Fadi Mutlak - Information security governance
- 1. May 2011
- 3. There is no single universal model for organizational structure to ensure that the Information Security requirements for the organization are adequately met. There is still some uncertainty regarding what such Information Security Governance actually consists of Information Security Governance does not function in isolation Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each. How do Organizations currently operate Globally & in the Middle East? 3 Information Security Governance @ 2011 Deloitte & Touche
- 4. 17% of Organizations Globally have a person responsible for Information Security. 33% in the Middle East 40% of the CISOs Globally report directly to IT related positions (CIO, IT executive and CTO). 31% in the Middle East Only 67% of respondents indicate that have a security governance structure. 49% in the Middle East Only 56% of respondents indicate they have a documented and approved information security strategy. 38% in the Middle East Only 18% of respondents have established metrics that have been aligned to business value and report on a scheduled basis. 15% in the Middle East Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives. 32% in the Middle East 4 Information Security Governance @ 2011 Deloitte & Touche
- 6. Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. includes the relationships among the many Corporate governance also stakeholders involved and the goals for which the corporation is governed. Subsets of Corporate Governance include: • Financial Governance • Information Technology Governance • Enterprise Risk Governance • Information Security Governance 6 Information Security Governance @ 2011 Deloitte & Touche
- 7. The structure, oversight and management processes which ensure the delivery of Corporate the of overall corporate governance Governance requires integration between the different subsets of the Corporate Governance Model Enterprise Information Legal Risk Technology Governance An organization’s Information Governance Governance Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization's Information information resources, in the most Security Governance effective and efficient manner, in pursuit of its business goals“ Information Information Security Security Management Operations Information Security Organization @ 2011 Deloitte & Touche 7 Information Security Governance
- 8. ―Information Security governance―, ―Information Security Management" and ―Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet Business, Risk and IT goals Very Broadly, Information Security Governance: Exists to ensure that the security program adequately meets the strategic needs of the business. Information Security Management: Implements that program. Information Security Operations: executes or manages security-related processes relating to current infrastructure on a day-to-day basis. Each of these layers must engage with corresponding layers throughout the enterprise. 8 Information Security Governance @ 2011 Deloitte & Touche
- 9. Information Security Steering Commitee 3rd Party Service Corporate Risk Providers Management Chief Infromation Officer (CIO) Lines of Business IT Operations Management Information Security Governance Information Security Information Security Communication Advisory Board Forum 3rd Party Service Information Security Information Security 3rd Party Service Providers Management Operations Providers 9 Information Security Governance @ 2011 Deloitte & Touche
- 11. Prudent CISOs are building their Security Governance Strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in. Without alignment, Information Culture Security Governance operates in a vacuum and will implement security controls that are Controls 1. Plan Process invariably either too strong — and thus, is expensive and restrictive — or too weak, 3. Manage resulting in too much residual 2. Implement 4. Monitor risk. People Security Governance Integration Technology 11 Information Security Governance @ 2011 Deloitte & Touche
- 12. The following 4 domains must be considered when establishing an Information Security Governance Program Plan Implement Manage Monitor Security Program Develop Governance Accountabilities Project Oversight Strategy Processes Institute Governance Security Architecture Funding Value Assessments Forums Security Policy Conflict Conciliation Operational Security Budget Review and and Arbitration Oversight Development Governance Policy Program and Project Metrics and Management Oversight Measurement 12 Information Security Governance @ 2011 Deloitte & Touche
- 13. Culture Controls Process 1. Plan 3. Manage 2. Implement 4. Monitor People Security Governance Integration Technology Plan Security Program Strategy Security Program 1. Current State Strategy 2. Desired State 3. Gap Analysis Security Architecture 4. Project and Initiatives Derived from the Gap Analysis 5. A Reporting Framework Security Budget Governance Policy Management 13 Information Security Governance @ 2011 Deloitte & Touche
