Information Security Strategy Template
May 2015
Outline
• Why develop a security strategy
• Business drivers
• Information Security Ecosystem
• Organization of Information Security
• Incident Summary
• Current Priorities
• Risk Landscape
• Investment Roadmap
• Next Steps
Why Develop a Security Strategy?
Help <the business> determine acceptable levels of risk and how much investment is needed.
[Figure: three tiers of security work. Work We Must Do: baseline protection. Should Do: proactive management. Could Do: new business drivers. Outcomes shown: risk-based decisions to achieve business goals, “legally defensible” security, manage compliant-ready services.]
Vision (sample)
Information Technology risks are identified, understood, and managed to an acceptable level across the Enterprise. Business units have the tools, resources, and expertise to make optimal decisions for business success.
Top Business Drivers
Business drivers associated with IT Risks
Brand
• Earn and maintain customer trust
• Online presence with content integrity and availability
Competitive Advantage
• Protect sensitive information to continue growth in established markets, enable global expansion
Customer & Employee Privacy
• Protect customer and employee data from theft or disclosure
Compliance
• Identify and efficiently manage regulations
Mission
Develop and measure IT security standards while enabling business autonomy and agility. Deliver value through identification of threats, assessment of risk, expert consulting, and providing foundational security services to prevent, detect, and respond to disruptions.
How We Think About IT Security
Defining an IT Security ecosystem helps organize security risks across the Business.
• Workforce: Workforce is trained and empowered to protect data
• Physical: Facilities are safe and accessible
• Applications: Applications are developed and managed securely
• Data: Data is classified, known, & protected throughout its lifecycle
• Networks: Networks are available, monitored, and resilient
• Devices: A diverse collection of devices configured and managed for security
(alt.) How We Think About IT Security (NIST CSF view)
Defining an IT Security framework helps organize security risks across the Enterprise.
• Identify: Asset Management, Governance, Risk Management
• Protect: Access Control, Training, Data Protection, Maintenance, Protective Technology
• Detect: Anomalies, Event Monitoring, Detection Processes
• Respond: Planning, Communications, Analysis, Mitigation, Improvements
• Recover: Recovery Planning, Improvements, Communications
[Figure: the five functions arranged around Data, applied at the Corporate level and across each Business Segment.]
Organization of Information Security
Show ownership across security services
[Figure: security services mapped to owners (Information Security Mngt. & Reporting, Information Technology, Business Units) and to analyst & operational responsibilities. Services shown: Operations, Tier 1 Investigation, Disaster Recovery, Security Architecture, Event Monitoring, System Updates, Security Engineering, Security Awareness, Firewall/IDS Mngt., Mobile Mngt., Data Inventory, Vulnerability Mngt., Access Mngt., Change Mngt., Data Loss Prevention, User Provisioning, Sys. Implementation, Data Encryption, Remote Access, Capacity Mngt., Risk Assessment, Audit Mngt., Incident Response, Technical Standards, Security Policy, Application Mngt., Data Analytics, Secure Programming, Purchasing, Vendor Mngt., Compliance, Audit Oversight, H/W & S/W Inventory, Internal Consulting, Business Continuity.]
Legend: Compliance Ready / Resourced, not complete / Investment Required / Unknown
Incident Summary
• Significant incident summaries
Security Visibility & Posture (Example)
• Service Objective: Foster and support an appropriate security posture aligned with business goals
• Monitor control effectiveness & visibility
• Develop baseline standards where needed
(Can use ecosystem elements)
Control Visibility Key: Full / Partial / No/Limited / ?
Control Posture Key: No Standard Defined / Meet Standards / Short Term Gaps / Long Term Gaps
Current State Summary
Progress
• <wins>
Challenges
• <need help>
Next Steps
1. <...>
Risks Grouped By Business Driver (example)
• Protect Brand
  • Focus: Incident Response, Device Support & Vulnerabilities
  • Impact estimates: loss of service or data affecting patient adoption & retention
  • 6 High risks
• Privacy
  • Focus: Malware & Unencrypted Data
• Enable Business
  • Meet Partner requirements
  • Strengthen remote authentication
• Compliance
  • 7 risks across foundational controls
[Heat map: risks plotted by business driver (Protect Brand, Privacy, Enable Business, Compliance); both axes run 3–10; zones labeled Accept / Evaluate / Act.]
Current Risk Landscape
• Risks Needing Decision
  • Count: xx
  • Foundational controls missing or partially implemented
• Mitigated
  • Count: x
  • Vendor-managed risks assessed and managed
• Mitigation In Progress
  • Count: x
  • Key risks: managing vulnerabilities, backup-restore, upgrade software
[Heat map: risks plotted by status (Active / In Progress / Mitigated); both axes run 3–10. Risks shown: Attack Chain: malware, Backup-restore, Incident Response, Partner Requirements, Unencrypted Data, Vuln. mngt., Terminated Users, No 2-Factor, Device Malware/Abuse, Business continuity, Obsolete Software, Data inventory, Shared ID's, Vendor Compromise, Risk management, Appropriate access, Background checks, DoS, Wireless controls, Phishing victims, Password Policies, Media destruction, Sanction Policy, Validate Access.]
