Security Governance: What, Why, How

1
Security Governance What, Why, How?

• Presented by
• Jason A Witty, CISSP

2
What is Security?

• A firewall?
• A group of paranoid IT staff?
• An intrusion prevention mechanism?
• A process to keep your data safe?
• A deterrent?
• An enabler?
• A road block?

3
Security is Many Things
Source IBM Global Services
4
Security Must be Holistic
Source IBM Global Services
5
Security The Big Picture
Source IBM Global Services
6
Why Do We Need A Holistic Approach?

• Your entire staff must protect against
• thousands of security problems
• Attackers only need one thing to be missed.
• But with appropriate planning and execution, a
  comprehensive information security program will
  protect your corporate assets.

7
So What is Security Governance?

• The Information Systems Audit and Control
• Association Foundation (ISACA)'s Definition
• "Establish and maintain a framework to provide
  assurance that information security strategies
  are aligned with business objectives and
  consistent with applicable laws and regulations."
• From http//www.isaca.org/cismcont1.htm

8
Governance AppropriateLevels of Security
ISO 17799 (Best Practices)
1
2
How much is enough?
3
4
5
6
Classification Control of Assets
7
8
Environmental Physical Security
9
8
6
10
7
1
5
4
2
3
9
10
Source Forsythe Solutions, used with permission
9
Goals of Security Governance

• Link business strategy to security strategy
• Ensure senior management understands information
  risk and supports the information security
  program
• Ensure all employees understand their information
  security responsibilities
• Ensure proper business representation during
  security policy review processes

10
Governance Goals - 2

• Decrease litigation risks by ensuring corporate
  policies take legal regulatory environment into
  account
• Create procedures and guidelines that
  operationalize information security policies
• Develop information security value proposition
  and measure program effectiveness

11
Some Regulations to Consider

• US HIPAA
• US Gramm Leach Bliley (GLBA)
• US California SB 1386 mandates public
  disclosure of computer-security breaches in which
  confidential information may have been
  compromised. Becomes active on July 01 2003.
• UK Data Protection Act of 1998
• EU European Data Directive 95/46/EC
• NL Personal Data Protection Act
• http//www.privacyinternational.org/countries/inde
  x.html

12
Privacy Due Care Requirement

• Federal Trade Commission required that Eli Lilly
  and Company redress a privacy violation from June
  2001.
• An E-Mail with the names of all 669 subscribers
  listed in the TO field went to users of the
  www.prozac.com medication reminder service.
• It was an unintentional leakage of personal
  information.
• This was a violation of Lillys privacy policy.
• Lilly failed to maintain and protect the privacy
  of sensitive information.

13
FTC Consent Decree

• Lilly is required to implement a security and
  privacy program that does the following
• Designate personnel to coordinate and oversee the
  program.
• Identify reasonably foreseeable internal and
  external security risks.
• Conduct an annual review to monitor effectiveness
  and compliance with the program.
• Adjust the program to address changes in the
  business and any recommendations.
• www.ftc.gov/opa/2002/01/elililly.htm

14
How to Implement Security Governance

• Have a dedicated security organization with the
  right charter from executive management
• Build strong relationships with business
  stakeholders
• Gain trust and buy-in
• Establish review and approval processes
• Establish governance team(s) - committees
• Schedule regular meetings
• Report issues and exceptions to senior management
• Integrate security awareness training education
  into employee job responsibilities

15
Stakeholders in Security Governance

• Legal
• Audit
• Physical Security
• IT Operations

• HR
• PR
• Privacy Team
• Info-Security Team

16
Things to Watch Out For

• 1) Not having a written policy
• 2) If you have a written policy..
• Can it can be enforced?
• Does management buy-in to implementing the
  policy? Does funding exist?
• Does technology exist? Is it mature?
• Do proper skill-sets exist?
• How are users educated and updated?
• How are exceptions and violations handled?
• 3) Politics
• 4) Not being aware of your regulatory obligations
• 5) Trying to do everything at once

17
When Governance is Implemented Correctly

• Cross-functional executive committee reviews and
  approve corporate security policies
• Employees are regularly trained, and understand
  all security policies and responsibilities
• Metrics are captured to regularly measure and
  report program efficiency
• Incidents are tracked
• Regular vulnerability assessments are conducted
• All exceptions are rated by risk level and
  regularly reviewed corrected in a timely
  fashion

18
When Governance is Implemented Correctly - 2

• Repeatable processes ensure security is inserted
  very early in project and systems lifecycles
• Security is built into corporate culture and is
  viewed as a competitive advantage
• Executive buy-in is obvious videos, regular
  emails, posters, etc.

19
Questions?