Lecture 12: InfoSec Program
Successful InfoSec Program (ISP)
Good infosec strategy
Strong involvement of relevant stakeholders
Appropriate and effective security metrics
Effective infosec manager who communicates well
Structure of ISP
Strategic
Security vision and strategy
Enterprise Security Framework
Organisation and Authority
Tactical
Policy
Audit & Compliance
Risk Mgmt & Intelligence
Privacy
Incident Mgmt
Edu and Awareness
Operational
Technical Security & access control
Monitoring, Measurement & reporting
Physical & Environmental
Assets identification & classification
Acct mgmt & outsourcing
Program and Proj Mgmt
Gap analysis provides recommendations to address identified gaps
Each recommendation may be deployed in proj or prog
Project: Series of activities to achieve an obj. Has defined resources and time. Ends after obj achieved
Program: Portfolio of proj to achieve strategic goals. Completed when all projs completed
Prog/Proj mgmt skills to ensure:
Selection of proj based on priority
Portfolio of proj efficient w little/no overlaps
Right resources allocated optimally
Dependencies identified and sequenced optimally
Deliver max benefits within avail resources and timeframe
Project Phases (according to PMBoK)
Initiate - Is it doable?
Planning - How to do it?
Execute - Actual work to produce deliverables
Closing - Review and document lessons learnt
How to do Gap Analysis
Identify baseline
Baseline - min state to achieve; basis for comparison
Common Baselines: ISO 27000 series, PDPA, SoGP, internal baseline
Not all items in standard applicable
Current State Analysis
As-is snapshot of:
Data
Applications
System
Facilities
Processes
Infrastructure
Focus areas
Outcomes of gap analysis are areas where:
Security level less/at/over baseline
Control ineffective/effective to mitigate risks
Monitoring would be needed
Focus areas will be identified:
Improvement: areas where sec/control found to be deficient (below baseline)
Efficiency: areas where sec/control found over baseline
Level of monitoring required
Scope of Gap Analysis
Define scope based on:
Geog/Location
Time
Business
Systems
Applications/Services
Frequency:
Single Iteration
Multiple Iterations
Obtaining Mgmt Support
Mgmt support crit to analysis success
w/o mgmt support:
Little/no co-op in data gathering
Incorrect responses
Analysis result may be challenged outside of context
Mgmt support best provided by key exec or biz heads
Data Gathering
Collect info about people, process, technology
Prioritise people info
Technical source data can be collected with emphasis on relevance and efficiency
Using Questionnaire
Infosec manager creates questionnaire to collect info from stakeholders
Self-assessment is the simplest and lowest-cost way of collecting the as-is condition
Decentralised and completed by nominated person from each area who knows their domain well
Questionnaire must be well developed and capture the right info
Analysing results
Compare values from various data points against the baseline to obtain variances
Discrete variances by themselves are not useful. Correlation of different data points is more credible in highlighting potential issues or deficiencies
Correlation best done with analytics software given the data volume and potential for error
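Added example (not from the lecture notes) covering the "Focus areas" and "Analysing results" nodes: each control's assessed level is compared with the baseline to get a variance, the questionnaire answer is corroborated against a second (technical) data point, and the variance is mapped to a focus area. Control names, levels and the "at baseline means monitoring" mapping are assumptions for illustration.

```python
# Added example, not part of the lecture notes: a minimal gap-analysis
# calculator. It compares each control's assessed level against the baseline
# to get a variance, corroborates the questionnaire answer with a second
# (technical) data point, and assigns the lecture's focus areas.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    control: str
    variance: int       # conservative assessed level minus baseline level
    corroborated: bool  # questionnaire and technical data point agree
    focus_area: str     # "Improvement", "Efficiency" or "Monitoring"

# Constructed sample data on a 0-5 maturity scale; control names and
# baseline levels are illustrative, not taken from any standard.
BASELINE = {"access provisioning": 3, "logging": 3, "asset inventory": 2, "patching": 3}
QUESTIONNAIRE = {"access provisioning": 3, "logging": 4, "asset inventory": 1, "patching": 4}
TECHNICAL = {"access provisioning": 3, "logging": 4, "asset inventory": 1, "patching": 2}

def classify(variance):
    """Map a variance to a focus area (assumed mapping: at baseline -> Monitoring)."""
    if variance < 0:
        return "Improvement"   # below baseline: control deficient
    if variance > 0:
        return "Efficiency"    # over baseline: possible over-investment
    return "Monitoring"        # at baseline: keep it there

def gap_analysis(baseline, questionnaire, technical, tolerance=1):
    """Return {control: Finding}. Uses the lower of the two data points so a
    self-assessment cannot hide a deficiency the technical evidence shows."""
    findings = {}
    for control, required in baseline.items():
        q, t = questionnaire.get(control), technical.get(control)
        if q is None or t is None:
            # No answer at all is itself a gap: treat as level 0, uncorroborated.
            level, corroborated = 0, False
        else:
            level, corroborated = min(q, t), abs(q - t) <= tolerance
        variance = level - required
        findings[control] = Finding(control, variance, corroborated, classify(variance))
    return findings

def needs_verification(findings):
    """Controls whose data points disagree: re-check before reporting them."""
    return sorted(c for c, f in findings.items() if not f.corroborated)

if __name__ == "__main__":
    for f in gap_analysis(BASELINE, QUESTIONNAIRE, TECHNICAL).values():
        print(f"{f.control:20} variance={f.variance:+d} {f.focus_area:12}"
              + ("" if f.corroborated else " (verify: sources disagree)"))
```

With the sample data, "patching" is the case the lecture warns about: the self-assessment claims level 4 but the technical evidence shows 2, so it is reported as an Improvement item flagged for verification rather than trusted on the questionnaire alone.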
Draft Preliminary Report
Share w stakeholders
Comments, feedback, disagreements collected and discussed
Final report prepared based on feedback and presented to senior mgmt
Implementing InfoSec Program
Step 1: Identify desired state to be in
Step 2: Perform gap analysis
Determines, documents and obtains mgmt awareness of the difference between requirements set in regulations, guidelines and best practice and the org's current infosec program
Step 3: Communicate to mgmt results of report
Step 4: Obtain support from mgmt
Step 5: Implement recommendations from gap analysis