CISM Chapter 3 - Info Sec Program Development Management
Chapter 3 - Information Security Program Development and Management
This chapter reviews the diverse areas of knowledge needed to develop and
manage an information security program.
3.1 Information Security Program Management Overview
The reality is that many organizations are not yet ready to undertake the
costs and efforts to implement information security governance.
Subsequently, the primary task will be turning the high-level strategy into
logical and physical reality through a series of projects and initiatives.
There will be elements in the program that must be modified during program
design, development and ongoing administration. This can occur for a
variety of reasons, such as:
• Changes in business requirements
• Better solutions become available
• Unanticipated resistance by those affected by the changes
It is essential to determine the forces (drivers) that drive the business need
for the information security program, such as:
• The ever mounting requirements for regulatory compliance
• Higher frequency and cost related to security incidents
• Concerns over reputational damage
• Growing commercial demands of the Payment Card Industry (PCI) Data
Security Standard (DSS)
3.2 Enterprise Information Security Architecture
Architecture also acts as a road map for a collection of smaller projects and
services that must be integrated into a single homogeneous whole.
Sherwood Applied Business Security Architecture (SABSA)
At each lower layer a new level of detail is developed, going through the
definition of the conceptual architecture, the logical services architecture
and the physical infrastructure architecture, and finally, at the lowest layer,
the selection of technologies and products (component architecture).
For a detailed analysis of each of the 6 layers, a SABSA Matrix has been
developed that uses 6 questions for each layer (what, why, when, how,
where and who) as follows:
1. What are you trying to do at this layer? The assets to be protected by
your security architecture.
2. Why are you doing it? The motivation for wanting to apply security.
3. How are you trying to do it? The functions needed to achieve
security at this layer.
4. Who is involved? The people and organizational aspects of security at
this layer.
5. Where are you doing it? The locations where you apply your security,
relevant to this layer.
6. When are you doing it? The time-related aspects of security relevant
to this layer.
How? The business processes that require security (business interactions
and transactions, business communications, etc.).
2. The Architect's View – Conceptual Security Architecture: (security concepts
and principles)
What? What you want to protect, in terms of Business Attributes.
3. The Designer’s View – Logical Security Architecture: (logical security
services, and the logical flow of control and the relationships between these
logical elements)
What? Business information that needs to be secured.
4. The Builder’s View – Physical Security Architecture: (physical security
mechanisms and servers)
What? Business data model and the security-related data structures
(tables, messages, certificates, etc.).
Who? The people dependency in the form of the human interface (screen
formats and user interactions) and the access control systems.
How? Process tools and standards for process delivery - both hardware
and software.
3.3 Business Case Development
The business case should include all the factors that affect the project’s
success or failure, including benefits, costs and risk.
The format of the business case should include some or all of the following:
Reference: Project name/reference, origins/background/current state.
Program Budgeting
Budgeting is an essential part of information security program management
and can have a significant impact on the program’s success.
Unanticipated costs often arise from the need for external resources to assist
with a security event that exceeds the skills or bandwidth of the organization's
staff (such as forensic consultants).
3.4 Outsourcing and Service Providers
Vendors' controls need to be audited and monitored throughout the life of the
contract to ensure that security measures are not downgraded over time.
3.5 Controls and Countermeasures
Control categories:
• Preventive: controls that inhibit attempts to violate security policy, such as
access control enforcement, encryption and authentication.
Control recommendations:
The following factors should be considered in recommending controls to
minimize or eliminate identified risk:
• Effectiveness of recommended options
• Compatibility with other impacted systems, processes and controls
• Relevant legislation and regulation
• Organizational policy and standards
• Organizational structure and culture
• Operational impact
• Safety and reliability
3.6 Common Information Security Program Challenges
Initiating or expanding a security program will often result in a surprising array
of unexpected impediments for the information security manager. These can
include:
1. Organizational resistance due to changes in areas of responsibility
introduced by the program
2. A perception that increased security will reduce access required for job
functions
3. Overreliance on subjective metrics
4. Failure of strategy
5. Assumptions of procedural compliance without confirming oversight
6. Ineffective project management, delaying security initiatives
7. Previously undetected, broken or buggy security software
• Management support: Lack of management support is most common in
smaller organizations and those that are not in security-intensive industries.
