Fadi Mutlak - Information security governance

May 2011


© 2011 Deloitte & Touche

• There is no single universal model for organizational structure to ensure that the Information Security requirements for the organization are adequately met.

• There is still some uncertainty regarding what such Information Security Governance actually consists of.

• Information Security Governance does not function in isolation.

• Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each.

How do Organizations currently operate Globally & in the Middle East?


• 17% of organizations globally have a person responsible for Information Security; 33% in the Middle East.

• 40% of CISOs globally report directly to IT-related positions (CIO, IT executive and CTO); 31% in the Middle East.

• Only 67% of respondents indicate that they have a security governance structure; 49% in the Middle East.

• Only 56% of respondents indicate they have a documented and approved information security strategy; 38% in the Middle East.

• Only 18% of respondents have established metrics that are aligned to business value and reported on a scheduled basis; 15% in the Middle East.

• Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives; 32% in the Middle East.


Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled.

Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed.

Subsets of Corporate Governance include:

• Financial Governance

• Information Technology Governance

• Enterprise Risk Governance

• Information Security Governance


The structure, oversight and management processes which ensure the delivery of overall corporate governance require integration between the different subsets of the Corporate Governance model.

An organization's Information Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals".

[Diagram: Information Security Organization. Corporate Governance sits at the top, with Legal Governance, Enterprise Risk Governance, Information Technology Governance and Information Security Governance as its subsets. Information Security Governance sits above Information Security Management, which sits above Information Security Operations.]


"Information Security Governance", "Information Security Management" and "Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet Business, Risk and IT goals.

Very broadly:

Information Security Governance: exists to ensure that the security program adequately meets the strategic needs of the business.

Information Security Management: implements that program.

Information Security Operations: executes or manages security-related processes relating to current infrastructure on a day-to-day basis.

Each of these layers must engage with the corresponding layers throughout the enterprise.

[Diagram: the three layers (Information Security Governance, Information Security Management, Information Security Operations) and their counterparts across the enterprise: Corporate Risk Management, Lines of Business Management, the Chief Information Officer (CIO), IT Operations and 3rd Party Service Providers at each layer. Governance forums shown: Information Security Steering Committee, Information Security Communication Forum and Information Security Advisory Board.]


Prudent CISOs are building their Security Governance strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in.

[Diagram: Security Governance cycle of 1. Plan, 2. Implement, 3. Manage, 4. Monitor, applied across Process, Culture, Controls, Integration, Technology and People.]

Without alignment, Information Security Governance operates in a vacuum and will implement security controls that are invariably either too strong (and thus expensive and restrictive) or too weak, resulting in too much residual risk.


The following four domains must be considered when establishing an Information Security Governance program:


1. Plan
• Security Program Strategy
• Security Architecture
• Security Budget
• Governance Policy Management

2. Implement
• Develop Governance Processes
• Institute Governance Forums
• Security Policy Review and Development

3. Manage
• Accountabilities
• Funding
• Conflict Conciliation and Arbitration
• Program and Project Oversight

4. Monitor
• Project Oversight
• Value Assessments
• Operational Oversight
• Metrics and Measurement


Security Program Strategy

1. Current State

2. Desired State

3. Gap Analysis

4. Projects and Initiatives Derived from the Gap Analysis

5. A Reporting Framework


Security Architecture

Security architecture is the planning discipline that provides the foundational models, templates and principles that support the program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse. Its domains include:

• Security Operations

• Security Monitoring and Review

• User Management

• User Awareness

• Application Security

• Database / Metadata Security

• Host Security

• Internal Network Security

• Network Perimeter Security

• Physical and Environmental Security


Security Budget Planning

The process of allocating financial resources to information security projects and operational activities.

Governance Policy Management

Sets the principles for policy management, specifically regarding issues such as:

• Ownership

• Documentation standards

• Approval and formalization procedures

• Enforcement regimes

• Review and exception procedures


Develop Governance Processes

Design the governance processes, specifying for each:

• The goal of the process

• The action steps to be taken and in what sequence

• The responsibilities associated with the process

• The process flow

Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks.

Institute Governance Forums

Establish governance forums and a steering committee to:

• Establish the accountabilities and responsibilities for information security within the organization.

• Oversee the governance processes.

• Commission and sponsor the corporate information security program.


Security Policy Review and Development

Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of your organization's information security policy. Identify major strengths and weaknesses of the policy and provide recommendations for improvement.


Manage

Design and explain management processes to the respective stakeholders for implementation:


• Accountabilities: Accountabilities and responsibilities for information security are executed effectively.

• Funding: Manage effective allocation of financial resources for security initiatives as decided in the budget process.

• Conflict Conciliation and Arbitration: Facilitate assessment of conflicting security requirements between different stakeholders. Ensure specific policy and controls decisions are based on adequate consideration of individual and collective requirements.

• Program and Project Oversight: Track the security program and projects, deliverables, and costs to ensure they remain within acceptable tolerances.


Monitor

Design and explain monitoring processes to the respective stakeholders for implementation:


• Project Oversight: Assess project results. Report on objectives achieved and missed, as well as unexpected results and consequences.

• Value Assessments: Periodically assess the value of information security investments. Is the organization getting the anticipated benefits from investments involving information security?

• Operational Oversight: Ensure that the execution of the information security program, and all its associated processes and activities, is done within the parameters set out by the program strategy, architecture, and policy strategy.

• Metrics and Measurement: Measure and report on the impact of the information security program on overall IT governance and Corporate Governance.


• Strategic Alignment of information security with business strategy to support organizational objectives.

• Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level.

• Resource Management by utilizing information security knowledge and infrastructure efficiently and effectively.

• Performance Measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved.

• Value Delivery by optimizing information security investments in support of organizational objectives.


Leader, Security & Privacy – Middle East

Fadi Mutlak

+971 4 369 8999

[email protected]


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Member of Deloitte Touche Tohmatsu Limited
