Assuring Digital Strategic Initiatives: Implementation of an effective Information Security Management System
Information security program management
Information security program management is the discipline of designing, implementing and maturing security practices to protect critical business processes and IT assets across the enterprise.
The future of enterprises depends on the quality of security and risk management: information, information systems and technologies may bring numerous benefits to any organization, but they can also become its main source of vulnerability if they are not managed effectively.
Information Security Management System
Its objectives, among others, are to:
• Protect the organization and its information assets by keeping security at a desired level
• Manage risks by identifying assets, discovering threats and estimating the risk
• Provide direction for security by documenting security policies, procedures, etc.
• Plan and justify budgets and resources related to security
• Assess the effectiveness of the implemented controls by using metrics and indicators.
Ensure you have C-suite support
• Security culture and support for security come from the top
• It is important to ensure a common understanding of the threats
• How do you find out whether you have support? Ask!
Align to Business Strategy
• Define the aims to achieve during a defined period
• These are influenced, to a great extent, by the organization's business strategy. Align them with the organization's vision, mission, goals and strategy.
Environmental Trends
• Trends in the economic, business, market, regulatory, political and technology environments can have a great impact on the security risk facing the enterprise.
• Widespread cyber threats to businesses include: spam and phishing emails; malware in its many forms (viruses, Trojans, spyware, ransomware, rootkits); drive-by downloads; password cracking; denial-of-service (DoS) attacks; and exploitation of out-of-date, unpatched software.
Security Assessment
Assess the overall effectiveness and efficiency of security in the company by performing:
- Vulnerability assessments and penetration tests to assess the technical infrastructure
- Risk assessments to balance the investment in controls against the actual risks
- Internal and external audits, whose results assess the effectiveness of, and compliance with, policy and controls
- and other assessment activities
Organisation's Risk Appetite
• The consequence and likelihood of the risk occurring should determine the level of acceptable risk
• Management can prioritize resources for taking action based on the appetite it has set
Consider risk appetite in these areas (the control domains of ISO/IEC 27001:2013 Annex A):
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Business continuity management
Gap Analysis
• Consists of mapping the current state against the vision statement and identifying the gaps between the two states, in order to derive the actions and projects required to close these gaps.
Prioritization
Almost no organization will have the resources required to execute on all of the identified security projects and activities. Prioritization criteria include the following:
- The level of risk reduction potentially achieved by a given project/activity
- The resources (skills, staff and systems) required
- The financial cost
- The "time to value": the period between the initial investment and the point at which the project will start accruing value to the organization.
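The risk appetite slide and the prioritization criteria above describe a scoring method without working it through. What follows is an added example, not part of the presentation: a constructed risk register scored on a 5x5 likelihood-by-consequence scale, a per-domain appetite threshold, and the four prioritization criteria (risk reduction, resources, cost, time to value) combined into a ranking and a budget-limited selection for one planning period. The scale, the appetite figures, the time-to-value discount, the greedy selection rule and every risk, project and cost are assumptions made for the illustration.

```python
"""Added example, not from the slide deck: a small risk register scored on a
5x5 likelihood x consequence scale, checked against a per-domain risk appetite,
with treatment projects ranked on the slide's criteria (risk reduction, cost,
resources, time to value). Every risk, project, weight and threshold is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    domain: str        # control area, e.g. "Access control"
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    consequence: int   # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Project:
    name: str
    treats: str               # name of the risk this project reduces
    residual_likelihood: int  # expected scores once the control is in place
    residual_consequence: int
    cost: float               # money, constructed units
    staff_months: float       # people needed (the "resources" criterion)
    months_to_value: int      # delay before the control starts reducing risk


# Constructed appetite: the highest score management accepts per domain;
# stricter for access control, looser for supplier risk, 9 elsewhere.
APPETITE = {"default": 9, "Access control": 6, "Supplier relationships": 12}

RISKS = [
    Risk("Shared admin credentials", "Access control", 4, 4),
    Risk("Unpatched internet-facing servers", "Operations security", 4, 5),
    Risk("Third-party data processor breach", "Supplier relationships", 2, 5),
    Risk("Laptop theft", "Physical and environmental security", 3, 2),
]

PROJECTS = [
    Project("Deploy PAM", "Shared admin credentials", 2, 3, 120_000, 6, 6),
    Project("Patch management programme", "Unpatched internet-facing servers", 2, 5, 40_000, 3, 3),
    Project("Supplier assurance reviews", "Third-party data processor breach", 1, 5, 20_000, 2, 4),
    Project("Full-disk encryption", "Laptop theft", 3, 1, 10_000, 1, 1),
]


def exceeds_appetite(risk: Risk, appetite: dict) -> bool:
    """True when the inherent score is above what management has accepted."""
    limit = appetite.get(risk.domain, appetite["default"])
    return risk.score > limit


def out_of_appetite(risks, appetite):
    """Risks management has not accepted and must treat, transfer or avoid."""
    return [r.name for r in risks if exceeds_appetite(r, appetite)]


def project_value(risk: Risk, project: Project) -> float:
    """Risk reduction per 10k of cost, discounted for time to value.
    The discount (1 + months/12) is an assumed weighting, not from the slide."""
    reduction = risk.score - project.residual_likelihood * project.residual_consequence
    return round(reduction / (project.cost / 10_000) / (1 + project.months_to_value / 12), 3)


def prioritise(risks, projects, appetite):
    """Rank projects: those treating out-of-appetite risks first, then by value.
    Returns (project name, urgent?, value) tuples in priority order."""
    by_name = {r.name: r for r in risks}
    scored = [(p.name, exceeds_appetite(by_name[p.treats], appetite),
               project_value(by_name[p.treats], p)) for p in projects]
    return sorted(scored, key=lambda t: (not t[1], -t[2]))


def select_within_budget(risks, projects, appetite, budget, staff_capacity):
    """Greedy plan: take projects in priority order while money and staff remain.
    Shows how an urgent project can still slip when it alone exhausts the budget."""
    by_name = {p.name: p for p in projects}
    chosen, spent, used = [], 0.0, 0.0
    for name, _urgent, _value in prioritise(risks, projects, appetite):
        p = by_name[name]
        if spent + p.cost <= budget and used + p.staff_months <= staff_capacity:
            chosen.append(name)
            spent += p.cost
            used += p.staff_months
    return chosen


if __name__ == "__main__":
    print("Out of appetite:", out_of_appetite(RISKS, APPETITE))
    for name, urgent, value in prioritise(RISKS, PROJECTS, APPETITE):
        print(f"{'URGENT ' if urgent else '       '}{value:6.3f}  {name}")
    print("Funded this period:", select_within_budget(RISKS, PROJECTS, APPETITE, 150_000, 10))
```

With the constructed figures the two out-of-appetite risks rank first, but the PAM project (120k on its own) does not fit a 150k period budget alongside the cheaper patching work, so the plan funds patching, disk encryption and supplier reviews and carries PAM to the next period. That is the situation the slide describes: the ranking tells management which gap it is consciously leaving open, which is the decision the approval step has to record.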
Approval
• The final step is to obtain executive approval and budget.
• The strategy should be communicated using a written report and an executive presentation that clearly describe the current state, the desired state, and how the projects, with their respective phases and milestones, will help to achieve the desired state.
Review & Reporting
• Use metrics that matter: false-positive reporting rate, incident response volumes, fully revealed incidents rate, percentage of security incidents detected by an automated control
• Measure performance, not activity
• Measure to objectives
• Progress should be reported to upper management on a regular basis.
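The slide names its metrics but does not show how they are produced or compared with an objective. The following is an added example, not from the presentation: it computes each named metric from a constructed sample of alert records and checks the result against management targets. The source labels, the set of sources treated as "automated controls", the dispositions, the dates and the targets are all assumptions, and "fully revealed incidents rate" is read here as the share of confirmed incidents whose root cause was established, which is an assumption about the slide's term.

```python
"""Added example, not from the slide deck: compute the reporting metrics the
slide names from a constructed sample of alert records and check them against
management objectives. Sources, dispositions, dates and targets are assumptions."""
from collections import Counter

# Assumption: detections from these sources count as "detected by an automated control".
AUTOMATED_SOURCES = {"siem", "edr"}

# Constructed sample: one record per alert the response team worked.
ALERTS = [
    {"id": "A-01", "opened": "2024-01-03", "source": "siem", "disposition": "incident", "root_cause_found": True},
    {"id": "A-02", "opened": "2024-01-05", "source": "siem", "disposition": "false_positive", "root_cause_found": False},
    {"id": "A-03", "opened": "2024-01-09", "source": "edr", "disposition": "incident", "root_cause_found": True},
    {"id": "A-04", "opened": "2024-01-12", "source": "user_report", "disposition": "incident", "root_cause_found": False},
    {"id": "A-05", "opened": "2024-01-16", "source": "siem", "disposition": "false_positive", "root_cause_found": False},
    {"id": "A-06", "opened": "2024-01-20", "source": "edr", "disposition": "false_positive", "root_cause_found": False},
    {"id": "A-07", "opened": "2024-01-28", "source": "third_party", "disposition": "incident", "root_cause_found": True},
    {"id": "A-08", "opened": "2024-02-02", "source": "siem", "disposition": "incident", "root_cause_found": True},
    {"id": "A-09", "opened": "2024-02-11", "source": "edr", "disposition": "false_positive", "root_cause_found": False},
    {"id": "A-10", "opened": "2024-02-19", "source": "siem", "disposition": "incident", "root_cause_found": False},
]

# Constructed objectives: ("max", x) means the value must not exceed x, ("min", x) must reach x.
OBJECTIVES = {
    "false_positive_rate": ("max", 0.30),
    "automated_detection_pct": ("min", 75.0),
    "fully_revealed_pct": ("min", 60.0),
}


def _incidents(alerts):
    return [a for a in alerts if a["disposition"] == "incident"]


def false_positive_rate(alerts):
    """Share of all alerts closed as false positives (0.0 when there are no alerts)."""
    if not alerts:
        return 0.0
    fp = sum(1 for a in alerts if a["disposition"] == "false_positive")
    return round(fp / len(alerts), 3)


def automated_detection_pct(alerts):
    """Percentage of confirmed incidents first raised by an automated control,
    as opposed to a user report or a third party telling you."""
    incidents = _incidents(alerts)
    if not incidents:
        return 0.0
    auto = sum(1 for a in incidents if a["source"] in AUTOMATED_SOURCES)
    return round(100 * auto / len(incidents), 1)


def fully_revealed_pct(alerts):
    """'Fully revealed incidents rate', read here as the percentage of confirmed
    incidents whose root cause was established (an assumption about the slide's term)."""
    incidents = _incidents(alerts)
    if not incidents:
        return 0.0
    revealed = sum(1 for a in incidents if a["root_cause_found"])
    return round(100 * revealed / len(incidents), 1)


def incident_volume_by_month(alerts):
    """Incident response volume: confirmed incidents per calendar month (YYYY-MM)."""
    return dict(Counter(a["opened"][:7] for a in _incidents(alerts)))


def measure_to_objectives(alerts, objectives):
    """Performance, not activity: report each metric and whether it meets its target."""
    values = {
        "false_positive_rate": false_positive_rate(alerts),
        "automated_detection_pct": automated_detection_pct(alerts),
        "fully_revealed_pct": fully_revealed_pct(alerts),
    }
    report = {}
    for name, (kind, target) in objectives.items():
        value = values[name]
        met = value <= target if kind == "max" else value >= target
        report[name] = (value, target, met)
    return report


if __name__ == "__main__":
    print("Incidents per month:", incident_volume_by_month(ALERTS))
    for name, (value, target, met) in measure_to_objectives(ALERTS, OBJECTIVES).items():
        print(f"{name:<24} {value:>6}  target {target:>5}  {'MET' if met else 'MISSED'}")
```

The point of the objective check is the slide's "measure to objectives": the raw volume (four incidents in January, two in February) is activity, whereas the two missed targets (40% of alerts were false positives against a 30% ceiling, and only two thirds of real incidents came from automated detection against a 75% floor) are performance statements that tell upper management where tuning and detection coverage work is needed.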
Security Awareness
Security education is an important component of any organization's information security program.
If employees don't know their security responsibilities, they cannot be depended upon to do their part.
Assuring Digital Strategic Initiatives by
Security Programs Success
Security programs will be successful when they are:
• Supported by executives
• Aligned with organisational goals
• Risk-based, aligned with the business and its risk appetite
• Standards-based, and evolving over time
• Capturing the present and target state accurately
• Realistic and actionable in their plans
• Resourced effectively
• Focused on building security in from the ground up
• Measured and monitored
• Continuously improved
• Communicated appropriately
• Executed on
Digital strategic initiatives
• Business innovation means extending beyond the enterprise. Organizations leverage information technology to power their innovation efforts while battling mounting regulation and escalating threats to information. Without the right security strategy, the business can be stifled or the organization put at great risk.
• Such initiatives enter new markets, launch new products or services, create new business models, establish new channels or partnerships, or achieve operational transformation.
• The security program needs to work on business problems, not compliance issues
Questions?