security Organization - Reporting Relationships
§ Industry trend is for Chief Information Security Officers (CISO) to report independent of the IT organization and directly to executive management
§ Leading practice is a direct reporting relationship to the CIO, with dotted line or committee interface to other business and operations executives
§ Some organizations have established dotted line interfaces to the audit committee
Security Organization - Structure
§ Structure is clearly defined and communicated in leading organizations
§ Reporting levels are appropriately aligned and have appropriate authority
§ Blends of both centralized and de-centralized security structure
§ Decentralized business unit or functional security units are aligned with centralized corporate security function
Security Program Compliance and Reporting
§ Measures effectiveness of Security Program
§ Conducts Compliance reviews across all domains of influence
§ Reports across the Enterprise
§ Security Audits performed on a risk basis
§ Clear Goals have been defined for projects