IST 725                   Case Study 1 – Effective IT Security Governance              Feb 12, 2012




                           Effective IT Security Governance


                                  Leo de Sousa – IST 725


                                          Abstract
This paper describes how a continuous improvement IT Security Governance process provides
effective planning and decision making capabilities for a cybersecurity program. Governance
can be thought of as “doing the right things”, while management is “doing things right”. IT Security
Governance focuses on doing the right things to protect organizations and agencies. Operational
Security focuses on doing things right and relies on IT Security Governance to direct those
actions. As organizations and agencies look to save costs, reach more customers and implement
efficiencies, they are turning more and more to digital technology solutions. While the reach and
automation capabilities of information technology solutions and architectures are vast, they also
expose organizations and agencies to risks from cybercrime, cyberattacks and breaches of legal
regulations, to the loss of corporate information and to risks to the protection of personal and
confidential information. Topics covered in this paper are (a) Key Definitions, (b) Introduction to IT Security
Governance, (c) IT Security Governance Capabilities, (d) Effective Approaches to Planning and
Decision Making using IT Security Governance Capabilities and (e) Conclusion. After reading
this paper, the reader should have a clear understanding of the concepts of IT Security
Governance, the capabilities of IT Security Governance, and the uses of those capabilities to
effectively plan and make decisions for an overall, continuously improving cybersecurity
program.

                                     Key Definitions
Cyberattack – is an attempt to undermine or compromise the function of a computer-based
system, or attempt to track the online movements of individuals without their permission.
(wiseGEEK, 2011)
Cybercrime – generally defined as a criminal offence involving a computer as the object of the
crime (hacking, phishing, spamming), or as the tool used to commit a material component of the
offence (child pornography, hate crimes, computer fraud). (Foreign Affairs and International
Trade Canada, 2011)
Cybersecurity – term used by the US Federal government which requires assigning clear and
unambiguous authority and responsibility for security, holding officials accountable for fulfilling
those responsibilities and integrating security requirements into budget and capital planning
processes. (IT Governance Institute, 2006, p. 22)
Information Security Governance – is captured in the Security Architecture Framework and is
used “to define security strategies, policies, standards and guidelines for the enterprise from an
organizational viewpoint.” (Bernard & Ho, 2007, p. 11)


Leo de Sousa                                                                                Page 1
Integrated Governance Framework – is part of an integrated “governance structure that
includes strategic planning, enterprise architecture, program management, capital planning,
security and workforce planning.” (Bernard S. A., 2005, p. 33)

                                       Introduction
IT Security Governance is one of several organizational governing processes that include
Enterprise Architecture, IT Governance, Project Governance and Corporate Governance. It has
strong alignment to enterprise risk management initiatives and programs. Successful
organizations use corporate governance to direct and guide the successful operations of the
company. IT Governance guides investments in technology that are aligned to the business’
goals and strategy. Project Governance is used to rank and prioritize project proposals, so
investments in projects are aligned to business strategy. The IT Governance Institute defines
Information Security Governance as “Security Governance is the set of responsibilities and
practices exercised by the board and executive management with the goal of providing strategic
direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately
and verifying that the enterprise’s resources are used responsibly.” (Harris, 2006) Taking a top-down
approach with executive direction and support is a key success factor in establishing a culture
of security in organizations and agencies.

Every organization and agency faces the challenge of balancing employee empowerment by
providing access to information with enterprise risk management and compliance. As more and
more organizations and agencies move their services into a digital environment, they are faced
with significant challenges dealing with new corporate risks to information, business processes
and privacy. The use of web-based applications, online payment systems and collaboration-based
information management systems introduces new information technology architectures that,
if not properly protected, expose the company to the risk of cyberattacks and information
security breaches. Recently, the downturn in the global economy is forcing organizations and
agencies to cut operational costs and improve their processes. In most cases, this means cutting
their budgets and investments, which can put IT Security efforts in jeopardy due to lack of
funding. These high levels of budget cuts are rippling through companies and organizations,
impacting the resources available for IT security. “The $2.1 trillion debt-cap pact that Congress
passed Tuesday could hurt economic and national security as agencies postpone plans to invest
in cybersecurity technology and hire more network specialists due to uncertainty over potential
program cuts, computer security advisers say.” (Sternstein, 2011)

There are five IT Security Governance areas that have evolved from case law and are tied to the
fiduciary duties of executives, board members and officers: 1) Govern the operations of the
organization and protect its critical assets, 2) Protect the organization’s market share and stock
price, 3) Govern the conduct of employees, 4) Protect the reputation of the organization and 5)
Ensure compliance requirements are met. (Allen & Westby, 2007, p. 1)

In this constrained environment, IT Security Governance becomes a strategic practice ensuring
that the appropriate security capabilities are available and adequately funded to maintain and
continually improve an effective cybersecurity program for organizations and agencies.

                   IT Security Governance Capabilities
IT Security Governance relies on a set of core capabilities that enable organizations to provide
oversight, authorize decisions and create and enable policy. These capabilities support
accountability, strategic planning and resource allocation for IT Security programs in an
organization. To successfully deploy IT Security Governance capabilities, organizations and
agencies need to consider organizational strategy, culture and structure as well as compliance
and risk management policies. These capabilities need to be implemented in a top-down
approach, with the responsibility for success sitting with the Board of Directors and the Executive
Committee.

Bernard and Ho describe IT Security Governance capabilities at a high level as “to define
security strategies, policies, standards and guidelines for the enterprise from an organizational
viewpoint.” (Bernard & Ho, 2007, p. 11) The Carnegie Mellon Software Engineering Institute
published a paper, “Governing for Enterprise Security (GES) Implementation Guide”, which provides a
more detailed treatment of IT Security Governance capabilities, including responsibilities and
artifacts. The capabilities are grouped into the following four high-level categories and
subcategories: (Allen & Westby, 2007)

Governance Category (with Deming step)          Governance Sub Categories

Structure and Tone
(Deming – Plan – design or revise business process components to improve results)
   • Establish a Governance Structure
   • Assign Roles and Responsibilities, Indicating Lines of Responsibility
   • Develop Top-Level Policies

Assets and Responsibilities
(Deming – Do – implement the plan and measure its performance)
   • Inventory Digital Assets
   • Develop and Update System Descriptions
   • Establish and Update Ownership and Custody of Assets
   • Designate Security Responsibilities and Segregation of Duties

Compliance
(Deming – Check – assess the measurements and report the results to decision makers)
   • Determine and Update Compliance Requirements
   • Map Assets to Table of Authorities
   • Map and Analyze Data Flows
   • Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with
     Law Enforcement to Data Flows
   • Conduct Privacy Impact Assessments and Privacy Audits

Assessments and Strategy
(Deming – Act – decide on the changes needed to improve the process)
   • Conduct Threat, Vulnerability, and Risk Assessments (including System C&As)
   • Determine Operational Criteria
   • Develop and Update Security Inputs to the Risk Management Plan
   • Develop and Update Enterprise Security Strategy (ESS)

Interestingly, the implementation guide proposed by Allen and Westby follows the continuous
improvement approach of W. Edwards Deming. (Balanced Scorecard Institute, 1998) By
implementing the four major categories in the order specified, organizations and agencies
establish accountability and responsibility at the most senior levels of their organization structure,
with the understanding that these activities are part of a continuous improvement process.

             Effective Approaches to Cybersecurity Planning and Decision Making
IT Security Governance delivers the key capabilities to facilitate planning and decision making
for enterprise risk management and strategic planning in a cybersecurity program. This section
explores the GES (Governing for Enterprise Security) major categories using a higher education example and shows how they are
essential to support the planning and decision making of a cybersecurity program with a focus on
continuous improvement.

Structure and Tone (Deming – Plan)

There are three main activities in this category: Establish a Governance Structure; Assign Roles and
Responsibilities, Indicating Lines of Responsibility; and Develop Top-Level Policies. The focus
of these three activities is to clearly establish a top-down, organization-wide approach to IT
Security. At the British Columbia Institute of Technology (BCIT), our top level governance
group is the Audit and Finance Committee of the Board of Governors. The committee reports
quarterly to the Board of Governors and has overall responsibility for Enterprise Risk
Management including IT Security Governance. In 2008, we created the Information Security
Advisory Council (ISAC) to implement IT Security Governance. This governance committee
consists of the Chief Information Officer, Director of Safety and Security, Manager, Institutional
Records Management, Director of Finance and the Information Security Officer. The ISAC
sponsors audits, PCI-DSS implementation, copyright policy and compliance training. This
committee also has responsibility for the Security architecture domain in our EA practice. The
ISAC created two top level policies: 3501 – Acceptable Use of Information Technology and
3502 - Information Security. (British Columbia Institute of Technology, 2009) These policies
and the ISAC are the backplane for IT Security Governance in BCIT’s Enterprise Architecture
and fit with Deming’s Plan step. (de Sousa, 2007)

Assets and Responsibilities (Deming – Do)

There are four main activities in this category: Inventory Digital Assets; Develop and Update
System Descriptions; Establish and Update Ownership and Custody of Assets; and Designate
Security Responsibilities and Segregation of Duties. The BCIT 3502 – Information Security
policy requires an inventory of systems and the establishment of system ownership for the purpose
of designing security access. (British Columbia Institute of Technology, 2009) This process is
essential for determining who gets access to secure systems and for defining access controls for the
BCIT community. These activities fit with Deming’s Do step for continual improvement.

Compliance (Deming – Check)

There are five main activities in this category: Determine and Update Compliance Requirements;
Map Assets to Table of Authorities; Map and Analyze Data Flows; Map Cybercrime and
Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to
Data Flows; and Conduct Privacy Impact Assessments and Privacy Audits. Each year, most
organizations go through a financial audit. At BCIT, a component of the annual financial audit is
an IT security audit. The auditors look at our IT systems and particularly the protections and
security around financial transactions. With each audit there are recommendations for improving
our treatment of secure transactions and access controls. These recommendations fit with
Deming’s Check step and enable our organization to continually improve our IT Security
program.

Assessment and Strategy (Deming – Act)

There are four main activities in this category: Conduct Threat, Vulnerability, and Risk
Assessments (including System C&As); Determine Operational Criteria; Develop and Update
Security Inputs to the Risk Management Plan; and Develop and Update Enterprise Security
Strategy (ESS). Each year, BCIT proactively conducts vulnerability assessments and external
penetration tests which lead to changes in our security practices. Placing emphasis on actively
testing our IT Security Governance framework fits with Deming’s Act process for continual
improvement.

                                        Conclusion
IT Security Governance is a strategic practice that ensures appropriate security capabilities are
available and adequately funded to maintain effective cybersecurity program planning and
decision making. Organizations and agencies that invest in IT Security Governance are able to
manage the use of their assets securely, manage enterprise risk internally and externally and help
ensure the ongoing viability of their operations.

Information Security Governance is part of an integrated “governance structure that includes
strategic planning, enterprise architecture, program management, capital planning, security and
workforce planning.” (Bernard S. A., 2005, p. 33) Information Security Governance is captured
in the Security Architecture Framework and is used “to define security strategies, policies,
standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho,
2007, p. 11)

By taking W. Edwards Deming’s Plan-Do-Check-Act continuous improvement model as the
guiding principle for IT Security Governance, organizations and agencies will benefit from a
consistent cybersecurity program focusing on secure business management and operations.

                                       References
Allen, J. H., & Westby, J. R. (2007). Governing for Enterprise Security (GES) Implementation
        Guide. Pittsburgh: Software Engineering Institute, Carnegie Mellon.
Balanced Scorecard Institute. (1998). The Deming Cycle. Retrieved from Balanced Scorecard
        Institute: http://www.balancedscorecard.org/TheDemingCycle/tabid/112/Default.aspx
Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL:
        AuthorHouse.
Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for
        Implementing Information Security and Data Privacy. Washington, DC, USA.
British Columbia Institute of Technology. (2009). 3501 - Acceptable Use of Technology.
        Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3501.pdf
British Columbia Institute of Technology. (2009). 3502 - Information Security. Retrieved from
        Policies: http://www.bcit.ca/files/pdf/policies/3502.pdf
de Sousa, L. (2007, Jun 22). EA Model V.2. Retrieved Jan 18, 2012, from Enterprise Architecture
        in Higher Education: http://leodesousa.ca/2007/06/ea-model-v2/
Foreign Affairs and International Trade Canada. (2011, Oct 14). Cybercrime. Retrieved Feb 2,
        2012, from International Security: http://www.international.gc.ca/crime/cyber_crime-
        criminalite.aspx?view=d
Harris, S. (2006, Aug). Information Security Governance Guide. Retrieved Feb 1, 2012, from
        TechTarget: http://searchsecurity.techtarget.com/tutorial/Information-Security-
        Governance-Guide
IT Governance Institute. (2006). Information Security Governance: Guidance for Board of
        Directors and Executive Management, 2nd Edition. Rolling Meadows, Illinois, USA.
Sternstein, A. (2011, Aug 02). Debt deal could be a blow for cybersecurity. Retrieved from
        Nextgov: http://www.nextgov.com/nextgov/ng_20110802_1799.php?oref=topstory
wiseGEEK. (2011). What Is a Cyberattack? Retrieved from wiseGEEK:
        http://www.wisegeek.com/what-is-a-cyberattack.htm
Smart Communities Roadshow 2019 - VancouverLeo de Sousa
 
UAE Higher Education CIO Council Ankabut Users Meeting October 2013
UAE Higher Education CIO Council   Ankabut Users Meeting October 2013UAE Higher Education CIO Council   Ankabut Users Meeting October 2013
UAE Higher Education CIO Council Ankabut Users Meeting October 2013Leo de Sousa
 
Create a roadmap for ea using capability maturity models
Create a roadmap for ea using capability maturity modelsCreate a roadmap for ea using capability maturity models
Create a roadmap for ea using capability maturity modelsLeo de Sousa
 
Canadian Red Cross Tainted Blood Scandal
Canadian Red Cross Tainted Blood ScandalCanadian Red Cross Tainted Blood Scandal
Canadian Red Cross Tainted Blood ScandalLeo de Sousa
 
Planning A Secure Partner Portal
Planning A Secure Partner PortalPlanning A Secure Partner Portal
Planning A Secure Partner PortalLeo de Sousa
 
ITIL and IT Security Architecture
ITIL and IT Security ArchitectureITIL and IT Security Architecture
ITIL and IT Security ArchitectureLeo de Sousa
 
BYOD for Employees
BYOD for EmployeesBYOD for Employees
BYOD for EmployeesLeo de Sousa
 
Motivating Strategic Practice Development Using CMM
Motivating Strategic Practice Development Using CMMMotivating Strategic Practice Development Using CMM
Motivating Strategic Practice Development Using CMMLeo de Sousa
 
Rewards for Information Workers
Rewards for Information WorkersRewards for Information Workers
Rewards for Information WorkersLeo de Sousa
 
Flexible Leadership
Flexible LeadershipFlexible Leadership
Flexible LeadershipLeo de Sousa
 
Ford and GM A Comparison of 2 Fortune 500 Companies
Ford and GM A Comparison of 2 Fortune 500 CompaniesFord and GM A Comparison of 2 Fortune 500 Companies
Ford and GM A Comparison of 2 Fortune 500 CompaniesLeo de Sousa
 
EA - A Year of Growth
EA - A Year of GrowthEA - A Year of Growth
EA - A Year of GrowthLeo de Sousa
 
IT Service Management Overview
IT Service Management OverviewIT Service Management Overview
IT Service Management OverviewLeo de Sousa
 
Intrinsic Motivation Using Personal Learning Plans
Intrinsic Motivation Using Personal Learning PlansIntrinsic Motivation Using Personal Learning Plans
Intrinsic Motivation Using Personal Learning PlansLeo de Sousa
 
Enterprise Architecture And The Business Analyst
Enterprise Architecture And The Business AnalystEnterprise Architecture And The Business Analyst
Enterprise Architecture And The Business AnalystLeo de Sousa
 
BCIT Application Portfolio Mgmt
BCIT Application Portfolio MgmtBCIT Application Portfolio Mgmt
BCIT Application Portfolio MgmtLeo de Sousa
 
BCIT Technology Management
BCIT Technology ManagementBCIT Technology Management
BCIT Technology ManagementLeo de Sousa
 

Más de Leo de Sousa (17)

Smart Communities Roadshow 2019 - Vancouver
Smart Communities Roadshow 2019 - VancouverSmart Communities Roadshow 2019 - Vancouver
Smart Communities Roadshow 2019 - Vancouver
 
UAE Higher Education CIO Council Ankabut Users Meeting October 2013
UAE Higher Education CIO Council   Ankabut Users Meeting October 2013UAE Higher Education CIO Council   Ankabut Users Meeting October 2013
UAE Higher Education CIO Council Ankabut Users Meeting October 2013
 
Create a roadmap for ea using capability maturity models
Create a roadmap for ea using capability maturity modelsCreate a roadmap for ea using capability maturity models
Create a roadmap for ea using capability maturity models
 
Canadian Red Cross Tainted Blood Scandal
Canadian Red Cross Tainted Blood ScandalCanadian Red Cross Tainted Blood Scandal
Canadian Red Cross Tainted Blood Scandal
 
Planning A Secure Partner Portal
Planning A Secure Partner PortalPlanning A Secure Partner Portal
Planning A Secure Partner Portal
 
ITIL and IT Security Architecture
ITIL and IT Security ArchitectureITIL and IT Security Architecture
ITIL and IT Security Architecture
 
BYOD for Employees
BYOD for EmployeesBYOD for Employees
BYOD for Employees
 
Motivating Strategic Practice Development Using CMM
Motivating Strategic Practice Development Using CMMMotivating Strategic Practice Development Using CMM
Motivating Strategic Practice Development Using CMM
 
Rewards for Information Workers
Rewards for Information WorkersRewards for Information Workers
Rewards for Information Workers
 
Flexible Leadership
Flexible LeadershipFlexible Leadership
Flexible Leadership
 
Ford and GM A Comparison of 2 Fortune 500 Companies
Ford and GM A Comparison of 2 Fortune 500 CompaniesFord and GM A Comparison of 2 Fortune 500 Companies
Ford and GM A Comparison of 2 Fortune 500 Companies
 
EA - A Year of Growth
EA - A Year of GrowthEA - A Year of Growth
EA - A Year of Growth
 
IT Service Management Overview
IT Service Management OverviewIT Service Management Overview
IT Service Management Overview
 
Intrinsic Motivation Using Personal Learning Plans
Intrinsic Motivation Using Personal Learning PlansIntrinsic Motivation Using Personal Learning Plans
Intrinsic Motivation Using Personal Learning Plans
 
Enterprise Architecture And The Business Analyst
Enterprise Architecture And The Business AnalystEnterprise Architecture And The Business Analyst
Enterprise Architecture And The Business Analyst
 
BCIT Application Portfolio Mgmt
BCIT Application Portfolio MgmtBCIT Application Portfolio Mgmt
BCIT Application Portfolio Mgmt
 
BCIT Technology Management
BCIT Technology ManagementBCIT Technology Management
BCIT Technology Management
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Effective IT Security Governance

IST 725 Case Study 1 – Effective IT Security Governance, Feb 12, 2012

Leo de Sousa – IST 725

Abstract

This paper describes how a continuous improvement IT Security Governance process provides effective planning and decision making capabilities for a cybersecurity program. Governance can be thought of as “doing the right things” while management is “doing things right”. IT Security Governance focuses on doing the right things to protect organizations and agencies. Operational Security focuses on doing things right and relies on IT Security Governance to direct those actions. As organizations and agencies look to save costs, reach more customers and implement efficiencies, they are turning more and more to digital technology solutions. While the reach and automation capabilities of information technology solutions and architectures are vast, they also expose organizations and agencies to risks from cybercrime, cyberattacks, breaches of legal regulations, loss of corporate information and failures to protect personal and confidential information. Topics covered in this paper are (a) Key Definitions, (b) Introduction to IT Security Governance, (c) IT Security Governance Capabilities, (d) Effective Approaches to Planning and Decision Making using IT Security Governance Capabilities and (e) Conclusion. After reading this paper, the reader should have a clear understanding of the concepts of IT Security Governance, the capabilities of IT Security Governance, and the uses of those capabilities to effectively plan and make decisions for an overall, continuously improving cybersecurity program.

Key Definitions

Cyberattack – is an attempt to undermine or compromise the function of a computer-based system, or an attempt to track the online movements of individuals without their permission. (wiseGEEK, 2011)

Cybercrime – generally defined as a criminal offence involving a computer as the object of the crime (hacking, phishing, spamming), or as the tool used to commit a material component of the offence (child pornography, hate crimes, computer fraud). (Foreign Affairs and International Trade Canada, 2011)

Cybersecurity – term used by the US Federal government which requires assigning clear and unambiguous authority and responsibility for security, holding officials accountable for fulfilling those responsibilities and integrating security requirements into budget and capital planning processes. (IT Governance Institute, 2006, p. 22)

Information Security Governance – is captured in the Security Architecture Framework and is used “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11)

Integrated Governance Framework – is part of an integrated “governance structure that includes strategic planning, enterprise architecture, program management, capital planning, security and workforce planning.” (Bernard S. A., 2005, p. 33)

Introduction

IT Security Governance is one of several organizational governing processes that include Enterprise Architecture, IT Governance, Project Governance and Corporate Governance. It has strong alignment to enterprise risk management initiatives and programs. Successful organizations use corporate governance to direct and guide the successful operations of the company. IT Governance guides investments in technology that are aligned to the business’ goals and strategy. Project Governance is used to rank and prioritize project proposals, so investments in projects are aligned to business strategy. The IT Governance Institute defines Information Security Governance as “Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” (Harris, 2006) Taking a top down approach with executive direction and support is a key success factor in establishing a culture of security in organizations and agencies.

Every organization and agency faces the challenge of balancing employee empowerment by providing access to information with enterprise risk management and compliance. As more and more organizations and agencies move their services into a digital environment, they are faced with significant challenges dealing with new corporate risks to information, business processes and privacy. The use of web-based applications, online payment systems and collaboration based information management systems introduces new information technology architectures that, if not properly protected, expose the company to the risk of cyberattacks and information security breaches.

Recently, the downturn in the global economy has been forcing organizations and agencies to cut operational costs and improve their processes. In most cases, this means cutting their budgets and investments, which can put IT Security efforts in jeopardy due to lack of funding. These high levels of budget cuts are rippling through companies and organizations, impacting the resources available for IT security. “The $2.1 trillion debt-cap pact that Congress passed Tuesday could hurt economic and national security as agencies postpone plans to invest in cybersecurity technology and hire more network specialists due to uncertainty over potential program cuts, computer security advisers say.” (Sternstein, 2011)

There are five IT Security Governance areas that have evolved from case law and are tied to the fiduciary duties of executives, board members and officers: 1) Govern the operations of the organization and protect its critical assets, 2) Protect the organization’s market share and stock price, 3) Govern the conduct of employees, 4) Protect the reputation of the organization and 5) Ensure compliance requirements are met. (Allen & Westby, 2007, p. 1) In this constrained environment, IT Security Governance becomes a strategic practice ensuring that the appropriate security capabilities are available and adequately funded to maintain and continually improve an effective cybersecurity program for organizations and agencies.

IT Security Governance Capabilities

IT Security Governance relies on a set of core capabilities that enable organizations to provide oversight, authorize decisions and create and enable policy. These capabilities support accountability, strategic planning and resource allocation for IT Security programs in an organization. To successfully deploy IT Security Governance capabilities, organizations and agencies need to consider organizational strategy, culture and structure as well as compliance and risk management policies. These capabilities need to be implemented in a top down approach with the responsibility for success sitting with the Board of Directors and the Executive Committee. Bernard and Ho describe IT Security Governance capabilities at a high level as “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11) The Carnegie Mellon Software Engineering Institute published a paper, “Governing Enterprise Security Implementation Guide”, which provides a more detailed approach to IT Security Governance Capabilities, including responsibilities and artifacts. The capabilities are grouped into the following four high level categories and subcategories: (Allen & Westby, 2007)

Governance Category: Structure and Tone
(Deming – Plan – design or revise business process components to improve results)
Governance Sub Categories:
• Establish a Governance Structure
• Assign Roles and Responsibilities, Indicating Lines of Responsibility
• Develop Top-Level Policies

Governance Category: Assets and Responsibilities
(Deming – Do – implement the plan and measure its performance)
Governance Sub Categories:
• Inventory Digital Assets
• Develop and Update System Descriptions
• Establish and Update Ownership and Custody of Assets
• Designate Security Responsibilities and Segregation of Duties

Governance Category: Compliance
(Deming – Check – assess the measurements and report the results to decision makers)
Governance Sub Categories:
• Determine and Update Compliance Requirements
• Map Assets to Table of Authorities
• Map and Analyze Data Flows
• Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to Data Flows
• Conduct Privacy Impact Assessments and Privacy Audits

Governance Category: Assessments and Strategy
(Deming – Act – decide on the changes needed to improve the process)
Governance Sub Categories:
• Conduct Threat, Vulnerability, and Risk Assessments (including System C&As)
• Determine Operational Criteria
• Develop and Update Security Inputs to the Risk Management Plan
• Develop and Update Enterprise Security Strategy (ESS)

Interestingly, the implementation guide proposed by Allen and Westby follows the continuous improvement approach of W. Edwards Deming. (Balanced Scorecard Institute, 1998) By implementing the four major categories in the order specified, organizations and agencies establish accountability and responsibility at the most senior levels of their organization structure, with a focus that these activities are part of a continuous improvement process.

Effective Approaches to Cybersecurity Planning and Decision Making

IT Security Governance delivers the key capabilities to facilitate planning and decision making for enterprise risk management and strategic planning in a cybersecurity program. This section explores the GES major categories using a higher education example and shows how they are essential to support the planning and decision making of a cybersecurity program with a focus on continuous improvement.

Structure and Tone (Deming – Plan)

There are three main activities in this category: Establish a Governance Structure; Assign Roles and Responsibilities, Indicating Lines of Responsibility; and Develop Top-Level Policies. The focus of these three activities is to clearly establish a top down, organization-wide approach to IT Security. At the British Columbia Institute of Technology (BCIT), our top level governance group is the Audit and Finance Committee of the Board of Governors. The committee reports quarterly to the Board of Governors and has overall responsibility for Enterprise Risk Management, including IT Security Governance. In 2008, we created the Information Security Advisory Council (ISAC) to implement IT Security Governance. This governance committee consists of the Chief Information Officer, Director of Safety and Security, Manager, Institutional Records Management, Director of Finance and the Information Security Officer. The ISAC sponsors audits, PCI-DSS implementation, copyright policy and compliance training. This committee also has responsibility for the Security architecture domain in our EA practice. The ISAC created two top level policies: 3501 – Acceptable Use of Information Technology and 3502 – Information Security. (British Columbia Institute of Technology, 2009) These policies and the ISAC are the backplane for IT Security Governance in BCIT’s Enterprise Architecture and fit with Deming’s Plan step. (de Sousa, 2007)

Assets and Responsibilities (Deming – Do)

There are four main activities in this category: Inventory Digital Assets, Develop and Update System Descriptions, Establish and Update Ownership and Custody of Assets and Designate Security Responsibilities and Segregation of Duties. There is a requirement of the BCIT 3502 – Information Security policy to inventory systems and establish system ownership for the purpose of designing security access. (British Columbia Institute of Technology, 2009) This process is essential to determine who gets access to secure systems and to define access controls for the BCIT community. These activities fit with Deming’s Do step for continual improvement.

Compliance (Deming – Check)

There are five main activities in this category: Determine and Update Compliance Requirements, Map Assets to Table of Authorities, Map and Analyze Data Flows, Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to Data Flows and Conduct Privacy Impact Assessments and Privacy Audits. Each year most organizations go through a financial audit. At BCIT, a component of the annual financial audit is an IT security audit. The auditors look at our IT systems and particularly the protections and security around financial transactions. With each audit there are recommendations for improving our treatment of secure transactions and access controls. These recommendations fit with Deming’s Check step and enable our organization to continually improve our IT Security program.

Assessment and Strategy (Deming – Act)

There are four main activities in this category: Conduct Threat, Vulnerability, and Risk Assessments (including System C&As), Determine Operational Criteria, Develop and Update Security Inputs to the Risk Management Plan and Develop and Update Enterprise Security Strategy (ESS). Each year, BCIT proactively conducts vulnerability assessments and external penetration tests which lead to changes in our security practices. Placing emphasis on actively testing our IT Security Governance framework fits with Deming’s Act process for continual improvement.
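The Assets and Responsibilities and Compliance activities above (inventory digital assets, establish ownership and custody, designate segregation of duties, map assets to the table of authorities) produce artifacts that the Check step reviews. The following is an added example, not code from the paper or from BCIT's practice, showing how a small asset inventory with those attributes can be reviewed mechanically so that gaps reach decision makers as findings rather than being rediscovered at audit time. The asset names, people, data types, control names and the table of authorities are all constructed for illustration; PCI-DSS is named only because the paper mentions it, and the obligations it maps to here are assumptions, not a statement of what the standard requires.

```python
"""Governance checks over a constructed digital-asset inventory (added example).

Models the GES "Assets and Responsibilities" artifacts (inventory, system
descriptions, ownership and custody, segregation of duties) plus one
"Compliance" artifact (mapping assets to a table of authorities), then runs
the kind of Check-step review whose results feed decision makers.
Every name, person and rule below is constructed, not taken from the paper.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Asset:
    name: str
    description: str                 # "Develop and Update System Descriptions"
    owner: Optional[str]             # accountable business owner
    custodian: Optional[str]         # technical custodian operating the system
    data_types: Set[str] = field(default_factory=set)   # e.g. {"cardholder"}
    controls: Set[str] = field(default_factory=set)     # controls evidenced


# Constructed table of authorities: each data type triggers a set of
# obligations that must be evidenced as controls on the asset.
TABLE_OF_AUTHORITIES = {
    "cardholder": {"PCI-DSS"},
    "personal": {"privacy-impact-assessment"},
    "financial": {"annual-audit"},
}


def required_controls(asset: Asset) -> Set[str]:
    """Map an asset to the obligations its data types trigger."""
    required: Set[str] = set()
    for data_type in asset.data_types:
        required |= TABLE_OF_AUTHORITIES.get(data_type, set())
    return required


def review_inventory(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for the Check step.

    Findings cover duplicate entries, missing descriptions, missing owner or
    custodian, owner acting as custodian (segregation of duties) and
    obligations from the table of authorities that are not evidenced.
    """
    findings: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    for asset in assets:
        if asset.name in seen:
            findings.append((asset.name, "duplicate inventory entry"))
        seen.add(asset.name)
        if not asset.description.strip():
            findings.append((asset.name, "missing system description"))
        if not asset.owner:
            findings.append((asset.name, "no designated owner"))
        if not asset.custodian:
            findings.append((asset.name, "no designated custodian"))
        if asset.owner and asset.owner == asset.custodian:
            findings.append((asset.name,
                             "segregation of duties: owner is also custodian"))
        for control in sorted(required_controls(asset) - asset.controls):
            findings.append((asset.name,
                             f"compliance gap: {control} required but not evidenced"))
    return findings


# Constructed sample inventory: one clean asset, one SoD problem, one
# undocumented legacy system with no owner and an unmet obligation.
SAMPLE_INVENTORY = [
    Asset("student-payment-portal", "Online tuition payment front end",
          owner="Director of Finance", custodian="Manager, Web Services",
          data_types={"cardholder", "personal"},
          controls={"PCI-DSS", "privacy-impact-assessment"}),
    Asset("records-archive", "Institutional records repository",
          owner="Manager, Records", custodian="Manager, Records",
          data_types={"personal"},
          controls={"privacy-impact-assessment"}),
    Asset("legacy-grants-db", "",
          owner=None, custodian="DBA team",
          data_types={"financial"}, controls=set()),
]


if __name__ == "__main__":
    for name, finding in review_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

Each finding names the asset and the governance artifact that is incomplete, which is the shape a report to an audit committee needs: the Act step can then assign the fix (designate an owner, split the custodian role, evidence the control) to the responsible party named in the inventory.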
Conclusion IT Security Governance is a strategic practice that ensures appropriate security capabilities are available and adequately funded to maintain effective cybersecurity program planning and decision making. Organizations and agencies that invest in IT Security Governance are able to manage the use of their assets securely, manage enterprise risk internally and externally and help ensure the ongoing viability of their operations. Information Security Governance is part of an integrated “governance structure that includes strategic planning, enterprise architecture, program management, capital planning, security and workforce planning.” (Bernard S. A., 2005, p. 33) Information Security Governance is captured in the Security Architecture Framework and is used “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11) By taking W. Edwards Deming’s Plan-Do-Check-Act continuous improvement model as the guiding principle for IT Security Governance, organizations and agencies will benefit from a consistent cybersecurity program focusing on secure business management and operations. Leo de Sousa Page 5
References

Allen, J. H., & Westby, J. R. (2007). Governing for Enterprise Security (GES) Implementation Guide. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.

Balanced Scorecard Institute. (1998). The Deming Cycle. Retrieved from Balanced Scorecard Institute: http://www.balancedscorecard.org/TheDemingCycle/tabid/112/Default.aspx

Bernard, S. A. (2005). An Introduction to Enterprise Architecture (2nd ed.). Bloomington, IL: AuthorHouse.

Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for Implementing Information Security and Data Privacy. Washington, DC, USA.

British Columbia Institute of Technology. (2009). 3501 - Acceptable Use of Technology. Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3501.pdf

British Columbia Institute of Technology. (2009). 3502 - Information Security. Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3502.pdf

de Sousa, L. (2007, Jun 22). EA Model V.2. Retrieved Jan 18, 2012, from Enterprise Architecture in Higher Education: http://leodesousa.ca/2007/06/ea-model-v2/

Foreign Affairs and International Trade Canada. (2011, Oct 14). Cybercrime. Retrieved Feb 2, 2012, from International Security: http://www.international.gc.ca/crime/cyber_crime-criminalite.aspx?view=d

Harris, S. (2006, Aug). Information Security Governance Guide. Retrieved Feb 1, 2012, from TechTarget: http://searchsecurity.techtarget.com/tutorial/Information-Security-Governance-Guide

IT Governance Institute. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd ed.). Rolling Meadows, IL, USA.

Sternstein, A. (2011, Aug 2). Debt deal could be a blow for cybersecurity. Retrieved from Nextgov: http://www.nextgov.com/nextgov/ng_20110802_1799.php?oref=topstory

wiseGEEK. (2011). What Is a Cyberattack? Retrieved from wiseGEEK: http://www.wisegeek.com/what-is-a-cyberattack.htm
