Information Security Strategy and Roadmap


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> Our next section looks at an information security strategy and the roadmap. When we start talking about this, you're going to see ISRM, which stands for information security and risk management. ISRM is very popular, that term and that idea, because once again, just like this entire class is about, it is the necessary marriage between information security and risk management. What we're looking to do is to get this broad set of goals and objectives of how we get where we want to be. We have to figure out where it is that we want to be, we have to look at where we are, and figure out how to close that gap. We'll be talking about the current state and desired state.

But ultimately, again, we go back to when we're determining what our desired state is and where we want to be: we start with ensuring we have alignment with business goals. This idea of a desired state of security needs to be determined. This is what senior leadership does, this is a part of governance: to determine where we want to be, what is our desired state? Our desired state might be we want to be in compliance with frameworks like COBIT or ISO 27001, we may want to be in compliance with HIPAA or PCI DSS, or just whatever the frameworks are. Whatever our requirements are, whatever delivers the most value for the buck, paying for the buck with their stakeholders. But the governing bodies and entities within the organization determine that. Not down to all the controls and how to configure encryption on multiple devices and that, but broadly, where do we want to be? We call that the desired state.

Often, as I mentioned before, organizations' governing entities determine, "Hey, we want to be compliant with an existing framework, we want to be certified according to a framework." What I have on this slide is a reference to the CMMI, which stands for Capability Maturity Model Integrated, the CMMI. This originated out of Carnegie Mellon from the good folks at the Software Engineering Institute, and it was originally designed to provide assurance for project management processes, primarily related to software development. Ultimately the principle here is the more mature your processes are, the better product you'll produce. For instance, if you're a software engineering group and you want to get CMMI evaluated, you don't show them your code, you don't show them the actual software you've developed and designed; they evaluate your processes. Show me a secure software development lifecycle, show me secure testing, show me configuration and change management. That's what the CMMI is all about.

The idea is with each level of CMMI, there's an increase in maturity within the organization. Starting down at Level 0: Level 0 is very rarely someone's goal. "We have nothing going for us," nobody's saying that. We just don't have the capability to secure our resources within an organization. Now we come up to Level 1, and Level 1 is often referred to as Initial, and in the Initial level sometimes they use the word chaotic or, what's the other one, basically it addresses the fact that even though an organization might be successful, it takes employees going above and beyond. That's not a very standard, consistent environment by any stretch. We're at a chaotic, initial environment; we don't have mature processes in place at all. Now as we come up to Level 2, Managed, now there's some planning, there's some documentation. We're still responding rather than being proactive, but we're working in the right direction. Now what most organizations want to get to is Level 3, which is Defined. The reason I say most organizations want to get there is that's generally the requirement. Like for instance, if I wanted to develop software for a federal agency, usually the requirement is Level 3. Now, not top secret Hyatt, not NASA or the FAA or anything like that, but just as a general rule for federal systems, the software needs to be evaluated, or the software group needs to be evaluated, at Level 3. Defined, proactive.

Now, Level 4, quantitatively measured, means that we're measured and controlled and that we have an understanding, quantitatively, of how a change in our process impacts a change in our product. That's great. That's a big step forward that leads us all the way to the point of Optimizing, and at the Optimizing level, continuous improvement. This is sometimes called Kaizen, with the idea that we can always get better; that was a term popularized by the Japanese auto industry, and that we can always improve the process or the product. To go from Level 3 to Level 5 can be very expensive; it can take a lot of time. That's why I say, unless there's another driving factor, most companies are shooting for Level 3.

Now, that gives us our target. We may want to do business with the government and they come back to us and say, "Hey, you need to be certified at Level 3." That becomes my desired state. Something that you may want to consider is that the CMMI is often used with gap analysis, and I think that's something that'll come up on the test. The Capability Maturity Model Integrated gives us the basis for gap analysis. I want to be at Level 3, so I collect all the information that ISACA provides. And by the way, this used to be from the Security Software Engineering Institute at Carnegie Mellon, but ISACA now owns this process and this certification and accreditation, so that's another thing that could come up on the exam, just because of the fact that it's from ISACA.

What I was essentially saying is this is a tool that can be used for gap analysis, because the idea is, our customer tells us, "Hey, you have to be CMMI Level 3," and that now becomes the desired state. We have to ensure, specifically when I say we, your governing entities, need to make sure that we have a well-articulated version of what the desired state is. To be CMMI Level 3 certified by improving, that can in and of itself be the desired state, and then what's going to have to happen is we're going to figure out, okay, where are we in relation to the desired state? Then when we start examining how to close the gap between current and desired, that becomes our strategy, and that then ultimately leads us to a roadmap. Our strategy is to be CMMI Level 3 certified, so how do we do that?

Strategy, though, is broad. We're going to get more specific and detailed in our information security program. Everything with governance is broad strokes: leadership, point the organization in the right direction. Just like if you ever watch sports. Football, I've been watching a lot of football lately because it's the playoffs, and they interview a coach coming out after halftime and they say, "Well, what's your strategy for the second half?" "Well, we're going to try to run the ball more and open things up for our quarterback." He doesn't go through and tell his specific pass plays and the different plays that he's going to be running, but that strategy is, in general, here's the gist of what we're trying to do. Same thing from governance. In general, we're trying to get certified CMMI Level 3, we're going to develop a project such-and-such, and the project manager assigned to this project is to document the needs, the current state versus the specifics of the desired state. We're going to look at shifting policies and procedures, we're going to look at outsourcing the security function, perhaps, whatever it is that we're doing. But again, our strategy is going to be broad strokes, and then our information security program is going to go in and actually give us that step-by-step set of policies and procedures, standards and guidelines to accomplish the strategy.

Then ultimately what I hope to wind up with is an information security roadmap. Now it doesn't have to be graphical, it doesn't have to be visual. But if you can look at this broad, easy to look at, easy to understand, maybe a little bit more information here than just what we have, but ultimately, the steps of closing the gap between current state and desired state. I think like an app. If I'm going to California, the first thing I do is just get a general view of how to get there. I'm not writing down every rest stop that I'm going to stop and get fast food at, or where I'm going to get gasoline; I just look generally: hey, I need to take I-95 south to 40 west and drive for 3,000 miles, whatever it is. This is a roadmap. The roadmap will show us, it gives us a visual of the strategy, and the purpose of the strategy is to close the gap between current state and desired state.