Date post: | 12-Jan-2016 |
Category: |
Documents |
Upload: | berniece-avis-leonard |
View: | 220 times |
Download: | 2 times |
Symantec Security Program Assessment and the Symantec Security Management Model
<Name>
<Date>
IT Security used to be much simpler
• A single team addressed the problems
• Incident management was centered around the security team
• Security devices were owned and operated by the security team
• Software was just anti-virus
Security Management and Measurement Programs 2
Less RedundancyAs organizations
run faster and leaner, security
budgets are under pressure.
IT Security Now
Security Management and Measurement Programs 3
Outsourcing81% of firms
outsource up to 50% of their IT
functions
Distributed Control
Security requires software and hardware all
throughout the IT environment.
Culpepper Compensation Survey, 2007
What is your guide to a complete program to address all your firm’s needs?
Three questions you need to answer.
4
How do you ensure that your business partners and outsourcers don’t leave you
exposed?
Security Management and Measurement Programs
What helps you determine the correct amount of effort to spend on the different
areas of security at your firm?
Symantec Security Management ModelWhat is the model?
The Symantec Security Management Model was developed as a graphical tool to facilitate wide-ranging discussions about our customer’s information security programs
The Model examines security from three perspectives…People “Strategic”
Process “Operational”
Technology “Tactical”
…across seven core areas:Security Strategy
Security Organization
Secure Operations
Business Continuity
Network & System Security
Application Security
Data Security
5Security Management and Measurement Programs
6
Symantec Security Management ModelWhat does the model look like?
Security Management and Measurement Programs
Symantec Security Management ModelHow do our clients use the model?
In order to ensure that all security responsibilities are clearly understood throughout the enterprise
To determine the maturity of their security programs
Identifying areas of strength and opportunities for improvement
Addressing areas of excess security expenditure
7
Customer drivenWe developed this service to meet our clients’ need for a systematic, scalable and repeatable process to assess the maturity of their IT Security activities which could be easily communicated
to executive management
Security Management and Measurement Programs
8
Security Management and Measurement ProgramsWhat is the Security Program Assessment?
Consultative engagement intended to:Evaluate the maturity for a security program against the framework
Identify the desired state of security capabilities
Prioritize roadmap for achieving information security goals
Utilizing a well-defined methodology that engages:Senior Management
Business Stakeholders
Technical Owners
Conducted in a series of:Interviews
Risk Workshops
Documentation Review
Typical engagement3 weeks offsite planning
3-4 weeks onsite delivery
Security Management and Measurement Programs
9
Security Management and Measurement ProgramsWhat is the Security Program Assessment?
Security Management and Measurement Programs
10
Security Management and Measurement ProgramsWhat are the results of the Security Program Assessment?
Detailed AnalysisCovering all 42 elements of the framework
Defined Capability Maturity Model
Five Levels of evaluation
Focused on each element
Detailed subcategories
Heat Map of the Core Areas
Current State
Desired State
Executive SummaryCapability Maturity Model Rating
Prioritized Action Plan
Security Management and Measurement Programs
11
Security Management and Measurement ProgramsWhat are the results of the Security Program Assessment?
Detailed AnalysisCovering all 42 elements of the framework
Defined Capability Maturity Model
Five Levels of evaluation
Focused on each element
Detailed subcategories
Heat Map of the Core Areas
Current State
Desired State
Executive SummaryCapability Maturity Model Rating
Prioritized Action Plan
Security Management and Measurement Programs
12
Security Management and Measurement ProgramsWhat are the results of the Security Program Assessment?
Detailed AnalysisCovering all 42 elements of the framework
Defined Capability Maturity Model
Five Levels of evaluation
Focused on each element
Detailed subcategories
Heat Map of the Core Areas
Current State
Desired State
Executive SummaryCapability Maturity Model Rating
Prioritized Action Plan
Security Management and Measurement Programs
13
Security Management and Measurement ProgramsWhat are the results of the Security Program Assessment?
Detailed AnalysisCovering all 42 elements of the framework
Defined Capability Maturity Model
Five Levels of evaluation
Focused on each element
Detailed subcategories
Heat Map of the Core Areas
Current State
Desired State
Executive SummaryCapability Maturity Model Rating
Prioritized Action Plan
Level 1 Level 2 Level 3 Level 4 Level 5
Security Strategy
Security Organization
Secure Operations
Data Security
Business Continuity
Network & System Security
Application Security
Current State Desired State
Objectives for Year One
Level 1 Level 2 Level 3 Level 4 Level 5
Security Strategy
Security Organization
Secure Operations
Data Security
Business Continuity
Network & System Security
Application Security
Current State Desired State
Objectives for Year Two
Security Management and Measurement Programs
Security Management and Measurement ProgramsWho’s using the Security Program Assessment?
