May 2011
There is no single universal model for organizational structure to ensure that
the Information Security requirements for the organization are adequately
met.

There is still some uncertainty regarding what such Information Security
Governance actually consists of

Information Security Governance does not function in isolation

Information Security Governance, Management and Operations have very different
functions, and clarity among them is fundamental to the performance of
each.

How do Organizations currently operate Globally & in the Middle East?




3     Information Security Governance                               @ 2011 Deloitte & Touche
17% of Organizations Globally have a person responsible for Information Security. 33% in
the Middle East

40% of the CISOs Globally report directly to IT related positions (CIO, IT executive and
CTO). 31% in the Middle East

Only 67% of respondents indicate that they have a security governance structure. 49% in the
Middle East

Only 56% of respondents indicate they have a documented and approved information
security strategy. 38% in the Middle East

Only 18% of respondents have established metrics that have been aligned to business
value and report on a scheduled basis. 15% in the Middle East

Only 30% of respondents state that there is appropriate alignment between the business
and information security initiatives. 32% in the Middle East



Corporate governance is the set of processes, customs, policies, laws, and
institutions affecting the way a corporation (or company) is directed, administered or
controlled.

Corporate governance also includes the relationships among the many
stakeholders involved and the goals for which the corporation is
governed.

Subsets of Corporate Governance include:

•   Financial Governance
•   Information Technology Governance
•   Enterprise Risk Governance
•   Information Security Governance




The structure, oversight and management processes which ensure the delivery of
overall corporate governance require integration between the different subsets of
the Corporate Governance Model.

[Figure: Corporate Governance at the top, with four subsets beneath it: Legal
Governance, Enterprise Risk Governance, Information Technology Governance and
Information Security Governance. Information Security Governance in turn covers
Information Security Management and Information Security Operations; together
these form the Information Security Organization.]

An organization's Information Security Governance can be defined as "the processes
that ensure that reasonable and appropriate actions are taken to protect the
organization's information resources, in the most effective and efficient manner, in
pursuit of its business goals".
"Information Security Governance", "Information Security Management" and
"Information Security Operations" are broad terms, and we must bring these topics into
focus. Members of governance committees must understand the difference between
them in order to avoid dysfunction and meet Business, Risk and IT goals.

Very broadly:

Information Security Governance: Exists to ensure that the security program adequately
meets the strategic needs of the business.

Information Security Management: Implements that program.

Information Security Operations: Executes or manages security-related processes
relating to current infrastructure on a day-to-day basis.

Each of these layers must engage with corresponding layers throughout
the enterprise.


Information Security Steering Committee

[Figure: organization chart of the Information Security Steering Committee.
Information Security Governance sits at the centre, connected to 3rd Party Service
Providers, Corporate Risk Management, the Chief Information Officer (CIO), Lines of
Business Management, IT Operations, the Information Security Communication Forum and
the Information Security Advisory Board. Beneath it sit Information Security
Management and Information Security Operations, each with their own 3rd Party
Service Providers.]
Prudent CISOs are building their Security Governance Strategies based on the current
economic climate, changes in the technology landscape, and most importantly, to meet
and exceed the business expectations. Yet despite their best intentions, many are still
struggling to improve relationships with the business that they operate in.

Without alignment, Information Security Governance operates in a vacuum and will
implement security controls that are invariably either too strong, and thus expensive
and restrictive, or too weak, resulting in too much residual risk.

[Figure: the Security Governance cycle (1. Plan, 2. Implement, 3. Manage, 4. Monitor)
surrounded by the elements it must integrate with: Culture, Controls, Process,
People, Technology and Integration.]
The following 4 domains must be considered when establishing an Information Security
Governance Program:

Plan
•   Security Program Strategy
•   Security Architecture
•   Security Budget
•   Governance Policy Management

Implement
•   Develop Governance Processes
•   Institute Governance Forums
•   Security Policy Review and Development

Manage
•   Accountabilities
•   Funding
•   Conflict Conciliation and Arbitration
•   Program and Project Oversight

Monitor
•   Project Oversight
•   Value Assessments
•   Operational Oversight
•   Metrics and Measurement
Plan: Security Program Strategy

1.   Current State
2.   Desired State
3.   Gap Analysis
4.   Projects and Initiatives Derived from the Gap Analysis
5.   A Reporting Framework
Plan: Security Architecture

Security architecture is the planning discipline that provides the foundational
models, templates and principles that support the program strategy. These artifacts
are used to develop security technology and process solutions that match business
requirements while maximizing standardization and reuse.

