Title: Security Governance: What, Why, How?
1 Security Governance: What, Why, How?
- Presented by Jason A. Witty, CISSP
2 What is Security?
- A firewall?
- A group of paranoid IT staff?
- An intrusion prevention mechanism?
- A process to keep your data safe?
- A deterrent?
- An enabler?
- A road block?
3 Security is Many Things
Source: IBM Global Services
4 Security Must be Holistic
Source: IBM Global Services
5 Security: The Big Picture
Source: IBM Global Services
6 Why Do We Need A Holistic Approach?
- Your entire staff must protect against thousands of security problems.
- Attackers only need one thing to be missed.
- But with appropriate planning and execution, a comprehensive information security program will protect your corporate assets.
7 So What is Security Governance?
- The Information Systems Audit and Control Association Foundation (ISACA)'s definition:
- "Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations." - From http://www.isaca.org/cismcont1.htm
8 Governance: Appropriate Levels of Security
[Figure: ISO 17799 (Best Practices) control areas, numbered 1 to 10, plotted against the question "How much is enough?"; labelled areas include "Classification & Control of Assets" and "Environmental & Physical Security"]
Source: Forsythe Solutions, used with permission
9 Goals of Security Governance
- Link business strategy to security strategy
- Ensure senior management understands information risk and supports the information security program
- Ensure all employees understand their information security responsibilities
- Ensure proper business representation during security policy review processes
10 Governance Goals - 2
- Decrease litigation risks by ensuring corporate policies take the legal and regulatory environment into account
- Create procedures and guidelines that operationalize information security policies
- Develop the information security value proposition and measure program effectiveness
11 Some Regulations to Consider
- US: HIPAA
- US: Gramm-Leach-Bliley Act (GLBA)
- US: California SB 1386 mandates public disclosure of computer-security breaches in which confidential information may have been compromised. Becomes active on July 01 2003.
- UK: Data Protection Act of 1998
- EU: European Data Directive 95/46/EC
- NL: Personal Data Protection Act
- http://www.privacyinternational.org/countries/index.html
12 Privacy Due Care Requirement
- The Federal Trade Commission required that Eli Lilly and Company redress a privacy violation from June 2001.
- An e-mail with the names of all 669 subscribers listed in the TO field went to users of the www.prozac.com medication reminder service.
- It was an unintentional leakage of personal information.
- This was a violation of Lilly's privacy policy.
- Lilly failed to maintain and protect the privacy of sensitive information.
13 FTC Consent Decree
- Lilly is required to implement a security and privacy program that does the following:
  - Designate personnel to coordinate and oversee the program.
  - Identify reasonably foreseeable internal and external security risks.
  - Conduct an annual review to monitor effectiveness and compliance with the program.
  - Adjust the program to address changes in the business and any recommendations.
- www.ftc.gov/opa/2002/01/elililly.htm
14 How to Implement Security Governance
- Have a dedicated security organization with the right charter from executive management
- Build strong relationships with business stakeholders
- Gain trust and buy-in
- Establish review and approval processes
- Establish governance team(s) - committees
- Schedule regular meetings
- Report issues and exceptions to senior management
- Integrate security awareness training and education into employee job responsibilities
15 Stakeholders in Security Governance
- Legal
- Audit
- Physical Security
- IT Operations
- HR
- PR
- Privacy Team
- Info-Security Team
16 Things to Watch Out For
- 1) Not having a written policy
- 2) If you have a written policy...
  - Can it be enforced?
  - Does management buy in to implementing the policy? Does funding exist?
  - Does technology exist? Is it mature?
  - Do proper skill-sets exist?
  - How are users educated and updated?
  - How are exceptions and violations handled?
- 3) Politics
- 4) Not being aware of your regulatory obligations
- 5) Trying to do everything at once
17 When Governance is Implemented Correctly
- A cross-functional executive committee reviews and approves corporate security policies
- Employees are regularly trained, and understand all security policies and responsibilities
- Metrics are captured to regularly measure and report program efficiency
- Incidents are tracked
- Regular vulnerability assessments are conducted
- All exceptions are rated by risk level, regularly reviewed, and corrected in a timely fashion
18 When Governance is Implemented Correctly - 2
- Repeatable processes ensure security is inserted very early in project and systems lifecycles
- Security is built into corporate culture and is viewed as a competitive advantage
- Executive buy-in is obvious: videos, regular emails, posters, etc.
19 Questions?