Information Assurance
Fall 2023
INFORMATION SECURITY GOVERNANCE-2
https://static.securityintelligence.com/uploads/2017/03/threat_vuln_impact.jpg
https://avkashk.files.wordpress.com/2014/03/isms.jpg
Conceptual Information Security Governance
Figure (governance diagram): Conceptual Information Security Governance
• Senior Management: Business Strategy, Organization Objectives
• Steering Committee and Executive Management: Risk Management, Information Security Strategy, Security Requirements
• CISO / Steering Committee: Security Action Plan, Policies, Standards, Security Program
• Strategy inputs: Current State and Desired State of Implementation; Business Processes and requirements; Risk Assessment; Business Impact Analysis; Regulatory Requirements
• Security Program: Monitor / Metrics, Reporting, Trend Analysis, Action Plan Inputs (Security Objectives, Available Resources and Constraints)
Information Security Governance
TOPIC: THE BUSINESS MODEL FOR INFORMATION SECURITY
Challenges ISMs Face
• Security managers face myriad challenges, including
–Changing risk profiles, lack of funding, cultural issues, and internal and external threats.
–How the enterprise changes, how the culture adapts, and what may or may not emerge as a result.
–Current models tend to be static and simple, while environments are continuously changing.
• Possible Solution:
–Is there a way for information security managers to take a holistic approach to managing information security while directly addressing business objectives?
Challenges ISMs Face: Example
• Security weaknesses that result from inappropriate governance, inadequate management, a dysfunctional culture or unready staff cannot be fixed with technology.
• But the expectation exists, and it often results in enterprise leadership's disappointment with the performance of the security program.
• The combination of a lack of common language, risk managed in silos and cultures that do not understand information security is undoubtedly familiar to many enterprises.
• The Business Model for Information Security addresses each of these.
The Business Model for Information Security
• The Business Model for Information Security (BMIS) is a holistic and business-oriented approach to managing information security, and a common language for information security and business management to talk about information protection.
–Four elements
–Six dynamic interconnections (DIs)
–Elements are linked to each other via the DIs.
–If any one part of the model is changed, other parts will change as well.
The Business Model for Information Security
• Organization Design and
Strategy
–An organization is a
network of people, assets
and processes interacting
with each other in defined
roles and working toward a
common goal.
The Business Model for Information Security
• People
–The people element
represents the human
resources and the security
issues that surround them.
It defines who implements
(through design) each part
of the strategy.
–It represents a human
collective and must take
into account values,
behaviors and biases.
The Business Model for Information Security
• Process
–Processes identify,
measure, manage and
control risk, availability,
integrity and confidentiality,
and they also ensure
accountability.
–They derive from the
strategy and implement the
operational part of the
organization element.
The Business Model for Information Security
• Technology
–The technology element is
composed of all of the tools,
applications and infrastructure
that make processes more
efficient. As an evolving element
that experiences frequent
changes, it has its own dynamic
risks.
–Given the typical enterprise’s
dependence on technology,
technology constitutes a core
part of the enterprise’s
infrastructure and a critical
component in accomplishing its
mission.
The Business Model for Information Security
• IT people in technical roles (administration and operations) define and present technology in terms of what the technology does.
• The ISM presents technology on the basis of what it does and how it supports business objectives.
Example
A higher number of vulnerabilities obviously makes an attack more attractive, as does a lack of monitoring or countermeasures.
The Business Model for Information Security
• Diligent utilization of the model
will equip enterprises to deal
with current and future issues
such as:
–Regulatory requirements
–Globalization
–Growth and scalability
–Organizational synergies
–Evolving technology
–Economic markets
–Human resources
–Competition
–Ever-changing threats
–Innovation
http://www.isaca.org/Knowledge-Center/Research/Documents/Introduction-to-the-Business-Model-for-Information-Security_res_Eng_0109.pdf
The Business Model for Information Security
Assignment 1:
• Explain each standard's purpose in your own words (3 lines max).
• As ISM, give a justification for implementing them in your organization (5 lines max).
Roles and Responsibilities
• Board of Directors
• Senior Management
• Business Process Owners
• Steering Committee
• Chief Information Security Officer
http://i0.wp.com/lcdn.24point0.com/media/catalog/product/cache/1/image/1800x/6a98226f0254c10d9ba7ccf96e396a7d/r/a/raci-triangle-model-powerpoint-slide.jpg
Roles and Responsibilities
Riphah Institute of Systems Engineering
Knowledge Check
Roles (columns): Information Security Manager, Board of Directors, CISO, CEO, Business Process Owner.
Activities (rows), with the RACI letters as given on the slide:
• Define the target IT capabilities: C, R, A, I
• Conduct a gap analysis: A, R, R
• Define the strategic plan and road map: C, C, A
• Communicate the IT strategy and directions: I, I, R, R, I
Information Security Governance
TOPIC: INFORMATION SECURITY GOVERNANCE METRICS
Information Security Governance Metrics
• A metric is defined as a quantifiable entity that allows the measurement of security performance and achievement of a process goal.
