
CHAPTER 2: GOVERNANCE AND STRATEGIC PLANNING FOR SECURITY


You got to be careful if you don't know where
you're going, because you might not get
there.
YOGI BERRA

CCCY 321 Information Security Management


Spring 2022
Learning Objectives
Upon completion of this material, you should be able to:

 Identify the key organizational stakeholders that are actively involved in planning and compare their roles

 Explain strategic organizational planning for information security (InfoSec) and describe its relationship to organization-wide and IT strategic planning

 Discuss the importance, benefits, and desired outcomes of information security governance and how such a program
would be implemented

 Describe the principal components of InfoSec system implementation planning within the organizational planning scheme

The Role of Planning

 Planning = the sequence of actions intended to achieve specific goals during a defined period of
time, and then controlling the implementation of these steps.

 Without specific and detailed planning, organizational units would attempt to meet objectives
independently, with each unit being guided by its own initiatives and ideas.
 Such an uncoordinated effort would result in an inefficient use of resources.

 Organizational planning, when conducted by the appropriate segments of the organization:


 provides a coordinated and uniform script that increases efficiency
 reduces waste and duplication of effort by each organizational unit.

The Role of Planning (Continued)

 Organizational planning should make use of a top-down process:


 the organization's leadership chooses the direction and initiatives that the entire
organization should pursue
 The primary goal of the planning process is the creation of detailed plans: systematic directions
for how to meet the organization's objectives
Precursors to Planning

 Mission Statement
 Vision Statement
 Values Statements

Mission Statement
 The mission statement explicitly declares the business of the organization and its
intended areas of operations
 Example: RWW's mission statement
 “Random Widget Works designs and manufactures quality widgets and associated equipment and
supplies for use in modern business environments”.

 The mission statement must explain what the organization does and for whom.
 A mission statement should be:
 concise,
 should reflect both internal and external operations,
 should be robust enough to remain valid for a period of four to six years.

Vision Statement
 The vision statement is an idealistic expression of what the organization wants to become.
 The vision statement expresses where the organization wants to go, while the mission
statement describes how it wants to get there

 Example: RWW's vision statement:


 Random Widget Works will be the preferred manufacturer of choice for every business's
widget equipment needs, with an RWW widget in every gizmo in use.

 The vision statements are not meant to express the probable, only the possible.

Values Statement

 Management must articulate the organization's values statement


 By establishing a formal set of organizational principles and qualities in a values statement, as
well as benchmarks for measuring behavior against these published values, an organization
makes its conduct and performance standards clear to its employees and the public
 Example: RWW's values
 Random Widget Works values commitment, honesty, integrity, and social responsibility among
its employees and is committed to providing its services in harmony with its corporate, social,
legal, and natural environments.

Example

The mission, vision, and values of the US National Archives (figure not reproduced in this text)
Strategic Planning

 Strategic planning= The process of defining and specifying the long-term direction (strategy) to
be taken by an organization, and the allocation and acquisition of resources needed to pursue
this effort.
 It is a three-step process:
1. First, an organization identifies a goal for an area of improvement or a need for a new
capability, and then it documents the current progress toward accomplishing that goal
(where are we now?)
2. Next, leadership articulates where the organization seeks to be with regard to the goal
(where are we going?)
3. Finally, plans can be made for how to achieve that goal (how will we get there?)

Top-down strategic planning

(figure: top-down strategic planning, not reproduced in this text)
Top-down strategic planning- continued

 Strategic plans formed at the highest levels of the organization are used to create the
overall corporate strategy.
 As lower levels of the organizational hierarchy are involved, these high-level plans are
evolved into more detailed, more concrete planning.
 Higher-level plans are translated into more specific plans for intermediate layers of
management, and high-level goals are translated into lower-level goals and objectives.
 That layer of strategic planning by function is then converted into tactical planning and
provides direction for the operational plans.
Creating a Strategic Plan
 After an organization develops a general strategy, it must create an overall strategic plan by extending that
general strategy into specific strategic plans for major divisions.
 Each level of each division translates those goals into more specific goals for the level below.

 Example:
 Strategy: To provide the highest-quality, most cost-effective widgets in the industry.
 Goals:
 To increase revenue by 10 percent annually.
 To increase market share by 5 percent annually
 To decrease expenses by 5 percent annually.

Creating a Strategic Plan- Continued
 To execute this broad strategy and turn the general statement into action, the executive team (CEO, COO,
CFO, CIO, …) must first define individual responsibilities.