•   Security Operations
•   Security Monitoring and Review
•   User Management
•   User Awareness
•   Application Security
•   Database / Metadata Security
•   Host Security
•   Internal Network Security
•   Network Perimeter Security
•   Physical and Environmental Security
Plan: Security Budget Planning

The process of allocating financial resources to information security projects and
operational activities.

Plan: Governance Policy Management

Sets the principles for policy management, specifically regarding issues such as:

•   Ownership
•   Documentation standards
•   Approval and formalization procedures
•   Enforcement regimes
•   Review and exception procedures
Implement: Develop Governance Processes

Design the governance processes:
•   The goal of the process
•   The action steps to be taken and in what sequence
•   The responsibilities associated with the process
•   The process flow

Integrate the security governance framework with existing IT frameworks and
Information Security Management frameworks in order to leverage the commonalities
between the frameworks.

Implement: Institute Governance Forums

Establish Governance forums and a steering committee:
•   Establish the accountabilities and responsibilities for information security
    within the organization.
•   Oversee the governance processes.
•   Commission and sponsor the corporate information security program.
Implement: Security Policy Review and Development

Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of
your organization's information security policy.

Identify major strengths and weaknesses of the policy and provide recommendations
for improvement.
Manage

Design and explain management processes to the respective stakeholders for
implementation:

Accountabilities: Accountabilities and responsibilities for information security are
executed effectively.

Funding: Manage effective allocation of financial resources for security initiatives
as decided in the budget process.

Conflict Conciliation and Arbitration: Facilitate assessment of conflicting security
requirements between different stakeholders. Ensure specific policy and controls
decisions are based on adequate consideration of individual and collective
requirements.

Program and Project Oversight: Track security program and projects, deliverables, and
costs to ensure they remain within acceptable tolerances.
Monitor

Design and explain monitoring processes to the respective stakeholders for
implementation:

Project Oversight: Assess project results. Report on objectives achieved and missed,
as well as unexpected results and consequences.

Value Assessments: Periodically assess the value of information security investments.
Is the organization getting the anticipated benefits from investments involving
information security?

Operational Oversight: Ensure that the execution of the information security program,
and all its associated processes and activities, is done within the parameters set
out by the program strategy, architecture, and policy strategy.

Metrics and Measurement: Measuring and reporting on the impact of the information
security program on overall IT governance and Corporate Governance.
Strategic Alignment of information security with business strategy to support
organizational objectives

Risk Management by executing appropriate measures to manage and mitigate risks
and reduce potential impacts on information resources to an acceptable level

Resource Management by utilizing information security knowledge and infrastructure
efficiently and effectively

Performance Measurement by measuring, monitoring and reporting information
security governance metrics to ensure that organizational objectives are achieved

Value Delivery by optimizing information security investments in support of
organizational objectives




Leader, Security & Privacy – Middle East
Fadi Mutlak
+971 4 369 8999
fmutlak@deloitte.com




Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which
is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu
Limited and its member firms.


Member of Deloitte Touche Tohmatsu Limited

Valiente Balancing It SecurityCompliance, Complexity & CostGuardEra Access Solutions, Inc.
 
IBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking: Automated Systems help meet new Compliance RequirementsIBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking: Automated Systems help meet new Compliance RequirementsIBM Banking
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT SecuritySeccuris Inc.
 
