Implementing security governance in a multinational financial group Information Security Summit Prague, May 30 – 31, 2012



So what is governance?

Definition Nr. 1:

IT governance is the preparation for, making of and implementation of IT-related decisions regarding goals, processes, people and technology on a tactical or strategic level.

Definition Nr. 2:

Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise security programme.


Ok, let's try again: what is governance?

Wikipedia:

Governance is

the act of governing


What is the goal of governance?

To govern!


Or, you might want to become:

The BAD ASS

Governor!


The best definition of governance

In order to govern, the question is not to follow out a more or less valid theory but to build with whatever materials are at hand. The inevitable must be accepted and turned to advantage.

His Imperial and Royal Majesty Napoleon I, By the Grace of God and the Constitutions of the Republic, Emperor of the French, King of Italy, Protector of the Confederation of the Rhine, Mediator of the Helvetic Confederation.


The playground

Home Credit Group: a leading multi-channel consumer finance provider, part of PPF Group (13 billion EUR assets)

Home Credit B.V. (Europe): Czech Republic, Slovak Republic, Belarus, Russia, Kazakhstan; 17,300 employees, over 26 million customers

Home Credit Asia: China, Vietnam, India, Indonesia, to be continued..; 2,825 employees, 1.34 million customers

Home Credit International: part of Home Credit B.V., IT development & services provider for the whole Group; 300 employees located in Brno, CZ


Implementing security governance

3 basic steps for implementing a security governance process:

1. Get to know them (personally)

2. Set up communication rules and processes

3. Define priorities and launch the governance process


Getting to know them

Ways of approach

offsite (top-down approach): country, company, IT / IT security

onsite (bottom-up approach): see it with your own eyes, talk to everybody who seems to be important


Getting to know them

Hints & tips

get a 2nd opinion: an external audit might be a good idea, just don't rely on them completely (the 1st opinion should still be yours!)

always look at the whole picture: it's not only about security, but also the country, market, company, competition, local economy ..


Getting to know them

Famous quotes to remember

"Well obviously I'm not a trained lawyer, or I wouldn't have been in charge of the legal unit." (Sir Humphrey in Yes, Minister!)

"Amateurs study cryptography; professionals study economics." (from the book The New School of Information Security)


Setting up communication rules

decide about the governance approach: individual vs. collective, depending on the size and number of the entities

find the correct people to communicate to!!! it might be a different role in each country


Starting the governance process

define the priorities, or put them in the right order: risk assessment, audit findings, regulatory requirements

follow up on their progress: regular progress reporting, status calls, etc. => staying in touch

turn the opening project into an ongoing process


The end

And they governed happily ever after ..

.. thank you!

Zdeněk Adamec, CISM
Group IT Security Manager
Home Credit
[email protected]