Developing an Information Security Program (transcript)
2011 National BDPA Technology Conference
Developing an Information Security Program
Shauna Cox
August 3 – 6, 2011
Chicago, IL
Presentation Objectives
• Understand the components of an Information Security Program.
• Understand the internal & external factors that impact Information Security Program development.
• Describe the various approaches used to develop an Information Security Program.
Agenda
I. Need for Information Security Program
II. Program Components
III. Methodologies / Standards
IV. Information Security Program Development Process
V. A Day In The Life
Reality
A Hacker has to be successful once.
A Security Professional must be successful every time.
Why is an Information Security Program Needed?
• Technology & Business Cycle Changes
• Regulatory Requirements
• Potential Security Threats
• Sophistication of Attacks / Attackers
• Strategic Necessity
Technology & Business Cycle Changes
• Decentralization of computing resources
• Accessibility of technology for novices & experts alike
• Technology dependency
• Layers of technology architecture
Regulatory Requirements
• FISMA
• HIPAA
• SOX
• Computer Security Act
• U.S. Privacy Act
Potential Threats
• Terrorism / Cyber-Terrorism
• Uninformed Users (Social Engineering)
• Disgruntled Users / Employees
• Intentional Hackers
Sophistication of Attacks
• Availability of Technology
• Greater Modes of Organization (e.g., social networking)
• Enhanced Technical Skills
• Easier to Maintain Anonymity
• Potentially Lucrative (e.g., organized criminals)
Strategic Necessity
• Competitive Survival & Advantage
• Business / Technology Alignment
Myth
Information Security Policy =
Information Security Program
Information Security Principles
People, Places & Things
• Roles & Responsibilities
• Scope of Authority
• Tools & Techniques
Roles & Responsibilities
• Information Security Function
• Executive Management
• Organizational (Line) Management
• Users
Information Security Function
• Develop, maintain & help enforce information security policies, procedures and controls.
• Oversee the deployment and integration of security solutions.
• Serve as an advisor on IT security-related issues.
Executive Management
• Provide the strategic vision for an information security program.
• Approve strategic goals and ensure information security is integrated into management processes.
• Ensure enterprise compliance with applicable regulatory directives.
Management
• Ensure compliance & help facilitate awareness of organizational information security policies & procedures.
• Enforce rules for appropriate use and protection of organization’s systems.
• Ensure proper segregation of duties in operational areas.
• Follow appropriate procedures and provide first-line authorization for system access.
Users
• Adhere to organizational policies and procedures.
• Protect individual user accounts and passwords used to access systems.
• Report known or suspected IT security breaches to appropriate personnel.
• Treat all information with the sensitivity necessary in accordance with applicable information classification systems.
Scope of Authority & Need
Tools & Techniques
• Standards
• Security Monitoring Tools
• Organizational Process Assets (policies, procedures, etc.)
Information Security Program Components
• Executive Commitment
• Policies & Procedures
• Monitoring Processes / Metrics
• Governance Structure
• Awareness Training
Executive Commitment
• Executives must understand the strategic impact of information security.
• Executive management articulates the priority of information security in word & in deed.
• The role of the information security function must adhere to a level of independence (i.e., reporting structure should be appropriate).
Policies & Procedures
• Acceptable Use
• Incident Handling
• Security Violations
• Identity Management
• Physical Security
Metrics
• Financial
• Application-based
• Incident Management
• Change Management
• Vulnerability Management
Governance Structure
Governance: “…a set of responsibilities & practices exercised by the Board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly”.
Source: IT Governance Institute (Board Briefing on IT Governance, 2nd Edition)
Awareness Training
Who?
How?
Methodologies / Standards
• ISO 17799, developed by ISO, includes 10 domains
• CobiT, developed by ISACA, is derived from COSO
ISO 17799 Domains
• Information Security Policy
• Information Security Infrastructure
• Asset Classification & Control
• Personnel Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• System Development & Maintenance
• Business Continuity Management
• Compliance
Program Development Process
• Plan & Organize
• Implement
• Operate & Maintain
• Monitor & Evaluate
Source: All-In-One CISSP Exam Guide, 4th Edition, by Shon Harris
31
Plan & Organize
• Establish commitment & oversight
• Conduct risk assessment
• Develop security architecture
• Identify solutions
Implement
• Assign roles & responsibilities
• Develop & implement policies, procedures, etc.
• Implement security blueprints
• Implement security solutions
• Develop audit & monitoring mechanisms
• Establish SLAs
Operate & Maintain
• Ensure baselines are met based on blueprints
• Conduct audits
• Manage SLAs
Monitor & Evaluate
• Review logs, audit results, metrics
• Assess goal accomplishments
• Evaluate via governance structure
A Day in the Life
Conduct Self-Assessments
Respond to Audits
Train & Educate
Provide Expertise
Monitor Systems
Manage Projects
Track Compliance
Gauge SLA Adherence
Game Changers
• Cloud Computing
• Mobile Computing
• Social Networking
Resources
• NIST
• ISC2
• ISACA
• SANS Institute
Questions