Information Security Program Management

Date posted: 09-Jan-2016
Description: Information Security Program Management, by Ramachandra Kulkarni (PowerPoint presentation). Agenda: information security program; organization and budgeting; program components; staffing and career development; metrics and measurement.
Transcript
Page 1: Information Security Program Management

Information Security Program Management

Ramachandra Kulkarni

Page 2

Agenda

• Information security program
• Organization and budgeting
• Program components
• Staffing and career development
• Metrics and measurement

Page 3

Organization and budgeting

Page 4

Information security organization structure (how will I organize myself?)

Functions of the security organization and the responsibilities listed under each:

Program Office
• Strategy and Planning
• Macro Risk Profiles
• Threat Horizon

Policy and Risk Practices
• Policies and Standards
• Training and Awareness
• Risk Measurement Systems
• Incident Learning

Architecture
• Solutions Catalog
• Security Architecture

Infrastructure Risk
• Infrastructure Security
• Risk Monitoring
• Incident Response
• Supports IT Infra and LSCs

Application Risk
• Application Security
• Risk Monitoring
• Incident Response
• Supports IT and LSCs

Business Information Risk
• BU Information Protection
• Risk Monitoring
• Incident/Investigations Response

Business Continuity Planning
• Business Unit Resilience
• Technology Resilience
• Crisis Response
• Supports BCP Coordinators

Investigations
• E-Discovery investigations
• Forensic investigations

Information security operational services
• Operational support to the security streams; acts as a service engine

Page 5

Information security – Key activity streams

Risk consulting
• Consult with business groups on their projects with regard to information risk
• Ability to develop / suggest and help implement controls around new systems

Risk monitoring
• Ensure operational monitoring of events
• Ensure implementation of defined policies
• Ensure the incident response mechanism is effective
• Ensure control framework deployment
• Ensure proper segregation of duties

Risk reporting
• Reporting of external and internal threats and organization readiness
• Provide analytics for prioritized investment in the protection program
• Provide insight into resource allocation
• Provide inputs to the risk analysis process
• Monitor and measure trends in the effectiveness of the security program

Page 6

Planning and Funding

• Define scope and alignment with business groups
• Yearly planner with quarterly reviews
• Determine the info. security model (centralized / de-centralized)
• Determine the method of funding (stakeholder / IT budgets / independent)
• Major cost components:
  • Implementation of new security technologies
  • Reporting and tools
  • Staffing
  • Audits and assessment (internal / external)
  • Compliance (internal policies / regulatory / contractual)

Typically 4 – 7 % (up to 7 – 10 % in specific cases) of the total “IT” budget.

Page 7

Working the interfaces

Divisions and their interface areas with Information Security:

IT operations – Buy-in, tech design, IT services, BCP, capacity and performance management.

Business units – BCP, buy-in for policies, customer requirements, new systems and apps, and awareness.

Legal / compliance – Compliance reporting, legal requirements, policy considerations.

Physical security – Physical controls, visitor handling, differentiated access setup in the buildings.

Page 8

Building credibility – the infosec brand

• Be the “go-to” person for any issue involving security (build domain expertise).
• Admit that issues exist when they do (do not get defensive).
• Communicate appropriately (multiple levels of communication).
• Accept and acknowledge solutions from any source (the most common failing).
• Build programs for effective communication (dashboards / scorecards); bring in risk transparency.
• Do not encourage a “differentiated security” culture (very difficult and sensitive).

Ultimately, different groups should feel that information security is acting as an enabler and not as a department that puts the brakes on every initiative. The answer is communicate !!! communicate !!! communicate !!!

Page 9

Program components

Page 10

Program component framework

Input components: Asset classification, User classification, Threat classification

Core components: Risk analysis, Strategy identification, Security plan development, Security architecture

Support components: Change management, Metrics, Education

Source: Burton research

Page 11

Program input components

Asset classification
• Inventory of all information assets
• Classification according to value to the organization
• Feeds into risk analysis

User classification
• Categories of users
• Not every user will require every bit of information or every facility
• Key input to segregation of duties within the user community

Threat classification
• Value of consequences
• Location of the operational elements

Page 12

Program core components

Risk analysis
• Most important component of the information security strategy
• Output will be key facts such as the priority of resources to be protected, the impact of the threats, and the resources to be made available
• Need not always be highly analytical (tool-based etc.)

Strategy identification
• Key inputs from the risk analysis
• Strategy includes resources, technology, reporting and program

Security plan development
• Details of the projects to be taken up
• Details of the organization chart and responsibilities
• Details of the control environment

Security architecture
• Technology architecture (technology biases, tool standardization)
• Policy framework (adopted standard, policies and procedures)
• Control framework (baseline, project-based controls)

Page 13

Program support components

Change management
• Structured approach to changes in the information environment
• Analysis of security impact before a change is made

Education
• Education during induction
• On-going education initiatives
• Educating users of new systems
• Delivery channels – classroom, email, videos and articles

Metrics
• Important barometer for the protection standard
• Key inputs in terms of improvement / decline in security levels
• Operational and quantitative metrics

Page 14

Staffing and career development

Page 15

Information security – Staffing parameters

How big your team should be depends on:
• Number of systems (IT infrastructure)
• Percentage of critical business running on IT
• Overlapping functions (BCP, compliance)
• Number of locations
• Number of employees

Some pointers for staffing:
• 5 – 7 % of IT staff
• In large organizations (> 4000 employees): one info. security staff member for every 700 employees (where > 70 % of data is system-based)

Page 16: Information Security Program Management

TechnologyTechnology

Process Appreciation

Technology

certification

Process Appreciation

Technology

certification

Defining and managing processes

Verification and Validation

Technology (specific areas)

Business processes awareness

Defining and managing processes

Verification and Validation

Technology (specific areas)

Business processes awareness

Business understanding

Ability to influence

Metrics management

Assurance mechanisms

Program management

Processes expertise

Regulatory frameworks

Technology

Business understanding

Ability to influence

Metrics management

Assurance mechanisms

Program management

Processes expertise

Regulatory frameworks

Technology

Team members / Security

specialists

Team members / Security

specialists

Team leader / ManagersTeam leader / Managers

CISO

Program manager – Info. Security

Senior Manager – Info. Security

CISO

Program manager – Info. Security

Senior Manager – Info. Security

Communication SkillsCommunication Skills

Assessments and ReviewsAssessments and Reviews Certifications

Certifications

Information Security Organization – Skills mappingInformation Security Organization – Skills mapping

Page 17

Information Security Staff – Skills composition

• Technology – 20%
• Monitoring and reporting – 30%
• Consulting – 25%
• Processes – 10%
• Audit and assessment – 15%

Page 18

Information Security Career Paths (broad level)

Both tracks lead to the Information Security Program Management Office (CISO).

Security Engineering track
• Security administrator (O/S, Network, DB)
• Security Specialist (Firewall, VPN, IDS)
• Security Manager (design, planning, implementation and roll-out)
• Engineering Head (budgets, design validation, stakeholder interface)

Risk Management and Assurance track
• Process Consultant
• Controls Analyst
• Risk and Compliance Analyst
• Risk and Assurance Manager

Page 19

Staff challenges and strategies

Challenges
• Security being equated to technologies (firewall, IDS, anti-virus etc.)
• Lack of business understanding
• Lack of appreciation for processes
• Inability to convince / influence stakeholders

Some of the possible solutions
• Develop the ability to interact in “business language”
• Educate information security staff on the big picture (go beyond firewall, IDS etc.)
• Penalize process failures through the appraisal system
• Staff rotation
  • Within the security team across different areas
  • Agreement with the IT team for rotation

Page 20

Metrics and Measurement

Page 21

Why measuring security is difficult

What do dictionaries say?
• Security – “freedom from risk or danger”
• Security – “keeping from harm”

Inherently, the definitions point to a relative term.

Some of the things that are difficult to measure:
• Employee morale
• Opportunity cost due to an outage caused by infosec

Statistics need to be blended with enterprise knowledge: a trader unable to access the application for 30 minutes from 19:00 to 19:30 is in a totally different situation from a trader unable to access it from 11:00 to 11:30.

As a result, what gets measured is what can be visualized, but unfortunately a large percentage of that is not meaningful.

Page 22

Measurement strategy

Possible options for measurement:
• Gap assessment (prioritization is a challenge)
• Against previous performance (aligning with organization goals is not easy)
• Measure against business criticality (ideal but very difficult to measure, and requires extensive enterprise knowledge)
• ROI metrics (there is hardly any robust method of computing ROI on security)
• Comparing against other organizations (does not align with organization goals, and sharing of information is a limitation)
• Program management (top-down) metrics (blending the details is a big challenge)

None of the above methods gives the required assurance on its own; however, a combination of two or more of the above approaches will be a reasonable plan towards metrics.

Page 23

What information risk metrics should offer

• Should provide fact-based decision making
• Provide resource allocation insight
• Serve as a communication tool to influence the organization
• Metrics should essentially throw up risk elements
• Metrics should provide pointers on when to:
  • Accept the risk
  • Avoid the risk
  • Mitigate the risk
  • Transfer the risk
• Should provide trends of improvement or lack of it
• Should also provide pointers to investment areas

Page 24

Design Principles for Information Risk Scorecard

Performance Measurement and Communication: In their efforts to create reporting processes that truly resonate with diverse audiences, Members cite a litany of obstacles, including a dearth of reliable key performance indicators, lack of consensus around what should be measured, and the perennial challenge of quantifying risk.

• Start with the key decisions that need to be made and derive metrics that support those decisions, instead of a bottom-up aggregation of available metrics.

• Include CISO risk assertions and concise summaries.

• Include a CISO explanation of estimated future direction.

• Develop metrics with longevity in mind, considering the life of the various systems and anticipated business changes that may diminish effectiveness and/or complicate collection in the future.

• Identify both the upfront burden of putting a collection process in place and the ongoing burden of regular data collection.

Each Metric Should…

…Enable Decision Making: Metrics should translate technical security data into business risk implications that executives can leverage to drive mitigation trade-off decisions.

…Articulate Future Readiness: Metrics should not only provide a view of current performance but also provide directional guidance on readiness to meet future threat scenarios.

…Be Comparable Over Time: Each metric should capture historical trends to outline performance.

…Require Minimal Resource Consumption: The data for each metric should be easily and cost-effectively captured.

The Overall Scorecard Should…

Be Simple: Performance measurement reports should be concise and quickly highlight areas of concern.

Present Nontechnical Data: The scorecard should speak to an executive audience and focus on nontechnical data.

• To draw audience attention to highest-priority issues, adopt an exception-based reporting approach instead of inundating the audience with reams of data.

• Involve the audiences in the design by soliciting input prior and during scorecard creation.

Source: IREC research.

Page 25

Sample approach

Steps:
1. Define categories
2. Define risk indicators
3. Define tolerance levels
4. Input the current reporting period results
5. Measure against tolerance
6. Obtain trends

Page 26

Define categories

Sample metrics categories:
• Infrastructure
• Applications
• Management
• Physical security
• Data protection
• Awareness
• Change management

Page 27

Sample – Key Risk Indicator definition

Page 28

Sample – Key risk indicator definition

Page 29

Quarterly data analysis

Process: Unauthorized access via external connections

Control objective: To ensure that all the external connections have security violation detection mechanisms

Table columns: Event type | Area | Key Risk Indicator and Description | Tolerance levels (G / Y / R) | Current Value | Previous Status (Q3 FY 2008, Q4 2008) | Trend

Sample row:
• Area: Infrastructure
• Key Risk Indicator: Percentage of external connections with security monitoring
• Description: All external connections should be under security monitoring
• Tolerance levels: R < 80, Y >= 80, G = 100
• Current value: 95
• Previous status: Q3 FY 2008 – 78; Q4 2008 – 74

Notes on the layout:
• One event type per metric
• Previous status covers the previous reporting periods

Event types: 1. Control failure, 2. External threats, 3. Internal threats, 4. Processing failure, 5. Unauthorized activity

Areas: 1. Infrastructure, 2. Applications, 3. Management, 4. Physical security, 5. Data protection, 6. Awareness, 7. Change management
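The six steps of the sample approach (Page 25) and the quarterly analysis row above can be carried through in a few dozen lines. The following is an added example, not code from the deck or its author: it takes the Page 26 categories, the Page 29 KRI with its tolerance levels and values, rates the current value G/Y/R, derives the trend from the previous periods, and produces the exception-based view that Page 24 recommends. It generalizes the slide's single higher-is-better percentage to lower-is-better counts; the two extra KRIs, their thresholds and values, and all function names are constructed for illustration.

```python
"""Quarterly KRI scorecard evaluation (added example, not from the deck)."""
from dataclasses import dataclass, field
from typing import List

# Sample metric categories from Page 26 of the deck (step 1: define categories).
CATEGORIES = (
    "Infrastructure", "Applications", "Management", "Physical security",
    "Data protection", "Awareness", "Change management",
)


@dataclass
class Tolerance:
    """Step 3: tolerance levels for one KRI.

    higher_is_better=True : value >= green_at -> G, value >= yellow_at -> Y, else R
    higher_is_better=False: value <= green_at -> G, value <= yellow_at -> Y, else R
    """
    green_at: float
    yellow_at: float
    higher_is_better: bool = True

    def rate(self, value: float) -> str:
        if self.higher_is_better:
            if value >= self.green_at:
                return "G"
            return "Y" if value >= self.yellow_at else "R"
        if value <= self.green_at:
            return "G"
        return "Y" if value <= self.yellow_at else "R"


@dataclass
class KRI:
    """Step 2 and step 4: one key risk indicator with its period values."""
    area: str
    name: str
    description: str
    tolerance: Tolerance
    current: float
    previous: List[float] = field(default_factory=list)  # oldest period first

    def __post_init__(self) -> None:
        if self.area not in CATEGORIES:  # every KRI must sit in a defined category
            raise ValueError(f"unknown metric category: {self.area!r}")

    def rating(self) -> str:
        """Step 5: measure the current value against tolerance."""
        return self.tolerance.rate(self.current)

    def trend(self) -> str:
        """Step 6: direction versus the most recent previous period, expressed in
        risk terms so it reads the same for higher- and lower-is-better KRIs."""
        if not self.previous:
            return "n/a"
        last = self.previous[-1]
        if self.current == last:
            return "flat"
        moved_up = self.current > last
        return "improving" if moved_up == self.tolerance.higher_is_better else "declining"


def exception_report(kris: List[KRI]) -> List[KRI]:
    """Exception-based reporting (Page 24): surface only KRIs outside green."""
    return [k for k in kris if k.rating() != "G"]


def scorecard_lines(kris: List[KRI]) -> List[str]:
    """One line per KRI in the Page 29 column order (area, KRI, rating, values, trend)."""
    lines = []
    for k in kris:
        prev = ", ".join(f"{p:g}" for p in k.previous)
        lines.append(f"{k.area:<17} {k.name:<64} {k.rating()} "
                     f"current={k.current:g} previous=[{prev}] trend={k.trend()}")
    return lines


# The KRI transcribed from Page 29 (Infrastructure area, higher is better).
SLIDE_KRI = KRI(
    area="Infrastructure",
    name="Percentage of external connections with security monitoring",
    description="All external connections should be under security monitoring",
    tolerance=Tolerance(green_at=100, yellow_at=80),   # R < 80, Y >= 80, G = 100
    current=95,
    previous=[78, 74],                                  # Q3 FY 2008, Q4 2008
)

# Constructed KRIs (assumptions, not from the deck) exercising the other paths.
CHANGE_KRI = KRI(
    area="Change management",
    name="Changes deployed without a security impact analysis (count)",
    description="Every change should be analysed for security impact before it is made",
    tolerance=Tolerance(green_at=0, yellow_at=2, higher_is_better=False),
    current=3,
    previous=[1, 4],
)
AWARENESS_KRI = KRI(
    area="Awareness",
    name="Percentage of new joiners who completed induction security training",
    description="Education during induction should reach every new joiner",
    tolerance=Tolerance(green_at=100, yellow_at=90),
    current=100,
    previous=[97],
)
SCORECARD = [SLIDE_KRI, CHANGE_KRI, AWARENESS_KRI]

if __name__ == "__main__":
    for line in scorecard_lines(SCORECARD):
        print(line)
    print("Exceptions:", [k.name for k in exception_report(SCORECARD)])
```

Running it rates the slide's KRI yellow (95 is above the 80 yellow floor but short of the 100 green target) with an improving trend from 74, flags the constructed change-management count red, and leaves the awareness KRI out of the exception list. Keeping the tolerance in its own object is what lets the same rating and trend logic serve both kinds of indicator, which matters once a scorecard mixes coverage percentages with failure counts.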

Page 30

Questions

