CHAPTER 3: GOVERNANCE AND STRATEGIC PLANNING FOR SECURITY
Planning involves:
Representatives of 3 communities of interest
Individuals internal and external to the organization (employees, management, and internal and outside stakeholders).
Planning is the dominant means of managing resources in modern organizations and entails the enumeration of a sequence of actions intended to achieve specific goals during a defined period of time, and then controlling the implementation of these steps.
Precursor documents developed to support organizational planning include:
Mission Statement: explicitly declares the business of the organization and its intended areas of operations.
Vision Statement: an idealistic expression of what the organization wants to become.
Values Statement: by establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behaviour against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
Planning levels below the strategic level:
Tactical Planning - usually covers one to three years and has a more short-term focus than strategic planning.
Operational Planning - used by managers and employees to organize the ongoing, day-to-day performance of tasks.
Basic components of a typical strategic plan:
Executive summary
Mission, vision and values statements.
Organizational profile and history
Strategic issues and challenges
Organizational goals and objectives
Major business units' goals and objectives.
Appendices
When developing an InfoSec governance program, the designers should ensure that the program includes:
An InfoSec risk management methodology.
An effective security organization structure.
Security policies that address each aspect of strategy, control and regulation.
Tips for Planning
Make planning a process that engages everyone involved in working toward the common objectives.
Strive for transparency in the planning process so that inevitable changes to plans are explained to stakeholders.
Stick with the process over time, because results may not always be achieved as quickly as intended.
Explain what is being done so that stakeholders understand the intentions of the process.
Use processes that fit the organization's culture.
Information Security Governance
Governance is "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly".
The ITGI Approach to Information Security Governance
According to ISACA's Information Technology Governance Institute (ITGI), InfoSec governance includes the accountability and the methods undertaken by the board of directors and executive management to provide strategic direction, establishment of objectives, and measurement of progress toward those objectives.
NACD InfoSec Governance Board of Directors Essential Practices
Place InfoSec on the board's agenda
Identify InfoSec leaders, hold them accountable and ensure support for them.
Ensure the effectiveness of the corporation's InfoSec policy through review and approval.
Benefits of Information Security Governance
An increase in share value for the organization.
Optimization of the allocation of limited security resources.
Assurance of effective InfoSec policy and policy compliance.
A level of assurance that critical decisions are not based on faulty information.
ISO/IEC 27014: Governance of Information Security
The standard specifies 6 high-level "action-oriented" information security governance principles:
Establish organization-wide information security.
Adopt a risk-based approach.
Set the direction of investment decisions.
Ensure conformance with internal and external requirements.
Foster a security-positive environment.
Review performance in relation to business outcomes.
Security Convergence
The convergence of security-related governance in organizations has been observed since the broad deployment of information systems began in the 1970s and 1980s.
Benefits:
Significantly lower cost.
Use existing servers to make the decisions.
Use IT infrastructure to keep the system running.
Use existing IT redundancy and backup to protect in case of failures.
Let the IT department protect valuable data and keep out cyber-intruders.
Staffing of Information Security Functions:
The organization must decide how to position and name the security function.
The InfoSec community of interest plans for the proper staffing of the information security function.
The IT community of interest must understand the impact of information security across every role in IT.
Finally, the general management community of interest must work with the InfoSec professionals to integrate solid information security concepts into the personnel management practices of the organization.
The InfoSec Project Team should include:
Champion
Team Leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users.
Most important elements of the implementation phase in the SecSDLC:
Planning the project.
Supervising the tasks and action steps within the project.
Wrapping up the project.
InfoSec Professionals:
It takes a wide range of professionals to support a diverse information security program:
Chief Information Officer (CIO)
Chief Security Officer (CSO)
Security Managers
Security Technicians
Data Owners