Lecture 11: Information Security Governance
Cyber security from Directors' POV
Directors need to understand and approach cybersec as an enterprise-wide risk mgmt issue
1st Level: Business Unit
2nd Level: Risk and Security functions
3rd Level: Internal audit
4th Level: BoD
BoD = 4th line of defence
Directors shld understand the legal implications of cyber risks in relation to the company's specific circumstances
Cyber risks assoc w 3rd party svc providers
Understand requirement of personal data protection
Aware of all data breach attempts against org
BoD shld have adequate access to cybersecurity expertise, and discussions about cyber risk mgmt shld be given regular time on the board agenda
Annual meeting w CISO
Chance to discuss cybersec matters direct w board
Verify existing contact w appropriate law enforcement auth in case of incidents
BoD set expectation that mgmt est an ent-wide risk mgmt framework w adequate staffing and budget
Require mgmt to communicate the ent risk mgmt org structure, incl staffing and budget details
Ensure CISO reporting at appropriate levels within org
Ensure no conflict of interest in reporting lines
Board-mgmt discussion to include identification of which risks to avoid, which to accept, risk mitigation options (incl transfer via insurance), and the specific plans assoc w each approach
Meet w CRO annually to review risks avoided/accepted
Verify cyber insurance coverage is sufficient to addr the potential cyber risks the org has chosen to transfer
InfoSec Gov
Subset of GEIT (governance of enterprise IT)
Outlines responsibilities and practices exercised by BoD + mgmt
Ensure Security risks managed
Align strategic direction of security activities w biz strategy
Ensure resources used efficiently to achieve obj
Benefits:
Enable more businesses
Increased and sustainable reputation
Increased competitive adv
Encourage pro-active behaviour rather than compliance driven
Gov: CISO
EDM (evaluate, direct, monitor)
Mgmt: Information Security Manager
Establish and execute the infosec program
Provide advisory svcs to stakeholders
Cultivate risk-based decision making
Act as subject matter expert in infosec matters
PBRM (plan, build, run, monitor)
Desired Outcomes
Strategic Alignment: align w biz strategy to support obj
Risk Mgmt: Mitigate risk and reduce potential impacts to acceptable levels
Resource mgmt: use sec knowledge and infra efficiently and effectively
Performance measurement: monitor and report to ensure obj achieved
Value delivery: optimise sec investments in support of obj
Board Best Practices
Agenda to include infosec matters
Identify infosec leaders, hold them accountable and give them adequate support
Ensure effectiveness of org infosec pol through review and approval
Assign infosec to a key committee and ensure adequate support for that committee
Elements of IS Gov
Infosec risk mgmt methodology
Comprehensive security strategy linked w biz and IT obj
Appropriate org structure
Infosec policies
Infosec standards
Monitoring processes
Continuing evaluation and renewal
Business Model for InfoSec (BMIS)
3D pyramid w 4 elements linked by 6 dynamic interconnections
Elements:
Organisation Design and Strategy
People
Process
Technology
Dynamic Interconnections:
Governing (betw org and process)
Direction setting + the ldrship needed to do so
Culture (betw org and people)
Set way of doing things which becomes the norm
Architecture (betw org and tech)
Blueprint connecting sec w tech and org strategy
Emergence (betw process and people)
New developments arising betw ppl and process; may not be predictable
Used in a feedback loop to steer towards a +ve result
Human factors (betw tech and people)
Interaction and gaps betw ppl and tech
Gaps lead to sec incidents, data leakage, misuse of svcs
Enabling and support (betw tech and process)
Connects tech to the process elements
Well-chosen tech may enable more efficient processes
Desired State of InfoSec
InfoSec Strategy should:
Explicitly state obj
Define methodologies to achieve those obj
Define the desired state the org should be in
Describe a realistic action plan to get there
Desired State Definition - ISACA Capability Maturity Model (CMM)
0: Non existent
1: Ad hoc
2: Repeatable but intuitive
3: Defined process
4: Managed and measurable
5: Optimised
ISO 27001