–Security metrics should tell us about the state or degree of safety relative to a reference point.
Figure: ISO/IEC 27004:2016 measurement cycle: Identify information needs; Create and maintain measures; Establish procedures; Monitor and measure; Analyze results; Evaluate ISMS effectiveness.
Information Security Governance Metrics
• Technical metrics are useful for the tactical, operational management of technical security systems (IDS, proxy servers, firewalls).
–They can indicate that the infrastructure is operating soundly and that technical vulnerabilities are identified and addressed.
–They have less value from a strategic management or governance point of view.
–They say nothing about strategic alignment with organizational objectives or how well risk is being managed.
–They provide few measures of policy compliance or of whether objectives for acceptable levels of potential impact are being met.
Information Security Governance Metrics
• Management is interested in:
–How secure is the organization?
–How much security is enough?
–How do we know we have achieved an adequate level of security?
–What are the most cost-effective security solutions?
–How do we determine the degree of risk?
–Is the security program achieving its objectives?
–What impact is a lack of security having on productivity?
–What impact will a catastrophic security breach have?
–What impact do security solutions have on productivity?
SMART
• Good metrics are SMART:
–Specific
•Based on clearly understood goal; clear and concise
–Measurable
•Able to be measured; quantifiable (objective), not subjective
–Attainable
•Realistic; based on important goal and values
–Relevant
•Directly related to a specific activity or goal
–Timely
•Grounded in a specific time frame
Metrics Standards
• ISO/IEC 27004:2016
–Provides guidance on the development and use of measures to assess the effectiveness of an ISMS and of controls or groups of controls, as specified in ISO/IEC 27001.
• COBIT 5
–Offers IT metrics for each of 17 suggested enterprise goals, totaling 150 metrics.
• The Center for Internet Security (CIS) – CIS Security Metrics
–Includes 28 metric definitions.
• NIST SP 800-55 (Performance Measurement Guide for Information Security)
–Aligned with the security controls provided in NIST SP 800-53.
Governance Implementation Metrics
ISO 27004:2016 (Example)
NIST 800-55 (Example)
Metrics - Balanced Scorecard (Example)
https://www.isaca.org/Journal/archives/2013/Volume-5/PublishingImages/13v5-How-to-Measure-3.jpg
Governance Implementation Metrics
• Strategic Alignment Metrics
–Any control that cannot be tracked directly back to a specific business requirement is suspect and should be analyzed for relevancy and possible elimination.
•Examples
–The percentage of security program activities mapped to organizational objectives and validated by senior management.
–A security steering committee consisting of key executives with a charter to ensure ongoing alignment of security activities and business strategy.
Governance Implementation Metrics
• Risk Management Metrics
–Expectations and objectives of risk management must be defined. Otherwise there is no basis for determining whether the program is succeeding and whether resource allocations are appropriate.
•Examples
–Trends of periodic risk assessments indicating progress towards defined goals.
–Ratio of security incidents from known risk compared to those from unidentified risk.
Governance Implementation Metrics
• Value Delivery Metrics
–Value delivery occurs when security investments are optimized in support of organizational objectives.
–Optimal investment levels occur when strategic goals for the organization are achieved and an acceptable risk posture is attained at the lowest cost.
•Examples
–The cost of security being proportional to the value of assets.
–Control cost-effectiveness that is determined by periodic testing.
Governance Implementation Metrics
• Resource Management Metrics
–Describe the processes to plan, allocate and control information security resources, including people, processes and technologies, for improving the efficiency and effectiveness of business solutions.
Governance Implementation Metrics
• Performance Measurement
–Measuring, monitoring and reporting on information security processes are required to ensure that organizational objectives are achieved.
•Examples
–The time it takes to detect and report security-related incidents.
–Benchmarking comparable organizations for cost and effectiveness.
Governance Implementation Metrics
• Assurance Process Integration (Convergence)
–Organizations should consider an approach to integrate assurance functions. This will reduce duplicated efforts and gaps in protection.
•Examples
–The elimination of unnecessary security overlaps.
–Well-defined roles and responsibilities.
• What should be the PRIMARY basis of a road map for implementing information security governance?
• Select one:
–Architecture
–Strategy (Correct)
–Policies
–Legal requirements
• Investment in security technology and processes should be based on:
• Select one:
–best business practices
–safeguards that are inherent in existing technology
–success cases that have been experienced in previous projects
–clear alignment with the goals and objectives of the organization
• Successful implementation of information security governance will FIRST require:
• Select one:
–computer incident management team
–security architecture (Incorrect)
–updated security policies
–security awareness training