 Example: the CIO might respond to the CEO's statement with this IT-focused statement of strategy and its
supporting goals:
 Strategy: To provide high-level, cost-effective information service in support of the highest quality, most cost-effective
widgets in the industry.
 Goals:
 To reduce IT-related expenses by 5 percent annually while maintaining systems, networks, and service capabilities to
meet business needs.
 To support corporate reduction in the cost of production through cost-effective systems development and implementation.
 To recruit and retain highly competent IT professionals

Creating a Strategic Plan- Continued (example)
 The chief operations officer (COO) might derive a different strategic statement and its corresponding goals
that focus more on his or her specific responsibilities:
 Strategy: To provide the highest-quality, industry-leading widget development, manufacture, and delivery
worldwide.
 Goals:
 To reduce the cost of manufacture by 10 percent per year through the development of improved
production methods.
 To reduce the cost of distribution and inventory management by 10 percent per year through improved
ordering methods with just-in-time delivery to our largest customers.
 To improve the quality of products through research and development of better and more efficient
product design and materials acquisition.

Planning Levels
 Once the organization's overall strategic plan is translated into strategic goals for each major division or
operation, the next step is to translate these strategic goals into objectives that are specific, measurable,
achievable, and time-bound.
 Strategic plans are used to create tactical plans, which are in turn used to develop operational plans.

Planning Levels- Continued
 Critical components of the tactical plan: Budgeting, resource allocation, and personnel

 CISOs and their security managers use the tactical plan to: organize, prioritize, and acquire
resources necessary for the major projects and to provide support for the overall strategic plan.

 Operational plans are derived from tactical plans, they are used to organize the ongoing, day-to
-day performance of tasks.
 An operational plan includes clearly identified coordination activities that span department boundaries,
communications requirements, weekly meetings, summaries, progress reports, and associated tasks.

Information Security Governance

 Governance:
 The set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that
objectives are achieved, ascertaining that risks are managed appropriately, and
verifying that the enterprise's resources are used responsibly.
 Governance, risk management, and compliance (GRC):
 An approach to information security strategic guidance from a board of directors
or senior management perspective that seeks to integrate the three components
of information security governance, risk management, and regulatory
compliance.

Information Security Governance- Continued
 InfoSec objectives must be addressed at the highest levels of an organization’s management team in order to
be effective and offer a sustainable approach:
 formal governance board consisting of executive management from across the organization: usually the
chief executive officer (CEO) or president and their immediate subordinate executives.
 When security programs are designed and managed as a technical specialty in the IT department,
they are less likely to be effective.
 A broader view of InfoSec encompasses all of an organization's information assets, including IT
assets.
 These valuable commodities must be protected regardless of how the information is processed,
stored, or transmitted, and with a thorough understanding of the risks to, and the benefits of, the
information assets.

The ITGI Approach to Information Security Governance
 ITGI =Information Technology Governance Institute
 Role: address the recognized need for the intellectual development and advancement of Governance of
Enterprise IT (GEIT).
 ITGI recommends that boards of directors supervise strategic InfoSec objectives by:
1. Creating and promoting a culture that recognizes the criticality of information and InfoSec to the
organization
2. Verifying that management's investment in InfoSec is properly aligned with organizational strategies
and the organization's risk environment
3. Mandating and assuring that a comprehensive InfoSec program is developed and implemented
4. Requiring reports from the various layers of management on the InfoSec program's effectiveness
and adequacy
Desired Outcomes of Governance
 Strategic alignment of InfoSec with business strategy to support organizational objectives
 Risk management by executing appropriate measures to manage and mitigate threats to
information resources
 Resource management by utilizing InfoSec knowledge and infrastructure efficiently and
effectively
 Performance measurement by measuring, monitoring, and reporting InfoSec governance
metrics to ensure that organizational objectives are achieved
 Value delivery by optimizing InfoSec investments in support of organizational objectives

Benefits of Information Security Governance
 An increase in share value for organizations
 Increased predictability and reduced uncertainty of business operations by lowering information-
security-related risks to definable and acceptable levels
 Protection from the increasing potential for civil or legal liability as a result of information
inaccuracy or the absence of due care
 Optimization of the allocation of limited security resources
 Assurance of effective InfoSec policy and policy compliance
 A firm foundation for efficient and effective risk management, process improvement, and rapid
incident response
 A level of assurance that critical decisions are not based on faulty information
 Accountability for safeguarding information during critical business activities, such as mergers
and acquisitions, business process recovery, and regulatory response

InfoSec Governance Responsibilities

(figure: InfoSec governance responsibilities, not reproduced in this text)

Defining an Effective Enterprise Security Program

(figure: defining an effective enterprise security program, not reproduced in this text)
ISO/IEC 27014:2013 Governance of Information Security
 The ISO 27000 series, discussed in greater detail in Chapter 8, provides a set of international
standards for the certification of an Information Security Management System (ISMS).
 these are not documents designed to provide specific "how-to's" for designing, implementing, operating, and
maintaining security systems, but allow the organization to assess whether its security program meets the
expectations of the standard.

