Title: An Enterprise Approach
A Shift of Paradigm

Then: Information Risk Management
- Management of threats to technology (legacy policies/standards)
- Unfunded mandates
- Procedural/prescriptive
- Technology driven
- Uncoordinated policies
Results: IT control of security; controls (limits) on the use of technology, driven by technical staff.

Now: Information Systems Risk Management
Attributes of controls going forward:
- Be business mission requirement driven
- Be risk-focused and control-based
- Be a cohesive information security program
- Be enabling of business processes
- Support the business environment
- Support deliberate investment decisions on controls
Results: Controls on risk from the operation of information systems, driven by business/service owners.
Diverse Requirements

A standards-based information security framework (i.e., risk management) must satisfy requirements coming from several directions at once:
- Statute: federal, state and local
- Regulations: SOX, HIPAA, GLB, PCI-DSS, etc.
- Missions: diverse/independent
- Business goals: protect, enhance revenue, avoid costs
Common Understanding

Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (44 U.S.C., Sec. 3502)

Information Resources: Information and related resources, such as personnel, equipment, funds, and information technology. (44 U.S.C., Sec. 3502)

Information Technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources. (40 U.S.C., Sec. 1401)
The Business Model

The Business Mandate/Mission
  Primary Function
    Lines of Business: each LOB (sub-mission) is carried out through Business Processes
      Business Process
        Information Systems: one or more Info Sys support each business process

Key Concept: There are some organizational Lines of Business that are critical to the accomplishment of the organization's Mission. Thus, there are some Information Systems that are critical to the accomplishment of the organization's mission.
The Business Mandate/Mission

Statute, Regulations, Policy and Business Constraints (Budget, Environment, etc.) shape the Business Mandate/Mission, which flows down through:
- Lines of Business (several, each with its own sub-mission)
- Business Requirements
- Business Solutions (that is, how do people process information)
- Risk to Business Solutions from the operation of Information Systems
- Design Requirements
- Information Systems (each composed of People/Process/Information)
- Requirements of Technology
- Technology A, Technology B, ... Technology Z
The Business Mandate/Mission (with risk management applied)

The same flow, with Statute, Regulations, Policy and Business Constraints (Budget, Environment, etc.) at the top, now carries risk management through it:
- Lines of Business
- Risk Management Decisions
- Business Solutions (that is, how do people process information)
- Risk to Business Solutions from the operation of Information Systems
- Information Systems (People/Process/Information), subject to Evaluations
- Controls on Risk, expressed as People Security Requirements, Process Security Requirements, Information Security Requirements and Technology Security Requirements
- Technology A, Technology B, ... Technology Z
- Security Plans
How To

Authorization of an Information System (People/Processes/Information/Technology):

Identify Proponent
Define Boundaries
1. Risk Management Process (iterative): Security Plan, Risk Assessment Report, Plan of Action and Milestones
2. Security Authorization Package: Security Plan, Assessment Report, Plan of Action and Milestones
3. Authorization To Operate
How Policy Works

A Common Understanding of Terms

Policy: A high-level statement of requirements, often in business language, that sets and/or communicates strategic direction. (Mandatory)

Standard: A mid-level set of requirements that translate policy statements into actionable statements, bridging the gap between business and operations. (Mandatory)

Guideline: A mid-to-low-level set of process or procedural instructions designed to assist operations in achieving business requirements and strategy. (May be optional.)

Procedure: Low-level documentation of specific steps or activities required to complete a task, that meets standards and implements policy. (Mandatory)
How Policy Works

Enterprise Common/Strategic Portion: establishes the baseline foundation
- Information System Security Policy
- Information System Authorization Policy
- Standards/Guidelines
- Other Requirements
These act as constraints and restraints on the local portion.

Local Portion: organizational unit-specific (may exceed baseline requirements)
- Local Policies
- Information System Security Plan
- Local Procedures
- Authorization To Operate
Discussion

Kevin R Winegardner, BS, CISSP
Chief, Enterprise Information System Security Bureau, State of Montana
406-444-2571
kwinegardner_at_mt.gov

Thank you