Information Security Governance

Hardcover
from $0.00

Author: Krag Brotby

ISBN-10: 0470131187

ISBN-13: 9780470131183

Category: Databases Security

The Growing Imperative Need for Effective Information Security Governance

With monotonous regularity, headlines announce ever more spectacular failures of information security and mounting losses. The succession of corporate debacles and dramatic control failures in recent years underscores the necessity for information security to be tightly integrated into the fabric of every organization. The protection of an organization's most valuable asset, information, can no longer be relegated to low-level technical personnel, but must be considered an essential element of corporate governance that is critical to organizational success and survival.

Written by an industry expert, Information Security Governance is the first book-length treatment of this important topic, providing readers with a step-by-step approach to developing and managing an effective information security program. Beginning with a general overview of governance, the book covers:

- The business case for information security
- Defining roles and responsibilities
- Developing strategic metrics
- Determining information security outcomes
- Setting security governance objectives
- Establishing risk management objectives
- Developing a cost-effective security strategy
- A sample strategy development
- The steps for implementing an effective strategy
- Developing meaningful security program development metrics
- Designing relevant information security management metrics
- Defining incident management and response metrics

Complemented with action plans and sample policies that demonstrate to readers how to put these ideas into practice, Information Security Governance is indispensable reading for any professional who is involved in information security and assurance.

Contents:

Acknowledgments
Introduction
1 Governance Overview - How Do We Do It? What Do We Get Out of It?
  1.1 What Is It?
  1.2 Back to Basics
  1.3 Origins of Governance
  1.4 Governance Definition
  1.5 Information Security Governance
  1.6 Six Outcomes of Effective Security Governance
  1.7 Defining Information, Data, Knowledge
  1.8 Value of Information
2 Why Governance?
  2.1 Benefits of Good Governance
    2.1.1 Aligning Security with Business Objectives
    2.1.2 Providing the Structure and Framework to Optimize Allocations of Limited Resources
    2.1.3 Providing Assurance that Critical Decisions are Not Based on Faulty Information
    2.1.4 Ensuring Accountability for Safeguarding Critical Assets
    2.1.5 Increasing Trust of Customers and Stakeholders
    2.1.6 Increasing the Company's Worth
    2.1.7 Reducing Liability for Information Inaccuracy or Lack of Due Care in Protection
    2.1.8 Increasing Predictability and Reducing Uncertainty of Business Operations
  2.2 A Management Problem
3 Legal and Regulatory Requirements
  3.1 Security Governance and Regulation
4 Roles and Responsibilities
  4.1 The Board of Directors
  4.2 Executive Management
  4.3 Security Steering Committee
  4.4 The CISO
5 Strategic Metrics
  5.1 Governance Objectives
    5.1.1 Strategic Direction
    5.1.2 Ensuring Objectives are Achieved
    5.1.3 Risks Managed Appropriately
    5.1.4 Verifying that Resources are Used Responsibly
6 Information Security Outcomes
  6.1 Defining Outcomes
    6.1.1 Strategic Alignment - Aligning Security Activities in Support of Organizational Objectives
    6.1.2 Risk Management - Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level
    6.1.3 Business Process Assurance/Convergence - Integrating All Relevant Assurance Processes to Improve Overall Security and Efficiency
    6.1.4 Value Delivery - Optimizing Investments in Support of Organizational Objectives
    6.1.5 Resource Management - Using Organizational Resources Efficiently and Effectively
    6.1.6 Performance Measurement - Monitoring and Reporting on Security Processes to Ensure that Objectives are Achieved
7 Security Governance Objectives
  7.1 Security Architecture
    7.1.1 Managing Complexity
    7.1.2 Providing a Framework and Road Map
    7.1.3 Simplicity and Clarity through Layering and Modularization
    7.1.4 Business Focus Beyond the Technical Domain
    7.1.5 Objectives of Information Security Architectures
    7.1.6 SABSA Framework for Security Service Management
    7.1.7 SABSA Development Process
    7.1.8 SABSA Life Cycle
    7.1.9 SABSA Attributes
  7.2 CobiT
  7.3 Capability Maturity Model
  7.4 ISO/IEC 27001/27002
    7.4.1 ISO 27001
    7.4.2 ISO 27002
  7.5 Other Approaches
    7.5.1 National Cybersecurity Task Force, Information Security Governance: A Call to Action
8 Risk Management Objectives
  8.1 Risk Management Responsibilities
  8.2 Managing Risk Appropriately
  8.3 Determining Risk Management Objectives
    8.3.1 Recovery Time Objectives
9 Current State
  9.1 Current State of Security
    9.1.1 SABSA
    9.1.2 CobiT
    9.1.3 CMM
    9.1.4 ISO/IEC 27001, 27002
    9.1.5 Cyber Security Taskforce Governance Framework
  9.2 Current State of Risk Management
  9.3 Gap Analysis - Unmitigated Risk
    9.3.1 SABSA
    9.3.2 CMM
10 Developing a Security Strategy
  10.1 Failures of Strategy
  10.2 Attributes of a Good Security Strategy
  10.3 Strategy Resources
    10.3.1 Utilizing Architecture for Strategy Development
    10.3.2 Using CobiT for Strategy Development
    10.3.3 Using CMM for Strategy Development
  10.4 Strategy Constraints
    10.4.1 Contextual Constraints
    10.4.2 Operational Constraints
11 Sample Strategy Development
  11.1 The Process
12 Implementing Strategy
  12.1 Action Plan Intermediate Goals
  12.2 Action Plan Metrics
  12.3 Reengineering
  12.4 Inadequate Performance
  12.5 Elements of Strategy
    12.5.1 Policy Development
    12.5.2 Standards
  12.6 Summary
13 Security Program Development Metrics
  13.1 Information Security Program Development Metrics
  13.2 Program Development Operational Metrics
14 Information Security Management Metrics
  14.1 Management Metrics
  14.2 Security Management Decision Support Metrics
  14.3 CISO Decisions
    14.3.1 Strategic Alignment - Aligning Security Activities in Support of Organizational Objectives
    14.3.2 Risk Management - Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level
    14.3.3 Metrics for Risk Management
    14.3.4 Assurance Process Integration
    14.3.5 Value Delivery - Optimizing Investments in Support of the Organization's Objectives
    14.3.6 Resource Management - Using Organizational Resources Efficiently and Effectively
    14.3.7 Performance Measurement - Monitoring and Reporting on Security Processes to Ensure that Organizational Objectives are Achieved
  14.4 Information Security Operational Metrics
    14.4.1 IT and Information Security Management
    14.4.2 Compliance Metrics
15 Incident Management and Response Metrics
  15.1 Incident Management Decision Support Metrics
    15.1.1 Is It Actually an Incident?
    15.1.2 What Kind of Incident Is It?
    15.1.3 Is It a Security Incident?
    15.1.4 What Is the Security Level?
    15.1.5 Are There Multiple Events and/or Impacts?
    15.1.6 Will an Incident Need Triage?
    15.1.7 What Is the Most Effective Response?
    15.1.8 What Immediate Actions Must be Taken?
    15.1.9 Which Incident Response Teams and Other Personnel Must be Mobilized?
    15.1.10 Who Must be Notified?
    15.1.11 Who Is in Charge?
    15.1.12 Is It Becoming a Disaster?
16 Conclusion
Appendix A SABSA Business Attributes and Metrics
Appendix B Cultural Worldviews
  Hierarchists
  Egalitarians
  Individualists
  Fatalists
Index