 ISO 27014:2013 is the ISO 27000 series standard for Governance of Information Security
 provides brief recommendations for the assessment of an information security governance program

 The standard specifies six high-level "action-oriented" information security governance principles
ISO/IEC 27014:2013- Principles
1. Establish organization-wide information security.
2. Adopt a risk-based approach.
3. Set the direction of investment decisions.
4. Ensure conformance with internal and external requirements.
5. Foster a security-positive environment.
6. Review performance in relation to business outcomes

ISO/IEC 27014:2013- Governance processes
 Evaluate- Review the status of current and projected progress toward organizational information security
objectives, and make a determination whether modifications of the program or its strategy are needed to keep
on track with strategic goals.
 Direct- The board of directors provides instruction for developing or implementing changes to the security
program:
 These include modification of available resources, restructuring of the priorities of effort, adoption of policy,
recommendations for the risk management program, or alteration of the organization's risk tolerance.
 Monitor- The review and assessment of organizational information security performance toward goals and
objectives by the governing body (ongoing performance measurement).
 Communicate- The interaction between the governing body and external stakeholders, where information
on organizational efforts and recommendations for change are exchanged.
 Assure- The assessment of organizational efforts by external entities like certification or accreditation
groups, regulatory agencies, auditors, and other oversight entities, in an effort to validate organizational
security governance, security programs, and strategies.

Planning for Information Security Implementation

 The CIO and CISO play important roles in translating overall strategic planning into tactical and operational
InfoSec plans.
 the CIO charges the CISO and other IT department heads with creating and adopting plans that are
consistent with and supportive of the IT strategy as it supports the organizational strategy.
 The CIO ensures that various IT functional areas in the organization provide broad support for the plan and
that no areas are omitted or ignored.
 The CISO ensures that the InfoSec plan directly supports the entire organization and the strategies of other
business units, beyond the scope of the IT plan.
 the CISO must convince the CIO of the priorities of the InfoSec program, both within and outside of the IT
function
 The CISO plays a more active role in the development of the planning details than the CIO does.
 Once the organization's overall strategic plan has been translated into IT departmental objectives by the CIO
and translated into strategic, tactical, and operational plans by the CISO, the implementation of InfoSec can
begin.

Planning for Information Security Implementation- Approaches

(figure: implementation approaches, not reproduced in this text)
Implementing the Security Program using the SecSDLC
 When developing any major program, the organization must identify a model or blueprint it
wants to implement:
 In order to implement that model, the organization will need to identify a formal methodology that can provide
guidance on the implementation.
 The systems development life cycle (SDLC) approach can be scaled up to support the design, implementation,
and maintenance of an entire security program; the result is the SecSDLC.
Implementing the Security Program using the SecSDLC

 Methodology: A formal approach to solving a problem based on a structured sequence of procedures, the use
of which ensures a rigorous process and increases the likelihood of achieving the desired final objective.
 Systems Development Life Cycle (SDLC): A methodology for the design and implementation of an information
system.
 The SDLC contains different phases: investigation, analysis, design, implementation, and maintenance.
 Security Systems Development Life Cycle (SecSDLC): A formal approach to designing information security
programs that follows the methodology of a traditional information systems development life cycle (SDLC).
 Controls and safeguards: Security mechanisms, policies, or procedures that can successfully counter attacks,
reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
SDLC waterfall methodology

(figure: SDLC waterfall methodology, not reproduced in this text)
Investigation in the SecSDLC
 This phase begins with the affirmation or creation of security policies on which the security
program of the organization is or will be founded.

 Then, Teams of managers, employees, and consultants are assembled to investigate problems,
define their scope, specify goals and objectives, and identify any additional constraints not
covered in the enterprise security policy.

 Finally, an organizational feasibility analysis determines whether the organization has the
resources and commitment to conduct a successful security analysis and design.

Analysis in the SecSDLC

 The team studies the documents from the investigation phase


 The development team that was assembled during the investigation phase
conducts a preliminary analysis of existing security policies or programs along with
documented current threats and associated controls
 Analysis of relevant legal issues that could affect the design of the security
solution
 The risk management task also begins in this stage:
 Process of identifying, assessing, and evaluating the levels of risk an organization faces

Design in the SecSDLC
 The SecSDLC design phase consists of two distinct parts: the logical design and the physical design

 In the logical design phase:


 Team members create and develop the blueprint for security, and they examine and implement key policies that
influence later decisions
 Critical contingency plans for incident response are developed.
 Next, a feasibility analysis determines whether the project should continue in-house or should be outsourced.

 In the physical design phase:


 Team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and
agree on a final design
 The security blueprint may be revisited to keep it synchronized with the changes needed when the physical design is
completed
 At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed
project.

