Building Your Information Security Program: Frameworks & Metrics

Rob Arnold, CISSP, CISM
Information Security Officer, University of Kansas

Building your InfoSec Program: Frameworks & Benchmarks

[Chart: Raytheon/Ponemon 2015 Global Megatrends in Cybersecurity, Feb 2015]

Agenda
  • Why use a framework?
  • How do I use a framework?
  • Where can I get a framework?
  • What value are benchmarks?
  • Where can I find benchmarks?
  • How can I get started?
  • What resources are there?

Why use a framework?

Use a framework to ensure you have coverage (the unknown unknown problem)
  • Frameworks are highly vetted
  • Some degree of future-proofing
  • Help with responding to audits

Use a framework to identify areas for improvement
  • Taxonomy provides structure
  • Common vocabulary
  • Framework defines some ideal
  • You assess the gap between your reality and the ideal
  • Develop a work plan

Use a framework to benefit from a proven successful approach
  • Repeatable approaches to problems
  • Stand on the shoulders of giants
  • Allow tailoring for your organization

"If I have seen further it is by standing on ye sholders of Giants." -- Isaac Newton

Use a framework to enable service delivery
  • Consider your work output as services
  • Move toward understanding the demand
  • Move toward understanding your capacity
  • Move toward knowing where your organization gets the security services it needs

How do I use a framework?

Build your security program on a framework
  • Catalog of controls
  • Mapped to the framework
  • With a narrative description of processes
  • Do feed the auditors!
  • Follow the taxonomy of your framework
  • Use the common vocabulary
  • Design your controls to produce evidence

Example: program document mapped to ISO 27002 clauses

6.1.3 Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.
  Requests for information by law enforcement shall be dispatched as set forth in the Investigative Contact by Law Enforcement, Policy and Procedures [KUIT6.1.3A].
  Reporting of crimes shall occur as set forth in the Crime Reporting Policy [KUIT6.1.6B].

6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
  IT Security Office shall maintain membership and participation in special interest groups and information sharing groups as deemed appropriate by the Information Security Officer. ITSO staff are member representatives of REN-ISAC and members of MS-ISAC [KUIT6.1.4A].
  ITSO staff are members of various professional organizations including (ISC)2, ISACA, and EC Council as a result of the position requirement for current certification [KUIT6.1.4B].

18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

18.2.1 Independent review of information security
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
  This program document shall serve as a record of the organization's approach to the management and implementation of information security. This document shall be reviewed no less than annually by the Information Security Officer. [KU18.2.1A]
  An external review of the program document shall be performed at least every two years. [KU18.2.1B]

18.2.2 Compliance with security policies and standards
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
  The IT Security Office shall conduct a Risk and Vulnerability Assessment (RVA) as a service to units. The RVA shall serve as a unit-level review of the practices and documentation of the unit. Issues from the review shall be reported to the unit leadership. [KU18.2.2A]

Information security controls
  • Are specific
  • Are testable
  • Produce evidence
  • Map to your choice of framework
  • Use "shall", not "should" or "may"

Where can I get a framework?

Finding frameworks
  • You may be required to use one (or more) by your industry's regulating body
  • Standards bodies (NIST, ISO)
  • Regulatory bodies (NERC, FISMA, HITRUST)
  • Audit organizations (COBIT, CAG)

What value are benchmarks?

Are you in the lead?
  • How do I compare to my competition?
  • How do I compare to my industry?
  • Am I paying too much for security?
  • Is my attention focused correctly?
  • How do I get more resources?
  • What are my strategic gaps?

Where can I find benchmarks?
  • Big vendors give them away, or trade them for a lead
  • Research firms sell them to you
  • ISAC organizations can help, depending on industry
  • Government agencies publish them (sometimes infrequently and poorly)

How can I get started?
  • Read the docs in the resource section
  • Use your professional contacts: (ISC)2, ISACA, ISSA
  • Pick a framework
  • Write a program document
  • Lather, rinse, repeat

What resources are there?

Frameworks
  • SANS 20 Critical Security Controls
  • ISO 27001:2013 and 27002:2013 (not free)
  • NIST SP800-53rev4
  • NIST Cybersecurity Framework
  • ISACA COBIT 5
  • NERC CIP
  • Council on CyberSecurity Cybersecurity Workforce Handbook
  • NICE National Cybersecurity Workforce Framework
  • HITRUST Common Security Framework

Metrics
  • Verizon DBIR
  • PwC Global State of Information Security
  • Raytheon/Ponemon 2015 Global Megatrends
  • IBM/Ponemon 2014 Cost of Data Breach Study
  • Cisco Annual Security Report
  • HP Cyber Risk Report
  • Wisegate 2013 IT Security Benchmark Summary Report
  • Gartner Info Security and Risk Management Metrics (requires survey)

Thank you!
rob@robarnold.me

Image credits

Public domain
  • Photograph of a Workman on the Framework of the Empire State Building (National Archives Identifier 518290)
  • Woolworth Bldg, Library of Congress, call number LC-B2- 2416-4

Creative Commons
  • Hindenburg, Bundesarchiv, Bild 146-1986-127-05 / CC-BY-SA
  • Benchmark, User:Nixterrimus, CC-BY-SA
  • Peloton, User:muffinn, CC-BY
  • Countisbury Ordnance Survey Benchmark, Copyright Rachel Hunt, CC-BY-SA
  • It's time to get started, User:The fixerupperz, CC-BY-SA
  • Udachnaya mine, User:stepanovas, CC-BY-SA
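The "Information security controls" slide gives four properties a control statement must have (specific, testable, produces evidence, mapped to the framework) and one wording rule (use "shall", not "should" or "may"). The Python below is an added example, not part of the presentation or of the University of Kansas program document: a small lint pass over a control catalog that checks each control for mandatory language, for a bracketed evidence tag in the [KU...] style the slides use, and for a mapping to a known framework clause, and then lists framework clauses that no control covers (the "unknown unknown" check from the "Why use a framework?" slide). The catalog entries and the clause table are constructed, modelled on the ISO 27002 excerpt on the slides; two entries are deliberately weak so the checks have something to report.

```python
"""Lint a control catalog against the 'Information security controls' slide:
specific, testable, produce evidence, map to the framework, use 'shall'.

Added example, not from the presentation. CATALOG and FRAMEWORK_CLAUSES are
constructed; the evidence-tag convention [KU<letters><clause><letter>] is an
assumption modelled on tags such as [KUIT6.1.3A] on the slides.
"""
import re
from dataclasses import dataclass, field

# Constructed: the framework clauses the program document may map to.
FRAMEWORK_CLAUSES = {
    "6.1.3": "Contact with authorities",
    "6.1.4": "Contact with special interest groups",
    "18.2.1": "Independent review of information security",
    "18.2.2": "Compliance with security policies and standards",
}

# Constructed controls. The last two are deliberately weak: one uses
# 'should' and carries no evidence tag, one uses 'may' and maps to a
# clause that is not in the framework table above.
CATALOG = [
    {"clause": "6.1.3",
     "text": "Requests for information by law enforcement shall be dispatched "
             "as set forth in the Investigative Contact by Law Enforcement "
             "Policy and Procedures [KUIT6.1.3A]."},
    {"clause": "18.2.1",
     "text": "This document shall be reviewed no less than annually by the "
             "Information Security Officer. [KU18.2.1A]"},
    {"clause": "18.2.2",
     "text": "Managers should review compliance in their area periodically."},
    {"clause": "9.4.2",
     "text": "Users may enable multi-factor authentication. [KU9.4.2A]"},
]

# Evidence tag: '[KU', optional letters, a dotted clause number, one letter, ']'.
EVIDENCE_TAG = re.compile(r"\[KU[A-Z]*\d+(?:\.\d+)*[A-Z]\]")
WEAK_WORDS = re.compile(r"\b(should|may)\b", re.IGNORECASE)
MANDATORY = re.compile(r"\bshall\b", re.IGNORECASE)


@dataclass
class Finding:
    clause: str
    problems: list = field(default_factory=list)


def lint_control(control, clauses=FRAMEWORK_CLAUSES):
    """Return the list of problems with one control; an empty list means clean."""
    problems = []
    text = control["text"]
    if control["clause"] not in clauses:
        problems.append(f"clause {control['clause']} is not in the framework")
    if not MANDATORY.search(text):
        problems.append("no 'shall': control is not mandatory")
    weak = WEAK_WORDS.findall(text)
    if weak:
        problems.append("weak modal(s): " + ", ".join(w.lower() for w in weak))
    if not EVIDENCE_TAG.search(text):
        problems.append("no evidence tag: control produces no evidence")
    return problems


def lint_catalog(catalog=CATALOG, clauses=FRAMEWORK_CLAUSES):
    """Lint every control and return a Finding for each one with problems."""
    findings = []
    for control in catalog:
        problems = lint_control(control, clauses)
        if problems:
            findings.append(Finding(control["clause"], problems))
    return findings


def coverage_gaps(catalog=CATALOG, clauses=FRAMEWORK_CLAUSES):
    """Framework clauses that no control in the catalog maps to."""
    covered = {c["clause"] for c in catalog}
    return sorted(c for c in clauses if c not in covered)


if __name__ == "__main__":
    for finding in lint_catalog():
        print(finding.clause, "->", "; ".join(finding.problems))
    print("uncovered clauses:", coverage_gaps())
```

Run as a script it reports the two weak controls and the one framework clause (6.1.4) that the constructed catalog never maps to. In a real program document the same pass would be run against the full control catalog before each of the reviews that clause 18.2.1 on the slides calls for, so that the auditors are fed controls that are mandatory and produce evidence.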