Lecture 3 - Governance and Strategic Planning for Security
University of Sharjah, 2024
Dr. Saddaf Rubab

Summary
This document presents Lecture 3 on Governance and Strategic Planning for Security by Dr. Saddaf Rubab from the University of Sharjah, providing a comprehensive overview of strategic planning, organizational planning, and governance. It includes examples and frameworks relevant to information security management within an organization.

Full Transcript
LECTURE 3 – GOVERNANCE AND STRATEGIC PLANNING FOR SECURITY
1502373 - INFORMATION SECURITY MANAGEMENT, SPRING 2024-25
M5 – 220
Dr. Saddaf Rubab

"You got to be careful if you don't know where you're going, because you might not get there." – Yogi Berra

THE ROLE OF PLANNING
Planning = the sequence of actions intended to achieve specific goals during a defined period of time, and then controlling the implementation of these steps.
Without specific and detailed planning, organizational units would attempt to meet objectives independently, with each unit being guided by its own initiatives and ideas. Such an uncoordinated effort would result in an inefficient use of resources.
Organizational planning, when conducted by the appropriate segments of the organization:
- provides a coordinated and uniform script that increases efficiency
- reduces waste and duplication of effort by each organizational unit

THE ROLE OF PLANNING (CONTD…)
Organizational planning should make use of a top-down process: the organization's leadership chooses the direction and initiatives that the entire organization should pursue.
The primary goal of the planning process is the creation of detailed plans = systematic directions for how to meet the organization's objectives.

PRECURSORS TO PLANNING
Mission Statement: explicitly declares the business of the organization and its intended areas of operations.
Vision Statement: an idealistic expression of what the organization wants to become.
The vision statement expresses where the organization wants to go, while the mission statement describes how it wants to get there.
Values Statement: by establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.

EXAMPLE FOR MISSION, VISION AND VALUES STATEMENT
Example: RWW's mission statement: "Random Widget Works designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments."
Example: RWW's vision statement: "Random Widget Works will be the preferred manufacturer of choice for every business's widget equipment needs, with an RWW widget in every gizmo in use." Vision statements are not meant to express the probable, only the possible.
Example: RWW's values statement: "Random Widget Works values commitment, honesty, integrity, and social responsibility among its employees and is committed to providing its services in harmony with its corporate, social, legal, and natural environments."

STRATEGIC PLANNING
Strategic planning = the process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.
It is a three-step process:
1. First, an organization identifies a goal for an area of improvement or a need for a new capability, and then it documents the current progress toward accomplishing that goal (where are we now?)
2. Next, leadership articulates where the organization seeks to be with regard to the goal (where are we going?)
3. Finally, plans can be made for how to achieve that goal (how will we get there?)

TOP-DOWN STRATEGIC PLANNING
Strategic plans formed at the highest levels of the organization are used to create the overall corporate strategy. As lower levels of the organizational hierarchy are involved, these high-level plans are evolved into more detailed, more concrete planning. Higher-level plans are translated into more specific plans for intermediate layers of management, and high-level goals are translated into lower-level goals and objectives. That layer of strategic planning by function is then converted into tactical planning and provides direction for the operational plans.

CREATING A STRATEGIC PLAN
After an organization develops a general strategy, it must create an overall strategic plan by extending that general strategy into specific strategic plans for major divisions. Each level of each division translates those goals into more specific goals for the level below.
Example:
Strategy: To provide the highest-quality, most cost-effective widgets in the industry.
Goals:
- To increase revenue by 10 percent annually.
- To increase market share by 5 percent annually.
- To decrease expenses by 5 percent annually.

EXAMPLE (CONTD…)
The chief operations officer (COO) might derive a different strategic statement and its corresponding goals that focus more on his or her specific responsibilities:
Strategy: To provide the highest-quality, industry-leading widget development, manufacture, and delivery worldwide.
Goals:
- To reduce the cost of manufacture by 10 percent per year through the development of improved production methods.
- To reduce the cost of distribution and inventory management by 10 percent per year through improved ordering methods with just-in-time delivery to our largest customers.
- To improve the quality of products through research and development of better and more efficient product design and materials acquisition.

PLANNING LEVELS
Once the organization's overall strategic plan is translated into strategic goals for each major division or operation, the next step is to translate these strategic goals into objectives that are specific, measurable, achievable, and time-bound. Strategic plans are used to create tactical plans, which are in turn used to develop operational plans.

INFORMATION SECURITY GOVERNANCE
Governance: the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Governance, risk management, and compliance (GRC): an approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the three components of information security governance, risk management, and regulatory compliance.

INFORMATION SECURITY GOVERNANCE (CONTD…)
When security programs are designed and managed as a technical specialty in the IT department, they are less likely to be effective. A broader view of InfoSec encompasses all of an organization's information assets, including IT assets. These valuable commodities must be protected regardless of how the information is processed, stored, or transmitted, and with a thorough understanding of the risks to, and the benefits of, the information assets.

DESIRED OUTCOMES OF INFOSEC GOVERNANCE
- Strategic alignment of InfoSec with business strategy to support organizational objectives
- Risk management by executing appropriate measures to manage and mitigate threats to information resources
- Resource management by utilizing InfoSec knowledge and infrastructure efficiently and effectively
- Performance measurement by measuring, monitoring, and reporting InfoSec governance metrics to ensure that organizational objectives are achieved
- Value delivery by optimizing InfoSec investments in support of organizational objectives

ITGI APPROACH TO INFORMATION SECURITY GOVERNANCE
ITGI = Information Technology Governance Institute.
InfoSec governance includes all the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, establishment of objectives, the measurement of progress toward those objectives, verification that risk management practices are appropriate, and validation that the organization's assets are used properly.
ITGI recommends that boards of directors supervise strategic InfoSec objectives by:
1. Creating and promoting a culture that recognizes the criticality of information and InfoSec to the organization
2. Verifying that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment
3. Mandating and assuring that a comprehensive InfoSec program is developed and implemented
4. Requiring reports from the various layers of management on the InfoSec program's effectiveness and adequacy

NCSP INDUSTRY FRAMEWORK FOR INFORMATION SECURITY GOVERNANCE
The National Cyber Security Partnership (NCSP) developed and published a framework, "Information Security Governance: A Call to Action," which encouraged organizations in both the public and private sectors to build information security governance programs and integrate them into their existing corporate governance structures.

INFORMATION SECURITY GOVERNANCE FRAMEWORKS
- In 2007, the CERT Division of Carnegie Mellon University's Software Engineering Institute published and promoted an implementation guide for its trademarked Governing for Enterprise Security (GES) program
- ISO/IEC 27014:2013 Governance of Information Security
- and many more…

IMPLEMENTING THE SECURITY PROGRAM USING THE SECSDLC
Security systems development life cycle (SecSDLC)

INFOSEC FRAMEWORK SKELETON

CYBER ASSESSMENT FRAMEWORK
The NCSC Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organization responsible.

REFERENCES
Chapter 03 – Whitman, M. E., & Mattord, H. J. (2016). Management of Information Security. ISBN: 9781337405713