Shon Harris
Security consultant, educator, author
[Figure: SABSA framework diagram, http://www.sabsa-institute.org/UserFiles/Image/3-framework.png]
Result of Trying to Understand all Approaches
Exactly Where Are We Trying to Go?
► Risk Management
► Enterprise Security Architecture
► Security Governance
► Security Legal and Regulatory Compliance
► Staying out of the Headlines
Need Risk Management Now?
Security is to be in alignment with organization’s strategic
Enterprise Security Architecture
Strategic alignment
Business enablement
Process enhancement
Security effectiveness
Without an Enterprise Security Architecture
Security only takes place at the technical level
Continual confusion and repeating expensive mistakes
Stovepipe solutions, which cost more in maintenance and integration
►Depending upon point solutions, not enterprise solutions
Unable to use enterprise information to make solid business decisions
Continually putting out fires
►Reactive versus proactive
Security Governance
“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”
- IT Governance Institute
Company A
► Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.
► CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month and information security is always one topic on the agenda to review.
► Executive management sets an acceptable risk level that is the basis for the company’s security policies and all security activities.
Company B
► Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.
► CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.
► CISO took some boilerplate security policies, inserted his company’s name, then had the CEO sign them.
[Figure: Consultants, Department Managers, Products]
Project management is required to keep everyone in step and on track
Phases Need Useful Detail and Goals
Mapping Requirements to Security Processes
Security Program Components are the Categories of Control Objectives
Security Program Subcomponents
Defining the Surrounding Process around Specific Subcomponents
Example: Vulnerability Management
Almost all regulations require vulnerability management.
There are about 100 different ways that vulnerability management is termed in the various laws and regulations.
Program Components
When?
Do you have to accomplish all of this today?
In a week?
In a year?
In 2 years?
Swamp guides become more valuable than security architects
The current approach will continue to provide a gap between what we preach and what we practice.
Holistic security that is integrated into business processes.
Security Maturity Evolution
[Figure: Security Maturity Evolution model]
Security Strategy, Principles, and Policy: Clearly defined set of
Organizational Structure: Individuals and organizations; documented assigned responsibility, accountability, and authority to support the infrastructure
Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk
Security Metrics
Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective
Security Capability Evolution: Level 1 Defined; Level 2 Integrated; Level 3 Optimized
How to be Successful
► Gather much more data – do not work in a vacuum
► Break the pieces down into achievable goals that are inexpensive
  ► Quick wins will be much quicker
► Learn from each phase, improve, and incorporate knowledge into next phase
► Phases will allow the group to understand more about the current processes and business as a whole
► Use products that are currently in-house and in the market to accomplish many of these tasks through automation
► Do not create metrics, baselines, processes “in the dark” – which would waste a lot of money and be useless
► Provide a structured risk-based approach that is measurable and controllable
► Understand how to incorporate security into business units and processes
► Understand how to continually improve and be innovative in a healthy manner
► Protect the company in a more effective and understandable process
Success or Failure
What will Allow this Project to Succeed?
► Take the time to gather all of the necessary data before running forward through ALL PHASES
► Get feedback from all departments that would be involved and affected
► Provide real information for decision makers and not superficial data
► Solid and reasonable phased approach
► Realize and communicate the true benefit that this will provide for ALL security needs and departments
► Realize that this is a long jog, not a short sprint
What will Cause this Project to Fail?
► If necessary resources and funds are not provided
► Viewed as a bottleneck for business expansion. Must be enforced as a “must have” not a “nice to have”
► If one person does not own this process and keep people on track
► More communication does not take place
► Wrong people are on the security committee
► Other projects take precedence and motivation fades
Improvement Will Not Happen Accidentally
Shon Harris
www.LogicalSecurity.com
(888) 373-5116
info@LogicalSecurity.com