Business case for information security program
2 likes2,851 views
This document presents a business case for establishing an information security program. It outlines the background, value, scope, and components of the program. The program aims to safeguard corporate information assets, establish security standards, comply with regulations, and align IT services with business needs. It involves categorizing data, determining risk appetite, analyzing business impacts, developing a security strategy and plans, and implementing controls. The goal is to effectively manage risks and threats, drive process maturity over time, and provide continuous improvements.
Business case for information security program
- 1. BUSINESS CASE FOR INFORMATION SECURITY PROGRAM Developed and Presented by: William Godwin3/12/2014 © 2014
- 2. Background Safeguards the company’s most important asset: CORPORATE INFORMATION Establishes a formal program and standard to: Safeguard Confidentiality, Integrity, and Availability of information Determine the company’s risk appetite Categorize data and information assets Establish appropriate security control baseline Assess risk of compromise Comply with governing regulations and corporate governance
- 3. Value Identify IT Operations as a business enabler Establish security benchmarks and determine assessment targets capable of maturing as threats evolve and become more sophisticated Aligns IT Services with the company’s mission Delivers long-term information security strategy Effectively mitigate threats and risks and reduce incidents Drive scalable processes and IT solutions Provides insight to… Optimize IT operations budget management Promote organizational structure to integrate program Conducive to organizational maturity
- 4. Scope Organization Position/Posture Data categorization of critical departments Risk Appetite Determine company’s tolerance to risk exposure Business Impact Analysis Determine criticality of departments and supporting resources Develop Strategy, Plan, Implement and Execute Cultivate Continuous Improvement Opportunities
- 5. Organization Position/Posture Develop strategy for implementation. Reference output from Data Categorization & Risk Appetite exercise (Ref. slide #6 & slide #7) Garner support from organization leadership Large/Enterprise organizations may have multiple executives Obtain operational leadership buy-in Operational Managers will need to be made aware of their roles and expectations Develop & establish corporate standards and requirements for information security
- 6. Data Categorization Defines broad classes of information created, stored, and/or delivered by the company Allows for logical groupings based on criticality to the business Determines data sensitivity levels to unauthorized access, modification or loss of availability Aids to … Establish security baseline for protecting sensitive data Identify business exposure Determine impact on company should data become compromised Permit executives to organize priority based on criticality of data
- 7. Determine & Establish Risk Appetite Company may implement appropriate level of information security control based on the risk appetite. Risk Appetite is determined by establishing the sensitivity of data stored, processed or transmitted by an information system. (Ref. slide #6) Sensitivity is determined by understanding the criticality of the data to the company’s mission or regulatory requirements.
- 8. Business Impact Analysis Categorize and analyze critical business departments/divisions Create priority list of most sensitive business functions Create priority list of support resources Human Resources Information Technology Resources Establish information security requirements Identify and implement baseline security controls to reduce risk
- 9. Strategy, Plan, Implement & Execute Strategy Identify desired service capability and control coverage – (Ref. slide #10) Identify and gather regulatory requirements and corporate governance Develop and execute strategic plan for program implementation Planning for critical IT assets Establish operation authority (typically an executive authorizes system to operate) Document system Security Plan Develop system IT Contingency Plan Develop Configuration Management & Control Plan Develop system Incident Response Plan Implement security controls as specified within the security plan Execute Conduct threat assessment Conduct initial Risk Assessment Mitigate security exposure to acceptable levels Conduct final security test to validate control implementation
- 10. Information Security Model Model Terms & Glossary Capability: Defines “what” information security process or process areas or disciplines. Coverage: Defines the “amount” of control and timeline coverage should be applied. Control: Managing obligations to the business, stakeholders, customers and demonstrating it. Info Security Mission & Goals 2 3 4 5 100% 50% 75% 25% Capability Coverage Optimal Path (Timeline) ROI & Cost- efficiency 1 Risk & Compliance Objectives Control 0% Capability Processes are … Coverage 1 Ad Hoc & Disorganized 0% 2 Repeatable (generally consistent pattern) 25% 3 Documented and communicated 50% 4 Monitored and measured 75% 5 Measured and improved 100% Maturing to Proactive Posture Capability: Process Discovery and Re-engineering to support Information Security program alignment with business and security requirements. Coverage: Integrate required regulations and observe areas for control enhancement. Control: Risk and Compliance based categorization and priority of information assets and processes. The Degree and complexity of controls are driven by the enterprises risk appetite and applicable compliance requirements. SEI, Carnegie Mellon 2008 Primary Drivers
- 11. Continuous Improvement Opportunities Identify success/fail requirements Identify metrics applicable to the organization. Examples such as… Total vulnerabilities Residual risk Total incidents Change in vulnerabilities and incidents IT system operational budget change
- 12. Conclusion Aids organization leaders to identify and assign priority to business units and supporting IT systems based on criticality Enables effective financial planning for IT Operations and Security Ensures compliance with regulatory requirements and governance Enables effective management of risk to IT systems Improve IT service capabilities through process maturity