IT Security Performance
• Measuring xx performance indicators across Business Units
Title | Status | Trend
Master Security Index | |
Protect Brand | |
Increase Revenue | |
Support Business | |
Reduce Costs | |
Comply Efficiently | |
NIST Cyber Security Framework
• Each step required
• Detect and Respond provide immediate value when prevention is not mature
• Reduce impact of breaches
• Prevention takes time, even then not 100%
[Figure: NIST CSF functions Identify, Protect, Detect, Respond, Recover.]
Security Roadmap Funding Priorities
• Investment priorities evaluated by
  • Risk Priority
  • Business Support
  • IT Capacity
  • Cost (internal labor & Op. Ex.)
• Top Priorities - Funding Approval Request (blue icons)
  • Incident Response Plan
  • Mature Vulnerability Mngt.
  • Device Malware Management
  • IT Risk Management
  • Update Security Policy
• Next Priorities
  • Back-up Restore
  • Remote 2-Factor
  • Replace Obsolete Systems
  • Access Mngt. (terminated users)
[Chart: roadmap initiatives plotted on a 0–100 scale against a $0–$100 cost scale. Initiatives shown: Mature Vuln. Mngt., Incident Response, Proposal Plan, Replace Obsolete Software Plan, Replace Obsolete Software, Encrypt Data at rest, Backup-Restore, Remote Access: 2-Factor, Access Management, Device Standards/Mngt., Anti-phishing program, IT Risk Mngt., Inventory Data, Update Policy, Strengthen Wireless Plan, Anti-DoS, Unique IDs Plan, Media Destruction, Business Impact Analysis, Background Checks, Sanction Policy.]
Next Steps
• Execute current commitments
• Formalize “Organization of Information Security”
• Fund priority investment requests
• Complete 3 year roadmap during FYxx planning
Additional Content
Appendix (additional stories)
Security Roadmap Template
[Gantt grid: initiatives under Current Focus listed by row with a Priority column; columns are quarters Q1–Q4 of FY15, FY16, and FY17, with planning milestones for FY16 Investments and FY17 Investments. Legend: Project / Sustained Process / Transition.]
Primary Services: Current State
Service | Maturity | Capacity | Org. Alignment
Primary Service1 (from previous slide) | Select a light and/or short description (see notes) | Select a light or short description | Select a light or short description
Primary Service2 | | |
• Optional: show process maturity, capacity, or org. alignment visuals
Risk By Business Driver
Group | Title | Score
Protect Brand | Backup-restore | 68
Protect Brand | Denial of Service | 45
Protect Brand | Terminated Users | 68
Protect Brand | Vuln. mngt. | 85
Protect Brand | Business continuity | 38
Protect Brand | Incident Response | 78
Protect Brand | Attack Chain: malware | 65
Protect Brand | Obsolete Software | 73
Protect Brand | Phishing victims | 55
Privacy | Unencrypted Data | 71
Privacy | Media destruction | 41
Privacy | Data inventory | 48
Privacy | inventory | 59
Privacy | Appropriate access | 35
Privacy | Device Malware/Abuse | 64
Enable Business | No 2-Factor | 64
Enable Business | Partner Requirements | 59
Compliance | Shared ID's | 35
Compliance | Sanction Policy | 36
Compliance | Password Policies | 42
Compliance | Validate Access | 37
Compliance | Wireless controls | 41
Compliance | Risk management | 55
Compliance | Background checks | 35
[Heat map: the risks above plotted by business driver (Protect Brand, Privacy, Enable Business, Compliance); both axes run 3–10; zones labeled Accept / Evaluate / Act.]
Data Related Threats
• Threats
  • Regulatory Costs
    • Fines associated with accidental loss or theft of Data
    • Initiated by report or complaint to Office of Civil Rights (OCR)
  • Criminal Organizations
    • Data theft and discovery
  • Complaint from OCR, Health & Human Services (HHS), or patient
• OCR Fines, Audit, and Remediation Costs
  • Required annual compliance program and audit regardless of breach volume
  • Subjective fine determination based on knowledge of loss, control awareness, and effectiveness (see notes for references)
  • Fines range from $2 to $5,208 per record
  • Avg. fine $255 per record
• Examples
  • Wellpoint: Inadequate general controls, loss of 612,402 records, $1.7M fine
  • North Idaho Hospice: “unsecured Data,” <500 records, $50k fine
(Specific to industry; leverage ISACs, intel. services)
Local Industry Collaboration
• Project to meet & collaborate with <peer> security leaders
  • Information Security priorities
  • Investment levels
  • Optimal organizational structure
(Summarize outreach efforts for industry comparison)
Calibrated Risk Scale Definitions
Impact
Value | Direct Costs | Indirect Costs | Examples
10 | Revenue: Missed Targets of $xxx,xxx. Regulatory: Fines & Audits of... | Competitive: Differentiator of... Goodwill: Customer departure of... | Focus: Mitigate Risk, e.g. material loss estimated above $xx,xxx,xxx.