Secure by design building id based security
Secure by design building id based securitySecure by design building id based security
Secure by design building id based securityArun Gopinath
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
IT Governance with Digité Enterprise
IT Governance with Digité EnterpriseIT Governance with Digité Enterprise
IT Governance with Digité EnterpriseDigite Inc
 
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docxITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docxvrickens
 
rethinking marketing
rethinking marketingrethinking marketing
rethinking marketingNavneet Singh
 
ITFM Business Brief
ITFM Business BriefITFM Business Brief
ITFM Business Briefwdjohnson1
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance frameworkAnne ndolo
 
Mike2.0 Information Governance Overview
Mike2.0 Information Governance OverviewMike2.0 Information Governance Overview
Mike2.0 Information Governance Overviewsean.mcclowry
 
ITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docx
ITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docxITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docx
ITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docxvrickens
 

Similar to Fadi Mutlak - Information security governance (20)

Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
 
Information Governance
Information GovernanceInformation Governance
Information Governance
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Effective IT Security Governance
Effective IT Security GovernanceEffective IT Security Governance
Effective IT Security Governance
 
Valiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostValiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & Cost
 
IBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking: Automated Systems help meet new Compliance RequirementsIBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking: Automated Systems help meet new Compliance Requirements
 
TripleTree eDiscovery
TripleTree  eDiscoveryTripleTree  eDiscovery
TripleTree eDiscovery
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT Security
 
Secure by design
Secure by designSecure by design
Secure by design
 
Secure by design building id based security
Secure by design building id based securitySecure by design building id based security
Secure by design building id based security
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
IT Governance with Digité Enterprise
IT Governance with Digité EnterpriseIT Governance with Digité Enterprise
IT Governance with Digité Enterprise
 
Dit yvol4iss40
Dit yvol4iss40Dit yvol4iss40
Dit yvol4iss40
 
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docxITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
 
rethinking marketing
rethinking marketingrethinking marketing
rethinking marketing
 
ITFM Business Brief
ITFM Business BriefITFM Business Brief
ITFM Business Brief
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance framework
 
Mike2.0 Information Governance Overview
Mike2.0 Information Governance OverviewMike2.0 Information Governance Overview
Mike2.0 Information Governance Overview
 
ITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docx
ITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docxITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docx
ITS 833 – INFORMATION GOVERNANCEChapter 2 – Information Go.docx
 

More from nooralmousa

Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration TestingMr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testingnooralmousa
 
Mr. Bulent Teksoz - Security trends and innovations
Mr. Bulent Teksoz  - Security trends and innovationsMr. Bulent Teksoz  - Security trends and innovations
Mr. Bulent Teksoz - Security trends and innovationsnooralmousa
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
Mr. Khalid Shaikh - emerging trends in managing it security
Mr. Khalid Shaikh  - emerging trends in managing it securityMr. Khalid Shaikh  - emerging trends in managing it security
Mr. Khalid Shaikh - emerging trends in managing it securitynooralmousa
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...nooralmousa
 
Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.nooralmousa
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman  - Open information security management maturity modelSudarsan Jayaraman  - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelnooralmousa
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldnooralmousa
 
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsRenaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsnooralmousa
 
Ahmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threatAhmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threatnooralmousa
 
Mohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environmentsMohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environmentsnooralmousa
 
Pradeep menon how to influence people and win top management buy0in for ciso
Pradeep menon   how to influence people and win top management buy0in for cisoPradeep menon   how to influence people and win top management buy0in for ciso
Pradeep menon how to influence people and win top management buy0in for cisonooralmousa
 
Nabil Malik - Security performance metrics
Nabil Malik - Security performance metricsNabil Malik - Security performance metrics
Nabil Malik - Security performance metricsnooralmousa
 
Khaled al amri using fingerprints as private and public keys
Khaled al amri   using fingerprints as private and public keysKhaled al amri   using fingerprints as private and public keys
Khaled al amri using fingerprints as private and public keysnooralmousa
 
Hisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloudHisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloudnooralmousa
 
Ghassan farra it security a cio perspective
Ghassan farra   it security a cio perspectiveGhassan farra   it security a cio perspective
Ghassan farra it security a cio perspectivenooralmousa
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudnooralmousa
 

More from nooralmousa (17)

Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration TestingMr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
 
Mr. Bulent Teksoz - Security trends and innovations
Mr. Bulent Teksoz  - Security trends and innovationsMr. Bulent Teksoz  - Security trends and innovations
Mr. Bulent Teksoz - Security trends and innovations
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Mr. Khalid Shaikh - emerging trends in managing it security
Mr. Khalid Shaikh  - emerging trends in managing it securityMr. Khalid Shaikh  - emerging trends in managing it security
Mr. Khalid Shaikh - emerging trends in managing it security
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
 
Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman  - Open information security management maturity modelSudarsan Jayaraman  - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity model
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
 
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsRenaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
 
Ahmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threatAhmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threat
 
Mohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environmentsMohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environments
 
Pradeep menon how to influence people and win top management buy0in for ciso
Pradeep menon   how to influence people and win top management buy0in for cisoPradeep menon   how to influence people and win top management buy0in for ciso
Pradeep menon how to influence people and win top management buy0in for ciso
 
Nabil Malik - Security performance metrics
Nabil Malik - Security performance metricsNabil Malik - Security performance metrics
Nabil Malik - Security performance metrics
 
Khaled al amri using fingerprints as private and public keys
Khaled al amri   using fingerprints as private and public keysKhaled al amri   using fingerprints as private and public keys
Khaled al amri using fingerprints as private and public keys
 
Hisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloudHisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloud
 
Ghassan farra it security a cio perspective
Ghassan farra   it security a cio perspectiveGhassan farra   it security a cio perspective
Ghassan farra it security a cio perspective
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
 