• Funding: Inadequate funding for information security initiatives is perhaps
one of the most frustrating and challenging issues that the information
security manager must address.
• Staffing: The root causes of funding issues extend to the challenge of
inadequate staff levels to meet security program requirements.
3.7 Information Security Program Objectives
The objective of the information security program is to implement the strategy
in the most cost-effective manner possible, while maximizing support of
business functions and minimizing operational disruptions.
Chapters 1 and 2 explain how governance and risk management objectives for a
security program are defined and incorporated into an overall strategy.
Whether the strategy has been developed in significant detail or only to the
conceptual level, program development will include a great deal of planning
and design to achieve working project plans.
It is essential to determine the forces that drive the business need for the
information security program. Primary drivers for an information security
program may include:
• The ever mounting requirements for regulatory compliance
• Higher frequency and cost related to security incidents
• Concerns over reputational damage
• Growing commercial demands of the Payment Card Industry (PCI) Data Security
Standard (DSS)
Determining the drivers will help clarify objectives for the program and
provide the basis for the development of relevant metrics.
3.8 Information Security Program Concepts
As an information security program is developed, it is important that the
developers keep in mind the fundamental purpose of the security program.
CONCEPTS:
Both implementing and managing a security program will require the
information security manager to understand and have a working knowledge of a
number of management and process concepts, including:
• Business case development
• SDLCs
• Requirements development
• Specification development
• Control objectives
• Control design and development
• Control implementation and testing
• Control monitoring and metrics
• Architectures
• Documentation
• Quality assurance
• Project management
• Business process reengineering
• Budgeting, costing and financial issues
• Deployment and integration strategies
• Training needs assessments and approaches
• Communications
• Problem resolution
• Variance and noncompliance resolution
• Risk management
• Compliance monitoring and enforcement
• Personnel issues
Note: This is not an all-inclusive list, but merely representative of many of the major concepts with
which the information security manager must be familiar.
Technology Resources:
It is also essential that the information security manager understand where a
given technology fits into the basic prevention, detection, containment, reaction
and recovery framework, and how it will serve to implement strategic elements.
• Firewalls
• Antivirus systems
• Security features in networking devices (e.g., routers, switches)
• Intrusion detection systems (IDSs), both host-based (HIDSs) and network-based (NIDSs)
• Intrusion prevention systems (IPSs)
• Cryptographic techniques
• Digital signatures
• Smart cards
• Authentication and authorization mechanisms
• Wireless security methodologies
• Mobile computing
• Application security methodologies
• Virtual private networks (VPNs)
• Web security techniques
• Vulnerability scanning and penetration testing tools
• Data leak prevention methodologies
• Data integrity controls
• Identity and access management systems
3.9 Security Program Metrics And Monitoring
From a management perspective, while there have been improvements in
technical metrics, they are generally incapable of providing answers to such
questions as:
• How secure is the organization?
• How much security is enough?
• How do we know when we have achieved security?
• What are the most cost-effective solutions?
• How do we determine the degree of risk?
• How well can risk be predicted?
• Are we moving in the right direction?
• What impact is lack of security having on productivity?
• What impact would a catastrophic security breach have?
• What impact will the solutions have on productivity?
The primary parameters of metrics design can be summed up as:
1. Who needs to know?
2. What do they need to know?
3. When do they need to know it?
1. Strategic metrics are often a compilation of other management metrics
designed to indicate that the security program is on track, on target and on
budget to achieve the desired outcomes.
There are a number of other considerations for developing metrics. The
essential attributes that must be considered include:
• Manageable
• Meaningful
• Actionable
• Unambiguous
• Reliable
• Accurate
• Timely
• Predictive
• Genuine