... | | |
6 | Revenue: Limited to department... Regs: Increased scrutiny... | Goodwill: Customer churn of 5-10%... | Focus: Owner Judgment, e.g. business considerations.
Frequency
Value | Description | ARO Guide | Examples
10 | Strong evidence of imminent realization, precedent exists, reliable intelligence. | > 1 annually, see risk details for estimates | Known control weaknesses of..., confirmed agent...
... | | |
6 | Difficult to exploit without internal... | Realized once in 4 years... | Private system, agent unconfirmed
Strategy Communication
Mission success requires stakeholder awareness, support, & participation
Stakeholder | Communication | Means | Frequency
Board of Directors | State & Compliance Summary | BoD Summary | Semi-Annual
Executive Team | State, Compliance, & Initiative Summary | Executive Summary; Metric Summary | Quarterly
Business Lines | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Semi-Annual
IT | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Monthly
Employees/Customers | Awareness Training & Measurement | Awareness Training; User Intranet; Engagement Portal | Semi-Annual
Key Performance Indicators
(Reference Master Metrics List - starter set below)
Security Incidents
• No. critical & emergency incidents
• No. of moderate incidents
Access Management
• % accounts deprovisioned within standard
Device Security
• % of production servers compliant to minimum standards
Application Security
• % apps with security assessment completed
• # Critical vulns in production
IT/Biz Project Support
• # Long-term engagements
• # Medium & Short term engagements
• # of unplanned, short projects
Security Program
• % security initiatives completed on time
Complete Risk Statements
[Diagram: decomposition of a risk statement. Risk splits into Impact (Direct, Indirect) and Frequency; supporting factors shown: Corrective Capability, Vuln. Attributes, Control Effectiveness, Agent. Leaf attributes: Regulatory, Goodwill, Complexity, Roles, Capability, Motivation, Recovery, Scrutiny, Vector, Awareness, Occurrence, Revenue, Competitive, Access, Tools, Availability, Policy & Process, Detect/Deter.]
Align Controls To Agent Impacts
[Figure: threat agents (Script Kiddie, Hacktivists, Criminals, Malicious Insider, Advanced Adversary for IP) on an axis of Motive: Skill & Perseverance, plotted against controls on an axis of Controls: Spending & Process Maturity (1–5). Controls shown: Vuln Scans, Device Mngt., Basic AAA, Basic SDL, Adv. Awareness Edu., DoS, IRM, Fraud Detection, Advanced AAA, Advanced SDL, Custom Malware Detection, Full Packet Capture Analysis, Response & Forensics Expertise.]
Executive Discussion Example (unsorted)
Question | Answer (in strategy deck) | Balanced Score Card Category | High Level Measurements
Has anything bad happened? | # High incidents; # Medium incidents; # Near misses | Financial | # High incidents; # Medium incidents; # Near misses
What are the top risks? | Top risk estimates e.g. Heat Map | Financial | % risks with treatment decisions; % unacceptable risks under mitigation; +/- % Annual budget
What are we doing about them? | Funded initiatives; Future initiatives | Learning & Growth | +/- % Initiative budget (amount); $ estimate future initiatives
Are we improving internally? | Target process maturity | Learning & Growth | % Processes at target maturity; +/- # Process improvement initiatives (count)
How are we helping the business? | Strategy alignment; Training; Consulting | Customer | % business strategies aligned with Security; % training objectives met; # business & IT consulting projects
Is our environment resilient? | Control metrics | Internal Business | % key controls with metrics; % metrics at/above target
Are we compliant? | Passed last year; Overdue findings; Repeat findings | Internal Business | # overdue findings; # repeat findings
Are we efficient? | Initiatives on time & budget | Internal Business | Budget to Forecast variance; % Initiatives completed on time & budget
Balanced Security Scorecard (Example)
Financial
  Risks
  • % risks with treatment decisions
  • % unacceptable risks under mitigation
  • +/- % Annual budget
  Incidents
  • # High incidents
  • # Medium incidents
  • # Near misses
Internal Business
  Resiliency
  • % Key controls with metrics
  • % Metrics at/above target
  Compliance
  • # Overdue findings
  • # Repeat findings
  Efficiency
  • Budget to forecast variance
  • % Initiatives completed on time & budget
Learning & Growth
  • $ Initiative budget (+/- last year)
  • # process improvement initiatives (+/- last year)
  • $ Estimate future initiatives
  • % Processes at target maturity
Customer
  • % Business strategies aligned with Security Services
  • % Training objectives met
  • # Business & IT consulting projects (+/- % budgeted)