Date posted: 11-May-2015 | Uploaded by: nooralmousa
May 2011
© 2011 Deloitte & Touche
• There is no single universal model for organizational structure to ensure that the Information Security requirements for the organization are adequately met.
• There is still some uncertainty regarding what such Information Security Governance actually consists of.
• Information Security Governance does not function in isolation.
• Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each.

How do organizations currently operate globally and in the Middle East?
Information Security Governance
• 17% of organizations globally have a person responsible for Information Security (33% in the Middle East).
• 40% of CISOs globally report directly to IT-related positions (CIO, IT executive and CTO) (31% in the Middle East).
• Only 67% of respondents indicate that they have a security governance structure (49% in the Middle East).
• Only 56% of respondents indicate that they have a documented and approved information security strategy (38% in the Middle East).
• Only 18% of respondents have established metrics that are aligned to business value and are reported on a scheduled basis (15% in the Middle East).
• Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives (32% in the Middle East).
Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled.

Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed.
Subsets of Corporate Governance include:
• Financial Governance
• Information Technology Governance
• Enterprise Risk Governance
• Information Security Governance
The structure, oversight and management processes which ensure the delivery of overall corporate governance require integration between the different subsets of the Corporate Governance Model.

An organization's Information Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals".
[Diagram: Information Security Organization. Corporate Governance encompasses Legal Governance, Enterprise Risk Governance, Information Technology Governance and Information Security Governance; Information Security Governance in turn comprises Information Security Management and Information Security Operations.]
"Information Security Governance", "Information Security Management" and "Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet Business, Risk and IT goals.

Very broadly:

Information Security Governance: exists to ensure that the security program adequately meets the strategic needs of the business.
Information Security Management: implements that program.
Information Security Operations: executes or manages security-related processes relating to current infrastructure on a day-to-day basis.

Each of these layers must engage with the corresponding layers throughout the enterprise.
[Diagram: organizational model showing the Information Security Governance, Information Security Management and Information Security Operations layers alongside Corporate Risk Management, Lines of Business Management, IT Operations, the Chief Information Officer (CIO), 3rd Party Service Providers, the Information Security Steering Committee, the Information Security Advisory Board and the Information Security Communication Forum.]
Prudent CISOs are building their Security Governance Strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in.
[Diagram: Security Governance cycle of 1. Plan, 2. Implement, 3. Manage and 4. Monitor, spanning Process, Culture, Controls, Integration, Technology and People.]
Without alignment, Information Security Governance operates in a vacuum and will implement security controls that are invariably either too strong (and thus expensive and restrictive) or too weak, resulting in too much residual risk.
The following 4 domains must be considered when establishing an Information Security Governance Program:
Plan
• Security Program Strategy
• Security Architecture
• Security Budget
• Governance Policy Management

Implement
• Develop Governance Processes
• Institute Governance Forums
• Security Policy Review and Development

Manage
• Accountabilities
• Funding
• Conflict Conciliation and Arbitration
• Program and Project Oversight

Monitor
• Project Oversight
• Value Assessments
• Operational Oversight
• Metrics and Measurement
Security Program Strategy
1. Current State
2. Desired State
3. Gap Analysis
4. Project and Initiatives Derived from the Gap Analysis
5. A Reporting Framework
Security Architecture
Security architecture is the planning discipline that provides the foundational models, templates and principles that support the program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse.
• Security Operations
• Security Monitoring and Review
• User Management
• User Awareness
• Application Security
• Database / Metadata Security
• Host Security
• Internal Network Security
• Network Perimeter Security
• Physical and Environmental Security
Security Budget Planning
The process of allocating financial resources to information security projects and operational activities.
Governance Policy Management
Sets the principles for policy management, specifically regarding issues such as:
• Ownership
• Documentation standards
• Approval and formalization procedures
• Enforcement regimes
• Review and exception procedures
Develop Governance Processes
Design the governance processes:
• The goal of the process
• The action steps to be taken and in what sequence
• The responsibilities associated with the process
• The process flow
Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks.

Institute Governance Forums
Establish governance forums and a steering committee to:
• Establish the accountabilities and responsibilities for information security
within the organization.
• Oversee the governance processes.
• Commission and sponsor the corporate information security program.
Security Policy Review and Development
Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of your organization's information security policy. Identify major strengths and weaknesses of the policy and provide recommendations for improvement.
Design and explain management processes to the respective stakeholders for implementation:
Process: Process Description
Accountabilities: Accountabilities and responsibilities for information security are executed effectively.
Funding: Manage effective allocation of financial resources for security initiatives as decided in the budget process.
Conflict Conciliation and Arbitration: Facilitate assessment of conflicting security requirements between different stakeholders. Ensure specific policy and controls decisions are based on adequate consideration of individual and collective requirements.
Program and Project Oversight: Track security program and projects, deliverables, and costs to ensure they remain within acceptable tolerances.
Design and explain monitoring processes to the respective stakeholders for implementation:
Process: Process Description
Project Oversight: Assess project results. Report on objectives achieved and missed, as well as unexpected results and consequences.
Value Assessments: Periodically assess the value of information security investments. Is the organization getting the anticipated benefits from investments involving information security?
Operational Oversight: Ensure that the execution of the information security program, and all its associated processes and activities, is done within the parameters set out by the program strategy, architecture, and policy strategy.
Metrics and Measurement: Measuring and reporting on the impact of the information security program on overall IT governance and Corporate Governance.
• Strategic Alignment of information security with business strategy to support organizational objectives
• Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
• Resource Management by utilizing information security knowledge and infrastructure efficiently and effectively
• Performance Measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
• Value Delivery by optimizing information security investments in support of organizational objectives
Fadi Mutlak
Leader, Security & Privacy – Middle East
+971 4 369 8999
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Member of Deloitte Touche Tohmatsu Limited