
Iso 27001 isms program governance with Mark E.S. Bernard

Date post: 12-May-2015
Description:
GOVERNANCE FRAMEWORK, ENTERPRISE SECURITY, VISION, GOALS, BUSINESS BENEFITS, CRITICAL SUCCESS FACTORS, KEY PERFORMANCE INDICATORS, ROLES & RESPONSIBILITIES
Transcript
Page 1: Iso 27001 isms program governance with Mark E.S. Bernard

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Page 2: Iso 27001 isms program governance with Mark E.S. Bernard

GOVERNANCE FRAMEWORK

ENTERPRISE SECURITY

VISION

GOALS

BUSINESS BENEFITS

CRITICAL SUCCESS FACTORS

KEY PERFORMANCE INDICATORS

ROLES & RESPONSIBILITIES


Page 4: Iso 27001 isms program governance with Mark E.S. Bernard

Governance Framework Defined

A Vision is a broadly defined, clear and compelling statement about the Enterprise's purpose for Enterprise Security.

Strategic Objectives are a set of goals that are necessary and sufficient to move the Enterprise towards its vision for Enterprise Security.

Critical Success Factors (CSF) are a set of outcomes that are necessary to achieve the strategic objectives for Enterprise Security.

Key Performance Indicators (KPI) are concrete metrics tracked to ensure that Enterprise Security's critical success factors are being achieved.

Key actions and business changes are the initiatives to be delivered in order to achieve the Enterprise Vision and Strategic Objectives for Enterprise Security.

[Figure: Vision -> Strategic objectives -> CSFs -> KPIs / targets -> Key actions / business changes]


Page 6: Iso 27001 isms program governance with Mark E.S. Bernard

"We will build and implement an information security program which will identify threats and risks to the Enterprise's information assets and system resources, including human assets, before they become an employee or management concern."


Page 8: Iso 27001 isms program governance with Mark E.S. Bernard

• Develop an innovative Information Security Program that identifies risks and implements safeguards to mitigate those risks.

• The Information Security Program must meet all of the Enterprise's expectations while having little impact on existing budgets and/or schedules.

• Develop an effective, efficient Information Security Program that will enhance all services provided by the Enterprise while not impeding existing services to our clients.

• Isolate and mitigate potential risks and/or threats prior to an issue developing into an employee or management concern or problem.

• Enhance the Enterprise's ability to attract and retain customers, investors and partners because of its ability to efficiently and effectively protect information.


Page 10: Iso 27001 isms program governance with Mark E.S. Bernard

• Reduce risks and threats to the Confidentiality, Integrity and Availability of the Enterprise's Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.

• Improve the effectiveness and efficiency of Information Security Management by implementing a world-class best-practice framework for consistent, concise security administration.

• Improve the effectiveness and efficiency of existing security mechanisms by formalizing new practices to monitor compliance and maintain awareness of sensitive data.

• Improve assurance testing and validation outcomes by Internal Audit and External Auditors, to further assure the Enterprise's Investors, Board of Directors and Executive Management Team that the Enterprise's Information Assets and System Resources are secure.

• Reduce the likelihood of an accidental incident caused by Enterprise staff that could adversely affect the Enterprise's reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security education and awareness program.


Page 12: Iso 27001 isms program governance with Mark E.S. Bernard

Information security policy, objectives, and activities that reflect business objectives

An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the Enterprise’s culture

Visible support and commitment from all levels of management, especially Executives

A good understanding of the information security requirements, risk assessment, and risk management

Effective marketing of information security to all managers, employees, and other parties to achieve awareness

Distribution of guidance on information security policy and standards to all managers, employees and other parties

Provision to fund information security management activities

Providing appropriate awareness, training, and education

Establishing an effective information security incident management process

Implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement.


Page 14: Iso 27001 isms program governance with Mark E.S. Bernard

Strategic Alignment
• Enterprise Security Office activities do not materially hinder business
• The Enterprise Security Office program enables business activities
• Enterprise Security Office activities have provided predictable, robust operations
• Enterprise Security Office incidents have not significantly impacted business operations
• Trends for adverse impacts are continuously improving
• The Enterprise Security Office organization is responsive to business requirements
• The cost of Enterprise Security Office measures is appropriate and generally tracks the degree of risk and value of assets
• The Enterprise Security Office group understands the business objectives

Risk Management
• Cost effectiveness of risk mitigation
• Reduction in residual risk
• Reduction in open vulnerabilities
• Reduction of significant risks
• Reduction in adverse impacts
• Improved response time to new risks
• Systematic, continuous risk management
• Periodic risk assessments
• Tested business continuity planning (BCP) and disaster recovery (DR)
• Completeness of asset valuation and assignment of ownership
• Recovery time objectives (RTO) met during testing


Page 15: Iso 27001 isms program governance with Mark E.S. Bernard

Business Process Assurance
• No gaps exist in information asset protection
• All assurance activities are demonstrably integrated
• Roles and responsibilities are well defined, with concise interfaces
• Responsibility and accountability are clearly defined
• The steering committee has representatives of all assurance functions

Value Delivery
• Enterprise Security Office activities achieve strategic objectives on budget
• The cost of the Enterprise Security Office is proportional to the value of assets
• Enterprise Security Office resources are allocated by degree of assessed risk
• Aggregate protection costs are a function of revenues or asset valuation
• Utilization of controls: rarely used controls are not likely to be cost-effective
• The number of controls needed to achieve acceptable risk and impact levels: fewer, more effective controls can be expected to be more cost-effective than a larger number of less effective controls
• The effectiveness of controls as determined by testing: marginal controls are not likely to be cost-effective


Page 16: Iso 27001 isms program governance with Mark E.S. Bernard

Resource Management
• The frequency of problem rediscovery
• The effectiveness of knowledge capture and dissemination
• Clearly defined roles and responsibilities for IT security functions
• IT security functions are incorporated into every project plan
• Information assets and related threats that are covered by security resources

Performance Management
• The time it takes to detect and report incidents
• The number and frequency of unreported incidents
• Benchmarking security costs against comparable organizations
• Effectiveness and efficiency of controls
• Trends in audit findings
• Compliance metrics
• Time for variance resolutions
• Trends in impacts
• Downtime for critical systems
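The Performance Management indicators above only become a measurement system (the last critical success factor on Page 12) once they are computed from the incident register on a repeatable schedule and compared period over period. The Python below is an added worked example, not part of this presentation and not an ISO/IEC 27001 requirement: it derives time to detect, time to report, the count of unreported incidents and critical-system downtime per quarter, checks a detection target, and classifies the trend. The register layout, field names, the 4-hour target and the sample records are assumptions constructed for the illustration.

```python
from datetime import datetime
from statistics import mean

TS_FMT = "%Y-%m-%dT%H:%M"

# Constructed sample incident register for this example (not real data).
# "reported" is None when an incident was detected but never escalated to the
# Enterprise Security Office, i.e. an unreported incident. The field layout is
# an assumption made for the illustration, not a standard format.
INCIDENTS = [
    {"id": "INC-001", "quarter": "2015-Q1", "critical": True,
     "occurred": "2015-01-05T08:00", "detected": "2015-01-05T14:00",
     "reported": "2015-01-05T16:00", "resolved": "2015-01-06T02:00"},
    {"id": "INC-002", "quarter": "2015-Q1", "critical": False,
     "occurred": "2015-02-10T09:00", "detected": "2015-02-12T09:00",
     "reported": None, "resolved": "2015-02-12T12:00"},
    {"id": "INC-003", "quarter": "2015-Q2", "critical": True,
     "occurred": "2015-04-20T22:00", "detected": "2015-04-21T01:00",
     "reported": "2015-04-21T01:30", "resolved": "2015-04-21T05:00"},
    {"id": "INC-004", "quarter": "2015-Q2", "critical": False,
     "occurred": "2015-05-03T10:00", "detected": "2015-05-03T11:00",
     "reported": "2015-05-03T11:30", "resolved": "2015-05-03T13:00"},
]


def hours_between(start, end):
    """Elapsed hours between two timestamps in TS_FMT."""
    delta = datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)
    return delta.total_seconds() / 3600


def quarter_kpis(incidents):
    """KPIs for one reporting period, mirroring the slide's list: time to
    detect, time to report, unreported incidents and critical-system downtime."""
    if not incidents:
        return None
    reported = [i for i in incidents if i["reported"] is not None]
    return {
        "incidents": len(incidents),
        "mean_hours_to_detect": round(
            mean(hours_between(i["occurred"], i["detected"]) for i in incidents), 2),
        # Reporting lag can only be measured for incidents that were reported.
        "mean_hours_to_report": round(
            mean(hours_between(i["detected"], i["reported"]) for i in reported), 2)
        if reported else None,
        "unreported": len(incidents) - len(reported),
        # Downtime counts from occurrence to resolution, critical systems only.
        "critical_downtime_hours": round(
            sum(hours_between(i["occurred"], i["resolved"])
                for i in incidents if i["critical"]), 2),
    }


def kpis_by_quarter(incidents):
    """Group the register by quarter and compute the KPIs for each quarter."""
    quarters = sorted({i["quarter"] for i in incidents})
    return {q: quarter_kpis([i for i in incidents if i["quarter"] == q])
            for q in quarters}


def detection_within_target(incidents, target_hours):
    """Share of incidents detected within a KPI target such as 'detect within
    4 hours' (the target value itself is an assumption for the example)."""
    if not incidents:
        return None
    hits = sum(1 for i in incidents
               if hours_between(i["occurred"], i["detected"]) <= target_hours)
    return hits / len(incidents)


def trend(by_quarter, metric):
    """'improving' when a lower-is-better metric fell every quarter,
    'worsening' when it rose every quarter, otherwise 'mixed'."""
    values = [by_quarter[q][metric] for q in sorted(by_quarter)]
    if len(values) < 2:
        return "insufficient data"
    if all(b < a for a, b in zip(values, values[1:])):
        return "improving"
    if all(b > a for a, b in zip(values, values[1:])):
        return "worsening"
    return "mixed"


if __name__ == "__main__":
    by_q = kpis_by_quarter(INCIDENTS)
    for quarter, k in by_q.items():
        print(quarter, k)
    print("detection trend:", trend(by_q, "mean_hours_to_detect"))
    print("downtime trend:", trend(by_q, "critical_downtime_hours"))
    print("Q2 detected within 4h:",
          detection_within_target([i for i in INCIDENTS if i["quarter"] == "2015-Q2"], 4.0))
```

The unreported count deserves the same scrutiny as the lags: an incident that staff resolved quietly never reaches the register's "reported" column, so the metric is only as honest as the intake process that populates it, which is why the slide pairs it with the awareness and incident management critical success factors.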


Page 17: Iso 27001 isms program governance with Mark E.S. Bernard

• Adopt an Information Security framework
• Implement Enterprise Security Governance
• Facilitate adoption of a Risk Management Methodology
• Implement a Security Monitoring System
• Facilitate harmonization of Access Control and Identity processes
• Lead implementation of a Continuous Improvement process
• Develop and implement a Communications Strategy, including Awareness Training


Page 19: Iso 27001 isms program governance with Mark E.S. Bernard

Roles and responsibilities by management level and governance domain (Strategic Alignment, Risk Management, Value Delivery, Performance Measurement, Resource Management, Process Assurance):

Board of Directors
• Strategic Alignment: Require demonstrable alignment
• Risk Management: Institute a policy of risk management in all activities and ensure regulatory compliance
• Value Delivery: Require reporting of Enterprise Security activity costs
• Performance Measurement: Require reporting of Enterprise Security activity effectiveness
• Resource Management: Institute a policy of knowledge management and resource utilization
• Process Assurance: Institute a policy of assurance process integration

Executive Management
• Strategic Alignment: Institute processes to integrate Enterprise Security with business objectives
• Risk Management: Ensure roles and responsibilities include risk management in all activities and monitor regulatory compliance
• Value Delivery: Require business case studies of Enterprise Security initiatives
• Performance Measurement: Require monitoring and metrics for Enterprise Security activities
• Resource Management: Ensure processes for knowledge capture and efficiency metrics
• Process Assurance: Provide oversight of all assurance functions and plans for integration

Management Review Committee
• Strategic Alignment: Review Enterprise Security strategy and integration efforts, and ensure business owners support integration
• Risk Management: Identify emerging risks, promote business unit Enterprise Security practices, and identify compliance issues
• Value Delivery: Review the adequacy of Enterprise Security initiatives to serve business functions
• Performance Measurement: Review and advise on Enterprise Security initiatives and ensure they meet business objectives
• Resource Management: Review processes for knowledge capture and dissemination
• Process Assurance: Identify critical business processes and assurance providers, and direct integration of assurance efforts

Enterprise Security Office
• Strategic Alignment: Develop Enterprise Security strategy, oversee the Enterprise Security program and initiatives, and liaise with business process owners for ongoing alignment
• Risk Management: Ensure risk and business impact assessments, develop risk mitigation strategies, and enforce policy and regulatory compliance
• Value Delivery: Monitor utilization and effectiveness of Enterprise Security resources
• Performance Measurement: Develop and implement monitoring and metrics approaches, and direct and monitor Enterprise Security activities
• Resource Management: Develop methods for knowledge capture and dissemination, and metrics for effectiveness and efficiency
• Process Assurance: Liaise with other assurance providers, and ensure that gaps and overlaps are identified and addressed


Page 20: Iso 27001 isms program governance with Mark E.S. Bernard

Purpose: Management shall review the Enterprise's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (ISO/IEC 27001:2005 clause 7.1, Management review of the ISMS; the records are controlled under clause 4.3.3). In ISO/IEC 27001:2013 the management review requirements are consolidated in clause 9.3.

Goals: The ISMS Management Review Committee has been formed to provide an effective joint forum which will contribute to the following goals:

• Decision making which supports the Enterprise Security Program

• Balanced and informed review and advisory services contributing to a range of Enterprise Security Office (ESO) planning, service delivery and issue resolution activities

• Proactive ESO alignment with higher level joint governance functions to improve the effectiveness and efficiency within the ESO domain


Page 21: Iso 27001 isms program governance with Mark E.S. Bernard

Committee Functions: Review input (ISO/IEC 27001:2005 clause 7.2)

The input to a management review shall include:

a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.


Page 22: Iso 27001 isms program governance with Mark E.S. Bernard

Review output (ISO/IEC 27001:2005 clause 7.3)

The output from the management review shall include any decisions and actions related to the following:

a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
   1) business requirements;
   2) security requirements;
   3) business processes affecting the existing business requirements;
   4) regulatory or legal requirements;
   5) contractual obligations; and
   6) levels of risk and/or criteria for accepting risks.
d) Resource needs.
e) Improvement of how the effectiveness of controls is being measured.


Page 24: Iso 27001 isms program governance with Mark E.S. Bernard


For more information contact

Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure
LinkedIn: http://ca.linkedin.com/in/markesbernard