- 14. Culture Controls Process 1. Plan 3. Manage 2. Implement 4. Monitor People Security Governance Integration Technology Plan Security Architecture Security architecture is the planning discipline that provides the Security Program foundational models, templates and principles that support the Strategy program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse Security Architecture • Security Operations • Security Monitoring and Review • User Management Security Budget • User Awareness • Application Security • Database / Metadata Security • Host Security Governance Policy • Internal Network Security Management • Network Perimeter Security • Physical and Environmental Security 14 Information Security Governance @ 2011 Deloitte & Touche
- 15. Culture Controls Process 1. Plan 3. Manage 2. Implement 4. Monitor People Security Governance Integration Technology Plan Security Budget Planning The process of allocating financial resources to information Security Program security projects and operational Strategy activities Security Architecture Governance Policy Management Sets the principles for policy management, specifically regarding issues such as: Security Budget • Ownership • Documentation standards • Approval and formalization procedures Governance Policy • Enforcement regimes Management • Review and exception procedures 15 Information Security Governance @ 2011 Deloitte & Touche
- 16. Culture Controls Process 1. Plan 3. Manage 2. Implement 4. Monitor People Security Governance Integration Technology Implement Develop Governance Processes Design the governance processes: Develop Governance • The goal of the process Processes • The action steps to be taken and in what sequence • The responsibilities associated with the process • The process flow Institute Governance Forums Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks Security Policy Review and Development Institute Governance Forums Establish Governance forums and steering committee • Establish the accountabilities and responsibilities for information security within the organization. • Oversee the governance processes. • Commission and sponsor the corporate information security program. 16 Information Security Governance @ 2011 Deloitte & Touche
- 17. Culture Controls Process 1. Plan 3. Manage 2. Implement 4. Monitor People Security Governance Integration Technology Implement Security Policy Review and Development Assess the (1) completeness (2) effectiveness and (3) practicality of Develop Governance enforcement of your organization’s information security policy. Processes Identify major strengths and weaknesses of the policy and provide recommendations for improvement. Institute Governance Forums Security Policy Review and Development 17 Information Security Governance @ 2011 Deloitte & Touche
- 18. Culture Controls Process 1. Plan 3. Manage 2. Implement 4. Monitor People Security Governance Integration Technology Manage Design and explain management processes to the respective stakeholders for implementation: Accountabilities Process Process Description Accountabilities and responsibilities for information security are Accountabilities executed effectively. Manage effective allocation of financial resources for security Funding Funding initiatives as decided in the budget process. Facilitate assessment of conflicting security requirements Conflict Conciliation between different stakeholders. Ensure specific policy and Conflict Conciliation and Arbitration controls decisions are based on adequate consideration of and Arbitration individual and collective requirements. Program and Project Track security program and projects, deliverables, and costs to Program and Project Oversight ensure they remain within acceptable tolerances. Oversight 18 Information Security Governance @ 2011 Deloitte & Touche
- 19. Culture Controls Process 1. Plan 3. Manage 2. Implement 4. Monitor People Security Governance Integration Technology Monitor Design and explain monitoring processes to the respective stakeholders for implementation: Project Oversight Process Process Description Assess project results. Report on objectives achieved and Project Oversight missed, as well as unexpected results and consequences. Value Assessments Periodically assess the value of information security Value Assessments investments. Is the organization getting the anticipated benefits from investments involving information security? Operational Ensure that the execution of the information security Oversight program, and all its associated processes and activities, is Operational Oversight done within the parameters set out by the program strategy, architecture, and policy strategy. Measuring and reporting on the impact of the information Metrics and Metrics and Measurement security program on overall IT governance and Corporate Measurement Governance. 19 Information Security Governance @ 2011 Deloitte & Touche
- 21. Strategic Alignment of information security with business strategy to support organizational objectives Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level Resource Management by utilizing information security knowledge and infrastructure efficiently and effectively Performance Measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved Value Delivery by optimizing information security investments in support of organizational objectives 21 Information Security Governance @ 2011 Deloitte & Touche
- 23. Leader, Security & Privacy – Middle East Fadi Mutlak +971 4 369 8999 fmutlak@deloitte.com @ 2011 Deloitte & Touche
- 24. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Member of Deloitte Touche Tohmatsu Limited