Design in the SecSDLC
 A security manager may seek to use established security models to guide the design process:
 Models provide frameworks for ensuring that all areas of security are addressed.
 The design phase continues with the formulation of the controls and safeguards used to protect information
from attacks by threats.
 There are three categories of controls:
 managerial controls:
 address the design and implementation of the security planning process, risk management and security controls
reviews,
 describe the necessity and scope of legal compliance and the maintenance of the entire security systems life cycle
 operational controls:
 deal with the operational functionality of security in the organization, with lower-level planning, such as disaster
recovery and incident response planning,
 personnel security, physical security, and the protection of production inputs and outputs, development of education,
training, and awareness programs for users, administrators, and management,
 address also hardware and software systems maintenance and the integrity of data

Design in the SecSDLC (continued)
 technical controls:
 address the technical approaches used to implement security in the organization,
 unlike operational controls, which address specific operational issues such as control development and integration
into business functions, technical controls must be selected, acquired (made or bought), and integrated into the
organization's IT structure,
 include logical access controls, such as those used for identification, authentication, authorization, and accountability
 The design phase next addresses physical security:


 requires the design, implementation, and maintenance of countermeasures to protect the physical resources of an
organization.
 Physical resources include people, hardware, and the supporting system elements and resources associated with the
management of information in all its states- transmission, storage, and processing.

Implementation in the SecSDLC
 Security solutions are acquired (made or bought), tested, implemented, and retested.
 Personnel issues are evaluated and specific training and education programs are conducted.
 Finally, the entire tested package is presented to upper management for final approval

Members of the development team
 InfoSec is a field with a vast array of technical and nontechnical requirements:
 Champion- A senior executive who promotes the project and ensures its support, both financially and administratively,
at the highest levels of the organization
 Team leader- A project manager (a departmental line manager or staff unit manager) who understands project
management, personnel management, and InfoSec technical requirements
 Security policy developers- Individuals who understand the organizational culture, existing policies, and requirements
for developing and implementing successful policies
 Risk assessment specialists- Individuals who understand financial risk assessment techniques, the value of
organizational assets, and the security methods to be used
 Security professionals- Dedicated, trained, and well-educated specialists in all aspects of InfoSec from both technical
and nontechnical standpoints
 Systems administrators- Individuals with the primary responsibility for administering the systems that house the
information used by the organization
 End users - The individuals whom the new system will most directly affect; a disparate group of users from various
departments and levels, and with varying degrees of technical knowledge, to assist the team in applying realistic
controls in ways that do not disrupt the essential business activities they seek to safeguard
The various roles involved in InfoSec
 Chief information officer (CIO)- The senior technology officer responsible for aligning the strategic efforts of the
organization and integrating them into action plans for the information systems or data-processing division of the
organization
 Chief security officer (CSO)- A title used for a role that is superior to the CISO; the CSO is responsible for the
protection of all physical and information resources within the organization
 Chief information security officer (CISO)- The individual responsible for the assessment, management, and
implementation of information-protection activities in the organization
 Security managers- The individuals accountable for ensuring the day-to-day operation of the InfoSec program,
accomplishing the objectives identified by the CISO and resolving issues identified by technicians
 Security technicians- Technically qualified individuals who are tasked with configuring firewalls and intrusion
detection systems, implementing security software, diagnosing and troubleshooting problems, and coordinating
with systems and network administrators to ensure that security technology is properly implemented

The various roles involved in InfoSec- continued
 Data trustees - The executive management group that is generally responsible for the collection, storage,
use, and maintenance of the data by the organization’s business units that report directly to them

 Data owners- Individuals who control, and are therefore responsible for, the security and use of a particular
set of information; data owners may rely on custodians for the practical aspects of protecting their
information, specifying which users are authorized to access it, but they are ultimately responsible for it

 Data custodians- Individuals who work directly with data owners and are responsible for storage,
maintenance, and protection of the information; the IT department and the InfoSec group are the most
common data custodians

 Data users - Internal and external stakeholders (customers, suppliers, and employees) who interact with the
information in support of their organization’s planning and operations

Maintenance in the SecSDLC
 Today's InfoSec systems need constant monitoring, testing, modifying, updating, and repairing

 Once the InfoSec program is implemented, it must be operated, properly managed, and kept up to date by
means of established procedures

 The organization should establish a formal security maintenance model (discussed later in Chapter 11)

 The maintenance model is intended to complement a systems management model and to focus the ongoing
maintenance efforts that are needed to keep systems usable and secure.
Summary

 Planning is central to the management of any organization and is based on the preparation,
application, and control of a sequence of action steps to achieve specific goals.
 To develop and implement effective planning, documents representing the
philosophical, ethical, and entrepreneurial perspectives of the company are first
created- namely, the mission, vision, values, and strategy of the organization.
 The systems development life cycle (SDLC) is a methodology for the design and
implementation of an information system in an organization. The process of
phased system development described by the traditional SDLC can be adapted to
support the specialized implementation of a security project by using the security
systems development life cycle (SecSDLC).