14
Industry Services Results
Financial Services• Conducted Maturity Assessments of Information Security
Program in order to measure improvements in capability over the past eighteen months
Insurance• Utilized the Symantec Security Management Model to compare
and contrast anticipated program improvements to be gained from key security initiatives
Retail
• Conducted Maturity Assessments of core and subsidiary business units to align program objectives
• Modeled future program initiatives using the model
Government• Used the model as a framework to establish IT Security
Program and to communicate and collaborate on security initiatives across multiple, autonomous divisions
Security Management and Measurement Programs
Security Management and Measurement ProgramsWhat are people saying about the Security Program Assessment?
15
[The service] which highlights numerous security postures and attributes a risk level to each one, gives us a snapshot of where we are. It really provides a comprehensive picture of each of the different pieces to the larger security landscape. Not only do I find it useful, but I've shown it to the audit committee and to other executives to explain our current security state and our direction over the next year.
Dave Cullinane
CISO, eBay Marketplaces
CIO Digest Magazine, October 2007
Security Management and Measurement Programs
16
Symantec Services Portfolio
Symantec Global Services offers deep technical knowledge and expert resources to protect and manage your information-driven world
• Consulting– Advisory Services
– Product Enablement Services
– Residency Services
• Hosted Services– DeepSight Early Warning
Services
– Symantec Protection Network
– MessageLabs
Managed & HostedServices
Enterprise SupportProfessional
Services
• Enterprise Support– Business Critical Services
– Essential Support
– Basic Maintenance
• Education– Technical Training
– Custom Learning Services
• Managed Services– Managed Security Services
– Managed Backup Services
Security Management and Measurement Programs
Symantec Services Portfolio
Consulting Services
Data Centre Transformation• Data Center Strategy and Planning• Standardization services• Green IT Assessment• Future State Architecture• IT Service Management
Security• Strategic Services (e.g., Security
Program Assessment)• Secure Application Services• Secure Infrastructure Services• Operations Services (e.g., Security Policy
/ Program)• Compliance Services
Advisory Services
Product Enablement
Residency Services
Representative Products• SEP, Altiris• EV, Control Compliance Suite,
Vontu• Veritas Storage Foundation• NetBackup, PureDisk
Solution Domains• Security• Information Risk and Compliance• Storage• Infrastructure Operations• Business Continuity
Services• Executive/ Strategic advisory• Operations management
Services• Assessment, Design, Transform &
Operate• Upgrades / Solution Reviews• Integration Services• Health-checks
Security Management and Measurement Programs
Symantec Services Portfolio
Managed Services
Symantec’s Global Intelligence Network• Database of 25,000+ Vulnerabilities• Attack Quarantine System (Honeypot)• 40,000 registered sensors in 200+
countries• 120 million threat/virus submission
systems• 2,000,000 decoy accounts in the
Symantec Probe Network• 200,000 Malicious Code Submissions
per month
Deepsight Global Intelligence Services• Threat Management System• Alert Services
Recent Introductions• Deepsight Datafeeds v3.0
Managed SecurityServices Early Warning Services
Managed BackupServices
Core Services• Security Monitoring• Security Management• Vulnerability Assessment Services• Vulnerability Data Integration
Recent Introductions• Managed Threat Analysis• Gold Firewall Monitoring• Bundled IDP Solution• Bot-aware network detection• Traffic Anomaly Detection• Security Device Virtualisation
Future Planned Offerings• Log Management Service
(Nov 2008)
• Managed Endpoint(Jan 2009)
Service Features• 24 x 7 x 365 proactive management
of backup environment• SLAs backed by penalties• Local account management • Daily status reports of SLAs• Regular monthly service reviews• Fixed monthly fee
Delivery Model• “Best shoring” model, using local
administrators and service deliver managers + remote 24x7 operations
• Standard transition plan and methodology
Security Management and Measurement Programs
Security Management and Measurement ProgramsWhat are the Next Steps to move forward?
Account Team can provide additional information:Security Program Assessment Datasheet
Sample Statement of Work
Sample Final Deliverable
Share the webcast on Building Confidence in Enterprise Security
http://www.symantec.com/business/theme.jsp?themeid=building_confidence
Schedule a discussion with a Enterprise Security Practice expert to:
Provide a detailed overview of the Security Program Assessment
Begin scoping a Security Program Assessment or to determine how to put the Symantec Security Management Model to work for you
Security Management and Maturity Programs 19
20
&ANSWERS
QUESTIONS
Security Management and Measurement Programs
Thank You!
Copyright © 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.