
richardb8006 | Chief Information Security Officer (CISO) | Module 4 - Developing a Security Strategy

By: richardb8006 | Related Course: Chief Information Security Officer (CISO) | Published: February 5, 2018 | Modified: February 5, 2018

Module 4 - Desired state

In this lesson you will learn about the desired state: what is the vision for all relevant conditions at a particular point in the future? What principles, policies, and standards are needed to get us there? Which well-known frameworks can help us achieve our goals? Basically: where we are, where we're going, and where we want to be.

You will also cover an overview of COBIT® 5. The major drivers for COBIT® 5 are to help us:

  • Provide more stakeholders a means of determining what they expect from IT, balancing benefits, risks and costs
  • Prioritize stakeholder needs
  • Address the growing dependence of an organization's success on third-party (external business and IT) entities
  • Deal with ever-increasing amounts of data. What is relevant and/or credible? How do we get the most out of the information we have?
  • Understand and use the pervasiveness of information technology and related resources
  • Facilitate the integration of IT and business functions
  • Provide for innovation and emerging technologies
  • Cover the full end-to-end IT and business functional responsibilities and allow for more effective governance and management
  • Deliver more value and increase satisfaction with IT services
  • Connect and align with other major frameworks

What is the vision for all relevant conditions at a particular point in the future?

What principles, policies, standards, etc. are needed to get us there?

Which well-known frameworks can help us achieve our goals?

Frameworks such as ISO 27000 and COBIT are foundations on which to build a security program; they are guidance to be adapted, not rules written in stone.

COBIT principles:

  1. Meeting stakeholder needs
  2. Covering the enterprise end to end
  3. Applying a single integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management

ITIL service lifecycle publications (ITIL v3 / 2011):

  1. Service Strategy
  2. Service Design
  3. Service Transition
  4. Service Operation
  5. Continual Service Improvement

OCTAVE risk assessment method (three phases)

  1. Build asset-based threat profiles (identify critical assets and the threats to them)
  2. Identify infrastructure vulnerabilities
  3. Develop security strategy and plans (risk analysis and mitigation)

ISO 27000 series

ISO 27001: Requirements for establishing, implementing, maintaining and continually improving an ISMS; the standard an organization is certified against.

ISO 27002: Code of practice giving practical guidance on how to implement security controls. The 2013 edition groups the controls into 14 domains (earlier editions used 10, then 11).

ISO 27004: Monitoring, measurement, analysis and evaluation; metrics for judging how effective the ISMS is.

ISO 27005: A standards-based approach to information security risk management.

ISO 27799: Guidance on protecting personal health information (applies ISO 27002 to health informatics).

PDCA/Deming model

  1. Plan
  2. Do
  3. Check
  4. Act

CMMI capability maturity model (maturity levels)

  1. Initial
  2. Managed (called Repeatable in the older SW-CMM)
  3. Defined
  4. Quantitatively Managed (called Managed in the older SW-CMM)
  5. Optimizing


Module 4 - Management responsibilities

In this lesson, participants will become familiar with the relationships of outcomes with management directives.  Instructor Kelly Handerhan will present a detailed examination of an ISACA chart that categorizes relationships of outcomes relative to:

  • Management level
  • Strategic alignment
  • Risk management
  • Value delivery
  • Performance measurement
  • Resource management
  • Integration

Key concepts covered are:

  • The job of the board of directors is to set direction
  • The board of directors is responsible for setting down the ultimate philosophy and approach of the organization
  • The job of senior executives is to ensure the processes for strategic alignment are implemented, to institute processes that integrate security with the business, and to ensure roles and responsibilities account for risk

The question of most concern to us is: as chief information security officer, how do you ensure that what the security function does supports, and is strategically aligned with, the business?

The CISO learns how to keep information security aligned with the goals and objectives of the business through frequent meetings with the CEO and other senior management.


Module 4 - Purpose of Security Strategy

In this lesson, instructor Kelly Handerhan provides a detailed overview of the concepts, methods, and goals of an effective security strategy and details the six outcomes of effective security strategy.

  • Strategic alignment – information security should align directly with business strategy to support organizational objectives
  • Risk management – Executing appropriate measures to mitigate risks to an acceptable level
  • Resource optimization – using information security knowledge and infrastructure efficiently
  • Value delivery – optimizing information security investments in support of organizational objectives
  • Performance measurement – measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
  • Process Assurance Integration – integration of disparate assurance functions to ensure that processes operate as intended from end to end, minimizing hidden risks

Course participants will understand the reasoning behind the six outcomes of effective security strategy and why it is important that security personnel support the goals and objectives of the business.

Six outcomes of effective security strategy:

Strategic alignment – Information security should align directly with business strategy to support organizational objectives

  • security requirements driven by business requirements
  • solutions that take into account the environmental factors of an organization
  • investment in information security aligned with a well defined threat, vulnerability and risk profile

Risk management – Executing appropriate measures to mitigate risks to an acceptable level

  • Collective understanding of the organization's threat/vulnerability/risk profile
  • Understanding risk exposure and the consequences of compromise
  • Risk mitigation to a level of risk acceptable to the company
  • Properly prioritized effort directed at protecting the resources that have the greatest impact on the business

Resource optimization – Using information security knowledge and infrastructure efficiently

  • Ensure that knowledge is captured and available
  • Processes are documented
  • Security architecture defined

Value delivery

Optimizing information security investments in support of organizational objectives

Performance measurement

Measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved

Process assurance integration (convergence)

Integration of disparate assurance functions to ensure that processes operate as intended from end to end, minimizing hidden risks.



Module 4 - Questions and pitfalls

Instructor Kelly Handerhan will list important questions that must be asked if the CISO is to develop an effective security strategy for the organization.

  • Does the CISO routinely meet with or brief business management?
  • When was the last time top management got involved in security-related decisions?
  • How often does top management get involved in progressing security solutions?
  • Would people recognize a security incident if they saw one, and what would be their reaction?
  • Does management know who is responsible for security?
  • Does anyone know how many computers the company owns, and would management know if some went missing?
  • Are damage assessment and disaster recovery plans in place?
  • Has management identified all information that would violate policy, legal, or regulatory requirements, or cause embarrassment/ competitive disadvantage if leaked?

Course participants will learn the numerous cognitive pitfalls that can undermine the development of a security strategy and, ultimately, compromise the organization's data.

  • Overconfidence – in inherent security, your own ability, or the abilities of your team
  • Optimism – believing "it won't happen to us," and that if something does happen you can recover
  • Anchoring – over-reliance on an initial reference point, such as past experience or a single quantitative estimate, when judging new risks
  • The status quo – believing things will always be the way they have been
  • Mental accounting – treating budgets as separate pots, so money is spent more readily in one area than another; security loses out because it has no direct line to profit
  • The herding instinct – for senior managers the only thing worse than making a huge mistake is being the only one in the industry who makes it
  • False consensus – CISOs may overestimate the extent to which others share their views, or seek out only sources that support those views

