Information Security Governance (Book)

Information Security Governance: The Growing Imperative Need for Effective Information Security Governance

With monotonous regularity, headlines announce ever more spectacular failures of information security and mounting losses. The succession of corporate debacles and dramatic contr

Rating: 4 out of 5 stars based on 2 ratings
Rating distribution: 5 stars 50 %, 4 stars 0 %, 3 stars 50 %, 2 stars 0 %, 1 star 0 %
Digital copy (PDF format): 1 available for $99.99
Original physical format: sold out
  • Information Security Governance
  • Written by author Krag Brotby
  • Published by Wiley, John & Sons, Incorporated, April 2009
  • The Growing Imperative Need for Effective Information Security Governance: With monotonous regularity, headlines announce ever more spectacular failures of information security and mounting losses. The succession of corporate debacles and dramatic contr
Acknowledgments xi

Introduction xiii

1 Governance Overview-How Do We Do It? What Do We Get Out of It? 1

1.1 What Is It? 1

1.2 Back to Basics 2

1.3 Origins of Governance 3

1.4 Governance Definition 5

1.5 Information Security Governance 5

1.6 Six Outcomes of Effective Security Governance 6

1.7 Defining Information, Data, Knowledge 7

1.8 Value of Information 7

2 Why Governance? 9

2.1 Benefits of Good Governance 11

2.1.1 Aligning Security with Business Objectives 11

2.1.2 Providing the Structure and Framework to Optimize Allocations of Limited Resources 12

2.1.3 Providing Assurance that Critical Decisions are Not Based on Faulty Information 13

2.1.4 Ensuring Accountability for Safeguarding Critical Assets 13

2.1.5 Increasing Trust of Customers and Stakeholders 14

2.1.6 Increasing the Company's Worth 14

2.1.7 Reducing Liability for Information Inaccuracy or Lack of Due Care in Protection 14

2.1.8 Increasing Predictability and Reducing Uncertainty of Business Operations 15

2.2 A Management Problem 15

3 Legal and Regulatory Requirements 17

3.1 Security Governance and Regulation 18

4 Roles and Responsibilities 21

4.1 The Board of Directors 22

4.2 Executive Management 22

4.3 Security Steering Committee 24

4.4 The CISO 24

5 Strategic Metrics 27

5.1 Governance Objectives 28

5.1.1 Strategic Direction 29

5.1.2 Ensuring Objectives are Achieved 29

5.1.3 Risks Managed Appropriately 30

5.1.4 Verifying that Resources are Used Responsibly 31

6 Information Security Outcomes 33

6.1 Defining Outcomes 33

6.1.1 Strategic Alignment-Aligning Security Activities in Support of Organizational Objectives 34

6.1.2 Risk Management-Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level 36

6.1.3 Business Process Assurance/Convergence-Integrating All Relevant Assurance Processes to Improve Overall Security and Efficiency 39

6.1.4 Value Delivery-Optimizing Investments in Support of Organizational Objectives 42

6.1.5 Resource Management-Using Organizational Resources Efficiently and Effectively 44

6.1.6 Performance Measurement-Monitoring and Reporting on Security Processes to Ensure that Objectives are Achieved 45

7 Security Governance Objectives 47

7.1 Security Architecture 48

7.1.1 Managing Complexity 48

7.1.2 Providing a Framework and Road Map 50

7.1.3 Simplicity and Clarity through Layering and Modularization 50

7.1.4 Business Focus Beyond the Technical Domain 50

7.1.5 Objectives of Information Security Architectures 50

7.1.6 SABSA Framework for Security Service Management 54

7.1.7 SABSA Development Process 54

7.1.8 SABSA Life Cycle 54

7.1.9 SABSA Attributes 56

7.2 CobiT 58

7.3 Capability Maturity Model 59

7.4 ISO/IEC 27001/27002 63

7.4.1 ISO 27001 64

7.4.2 ISO 27002 67

7.5 Other Approaches 68

7.5.1 National Cybersecurity Task Force, Information Security Governance: A Call to Action 68

8 Risk Management Objectives 75

8.1 Risk Management Responsibilities 76

8.2 Managing Risk Appropriately 76

8.3 Determining Risk Management Objectives 77

8.3.1 Recovery Time Objectives 78

9 Current State 81

9.1 Current State of Security 81

9.1.1 SABSA 82

9.1.2 CobiT 82

9.1.3 CMM 82

9.1.4 ISO/IEC 27001, 27002 83

9.1.5 Cyber Security Taskforce Governance Framework 83

9.2 Current State of Risk Management 84

9.3 Gap Analysis-Unmitigated Risk 84

9.3.1 SABSA 85

9.3.2 CMM 85

10 Developing a Security Strategy 87

10.1 Failures of Strategy 88

10.2 Attributes of a Good Security Strategy 89

10.3 Strategy Resources 91

10.3.1 Utilizing Architecture for Strategy Development 94

10.3.2 Using CobiT for Strategy Development 94

10.3.3 Using CMM for Strategy Development 96

10.4 Strategy Constraints 96

10.4.1 Contextual Constraints 97

10.4.2 Operational Constraints 97

11 Sample Strategy Development 99

11.1 The Process 100

12 Implementing Strategy 109

12.1 Action Plan Intermediate Goals 109

12.2 Action Plan Metrics 110

12.3 Reengineering 110

12.4 Inadequate Performance 110

12.5 Elements of Strategy 110

12.5.1 Policy Development 111

12.5.2 Standards 116

12.6 Summary 125

13 Security Program Development Metrics 127

13.1 Information Security Program Development Metrics 127

13.2 Program Development Operational Metrics 129

14 Information Security Management Metrics 131

14.1 Management Metrics 132

14.2 Security Management Decision Support Metrics 132

14.3 CISO Decisions 134

14.3.1 Strategic Alignment-Aligning Security Activities in Support of Organizational Objectives 134

14.3.2 Risk Management-Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level 137

14.3.3 Metrics for Risk Management 138

14.3.4 Assurance Process Integration 141

14.3.5 Value Delivery-Optimizing Investments in Support of the Organization's Objectives 142

14.3.6 Resource Management-Using Organizational Resources Efficiently and Effectively 144

14.3.7 Performance Measurement-Monitoring and Reporting on Security Processes to Ensure that Organizational Objectives are Achieved 145

14.4 Information Security Operational Metrics 145

14.4.1 IT and Information Security Management 145

14.4.2 Compliance Metrics 146

15 Incident Management and Response Metrics 155

15.1 Incident Management Decision Support Metrics 156

15.1.1 Is It Actually an Incident? 156

15.1.2 What Kind of Incident Is It? 157

15.1.3 Is It a Security Incident? 157

15.1.4 What Is the Security Level? 157

15.1.5 Are There Multiple Events and/or Impacts? 158

15.1.6 Will an Incident Need Triage? 158

15.1.7 What Is the Most Effective Response? 158

15.1.8 What Immediate Actions Must be Taken? 158

15.1.9 Which Incident Response Teams and Other Personnel Must be Mobilized? 159

15.1.10 Who Must be Notified? 159

15.1.11 Who Is in Charge? 159

15.1.12 Is It Becoming a Disaster? 159

16 Conclusion 161

Appendix A SABSA Business Attributes and Metrics 163

Appendix B Cultural Worldviews 181

Hierarchists 181

Egalitarians 181

Individualists 182

Fatalists 182

Index 185