Fadi Mutlak - Information security governance

  • 2.
  • 3. There is no single universal model for organizational structure to ensure that the Information Security requirements for the organization are adequately met.
    There is still some uncertainty regarding what such Information Security Governance actually consists of.
    Information Security Governance does not function in isolation.
    Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each.
    How do Organizations currently operate Globally & in the Middle East?
    3 Information Security Governance @ 2011 Deloitte & Touche
  • 4. • 17% of Organizations Globally have a person responsible for Information Security. 33% in the Middle East.
    • 40% of the CISOs Globally report directly to IT related positions (CIO, IT executive and CTO). 31% in the Middle East.
    • Only 67% of respondents indicate that they have a security governance structure. 49% in the Middle East.
    • Only 56% of respondents indicate they have a documented and approved information security strategy. 38% in the Middle East.
    • Only 18% of respondents have established metrics that have been aligned to business value and report on a scheduled basis. 15% in the Middle East.
    • Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives. 32% in the Middle East.
  • 5.
  • 6. Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled.
    Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed.
    Subsets of Corporate Governance include:
    • Financial Governance
    • Information Technology Governance
    • Enterprise Risk Governance
    • Information Security Governance
  • 7. Corporate Governance: the structure, oversight and management processes which ensure the delivery of the overall corporate governance. Corporate Governance requires integration between the different subsets of the Corporate Governance Model: Enterprise Risk Governance, Information Technology Governance, Legal Governance and Information Security Governance.
    An organization's Information Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals".
    (Diagram: the Information Security Organization, made up of Information Security Governance, Information Security Management and Information Security Operations.)
  • 8. "Information Security Governance", "Information Security Management" and "Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet Business, Risk and IT goals.
    Very broadly:
    • Information Security Governance: exists to ensure that the security program adequately meets the strategic needs of the business.
    • Information Security Management: implements that program.
    • Information Security Operations: executes or manages security-related processes relating to current infrastructure on a day-to-day basis.
    Each of these layers must engage with corresponding layers throughout the enterprise.
  • 9. (Organization chart of the bodies involved in Information Security Governance:)
    • Information Security Steering Committee
    • Corporate Risk Management
    • Chief Information Officer (CIO)
    • Lines of Business
    • IT Operations Management
    • 3rd Party Service Providers (engaged at the governance, management and operations levels)
    • Information Security Governance
    • Information Security Advisory Board
    • Information Security Communication Forum
    • Information Security Management
    • Information Security Operations
  • 10.
  • 11. Prudent CISOs are building their Security Governance Strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in.
    Without alignment, Information Security Governance operates in a vacuum and will implement security controls that are invariably either too strong — and thus expensive and restrictive — or too weak, resulting in too much residual risk.
    (Diagram: Security Governance Integration across Culture, Controls, Process, People and Technology, through the four domains 1. Plan, 2. Implement, 3. Manage, 4. Monitor.)
  • 12. The following 4 domains must be considered when establishing an Information Security Governance Program:
    • Plan: Security Program Strategy; Security Architecture; Security Budget; Governance Policy Management
    • Implement: Develop Governance Processes; Institute Governance Forums; Security Policy Review and Development
    • Manage: Accountabilities; Funding; Conflict Conciliation and Arbitration; Program and Project Oversight
    • Monitor: Project Oversight; Value Assessments; Operational Oversight; Metrics and Measurement
  • 13. Plan: Security Program Strategy
    1. Current State
    2. Desired State
    3. Gap Analysis
    4. Projects and Initiatives Derived from the Gap Analysis
    5. A Reporting Framework
  • 14. Plan: Security Architecture
    Security architecture is the planning discipline that provides the foundational models, templates and principles that support the program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse.
    • Security Operations
    • Security Monitoring and Review
    • User Management
    • User Awareness
    • Application Security
    • Database / Metadata Security
    • Host Security
    • Internal Network Security
    • Network Perimeter Security
    • Physical and Environmental Security
  • 15. Plan: Security Budget Planning
    The process of allocating financial resources to information security projects and operational activities.
    Plan: Governance Policy Management
    Sets the principles for policy management, specifically regarding issues such as:
    • Ownership
    • Documentation standards
    • Approval and formalization procedures
    • Enforcement regimes
    • Review and exception procedures
  • 16. Implement: Develop Governance Processes
    Design the governance processes:
    • The goal of the process
    • The action steps to be taken and in what sequence
    • The responsibilities associated with the process
    • The process flow
    Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks.
    Implement: Institute Governance Forums
    Establish Governance forums and steering committee:
    • Establish the accountabilities and responsibilities for information security within the organization.
    • Oversee the governance processes.
    • Commission and sponsor the corporate information security program.
  • 17. Implement: Security Policy Review and Development
    Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of your organization's information security policy. Identify major strengths and weaknesses of the policy and provide recommendations for improvement.
  • 18. Manage
    Design and explain management processes to the respective stakeholders for implementation:
    • Accountabilities: Accountabilities and responsibilities for information security are executed effectively.
    • Funding: Manage effective allocation of financial resources for security initiatives as decided in the budget process.
    • Conflict Conciliation and Arbitration: Facilitate assessment of conflicting security requirements between different stakeholders. Ensure specific policy and controls decisions are based on adequate consideration of individual and collective requirements.
    • Program and Project Oversight: Track security program and projects, deliverables, and costs to ensure they remain within acceptable tolerances.
  • 19. Monitor
    Design and explain monitoring processes to the respective stakeholders for implementation:
    • Project Oversight: Assess project results. Report on objectives achieved and missed, as well as unexpected results and consequences.
    • Value Assessments: Periodically assess the value of information security investments. Is the organization getting the anticipated benefits from investments involving information security?
    • Operational Oversight: Ensure that the execution of the information security program, and all its associated processes and activities, is done within the parameters set out by the program strategy, architecture, and policy strategy.
    • Metrics and Measurement: Measuring and reporting on the impact of the information security program on overall IT governance and Corporate Governance.
  • 20.
  • 21. • Strategic Alignment of information security with business strategy to support organizational objectives
    • Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
    • Resource Management by utilizing information security knowledge and infrastructure efficiently and effectively
    • Performance Measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
    • Value Delivery by optimizing information security investments in support of organizational objectives
  • 22.
  • 23. Leader, Security & Privacy – Middle East Fadi Mutlak +971 4 369 8999 fmutlak@deloitte.com @ 2011 Deloitte & Touche
  • 24. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Member of Deloitte Touche Tohmatsu Limited