Information Security Management Certification
Dr. Kevin F. Streff
Founder and Managing Partner
605.270.4427 kevin.streff@americansecurityandprivacy.com
Agenda
1. Overview
2. Laws & Regulations
3. IT Exam Process
4. Information Security Programs
5. Risk Management
6. Threats
7. Third Party Management
8. SETA Programs
9. Incident Response Programs
10. Business Continuity Programs
11. Documentation
12. Auditing
13. Metrics
Section 4
Information Security Program
Learning Objectives
• Understand Security Maturity Model
• Understand Linking Business Strategy to Security Program
• Understand Information Security Program Options
• Understand ASP Information Security Program Option
SP-CMM Security & Privacy Maturity Model
• SP-CMM is an acronym for Security & Privacy Capability Maturity Model. Maintained by the Secure Controls Framework Council, this framework seeks to help organizations in the establishment and evaluation of their security and privacy controls.
SP-CMM Security & Privacy Maturity Model
• At a high level, it has three primary objectives:
• Provide C-level executives with a well-defined criterion for setting the expectations for an organization’s cybersecurity and privacy program;
• Provide internal security teams with a well-defined criterion for planning and implementing security practices; and
• Provide a baseline criterion for organizations to evaluate third-party service providers.
Security Tied to Strategy
Leading Security Frameworks
1. NIST Security Framework
2. OASIS Security Framework
3. APEC Security Framework
4. Nymity Security Management Accountability Framework
5. HITRUST Security Framework
6. STREFF Security Framework
7. American Security and Privacy (ASP) Information Security Framework (ISP)
NIST Security Framework
Oasis Security Framework
• The International Open Standards Consortium (OASIS) was founded under the name "SGML Open" in 1993.
• The consortium changed its name to "OASIS" (Organization for the Advancement of Structured Information Standards) in 1998 to reflect an expanded scope of technical work.
• Later renamed to the International Open Standards Consortium, it announced the creation of security frameworks (the OASIS PMRM TC) to assist business process engineers, IT analysts, architects, and developers in implementing security policies in their operations.
• PMRM extends broad security policies: most policies describe fair information practices and principles but offer little insight into how to operationalize or implement these practices.
Oasis Security Framework
• PMRM includes two phases: Use Case and High-Level Analysis.
• The first phase entails the scoping of the Use Case with which the data is associated.
• This includes drafting a complete description of the environment, following the definitions of “business environment” or “application” as established by the Stakeholders using the PMRM within a particular Use Case.
• The second phase is the analysis phase.
• This high-level analysis likely includes Security Impact Assessments, previous security risk assessments, security maturity assessments, compliance reviews, and security audits.
• PMRM can be used to examine an entire business environment to develop Policies, Security Controls, Services and Functions, Mechanisms, or a Security Architecture.
APEC Security Framework
• Asian-Pacific Framework.
• Set of principles and implementation guidelines created to establish effective security protections that avoid barriers to information flows, and to ensure continued trade and economic growth in the Asia Pacific Economic Cooperation region of 27 countries.
• The APEC Security Framework set in motion the process of creating the APEC Cross-Border Security Rules (CBPR) system.
• The CBPR system has now been formally joined by the United States, Canada, Japan and Mexico.
• The APEC CBPR system requires participating businesses like Apple, Box, HP, IBM, Lynda.com, Merck, Rimini Street, Workday, and Intasect to develop and implement information security policies consistent with the APEC Security Framework. These policies and practices must be assessed as compliant with the minimum program requirements of the APEC CBPR system by an accountability agent.
Nymity Security Framework
1. Maintain Governance Structure
2. Maintain Personal Data Inventory and Data Transfer Mechanisms
3. Maintain Internal Information Security Policy
4. Embed Information Security into Operations
5. Maintain Training and Awareness Program
6. Manage Information Security
7. Manage Third Party Risk
8. Maintain Notices
9. Respond to Requests and Complaints from Individuals
10. Monitor for New Operational Policies
11. Maintain Information Security Breach Management Program
12. Monitor Data Handling Practices
13. Track External Criteria
HITRUST Security Framework
• Founded in 2007, the Health Information Trust Alliance (HITRUST) was launched with the idea that information protection should be a core pillar of the broad adoption of health information systems.
• HITRUST brought together public and private healthcare professionals to develop a common risk and compliance management framework.
• In 2015, HITRUST announced that its security framework was updated with security controls.
• Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.
• CSF – Common Security Framework
HITRUST Security Framework
• The CSF contains 14 control categories, comprising 49 control objectives and 156 control specifications.
• The CSF control categories, each followed by its number of control objectives and control specifications, are:
– 0. Information Security Management Program (1, 1)
– 1. Access Control (7, 25)
– 2. Human Resources Security (4, 9)
– 3. Risk Management (1, 4)
– 4. Security Policy (1, 2)
– 5. Organization of Information Security (2, 11)
– 6. Compliance (3, 10)
– 7. Asset Management (2, 5)
– 8. Physical and Environmental Security (2, 13)
– 9. Communications and Operations Management (10, 32)
– 10. Information Systems Acquisition, Development, and Maintenance (6, 13)
– 11. Information Security Incident Management (2, 5)
– 12. Business Continuity Management (1, 5)
– 13. Security Practices (7, 21)
Information Security Program Blueprint
[Diagram (ASP ISP v1.1); only the labels are recoverable from the page. Documentation: Inventories, Policies, Procedures, Standards, Guidelines, Plans, Audit/Test Results, Reports, SARS, Meeting Minutes, Committee Approvals, Previous Exams, Awareness/Training Materials, Third Party Reports, Network Diagram, Organizational Chart, Process Flows, Incident Reports, Strategies, Budgets, Memos. FI Processes: Asset Mgmt., Physical Security, Business Continuity, Incident Response, Development & Acquisition, Operations Security, Risk Mgmt., Network Security, Auditing, Personnel Security. Functions: IT Audit, Soc. Eng., Pen Test, Vul. Scanning, Third Party Mgmt., Soft. Dev., Customer, Employee, Systems Inventory, Technology, BIA, AUP, Roles & Resp. Reporting and Remediation: Assessment Changes, Audit Recommendations, Exam Findings, Incident Reports, Policy Changes; audiences: Board, Committee, Operations, Third Party, Examiner. FI and Technology Strategy.]
Security Manager - Slides - Module 4 Powerpoint Presentation