
Build a Security Governance and Management Plan
Establish the missing bridge between security and the business to support tomorrow's enterprise with minimal resources.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
1997-2016 Info-Tech Research Group Inc.

Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:
o CISOs, CSOs, CEOs, CIOs, IT leaders, and business leaders who would like to improve alignment between security and business activities, optimize security resources, implement an effective risk mitigation strategy, and improve the transparency of security initiatives.
o CISOs, CSOs, and CIOs who would like to better support the business.

This Research Will Help You:
o Develop a customized, comprehensive information security governance and management framework.
o Apply your security governance framework to your organization and create a roadmap for implementation.
o Develop a measurement program to continuously improve your security governance.

This Research Will Also Assist:
o CEOs, CFOs, and other business leaders.
o Business stakeholders that are continually affected by security.

This Research Will Help Them:
o Understand the value of information security governance and management, as it has the ability to close any security gaps.


Executive summary

Situation
o Security programs tend to focus on technology to protect organizations, while often neglecting the people, processes, and policies needed to manage the program.
o It seems like a daunting and almost useless project to undertake.

Complication
This leads to several problems:
o The security team doesn't know whether it's supporting business goals.
o The organization has no sense of direction in terms of what security's priorities or initiatives should be.
o Risks are not treated appropriately.

Info-Tech Insight
Technology alone is not enough; security governance and management is needed.
Governance and management ensures that your processes, people, and policies support organizational security. It provides a unifying direction and vision for the entire program, instead of having ad hoc controls for each new initiative.

Resolution
o To bring your security program to the next level, security governance and management is needed.
o Your security governance and management program needs to be customized to your organization's needs.
o This project will guide you through the process of creating a customized security governance and management plan that is comprehensive enough to cover all your bases, while keeping costs to a minimum.
o Begin defining your needs through a security pressure posture analysis and use best practices to determine what your security program should include.
o Conduct a gap analysis to collect the initiatives you need to reach your target state.
o Create an action plan and implement this project with the tools and templates provided by Info-Tech.


Use these icons to help direct you as you navigate this research
Use these icons to help guide you through each step of the blueprint and direct you to content related to
the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform
the activity or step associated with the slide. Refer to the supporting tool or template to get
the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as
part of your project or with the support of Info-Tech team members, who will come onsite to
facilitate a workshop for your organization.


Info-Tech offers various levels of support to best suit your needs

DIY Toolkit: Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

Guided Implementation: Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.

Workshop: We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.

Consulting: Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.

Diagnostics and consistent frameworks are used throughout all four options.


Security Governance and Management Project Overview

Module 1 (Onsite Workshop): Assess security requirements
Best-Practice Toolkit:
1.1 Understand the value of security governance and management
1.1 Create a convincing business case
2.1 Define your risk tolerance
2.2 Determine your security pressure posture
Guided Implementations:
o Understand the value and challenges of security governance and management to create your business case.
o Define your risk tolerance and determine your security pressure posture.
Phase 1 Results: Understanding of the pressure posture and security governance.

Module 2 (Onsite Workshop): Perform a gap analysis
Best-Practice Toolkit:
3.1a Understand the different components of a security governance and management program
3.1b Self-assess your security governance and management capabilities and maturity levels
3.2 Define the governance and management target state
Guided Implementations:
o Perform a current state assessment of your capabilities and maturity levels.
o Establish the governance and management target state.
Phase 2 Results: Identified gaps in the program.

Module 3 (Onsite Workshop): Develop gap initiatives
Best-Practice Toolkit:
4.1 Identify existing gaps
4.2 Build initiatives to bridge the gap
4.3 Estimate the resources needed
4.4 Build an effort map
4.5 Determine start time and accountability
Guided Implementations:
o Identify where there are existing gaps and where initiatives should be built.
o Prioritize the gaps based on resources and efforts to create an implementation timeline.
Phase 3 Results: Actionable initiatives to continue building out security governance.

Module 4 (Onsite Workshop): Implement gap initiatives
Best-Practice Toolkit:
5.1 Finalize roadmap and action plan
5.2 Build out governance and management deliverables
6.1 Develop your security metrics
6.5 Develop a cycle of continuous improvement through your measurement program
Guided Implementations:
o Review and finalize the governance and management roadmap and action plan.
o Build out your governance and management deliverables.
Phase 4 Results: Completed governance and management deliverables.


Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Day 1: Assess security requirements
Activities:
1.1 Understand the value of security governance and management
1.2 Create a convincing business case
1.3 Define your risk tolerance
1.4 Determine your security pressure posture
Deliverables:
1. Business case for security governance and management.
2. Defined risk tolerance.
3. Defined security pressure posture.

Workshop Day 2: Perform a gap analysis
Activities:
2.1 Understand the different components of a security governance and management program
2.2 Self-assess your security governance and management capabilities and maturity levels
2.3 Define the governance and management target state
Deliverables:
1. Current maturity levels of the security governance and management capabilities.
2. Established target state for the capabilities.

Workshop Day 3: Develop gap initiatives
Activities:
3.1 Identify existing gaps
3.2 Build initiatives to bridge the gap
3.3 Estimate the resources needed
3.4 Build an effort map
3.5 Determine start time and accountability
Deliverables:
1. Identified gaps in the existing security program.
2. Gap initiatives in order to close the gaps.
3. Prioritization of the gaps, assisting in implementation.

Workshop Day 4: Implement initiatives
Activities:
4.1 Finalize roadmap and action plan
4.2 Build out governance and management deliverables
4.3 Develop your security metrics
4.4 Develop a cycle of continuous improvement through your measurement program
Deliverables:
1. Finalized roadmap and action plan.
2. Completed governance and management deliverables.
3. Developed security metrics.

Workshop Day 5: Communicate and continue to implement
Activities:
5.1 Finalize deliverables
5.2 Support communication efforts
5.3 Identify resources in support of priority initiatives
Deliverables:
1. Security governance and management plan and roadmap.
2. Mapping of Info-Tech resources against individual initiatives.


Phase 1: Assess Security Requirements


Phase 1 outline
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Assess security requirements
Proposed Time to Completion: 1 week

Step 1.1: Create a convincing business case
Start with an analyst kick-off call:
o Understand the value and challenges of security governance and management.
Then complete these activities:
o Create your business case by documenting your goals, objectives, and challenges.
With these tools & templates:
o Security Governance and Management Challenge Analysis Tool
o Information Security Governance and Management Business Case Template

Step 2.1-2.2: Define your risk tolerance and determine your security pressure posture
Understand your organizational risk:
o Complete the organization's risk tolerance exercise with the help of an analyst.
o Determine your inherent risk through a pressure posture analysis.
Then complete these activities:
o Determine the risk tolerance and define the security pressure posture.
With these tools & templates:
o Security Pressure Posture Analysis Tool

Phase 1 Results & Insights:
Assessment of the organization's requirements for a security governance and management program.


Step 1: Make the Case

1 Make the case | 2 Determine the security pressure posture | 3 Establish target state | 4 Conduct a gap analysis | 5 Implement governance initiatives | 6 Develop metrics

This step will walk you through the following activities:
o Launch a business case for your security governance and management.
o Understand the main challenges facing security governance and management.

This step involves the following participants:
o CISO/Head of Security
o Security Engineer
o CIO

Outcomes of this step
o Understanding of what security governance and management means for your organization.
o Goals behind putting a proper framework in place.
o Identified challenges facing the organization.


1.1 Understand the elements involved in information security governance and management

Security Governance Definition
"Information security governance includes the elements required to provide senior management assurance that its direction and intent are reflected in the security posture of the organization by utilising a structured approach to implementing an information security program."
ISACA, Information Security Governance: Guidance for Information Security Managers

Security Management Definition
"Information Security Management refers to the processes that ensure confidentiality, integrity, and availability of an organization's assets, information, data, and IT services."
ITIL v3

Security governance is an integral part of IT governance and corporate governance.
[Figure: nested circles showing Security Governance within IT Governance within Corporate Governance]
Security governance involves the following activities:
o Evaluating current security activities and their impact on business objectives.
o Providing direction for the security team by determining a risk appetite, allocating investment and resources, etc.
o Monitoring the effectiveness of the security program.
o Regular communications with stakeholders regarding security activities and performance.

[Figure: Security governance directs, evaluates, and monitors; security management executes based on governance]

Security Management
Security management executes based on direction from security governance. Some activities involved in security management include:
o Building and executing a metrics program.
o Creating policies.
o Executing risk management based on a risk appetite defined by security governance.
o Developing and executing a training and awareness program.
o Developing a security charter and organizational structure.
o Ensuring compliance.


1.1 Understand where information security and governance fit in a complete security program

Info-Tech covers a wide range of security areas including network security services, asset security services, and identity security services. Information security governance and management is the foundation for a complete information security program.

Security governance ensures that the right things are done. Comparatively, security management ensures that things are done right.


1.1 Data breaches are resulting in major costs across industries

o Incident detection and escalation costs. Forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and board of directors. Average costs are at an all-time high of $0.61 million per breach.
o Notification costs. Creation of contact databases, determination of regulatory requirements, engagement of outside experts, postal expenses, secondary contacts to mail or email bounce-backs, and inbound communication set-up. Average cost was $0.56 million per breach.
o Post data breach costs. Help desk activities, communications, investigative activities, remediation activities, legal costs, product discounts, identity protection services, and regulatory interventions. Average cost increased to $1.64 million per breach.
o Lost business costs. Abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill. Average cost was $3.72 million per breach.

Per Capita Cost by Industry Classification of Benchmarked Companies (per capita cost by industry, i.e. cost per compromised record):
Health: $398
Pharmaceutical: $298
Financial: $259
Energy: $256
Transportation: $252
Communications: $237
Education: $225
Services: $219
Consumer: $218
Industrial: $190
Retail: $189
Media: $185
Technology: $178
Research: $166
Hospitality: $135
Public: $73

Average data breach costs per compromised record hit an all-time high of $217. $74 is direct cost (e.g. legal fees, technology investment). $143 is indirect cost (e.g. abnormal customer churn).
Source: 2015 Cost of Data Breach Study, United States, Ponemon Institute


1.1 Recognize the value of a good security program for your organization

Tangible cost savings from a security program
o Cost savings from incident reduction.
o Cost savings achieved through optimizing information security investments, resulting in savings from previously misdiagnosed issues.
o Cost savings from ensuring that dollars spent on security initiatives support business strategy.

Security controls that reduce the per record cost of a data breach (security control: per record cost reduction)
Incident response team: $23.8
Extensive use of encryption: $19.0
BCM investment: $13.6
CISO appointed: $12.2
Employee training: $11.0
Board-level involvement: $9.8
Insurance protection: $7.9

Intangible cost savings from a security program
Improving your information security governance program drives value through the following:
o Improved reputation and brand equity achieved through a proper evaluation of the organization's security posture.
o Improved reputation and brand equity achieved through a BCP/BCM process that will enable the business to recover faster from disasters.
o Continuous improvement achieved through a good security measurement program.
o Ability to plan for the future, since less security time will be spent firefighting.

Source: 2015 Cost of Data Breach Study, United States, Ponemon Institute


1.1 Security programs have moved from cost centers to business enablers

Security programs historically have fought to prove their value versus cost
o Organizations could not justify the costs.
o Little appreciation for the benefits of existing controls.
o Underestimation of potential costs of a data breach.

Information Security Budget (in millions) by Company Size (revenue), 2013 vs. 2014:
o Small (revenues less than $100 million): $0.92 (2013), $0.73 (2014)
o Medium (revenues $100 million-$1 billion): $2.80 (2013), $3.00 (2014)
o Large (revenues more than $1 billion): $10.30 (2013), $10.80 (2014)
Source: Managing cyber risks in an interconnected world, Key findings from The Global State of Information Security Survey 2015, PWC

Security programs are being viewed in a new light
o Mature organizations are investing substantially into security programs to move them beyond the group that just says no to business requests.
o CEOs and CFOs are starting to no longer consider security programs as cost centers but as business enabling units.

Security programs are essential to remaining competitive in today's world
o A strong security program can be a competitive differentiator when customers and consumers are selecting products, services, and business partners.
o Prevention controls protect critical data and assets from theft and compromise and eliminate costs and losses.
o Response processes can limit the impact and associated costs from an eventual attack and potential data compromise.

"The best way to deal with security is through a holistic perspective. Ad hoc security is almost an oxymoron. Ad hoc is like locking all the doors to a building and leaving all the windows wide open. The bad guys will figure out that the windows are open quite quickly and not worry about the doors after that."
Consulting, NZ

1.1 Use a convincing business case to highlight the importance of security governance and management

Address a common security governance challenge by helping leadership within your organization understand the benefits of a strong security governance and management program through a business case.

The business case will serve three main goals:
o A business case will help you secure executive sponsorship, funding, and commitment for the project and the eventual governance program. To do this, the business case must present a convincing argument for how the governance program will bring positive business benefits.
o A business case will also identify responsibilities of the security governance program to drive ownership.
o Finally, the business case will also help you clarify your goals for the project.

Know your audience:
o Target the executives who are most affected by security issues to get them on board first. They may be able to help you advocate for the project.
o Tailor your business case to address the specific issues senior executives are currently experiencing.
o Create your business case, keeping in mind that your audience will be concerned about its impact to the overall business, not just security. Avoid using technical jargon and provide an estimated cost and benefit value.

Senior management engagement and a top-down approach is critical to a successful security governance and management program.


1.1 Document your business goals and how information security will support these goals

Estimate: 30 minutes

Build a business case, using the Information Security Governance and Management Business Case Template, in order to describe the overall goals, benefits, challenges, and value proposition of your security governance and management program.

Steps:
1. Complete the section on security governance and management drivers and goals in the Information Security Governance and Management Business Case Template.
2. Document the benefits you expect from this project in the business case.

Record in Info-Tech's Information Security Governance and Management Business Case Template.


1.2 Explore common security governance challenges to understand your own

Estimate: 30 minutes

Complete the Security Governance Challenge section in the Security Governance and Management Challenge Analysis Tool.

Common Security Governance Challenges (challenge: description)
o Difficulty building an information security governance framework: Organizations often lack the resources and knowledge to build a suitable information security governance framework.
o Difficulty achieving buy-in and budget approval from senior management: Senior management may not see the value in implementing security governance and management initiatives.
o Difficulty identifying various requirements and maintaining updated knowledge of them: Compliance requirements, business requirements, and stakeholder requirements are constantly changing. Organizations often have difficulty identifying requirements that apply to them and keeping up with the changes.
o Difficulty prioritizing and initiating security-related activities: Prioritizing and initiating security-related activities can be difficult when there aren't any metrics in place to provide direction.
o A risk appetite that's not clearly defined: Many organizations don't have a clearly defined risk appetite. This makes it difficult to have a systematic and consistent way of treating risk.
o Difficulty incorporating security into business initiatives: Organizations often have difficulty making sure that information security considerations are taken into account when business initiatives are formed or executed.


1.2 Explore common security management challenges to understand your own

Estimate: 30 minutes

Complete the Security Management Challenge section in the Security Governance and Management Challenge Analysis Tool.

Common Security Management Challenges (challenge: description)
o Lack of a sufficient management framework because security is not incorporated in the early stages of IT system design: Security is sometimes a last consideration in business information system design and often gets relegated to the status of a few add-on fixes when all other design decisions have been made.
o Difficulty integrating various security solutions: Security solutions are often isolated and incapable of being integrated together or operating together. A large variety of security solutions can lead to increased complexity and cost of support.
o Ensuring that the current policies are defined and sufficient: It can be a challenge to build the necessary security policies to provide security guidance.
o Creating a security-aware environment: Non-malicious staff can pose a large threat to security if they are unaware of security policies and procedures. However, creating awareness for security can be a challenge.
o Difficulty defining clear roles and responsibilities: Documented roles and responsibilities can be vague, resulting in an inefficient allocation that does not achieve desired results.


1.3 Develop your business case for security governance

Using the Information Security Governance and Management Business Case Template, complete Section 1 (Value Proposition and Strategic Assessment) and Section 2 (Challenge Identification) based on the data collected throughout this module.


Step 2: Determine the Security Pressure Posture

1 Make the case | 2 Determine the security pressure posture | 3 Establish target state | 4 Conduct a gap analysis | 5 Implement governance initiatives | 6 Develop metrics

This step will walk you through the following activities:
o Identification of the organizational risk level.
o Assessment of your security pressure posture.

This step involves the following participants:
o CISO/Head of Security
o Security Engineer
o CIO
o Member of Compliance and Audit Team
o Member of Legal Department

Outcomes of this step
o Determination of the organization's risk level and risk tolerance.
o Assessment of the security pressure posture.
o Understanding of how the organization carries an inherent risk through its regular business function.


2.1 A defined risk tolerance is essential for determining a security target state and gaining buy-in

What is risk tolerance level?
Keep in mind there is no generally accepted security risk assumption model template. Some organizations are driven by compliance. Some are driven by customer security requirements. Some are driven by the security risks of their IT systems.

An organization's risk tolerance level should take into account numerous drivers:
o Compliance drivers
o Privacy risks
o Security threats
o Data and asset value
o Industry and competitive pressure
o Management preferences

An organization's risk tolerance level is how much corporate data and how many systems can be risked to an acceptable level. Having a defined risk tolerance level means the security program knows the degree to which management requires the organization to be protected against confidentiality, integrity, or availability compromise.
NIST SP 800-39 defines risk tolerance as the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame.

[Figure: Risk Tolerance Curve, plotting Probability against Impact; the curve separates the "Accept the risk" region from the "Do not accept the risk" region]

Reality check on what is needed:
o A very clear conversation has to occur with the organization's senior management and/or the board on what is the acceptable level of risk for which data and information needs to be protected.
o The conversation must result in clear outputs, such as the organization adopting a moderate risk level because it has determined that customer and employee information should have a low risk level while non-confidential information can tolerate high risk levels.

"Only a quarter of risk executives articulated that their organizations had set up a formal risk appetite statement. While all agreed risk appetite was important, most are still challenged in bringing it all together in a formal risk appetite statement."
KPMG


2.1 Determine your organization's risk tolerance level

Estimate: 60 minutes. All steps should be group discussion.

Steps
1. Have each group member write down on sticky notes any threats your organization could face. Place these sticky notes on a whiteboard. Identify different attack types and attack actors.
2. In a group discussion, using a five-point scale, rate each identified threat for its potential impact on your organization (1 being low impact, 5 being extremely high) and the potential likelihood your organization could experience that threat (1 being not likely at all, 5 being almost certain). For potential impact, consider data exposure, regulatory fines, reputational damage, lawsuits, business disruptions, lost revenue, etc.
3. For each rated threat (attack type and attack actors), rate on a five-point scale how important mitigating that threat is. Identify specific drivers of the mitigation levels.
4. Repeat steps 2 to 3, but for data and other assets. Using the data scope determined earlier, and using a five-point scale, rate each data set's value/importance to the organization. Then rate how important protecting that data is on a five-point scale.

The difference between the mitigation levels and the threat level or asset value indicates your risk tolerance level. The lower the difference, the lower the risk tolerance.

Materials
o Whiteboard and markers
o Sticky notes

Participants
o Business stakeholders
o IT leaders
o Security team members

Output
Identified and prioritized threats and assets and required levels of mitigation

Record in Info-Tech's Information Security Awareness and Training Program Workbook.
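To make the scoring in steps 2 to 4 concrete, here is an added Python model of the exercise (example code, not an Info-Tech tool). It assumes that the threat level is the mean of the impact and likelihood ratings, that the difference is the threat level (or asset value) minus the mitigation importance so that a larger gap means more risk is being accepted, and that the high/moderate/low bands use assumed thresholds; the workshop ratings are constructed.

```python
"""Scoring model for the risk tolerance exercise (added example, not an
Info-Tech tool). Assumptions, because the slide leaves them open:
  - threat level = mean of the 1-5 impact and 1-5 likelihood ratings;
  - difference = threat level (or asset value) minus mitigation importance,
    so a larger gap means more risk is left accepted, matching "the lower
    the difference, the lower the risk tolerance";
  - the high/moderate/low bands use assumed thresholds on the mean gap.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Sequence


def _rating(name: str, value: int) -> int:
    """Every rating in the exercise is an integer on a five-point scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass(frozen=True)
class Threat:
    """One sticky note from step 1, rated in steps 2 and 3."""
    name: str
    impact: int       # 1 = low impact, 5 = extremely high
    likelihood: int   # 1 = not likely at all, 5 = almost certain
    mitigation: int   # 1-5: how important mitigating this threat is

    def __post_init__(self) -> None:
        for field in ("impact", "likelihood", "mitigation"):
            _rating(f"{self.name}.{field}", getattr(self, field))

    def threat_level(self) -> float:
        # Assumption: impact and likelihood combine as a simple mean.
        return (self.impact + self.likelihood) / 2

    def gap(self) -> float:
        # Positive: the group rates mitigation below the threat it faces.
        return self.threat_level() - self.mitigation


@dataclass(frozen=True)
class Asset:
    """A data set or other asset from step 4."""
    name: str
    value: int        # 1-5 value/importance to the organization
    protection: int   # 1-5: how important protecting it is

    def __post_init__(self) -> None:
        _rating(f"{self.name}.value", self.value)
        _rating(f"{self.name}.protection", self.protection)

    def gap(self) -> float:
        return self.value - self.protection


def prioritize(threats: Sequence[Threat]) -> list:
    """Order threats by threat level, then by mitigation importance."""
    return sorted(threats, key=lambda t: (-t.threat_level(), -t.mitigation))


def tolerance_band(mean_gap: float) -> str:
    """Assumed thresholds mapping the mean gap onto the slide's three bands."""
    if mean_gap <= 0:
        return "low"
    if mean_gap <= 1:
        return "moderate"
    return "high"


def summarize(threats: Sequence[Threat], assets: Sequence[Asset]) -> dict:
    """Aggregate the per-item differences into one risk tolerance reading."""
    gaps = {item.name: item.gap() for item in (*threats, *assets)}
    avg = mean(gaps.values())
    return {"gaps": gaps, "mean_gap": avg, "band": tolerance_band(avg)}


# Constructed workshop output for illustration (not real data).
SAMPLE_THREATS = [
    Threat("Ransomware", impact=5, likelihood=4, mitigation=5),
    Threat("Phishing", impact=4, likelihood=5, mitigation=4),
    Threat("Insider data theft", impact=4, likelihood=2, mitigation=3),
    Threat("DDoS on public website", impact=2, likelihood=3, mitigation=1),
]
SAMPLE_ASSETS = [
    Asset("Customer PII", value=5, protection=5),
    Asset("Source code", value=4, protection=3),
    Asset("Marketing collateral", value=1, protection=1),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        print(f"{t.name:<24} level={t.threat_level():.1f} gap={t.gap():+.1f}")
    result = summarize(SAMPLE_THREATS, SAMPLE_ASSETS)
    print(f"mean gap {result['mean_gap']:.2f} -> {result['band']} risk tolerance")
```

The per-item gaps show which threats and assets the group is under-prioritizing relative to their rated level, which is the prioritized list this activity is meant to produce.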


2.1 Determine your organization's risk tolerance level (continued)

Estimate: 60 minutes

Steps
1. Identify who has risk authority for assuming and signing off on risk:
  o The board and the CEO should ultimately hold delegation authority for risk decisions.
  o The CISO or CIO should also be able to make security risk decisions in the same way that a CFO has the authority to make financial risk decisions that are enterprise wide.
  o Business unit leaders should have a degree of security risk authority for some risk decisions that are largely contained within their business units.
2. Identify potential risk decision scenarios and perform hypothetical discussions on what would happen:
  o Identify known and unknown risks and related incidents for those risks your organization may face.
  o Ask yourself what the consequences of this risk are and what the likely actions are that would be taken against that risk by whoever has risk authority in that situation.

Materials
o Whiteboard and markers
o Documents outlining risk authority

Participants
o Business stakeholders
o IT leaders
o Security team members

Output
Understanding of the organization's real risk tolerance level

The goal is to answer the question: what is the likely reaction of whoever has risk authority? Any probable responses can tell your organization's risk tolerance stance in a real situation and should be considered against the previous activity's results.


2.1 Risk tolerance level descriptions

High
o Most likely your organization does not operate within the following areas:
  o Finance
  o Health care
  o Telecom
  o Government
  o Research
  o Education
o You have no compliance requirements.
o You don't have sensitive data.
o Customers do not expect you to implement and maintain strong security controls.
o Innovation and revenue generation come before security, so more risk is accepted.
o Organization does not have remote locations.

Moderate
o Most likely your organization operates within the following areas:
  o Government
  o Research
  o Education
o You have some compliance requirements (e.g. HIPAA, PIPEDA).
o You have some sensitive data, and are required to retain records.
o Customers will eventually need strong security controls for their activities.
o Due to the sensitive data, information security is more visible to senior management.
o Organization has some remote locations.

Low
o Your organization operates within the following areas:
  o Finance
  o Health care
  o Telecom
o You have multiple compliance requirements and house sensitive data, such as medical records.
o Customers require and expect your organization to have and maintain strong security controls.
o Information security is highly visible to senior management and public investors.
o Organization has multiple remote locations.


2.2 Assess your security pressure posture

An organization's security pressure posture represents the forces and drivers an organization is experiencing to develop a strong security program. The organization needs to be able to identify the major pressures and drivers it is experiencing around having an information security program.

Assessing your security pressure posture will answer many board-level questions:
o How attractive to hackers is our organization?
o How much pressure are our customers placing on us for security?
o How much pressure are our regulatory and legal requirements placing on us?
o What organizational factors are driving our need for security?

Value of assessing your security pressure posture:
o Gain a holistic view of how much actual force your organization is experiencing to have an information security program.
o Provide rationale and backing to support resource or budget requirements.
o Understand your security pressure points to implement just enough security to achieve your objectives while keeping costs minimal.

Info-Tech bases a security pressure posture on the following variables:
o Company industry
o Company type
o Company users
o Compliance obligations
o Customer security requirements
o Business requirements
o Corporate data
o Complexity of technology environment
o Security risk management
o Security incidents
o Physical location profile
o Budget and resource constraints

Info-Tech Research Group

26

2.2 Assess your security risk profile

Estimate 120 minutes. Complete the tool with a group and in open discussion.

Steps:
1. Go to the Security Pressure Posture Analysis Tool.
2. Discuss the importance of each risk variable for your organization and input your custom weighting for each risk variable.
3. Discuss each question and input the most appropriate response.
4. Go to the Output tab. Discuss the following:
o What does your security risk profile suggest about your organization?
o Do you agree with the security risk profile suggested?
o Are you surprised about your security risk profile?
o Did you initially assume a higher or lower security risk profile?
o How will your security risk profile impact your target state?

Materials: laptop, projector.
Participants: business stakeholders, IT leaders, security team members.

OUTPUT: Organizational security pressure posture. Record it in Info-Tech's Security Pressure Posture Analysis Tool.

2.2 Security pressure level descriptions

High: Organizations with a high security pressure posture have numerous factors driving the need for a strong information security program. Usually there is a combination of being highly attractive to cyber attackers and having customers, business units, senior management, and regulators demanding strong security controls. These organizations require very strong and solid security risk governance, management, and assurance in terms of high-level compliance requirements and strong business drivers. Usually, they have low risk tolerance. A proactive approach is taken that leverages strong security intelligence to support their analysis. Information security is one of the critical topics on their boardroom's agenda.

Moderate: Organizations with a moderate security pressure posture have several factors driving their need for a strong information security program. They are usually attractive to cyber attackers for financial reasons (i.e. valuable data or another way to make money from a compromise) while also feeling various levels of pressure to have a strong security program from customers, the business, and/or regulators. These organizations require strong security risk controls and assurance in terms of a certain level of compliance requirements and some business drivers. They usually have a medium risk tolerance. Usually, they will leverage best practices as their baseline and balance the cost and security risks when designing and implementing security solutions.

Low: Organizations with a low security pressure posture are either in a position that is less attractive to cyber attackers, or they can accept more risk on security controls and processes due to less restrictive compliance requirements and unclear business drivers. The organization's strategy, operating models, and supporting IT indicate there are low levels of pressure being placed on the organization to have a strong information security program. These organizations generally have a high risk tolerance. However, this does not necessarily mean they are more comfortable with risk. They may be unable to afford the right technologies, or stakeholders would prefer to invest in the business rather than security.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop. Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.1 Understand the value of security governance and management
An analyst will walk through the importance of information security governance and management. This will provide the rationale for pursuing this for any non-security professionals at the workshop and provide insights into today's world of security.

1.1 Create a convincing business case
For business stakeholders not present at the workshop, develop and build a business case that describes the value proposition and strategic assessment of governance and management, while identifying any existing challenges as well.

2.1 Define your risk tolerance
Your organization's risk tolerance dictates the degree to which the organization protects itself. With a facilitator, review identified threats and determine the potential impact of each threat as well as the importance of mitigating it. Identify hypothetical situations in which these threats occur and determine the risk tolerance for threats, data, and assets.

2.2 Determine your security pressure posture
Assess how attractive the organization is to hackers, and how much pressure customers and regulatory requirements are placing on the organization. Complete your risk profile around your industry, customer requirements, number of employees, number of locations, and other risk variables.

PHASE 2: Perform a Gap Analysis

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Perform a Gap Analysis
Proposed Time to Completion: 2 weeks

Step 3.1: Understand the different components of the program and self-assess
Start with an analyst kick-off call:
- Understand the different components of a security governance and management program.
- Review the current state of your program.
Then complete these activities:
- Perform a current state assessment of your governance and management capabilities and maturity levels.
With these tools & templates:
- Information Security Governance and Management Gap Analysis and Roadmap Tool

Step 3.2: Define the governance and management target state
Review findings with analyst:
- Establish the target state for your governance and management components.
Then complete these activities:
- Determine the target state of your overall information security governance and management program.
With these tools & templates:
- Information Security Governance and Management Gap Analysis and Roadmap Tool

Phase 2 Results & Insights:
- Identified gaps in the program.

Step 3: Establish the target state

Project steps: 1. Make the case; 2. Determine the security pressure posture; 3. Establish target state; 4. Conduct a gap analysis; 5. Implement governance initiatives; 6. Develop metrics.

This step will walk you through the following activities:
- Assess the current maturity state of your security controls and processes.
- Understand what is needed for your program and consider its relevance.
- Determine the target state needed for the organization.

This step involves the following participants:
- CISO/Head of Security
- Entire Security Team
- CIO
- Business Leaders

Outcomes of this step:
- Understanding of the different components that make up a larger security governance and management framework.
- Current maturity levels of existing security controls.
- Determination of the future target state for the organization.

Examine commonalities of successful security governance and management programs

Attributes of security governance and management programs vary by organization, but successful programs share certain commonalities.

All information security goals and initiatives come from business needs.
A business-oriented approach to information security ensures that security is working on the right initiatives to maximize its value to the organization. All security activities should be derived from an analysis of business requirements.

The security governance and management framework fits into the bigger picture.
Security governance and management is an essential component of IT governance, corporate governance, enterprise architecture, etc. The security governance and management framework needs to be compatible with the existing frameworks, policies, guidelines, and terminology. When organizations forget to align different frameworks, it causes confusion for employees and decreases the legitimacy and effectiveness of the program.

There is a single holistic security governance and management framework.
When organizations develop their frameworks in an ad hoc way, they often develop programs that are not comprehensive enough or too cumbersome for organizational needs. Building a holistic framework ensures that all areas are covered while preventing duplication of the same functions, resulting in a more efficient program.

Management commitment to security governance is demonstrated through a top-down approach.
Both management buy-in and commitment are essential to security success. Executive sponsors and stakeholders need to understand that security governance requires active participation and commitment, not just a budget approval.

The security governance and management program is easy to execute and maintain.
Simpler security governance programs are easier to adopt and maintain. Even if the proposed program isn't ideal initially, it's easier to execute and continuously improve upon than it is to start off with a large complex program.

Consider how your new security framework will interact with your existing frameworks

Security does not work in a silo in any organization. Its interactions with other departments need to be considered when designing a framework.

The integration of security and other frameworks is often overlooked, but can be essential to the success of your security program. At each stage of planning and implementation, ask yourself how the new framework will interact with your existing ones.

Info-Tech's framework integrates several best practices to create a best of breed

ISO 27000 Series
- Comprehensive list of controls.
- Provides best practices associated with each control.
- Likely some of the best standalone best practices.

NIST SP800 Series
- Provides a detailed list of security controls along with many implementation best practices intended for federal information systems and organizations in the US to meet FIPS 199/200.
- Provides more depth than the ISO 27000 series since there are individual implementation guidance publications available.
- NIST SP800-53 organizes its controls into 18 control families.

COBIT 5 for Information Security
- More principle and process based than other best practices.
- Provides best practices from an internal control perspective.
- Does not cover as much breadth as the ISO 27000 series and is not as detailed as PCI-DSS.

PCI-DSS
- Provides more detailed instructions than most other best practices but does not cover as much breadth as the ISO 27000 series.
- Focus is for organizations that need to become PCI compliant due to credit card processing.

SANS Twenty Critical Security Controls
- Provides a great list of controls for effective cyber defence.
- Includes step-by-step implementation directions and customized actions for advanced implementations and for organizations looking for quick wins.
- Only covers controls for cyber defence, so many other aspects of information security are missing (e.g. physical security).

(Diagram in the original: Info-Tech's framework drawing on the ISO 27000 Series, NIST SP800-53, PCI-DSS, COBIT 5, and the SANS Critical Controls.)

Visualize the components of security governance and management to understand their relationship with each other

Information security governance and management can have a broad scope. This project focuses on developing the processes and capabilities of the areas highlighted in the original component diagram. Use that diagram as a reference for how each component of security governance and management fits together to form a holistic picture.

Distinguish the elements of your security governance and management program

Information security governance sets the direction and strategy for security, monitors the performance of security, and communicates this to stakeholders. Information security management supports information security governance by executing and running the various areas of security.
Security governance and management programs vary largely by organization. There are some fundamental components and many components that may be less relevant for your organization. Use the fundamental components as a starting point and add the extensions as needed.
The next set of slides will examine each component in more detail to understand its purpose in a security governance and management program and assess its relevance for your organization.

Framework areas and their components:
- Context & Leadership: Information Security Charter; Organizational Structure; Security Culture and Awareness.
- Evaluation & Direction: Security Risk Management; Security Policies; Security Strategy and Communication; Security Services.
- Compliance, Audit, & Review: Security Compliance Management; Security External Audit; Security Internal Audit; Management Review of Security.
- Security Prevention: HR Security; Vendor Management.
- Security Response & Recovery: Security Incident Management; Security eDiscovery and Forensics; Backup and Recovery; InfoSec in BCM.
- Measurement Program: Metrics Program; Continuous Improvement.

Understand the importance of a security charter to your security governance and management framework

Framework area: Context & Leadership

Purpose
- It establishes a mandate for information security within the organization.
- It communicates executive commitment to risk and information security management.
- It outlines high-level responsibilities for information security within the organization.
- It establishes awareness of information security within the organization.

Typically, the following elements are included in a security charter:
- Security Mission: An overarching statement about the ultimate goal of security within the organization and how it will be achieved.
- Security Objectives: Specific security objectives and their relationship to the overall strategy of the organization.
- Statement of Corporate Commitment: A statement that clarifies the extent to which the organization is committed to security.
- High-Level Responsibilities: These high-level responsibilities should emphasize where the primary accountability for information security lies and include general responsibilities of all employees, suppliers, and customers.
- Principles: A set of principles to govern and promote good practice in information security.

The information security charter should be documented, available, and communicated to the entire organization.

A security charter can formalize and define your security governance, and provide value in implementing your security strategy. Involving multiple stakeholders in the creation of the charter will allow you to build a charter that is truly reflective of your organization.

Build your charter using Info-Tech's Information Security Charter template.

Understand the importance of a formalized security organizational structure to your framework

Framework area: Context & Leadership

Purpose
A formalized security organizational structure assigns and defines the roles and responsibilities of different members in the organization regarding security. Clarity of responsibilities makes sure owners are accountable.

Typically, the following elements are included in a formalized security organizational structure:
- Organizational reporting lines.
- An explicit allocation of information security responsibilities and accountabilities.
- The definition of a security steering committee.
- A statement of management's commitment to information security.
- Details about how information security activities will be co-ordinated by representatives from different parts of the organization.
- A list of appropriate contacts with authorities or special interest groups.

Different lines of reporting can have various impacts on the information security culture within the organization. Of organizations that have a Chief Information Security Officer or an equivalent:
- 33% reported to a Chief Information Officer (CIO).
- 35% reported to a Chief Executive Officer (CEO).
- 28% reported directly to the Board of Directors.
Source: PricewaterhouseCoopers Annual Information Security Survey, 2011

Build your organizational structure using Info-Tech's Security Governance Organizational Structure template.

Understand the importance of a training and awareness program for your security framework

Framework area: Context & Leadership

Purpose
Educating and creating awareness for security policies and procedures lowers the risk of security threats caused non-maliciously by internal staff and promotes accountability for security within the organization. A training and awareness program will provide information security awareness and knowledge training for various or all employees within the organization.

(Diagram in the original: People, Process, Technology.)

Security governance is responsible for setting security training objectives and initiatives and creating a security-aware culture. Security management's role is to execute these training objectives and awareness initiatives.

For further research on developing an awareness program, reference Build a Security Awareness and Training Program.

"A key factor about information security is having a culture in place. When I'm talking about culture, I'm not talking about senior management anymore. I'm talking about managers, middle managers, and end users. Because everyone knows that the weakest link in the security chain is a human being."
IT Director, City Services

Understand the importance of systematic risk management to your security governance and management framework

Framework area: Evaluation & Direction

Purpose
Managing information security risks in a systematic way involves identifying the organizational risk tolerance and assessing all risks for treatment options based on that risk tolerance.
By taking this systematic approach, organizations can be sure that unacceptable risks are being identified and addressed properly, and that money and effort aren't being wasted by over-treating insignificant risks. It also provides senior management with visibility into the organizational risk profile and risk treatment priorities to support their ability to make strategic decisions.

Basic process:
1. Identify risk tolerance.
2. Analyze risk (Risk = f(Asset, Vulnerability, Threat)).
3. Decide on risk treatment (accept, mitigate, transfer, avoid).

Information security risk management is a part of IT risk management, which is a component of enterprise risk management (Enterprise Risk Management > IT Risk Management > InfoSec Risk Management). There needs to be consistency between each risk management function.

46% of respondents to Ponemon Institute's 2013 US Research Survey have an ad hoc or no risk management strategy.
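The basic process above (identify tolerance, analyze Risk = f(Asset, Vulnerability, Threat), decide treatment) carried through on a small risk register, as an added example that is not Info-Tech's tool and not from the deck. The 1-5 rating scales, the multiplicative score, the tolerance threshold of 20, the order in which treatments are tried (mitigate with the cheapest adequate control, then transfer, then avoid, otherwise accept only as a documented exception) and the sample risks and controls are all assumptions made for illustration:

```python
"""Risk register walk-through: identify tolerance, analyze
Risk = f(Asset, Vulnerability, Threat), decide treatment.

Added example; not Info-Tech's tool. Scales, scoring, threshold,
treatment order and the register below are all assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: int      # assumed scale: 1 (trivial) .. 5 (business-critical)
    vulnerability: int    # assumed scale: 1 (hard to exploit) .. 5 (trivially exploitable)
    threat: int           # assumed scale: 1 (no interested actor) .. 5 (actively targeted)
    transferable: bool = False   # insurance or outsourcing is an option
    avoidable: bool = False      # the risky activity can be stopped entirely


@dataclass(frozen=True)
class Control:
    name: str
    residual_vulnerability: int  # vulnerability rating once the control is in place
    cost: int                    # relative cost, used to pick the cheapest adequate control


def score(asset_value: int, vulnerability: int, threat: int) -> int:
    """Assumed scoring model: Risk = Asset x Vulnerability x Threat (range 1..125)."""
    for rating in (asset_value, vulnerability, threat):
        if not 1 <= rating <= 5:
            raise ValueError("ratings must be integers from 1 to 5")
    return asset_value * vulnerability * threat


def decide(risk: Risk, controls: List[Control], tolerance: int) -> Tuple[str, int, Optional[str]]:
    """Return (treatment, residual score, chosen control or None).

    Assumed decision order: accept if within tolerance; otherwise mitigate with
    the cheapest control that brings residual risk within tolerance; otherwise
    transfer if possible; otherwise avoid if possible; otherwise the risk can
    only be accepted as a documented exception needing management sign-off.
    """
    inherent = score(risk.asset_value, risk.vulnerability, risk.threat)
    if inherent <= tolerance:
        return ("accept", inherent, None)

    adequate = []
    for control in controls:
        residual_vuln = min(risk.vulnerability, control.residual_vulnerability)
        residual = score(risk.asset_value, residual_vuln, risk.threat)
        if residual <= tolerance:
            adequate.append((control.cost, residual, control.name))
    if adequate:
        _cost, residual, name = min(adequate)   # cheapest adequate control wins
        return ("mitigate", residual, name)
    if risk.transferable:
        return ("transfer", inherent, None)
    if risk.avoidable:
        return ("avoid", 0, None)
    return ("accept-with-exception", inherent, None)


def plan(register: List[Risk], controls_by_risk: Dict[str, List[Control]],
         tolerance: int) -> Dict[str, Tuple[str, int, Optional[str]]]:
    """Apply decide() to every risk in the register."""
    return {r.name: decide(r, controls_by_risk.get(r.name, []), tolerance) for r in register}


# Step 1: the organizational risk tolerance (assumed value).
RISK_TOLERANCE = 20

# Constructed sample register and candidate controls (not from the deck).
REGISTER = [
    Risk("SQL injection in customer portal", asset_value=5, vulnerability=4, threat=4),
    Risk("Lost encrypted laptop", asset_value=2, vulnerability=2, threat=3),
    Risk("Data centre flood", asset_value=5, vulnerability=3, threat=2, transferable=True),
    Risk("Unpatchable legacy app on flat network", asset_value=3, vulnerability=5, threat=3, avoidable=True),
    Risk("Phishing of executives", asset_value=4, vulnerability=3, threat=5),
]
CONTROLS = {
    "SQL injection in customer portal": [
        Control("parameterised queries", residual_vulnerability=1, cost=3),
        Control("WAF only", residual_vulnerability=2, cost=2),
    ],
    "Unpatchable legacy app on flat network": [
        Control("network segmentation", residual_vulnerability=3, cost=4),
    ],
    "Phishing of executives": [
        Control("awareness training", residual_vulnerability=2, cost=1),
    ],
}

if __name__ == "__main__":
    for name, (treatment, residual, control) in plan(REGISTER, CONTROLS, RISK_TOLERANCE).items():
        print(f"{name}: {treatment}, residual {residual}" + (f" via {control}" if control else ""))
```

The point of the walk-through is the last branch: a risk that cannot be brought within tolerance, transferred, or avoided does not quietly become "accepted"; it is surfaced as an exception that needs an explicit management decision, which is exactly the visibility the slide asks the process to give senior management.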

Understand the importance of security policies to your security governance and management framework

Framework area: Evaluation & Direction

Purpose
Security policies provide direction for information security, while taking into account business requirements and relevant laws and regulations, to ensure critical business information assets maintain confidentiality and integrity, and are available.

(Chart in the original: "Generally, enterprises with policies report a greater sense of security." Info-Tech, N=114. Respondents with No Policies, Partial Policies, and Full Policies rated themselves Not Secure, Somewhat Secure, or Secure.)

Information security policies are usually approved by management, published, and communicated to all employees and relevant external parties. They're reviewed on a regular basis or whenever significant changes occur to ensure their continuing suitability, adequacy, and effectiveness.

Business, legal, and contractual requirements shape the policies in an organization. The policies are then applied to standards and procedures in the functional areas (Business, Legal, Contractual Requirements > Security Policies > Functional Areas).

For further research on developing security policies, reference Info-Tech's Develop & Deploy Security Policies.

Understand the importance of a security strategy to determine its relevance for your framework

Framework area: Evaluation & Direction

Purpose
Building your information security strategy drives value through the following:
- Improved reputation and brand equity achieved through a proper evaluation of the organization's security posture.
- Improved reputation and brand equity achieved through a BCP/BCM process that will enable the business to recover faster from disasters.
- Continuous improvement achieved through a good security measurement program.
- Ability to plan for the future since less security time will be spent firefighting.
- Reduction in the total number of security incidents.
- Coordination of different security initiatives.

The security strategy needs to account for changing business strategies and technologies. Security management should be up to date on the strategic direction of the business and plan for it in advance. Doing this will enable you to manage security proactively.

For further research on developing a security strategy, reference Information Security.


Understand the purpose of security service management to determine its relevance for your framework

Framework area: Evaluation & Direction

Purpose
Security services refer to the products and services offered by your security department to the business. A formalized security services document sets clear expectations of the security department's capabilities and can justify the cost of security. A security services document also allows the security team to determine the resources required to enable business activities.

Elements involved in a security services document:
- Service Name: A formal list of security services should be in place and updated on a regular basis. Be fairly specific here, and keep in mind that this is for the end user.
- Service Capability: List any service capabilities that fall under the main security service.
- Description: Provide a clear description of the service.
- Target Audience: Who is this security service being provided for? Is there a specific audience? Consider role-based views of the service catalog.
- Delivery Process: The security team should formalize the delivery process of security services.
- IT Owner: Indicate the IT staff member who would serve as the contact person for any issues arising from this specific service.
- Supporting Technology: List all the technology that is needed either for the end user or for IT to deliver this service to the end user.
- Benefit: Describe the benefit of using that service.
- Quality Goal / Service Level Agreement (SLA): Each security service should have at least one formal SLA. The SLAs provide information on required resources and justify security costs.
- Workflow: Indicate the workflow that is necessary for the service to be provided for the end user. Provide enough information so you can be specific about any SLAs.
- Metric: Metrics are internal to the security team. Decide how you are going to measure the service, be as specific as possible about what you are measuring, and work out how you will collect the metric.

Understand the purpose of security compliance management to determine its relevance for your framework

Framework area: Compliance, Audit, & Review

Purpose
Security compliance ensures that the organization does not breach any statutory, regulatory, or contractual obligations. The security governance process ensures that compliance requirements are identified and monitored for changes (e.g. PCI-DSS updates every three years). Security management builds and implements controls to meet these compliance requirements.

Elements involved in compliance management
There are three types of compliance:
1. Compliance with legislative and regulatory requirements. E.g. SOX, PIPEDA, and, as commonly managed alongside them, PCI-DSS (strictly a contractual obligation imposed through card-brand and acquirer agreements rather than legislation).
2. Compliance with contracts. E.g. ensure validity of security controls as required by contractual obligations.
3. Compliance with security policies, standards, procedures, and technical requirements. E.g. managers need to ensure that all security procedures within their area of responsibility are carried out to comply with security policies and standards.

Management of compliance involves tracking, reporting, disclosure, and adherence to compliance as an organization. For many of the legal and regulatory requirements, there are serious legal and financial consequences for non-compliance.

Understand the purpose of security audits to determine their relevance for your framework

Framework area: Compliance, Audit, & Review

Purpose
Audits provide objective assurance to management on how effectively the organization is managing security practices. The organization's approach to managing information security and its implementation should be audited at regular intervals, and when significant changes to security occur, to maintain assurance.

There are two types of audits: internal audits (first-party audits) and external audits (second-party and third-party audits).
- Internal audits: Also known as first-party audits. Internal audits are useful tools for an organization to be assured that security is operating as needed.
- External audits: Also known as second-party and third-party audits. External audits are necessary for some organizations due to compliance requirements.

Understand the importance of the regular management review of security to determine its relevance for your framework

Framework area: Compliance, Audit, & Review

Purpose
Management review of security ensures that management is continually involved in the security process. This includes regular communication of security as well as collecting the necessary inputs into the overall program. As a result, outputs will be created that benefit the entire organization.

Elements involved in a management review of security (shown in the original as a cycle: collect input, define content, review output, track output, follow up, review/evaluate/update):
1. Collecting necessary management input for the review of security.
2. Defining which content will be reviewed by senior management.
3. Receiving the output and feedback from the management review.
4. Tracking the outputs as action plans are created and implemented.
5. Following up with management as governance and management are increased.
6. Continually reviewing, evaluating, and updating the process.

Understand the purpose of human resources (HR) security management to determine its relevance for your framework

Framework area: Security Prevention

Purpose
Security management involves managing HR-related security issues such as setting new employees up with access to appropriate systems and software, or terminating access when employees leave the organization. A security management framework should outline basic processes to address these HR-related activities.

Elements involved in HR security
- Prior to employment: Security needs to work with HR to ensure that employees, contractors, and third-party users understand their responsibilities and are suitable for the roles they are considered for. This will reduce the risk of theft, fraud, or misuse of facilities.
- During employment: Security needs to work with HR to ensure that all employees, contractors, and third-party users are aware of information security threats and concerns as well as their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work.
- Termination or change of employment: Security needs to work with HR to ensure that employees, contractors, and third-party users exit an organization or change employment in an orderly manner. This includes termination of employee access and user accounts, and removal of access that a changed role no longer requires.
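A control check for the termination and change-of-employment element above, as an added example that is not part of the Info-Tech deck: it reconciles an HR feed against a directory account export and flags leavers whose accounts are still enabled, movers still sitting in their old department group, and enabled accounts with no HR owner. The record layouts, field names, status values, grace period and sample data are assumptions made for illustration:

```python
"""Joiner/mover/leaver reconciliation: compare the HR system of record with
a directory account export and flag access that should no longer exist.

Added example, not from the Info-Tech deck. The record layouts, field
names, status values and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                      # assumed values: "active" or "terminated"
    department: str                  # current department per HR
    last_day: Optional[date] = None  # last working day, set for leavers


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]       # None when no HR owner is recorded
    enabled: bool
    department_group: str            # directory group that grants departmental access


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date,
              grace_days: int = 0) -> Dict[str, List[str]]:
    """Return usernames grouped by finding.

    leaver_still_enabled: owner is terminated and more than grace_days past
        their last day (or has no last day recorded), yet the account is enabled.
    mover_stale_group: owner is active but the account is still in a group
        for a department HR no longer lists them in.
    no_hr_owner: enabled account with no matching HR record (orphaned, or a
        service account that needs an explicit owner).
    """
    by_id = {r.employee_id: r for r in hr}
    findings: Dict[str, List[str]] = {
        "leaver_still_enabled": [],
        "mover_stale_group": [],
        "no_hr_owner": [],
    }
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to act on in this check
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings["no_hr_owner"].append(acct.username)
        elif rec.status == "terminated":
            # A missing last day is treated as overdue rather than silently skipped.
            overdue = rec.last_day is None or today > rec.last_day + timedelta(days=grace_days)
            if overdue:
                findings["leaver_still_enabled"].append(acct.username)
        elif rec.department != acct.department_group:
            findings["mover_stale_group"].append(acct.username)
    return findings


# Constructed sample data (not from the deck).
HR_FEED = [
    HrRecord("E100", "active", "finance"),
    HrRecord("E101", "terminated", "finance", last_day=date(2016, 3, 1)),
    HrRecord("E102", "active", "sales"),                              # moved from engineering
    HrRecord("E103", "terminated", "it", last_day=date(2016, 5, 20)),
    HrRecord("E104", "terminated", "hr", last_day=date(2016, 6, 1)),
]
ACCOUNT_EXPORT = [
    Account("alice", "E100", True, "finance"),       # in order
    Account("bob", "E101", True, "finance"),         # left in March, still enabled
    Account("carol", "E102", True, "engineering"),   # moved to sales, kept old group
    Account("dave", "E103", False, "it"),            # leaver, already disabled
    Account("grace", "E104", True, "hr"),            # leaver, last day is today
    Account("eve", "E105", True, "sales"),           # employee id unknown to HR
    Account("svc_backup", None, True, "it"),         # no owner recorded
]


def audit(today_iso: str, grace_days: int = 0) -> Dict[str, List[str]]:
    """Run the reconciliation over the sample data for a given ISO date."""
    return reconcile(HR_FEED, ACCOUNT_EXPORT, date.fromisoformat(today_iso), grace_days)


if __name__ == "__main__":
    for finding, users in audit("2016-06-01").items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Run this on a schedule against the real HR feed and directory export; the grace period is the negotiated window for the leaver process to complete, and anything that survives past it is a process failure worth raising in the management review.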

Understand the purpose of vendor management to determine its relevance for your framework

Framework area: Security Prevention

Purpose
Vendor management needs to maintain the security of the organization's information by ensuring that third parties are meeting the necessary organizational security requirements. Security needs to be considered at all stages, including selection and implementation, with any vendor.

Elements involved in vendor management
- Identification of risks related to external parties.
- Identification of security requirements for third parties before they're given access to the organization's information or assets.
- A third-party service delivery agreement, which includes the following:
o Service objectives, scope, content, and deliverables.
o Specified service level.
o Criteria defining acceptable service and completion criteria.
o Reporting structure and formats of third-party service monitoring and reviews.
o An escalation process for problem resolution.
o A change management process for changes made to the provision of services.

For help with vendor selection, review Info-Tech's research, Optimize IT Procurement.

Understand the importance of incident management to your


security governance and management framework
Purpose
Security incident management establishes a systematic process to follow in the
event of a security incident to best address the incident and prevent it from occurring
again in the future.

Elements involved in incident management

Security Response and


Recovery
Security Incident
Management
Security eDiscovery and
Forensics
Backup and Recovery
InfoSec in BCM

The definition of a security incident, security event, and each severity level.
A process workflow diagram of how an incident or event will be treated from its initial report or finding to the end.
A more detailed explanation of how the event or incident will be identified, assessed, treated, tracked, and recorded for continuous improvement.

(A sample workflow diagram appears on the original slide.)


51

Understand the purpose of forensics and eDiscovery management to gauge its relevance for your framework

Purpose
Forensics and eDiscovery management can help you make a shift from ad hoc
eDiscovery practices to a formal process based on the eDiscovery reference model.
Use the table below to understand the difference between computer forensics and
eDiscovery.


Factors | Computer Forensics | Electronic Discovery (eDiscovery)
Type of data | Live, resurrected, reconstructed fragments | Live (unless other data provided by forensics partner)
Recover deleted or temporary data | Yes | No (unless provided by forensics process)
Type of collection | Bit image only | Bit image and/or copy
Downtime of client computers | Usually | No
Scope of data | Entire universe of data stored on a targeted device (e.g. a hard disk drive) | Usually only focuses on a smaller grouping of data stored on the targeted device
Scope of work | Forensic experts can partner with attorneys to pinpoint keywords related to the case and then cross-reference those keywords against the collected data. | eDiscovery experts typically do not analyze the data they collect. They don't usually clarify the intent of a computer user or provide clients with legal advice.
The respective timelines | A full forensic investigation may be tied to incident response, requiring rapid action to acquire a snapshot of systems and data. This incident response may be measured in minutes or hours. | An eDiscovery process is likely to be slower: it needs to preserve and collect information in response to a legal requirement, a slower process than incident response, measured in weeks and months, if not years.


52

Understand the purpose of backup and recovery management to determine its relevance for your framework

Purpose
Backup and recovery management supports business operational activities by
backing up information and recovering lost information.

Elements involved in backup and recovery


Many companies take unnecessary risks when it comes to backup. It often takes a
major disaster before an organization begins to evaluate its investment in backup.
Few organizations are currently confident in their approach to backup and recovery.
55% of organizations polled reported feeling very confident or completely
confident in their ability to meet their backup window.
44% of organizations felt very confident or completely confident in their ability to
meet the recovery time objective.
Source: Info-Tech, N=74

For further research on backup and recovery management, see Info-Tech's blueprint Optimize Backup Operations with a Recovery Services Plan.


53

Understand the purpose of BC/DR management to determine its relevance for your framework
Purpose
BC/DR (business continuity/disaster recovery) management ensures that business
processes are recovered within the defined recovery time objective (RTO) and
recovery point objective (RPO) in a consistent and cost-effective manner.

Elements involved in BC/DR management


1. Create a pilot project charter.
2. Identify key applications and dependencies.
3. Determine desired (target) recovery timeline.
4. Determine achievable recovery timeline and gaps.
5. Identify projects to close recovery timeline gaps.
6. Document your incident response plan.
7. Complete the BC/DR process.
However, through this whole process, information security must be considered
as part of an effective BC/DR plan. This is to ensure that security services
continue to be provided as needed to the organization in the case of any
incidents.


54

Understand the importance of a metrics program and continuous improvement to determine its relevance
Purpose
Measuring your information security program gives you increased visibility into your operations, and the hard evidence of security performance it produces provides increased accountability and better communication with executives. Continuous improvement follows, because you understand what is working and what is not.


Elements involved in security metrics


A metrics program is more than just a group of metrics. It also needs to outline the
following explicitly:
1. What information you need to collect
2. How you will collect this information
3. How relevant the metrics are to each group of your stakeholders
4. How you're going to analyze the metrics
5. How you're going to report on the metrics

Metrics Best Practices:


Aim to develop SMART (Specific, Measurable, Actionable, Relevant, Timely) metrics.
Specific: Use specific metrics that don't leave room for vagueness and subjectivity, to avoid the possibility of misinterpretation.
Measurable: Use measurable metrics that you can compare with other data to generate meaningful analysis.
Actionable: Use metrics that provide directive information for the organization to execute on.
Realistic: Use metrics that are realistic to track over time, based on the organization's constraints (e.g. is it cost effective?).
Timely: Consider whether your metrics analyze data in real time or if they must be analyzed over time.


55

Self-assess your security governance and management capabilities and maturity levels

3.1

Estimate 4 hours. Complete on a projector and encourage open discussion.

Steps:
1. Open the Information Security Governance and Management Gap Analysis and Roadmap Tool. Hand each participant a set of cards and a maturity level description sheet.
2. For each security area, and with the maturity level description sheet as a guide, all the participants will have a minute to decide and then simultaneously flip the card they feel best represents the maturity level of the area. Start with Context and Leadership.
3. The person who chose the highest maturity level and the person who chose the lowest maturity level in the area must justify their maturity score. Discuss the rationale until a consensus is reached. Record the maturity level in the Information Security Governance and Management Program Gap Analysis and Roadmap Tool.
4. Repeat steps 2-3 for each of the following areas:
   Context and leadership
   Evaluation and direction
   Compliance and review
   Security prevention
   Security response and recovery
   Measurement program

Materials
Cards with 1-5
Maturity level description sheet
Laptop

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

OUTPUT
Security capabilities and performance report

Document the results of your security governance and management target framework in your business case.

Record your results in Info-Tech's Security Governance and Management Gap Analysis and Roadmap Tool.


56

Define the security governance and management future state

3.2

Estimate 120 minutes. Complete on a projector and encourage open discussion.

Determine the target levels that your governance and management program will be aiming for.

Steps:
1. Open the Information Security Governance and Management Gap Analysis and Roadmap Tool. Hand each participant a set of cards and a maturity level description sheet.
2. For each security area, and with the maturity level description sheet as a guide, all the participants will have a minute to decide and then simultaneously flip the card they feel best represents a good target maturity level of the area. Start with Context and Leadership.
   Consider what aligns with your risk tolerance level, what your resource constraints are, what will get approved, what will improve security versus maintaining current levels, etc.
3. The person who chose the highest maturity level and the person who chose the lowest maturity level in the area must justify their maturity score. Discuss the rationale until a consensus is reached.
4. Repeat steps 2-3 for each of the following areas:
   Context and leadership
   Evaluation and direction
   Compliance, audit and review
   Security prevention
   Security response and recovery
   Measurement program

Materials
Laptop
Projector

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

OUTPUT
Security future state

Record your results in Info-Tech's Security Governance and Management Gap Analysis and Roadmap Tool.


57

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop
Book a workshop with our Info-Tech analysts:
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

3.1 Self-assess your security governance and management capabilities and maturity levels
Move through the major security practices and security components that make up the security governance and management program. A facilitator will get the participants to indicate the specific maturity levels, with open discussion on where the organization currently stands.

3.2 Define the security governance and management future state
Determine the future state for the components of the security governance and management program, with open discussion as to what the target should be for the organization.


58

PHASE 3
Develop Gap Initiatives


59

Phase 3 outline
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Develop gap initiatives
Proposed Time to Completion: 2 weeks

Step 4.1-4.2: Identify existing gaps and build initiatives
Start with an analyst kick off call:
Identify any existing gaps in your governance and management program.
Build initiatives to bridge the gaps.
Then complete these activities:
Document any gaps and indicate what the initiatives are that will be closing these gaps.
With these tools & templates:
Information Security Governance and Management Gap Analysis and Roadmap Tool

Step 4.3-4.5: Estimate resources needed and build roadmap
Review findings with analyst:
Identify resources needed for each initiative and prioritize them accordingly.
Begin to build out your roadmap and action plan.
Then complete these activities:
Document the roadmap and action plan for the prioritized initiatives.
With these tools & templates:
Information Security Governance and Management Gap Analysis and Roadmap Tool

Phase 3 Results & Insights:
Actionable initiatives to continue building out security governance.


60

Step 4: Conduct a gap analysis
(Project steps: 1 Make the case | 2 Determine the security pressure posture | 3 Establish target state | 4 Conduct a gap analysis | 5 Implement governance initiatives | 6 Develop metrics)

This step will walk you through the following activities:
Determine where there are existing gaps in the framework.
Develop the initiatives needed to close any gaps.
Prioritize the gaps based on resources, cost, and overall benefits.

This step involves the following participants:
CISO/Head of Security
Entire Security Team
CIO

Outcomes of this step
Identified areas of security governance and management where gaps exist.
Consolidated initiatives to close the existing gaps.
Prioritized gap initiatives.
Roadmap of all the initiatives over the next three years, with assigned owners for each initiative.


61

Examine common gaps in the industry to reflect on your own

Based on interviews with industry experts, most security programs are currently missing some vital components in their security governance and management plan.

Common gaps
Lack of comprehensive security governance and management framework.
A perspective on the importance of a comprehensive security framework: "The only way to deal with security is through a holistic perspective. Ad hoc security is almost an oxymoron. Ad hoc is like locking all the doors to a building and leaving all the windows wide open. The bad guys will figure out that the windows are open quite quickly and not worry about the doors after that."
Marcus Simons, Integration Works, NZ

"It's a challenge to get our security program into a formal framework from its ad hoc origins."
Higher Education, US

Lack of security measurement and reporting.
Lack of awareness and training.
No objective security posture.
No formalized risk tolerance.

No buy-in for security governance.
"When I started talking at upper management meetings about information security governance, they'd look at me weird and say, 'Why are you talking about governance?'"
Dennis Leon, Wood Buffalo Housing & Development Corporation, US


62

4.1 Identify your security program gaps

Estimate 120 minutes

With a clear understanding of the target state and the current maturity levels, document any gaps and determine why these gaps exist through this exercise.
1. Compare your target state to your current state and review your risk recommendation based on the Security Pressure Posture Analysis Tool.
2. Using the Need for Subcomponent column, use the drop-down to indicate if this is a control that is necessary, nice to have, or not needed.
3. Using the drop-down menu, determine if there is no gap, a small gap, a moderate gap, or a substantial gap.
4. Document why the gap is this size and what is preventing the current state from becoming the target state under the column for gap description.
   Include why the control was given its status under the Need for Subcomponent column.
   Be descriptive of the gap that exists.
   When describing why the gap currently exists, think of your people, processes, and technology.

Materials
Laptop
Projector

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

Output
Identification of where there are existing gaps

Record your results in Info-Tech's Information Security Governance and Management Business Case Template.


63

Evaluate current security projects

4.2

Estimate 30 minutes.

Steps:
1. Make a list of all the current security projects on the whiteboard.
2. Compare each of the security projects listed on the whiteboard to the initiatives suggested by the Information Security Governance and Management Target State and Gap Analysis Tool.
3. Discuss the following:
   Are any initiatives suggested by the tool already underway? Take note of these initiatives.
   Are there any initiatives that don't fit with your security target state or security needs? Is cancelling this initiative a possibility?

Example from the slide diagram (matching items appear in both columns):
Security target state initiatives: Formalize security organizational structure; Conduct internal audits; Develop a security metrics program.
Current security projects: Formalize security organizational structure; Develop a security metrics program; Develop a security services catalog.

Materials
Whiteboard
List of current security initiatives

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

Output
Opportunities for gaps to be closed with existing projects


64

Build initiatives to bridge the gaps

4.2

Estimate 4 hours. Consider initiatives that span across security practices and components.
In order to reach your target state, determine what initiatives are needed in order to close any existing gaps. These initiatives will then formalize what needs to be part of the roadmap for the security team.

Steps:
1. Review the gap drop-down and the gap description.
2. Document what initiative can be used to close this gap, under the column for gap initiative.

When building your security initiatives:
At this point, do not consider the associated costs such as resourcing or budget allocation. Focus on what is needed within the organization in order to close the gap.
Keep in mind the three main tenets of information security: people, process, and technology.
Ensure that the initiatives are realistic and actionable, as opposed to lofty initiatives.
o Example of a lofty initiative: Start internal audits.
o Example of a realistic initiative: Assign an individual to perform an internal audit of security requirements quarterly, with the results presented to management.

Materials
Laptop
Projector

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

Output
Security initiatives to close any maturity gaps

Record your results in Info-Tech's Security Governance and Management Gap Analysis and Roadmap Tool.


65

Estimate the resources needed

4.3

Estimate 30 minutes
Steps:
1. Define and document what low, medium, and high resource allocation and other variables are for your gap initiatives in the Security Program Gap Analysis and Roadmap Tool. These variables include:
   Initial monetary cost: one-time capital costs.
   Ongoing monetary cost: annual recurring operating expenses.
   Initial staffing: hours needed for the project lifecycle from creation to maintenance.
   Ongoing staffing: required full-time employee dedication for ongoing operations and maintenance.
   Alignment with the organization: how well does the gap initiative align with strategic corporate goals and objectives? Can be represented by alignment with defined corporate strategy, alignment with stakeholders, or other means.
   Security benefit: relative security benefit or risk reduction provided by the initiative.
   The purpose is to compare gap initiatives based on a standardized list of prioritization variables with known parameters.
   When considering these parameters, consider using already existing project management resource allocation definitions.
   See the next slide for examples of these determinations.
2. For each gap initiative, determine whether it is low, medium, or high for each resource allocation variable using the Security Program Gap Analysis and Roadmap Tool.

Materials
Laptop
Projector

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

Output
Clear parameters around high, medium, and low variables for the initiatives

Record your results in Info-Tech's Security Program Gap Analysis and Roadmap Tool.


66

4.3

Standardize your resourcing levels to keep consistency

CASE STUDY

Industry: Health Care
Source: Anonymized Info-Tech Client
Cost and Benefit to Your Organization on Average
Variable | High | Medium | Low
Initial Cost | $100,000+ | $1,000-$100,000 | <$1,000
Ongoing Cost (annual) | $20,000+ | $200-$20,000 | <$200
Initial Staffing Hours | 300+ hours | 80-300 hours | <80 hours
Ongoing Staffing Hours (annual) | 1+ FTE | 0.5-1 FTE | <0.5 FTE
Alignment with Business | Directly supports a critical clinical strategy | Indirectly supports clinical strategy | All other
Benefit | Directly impacts or improves clinical, compliance, or legal risk reduction | Indirectly impacts or improves clinical, compliance, or legal risk reduction | Foundational compliance control/visibility improvement

Industry: Manufacturing
Source: Anonymized Info-Tech Client
Cost and Benefit to Your Organization on Average
Variable | High | Medium | Low
Initial Cost | $100,000+ | $10,000-$100,000 | <$10,000
Ongoing Cost (annual) | $20,000+ | $4,000-$20,000 | <$4,000
Initial Staffing Hours | 80+ hours | 20-80 hours | Under 20 hours
Ongoing Staffing Hours (annual) | 2,000+ hours | 100-2,000 hours | <100 hours
Alignment with Business | Board/executive support | Functional head/department head/plant manager support | User or IT-only support
Benefit | Significant | Moderate | Minimal


67

Build an effort map

4.4

Estimate 90 minutes

Steps:
1. Determine your three axes for your effort map. This includes the X-axis (horizontal), Y-axis (vertical), and Z-axis (depth).
   When mapping cost as an axis it is recommended to combine monetary costs and staffing, as both can be considered a cost.
2. Place your gap initiatives onto the effort map based on your determined axes.
3. Discuss the overall effort map for all compliance gap initiatives.

Example (diagram on the original slide): the X-axis runs from Low Cost to High Cost, the Y-axis from Low Benefit to High Benefit, and High, Medium, and Low Alignment form the depth layers.

An effort map is an easy way to communicate with stakeholders how your compliance gap initiatives were prioritized.

Materials
Whiteboard
Sticky notes
Laptop

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

Output
Communicable deliverable to demonstrate the effort behind each initiative

Record your results in Info-Tech's Security Governance and Management Gap Analysis and Roadmap Tool.
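As an added example, not a tool from Info-Tech or code from the deck, the following Python script works steps 4.3 and 4.4 on constructed sample initiatives: it rates each cost and staffing variable against the health-care case-study thresholds shown above, combines them into the single cost axis the effort map uses, places each initiative in an effort-map cell, and orders the initiatives for discussion. The combination rule (an initiative takes the highest level reached by any of its cost variables) and the sort order are assumptions of this example, not stated in the deck.

```python
from dataclasses import dataclass

# Low/medium/high boundaries for the cost and staffing variables of step 4.3.
# These are the health-care case-study values from the deck; an organization
# should substitute its own definitions. Each tuple holds the value at which
# "medium" starts and the value at which "high" starts.
THRESHOLDS = {
    "initial_cost": (1_000, 100_000),   # one-time dollars
    "ongoing_cost": (200, 20_000),      # annual dollars
    "initial_hours": (80, 300),         # project hours
    "ongoing_fte": (0.5, 1.0),          # full-time equivalents per year
}

RANK = {"low": 0, "medium": 1, "high": 2}


def level(value, variable):
    """Map a raw number to low/medium/high using the organization's thresholds."""
    medium_from, high_from = THRESHOLDS[variable]
    if value >= high_from:
        return "high"
    if value >= medium_from:
        return "medium"
    return "low"


@dataclass
class Initiative:
    name: str
    initial_cost: float
    ongoing_cost: float
    initial_hours: float
    ongoing_fte: float
    alignment: str   # judged in the workshop: low / medium / high
    benefit: str     # judged in the workshop: low / medium / high

    def cost_level(self):
        """Combined cost axis for the effort map (step 4.4).

        Assumption (not stated in the deck): monetary and staffing costs are
        combined conservatively, so the initiative is rated at the highest
        level that any single cost variable reaches.
        """
        levels = [
            level(self.initial_cost, "initial_cost"),
            level(self.ongoing_cost, "ongoing_cost"),
            level(self.initial_hours, "initial_hours"),
            level(self.ongoing_fte, "ongoing_fte"),
        ]
        return max(levels, key=RANK.__getitem__)


def effort_map(initiatives):
    """Group initiative names by their (cost, benefit, alignment) effort-map cell."""
    cells = {}
    for item in initiatives:
        key = (item.cost_level(), item.benefit, item.alignment)
        cells.setdefault(key, []).append(item.name)
    return cells


def prioritize(initiatives):
    """Assumed ordering: highest benefit first, then lowest cost, then best alignment."""
    ordered = sorted(
        initiatives,
        key=lambda i: (-RANK[i.benefit], RANK[i.cost_level()],
                       -RANK[i.alignment], i.name),
    )
    return [i.name for i in ordered]


# Constructed sample initiatives (not client data); the names are taken from
# the "Evaluate current security projects" slide, the numbers are made up.
SAMPLE = [
    Initiative("Formalize security organizational structure", 0, 0, 40, 0.1, "high", "high"),
    Initiative("Conduct internal audits", 5_000, 1_000, 120, 0.25, "medium", "high"),
    Initiative("Develop a security metrics program", 20_000, 3_000, 200, 0.5, "medium", "medium"),
    Initiative("Develop a security services catalog", 500, 100, 60, 0.1, "low", "low"),
]

if __name__ == "__main__":
    for cell, names in sorted(effort_map(SAMPLE).items()):
        print(cell, names)
    print(prioritize(SAMPLE))
```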


68

Design your security roadmap by determining the start and end times of your gap initiatives

4.5

Estimate 120 minutes. Review the timeline as you move forward.

Steps:
1. Go through each phase in sequential order and determine the start time and end time of each gap initiative. Consider taking a quarterly approach to this activity.
2. Use the phased approach from Step 3.4 to create the timelines for the gap initiatives as needed.
3. Go through each gap initiative and assign primary responsibility for implementing the gap initiative.

Suggestion
After every five initiatives, review tab 7, Gantt Chart, to visualize your timelines and ensure that these follow your expectations.

Note: The associated roadmap tool is quite flexible, so this can be taken from a quarterly, monthly, or any other time-based approach.
Consider how each phase/initiative can take different amounts of time. For example, all of phase 1 may take about two quarters since phase 1 usually has smaller initiatives. However, later phases generally could be placed across many quarters or years.

Materials
Laptop
Projector

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

Output
Initial roadmap of your initiatives

Record your results in Info-Tech's Security Governance and Management Gap Analysis and Roadmap Tool.


69

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop
Book a workshop with our Info-Tech analysts:
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

4.1 Identify existing gaps
Determine where there are gaps between the target state and the current state. Review if these components are necessary, nice to have, or not needed, while determining if the gap is substantial or not.

4.2 Build initiatives to bridge the gap
Create initiatives that close the gap and bring the components to the desired levels. Determine where initiatives can be combined into larger projects, or when they can be combined with existing projects, with the help of an Info-Tech facilitator.


70

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop
Book a workshop with our Info-Tech analysts:

4.3 Estimate the resources needed
An Info-Tech analyst will help decide what boundaries to set around your cost, staffing, and benefit variables in a low, medium, and high setting. This will then be used to classify each initiative to then allow for a clear prioritization through a cost-benefit analysis.

4.4 Build an effort map
Using a quadrant, create an effort map along the variables of cost and benefit. Further, extend this to when there is high, medium, and low alignment to existing security and business projects.

4.5 Design your security roadmap by determining the start and end times of your gap initiatives
Using the prioritized initiatives, indicate how the projects should be implemented through the use of a Gantt chart. Assign owners to take responsibility for these projects, while checking that projects are completed in a timely manner.


71

PHASE 4
Implement Gap Initiatives


72

Phase 4 outline
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 4: Implement gap initiatives
Proposed Time to Completion: 2-4 weeks

Step 5.1-5.2: Finalize roadmap and build deliverables
Start with an analyst kick off call:
Review the final roadmap to ensure that it's actionable.
Identify which deliverables need to be built out and use the many templates to build them.
Then complete these activities:
Build out component deliverables, with the extensive list of tools and templates that are currently available on the website.
With these tools & templates:
Tools & templates available on the website.

Step 6.1: Develop your security metrics
Review findings with analyst:
Bring any existing deliverables and have the analyst provide feedback as needed.
Discuss relevant metrics that can be used for your program.
Then complete these activities:
Determine which metrics will be used by the organization to measure its overall security program.
With these tools & templates:
Security Metrics Assessment Tool

Phase 4 Results & Insights:
Completed governance and management deliverables.


73

Step 5: Implement Governance Initiatives

This step will walk you through the following activities:
Review of the security roadmap.
Creation of complementary security deliverables to enhance and enable the security governance and management program.

This step involves the following participants:
CISO/Head of Security
Entire Security Team
CIO

Outcomes of this step
Finalized security governance and management roadmap and action plan.
Finalized deliverables in areas of information security charter, organizational structure, culture and awareness, risk management, policies, services, compliance management, external and internal audit, HR security, vendor management, incident management, eDiscovery and forensics, backup and recovery, and InfoSec in BCM.


74

5.1 Finalize security governance and management roadmap and action plan
Estimate 30 minutes.
Review the final Gantt chart to confirm the expected start and end dates for your security initiatives as part of your roadmap.

Questions to think about:
Does this roadmap make sense for our organization?
Do we focus too much on one quarter over the others?
Is the current implementation more feasible than the others?
Should an initiative be moved from one quarter to another based on expected resourcing?
Will the business be going through any significant changes during the upcoming years that will directly impact this project?

Materials
Projector
Laptop

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

OUTPUT
Finalized security roadmap


75

5.2 Implement your gap initiatives using Info-Tech's library of tools and templates
Information Security Governance and Management Gap Analysis and Roadmap Tool
Information Security Charter
Information Security Governance Organizational Structure
Information Security Risk Management Template
Information Security Compliance Template
ISO 27001: 2013 Annex A Self-Check List
MSSP RFP Template
Employee Termination Process Checklist IT Security Example
Physical Access Policy Template
Information Security Incident Response Process Template
Backup Operating Procedures Template
Recovery Operating Procedures Template
eDiscovery Procedure for Legal Search
Security Service Catalog Template
DR Team Build Sheet
Information Security Training Tool
Security Governance and Management Communication Plan


76

Build a security charter

5.2

Estimate 120 minutes

A security charter can formalize and define your security governance, and provide value in implementing your security strategy. Involving multiple stakeholders in the creation of the charter will allow you to build a charter that is truly reflective of your organization.

Steps
Build out your charter by using Info-Tech's Information Security Charter template.

This template will go over:
Vision
Mission
Scope
Security Objectives
Responsibilities
Principles
Corporate and Management Commitment to the Charter
Charter Evaluation and Renewal Requirements

Materials
Projector
Laptop

Participants
Business leaders
IT leaders
Security team members

Output
Security charter

Build your charter using Info-Tech's Information Security Charter template.


77

Create and institutionalize a formalized security organizational structure

5.2

60 minutes
An organizational structure demonstrates the roles, responsibilities, and accountabilities of the different staff members that are related to security.

Steps
Build out your organizational structure by using Info-Tech's Security Governance Organizational Structure template.

Best practices:
The security organizational structure should demonstrate senior management's commitment to security, along with clear and explicit assignments of their information security responsibilities. Management should also show acknowledgement of their responsibilities.
The personnel responsible and accountable for each responsibility need to be documented and made available for the organization's reference.
Appropriate contacts with special interest groups, specialist security forums, and other professional associations should also be maintained.
The information security responsibilities of all personnel should be assigned based on their knowledge, experience, and skill sets.


78

5.2

Determine your information security awareness and training program appropriateness
45 minutes

Steps:
Complete Info-Tech's Information Security Awareness and Training Appropriateness Tool to determine the level of need that your organization has for this program.
It will also help to identify the drivers behind the program as well as the benefits that you will be able to realize with the completion of this project. This will assist in making the case for training within your organization. Without a key focus on your needs and benefits, it will be difficult to explain to other stakeholders why this will be necessary.

Some questions you may want to consider include:
Will this allow for significant savings for the organization and IT department?
Will the training allow for fewer security-related breaches?
Are your end users going to change their behavior or continue making the same mistakes?
If your training or awareness plan is completed, will the security posture of your organization actually strengthen?

5.2 Formalize your risk posture and create a risk management process
180 minutes

Both security governance and management are involved in this process. The security governance function needs to define the organization's risk appetite and the security management function needs to outline a risk management process.

Steps:
Complete or adapt Info-Tech's Security Risk Management Workbook for your organization.

Tip
Avoid using vague risk-related terms such as "moderate level of risk". Ensure that all such terms have a more explicit definition.

For related research on security risk management, refer to Info-Tech's Develop and Implement a Security Risk Management Program.


5.2 Create security policies for your organization
60 minutes. Can increase greatly, if policies are being created as well.

Steps:
1. Determine required policies.
   a) Identify the assets that need to be protected.
   b) Identify vulnerabilities and threats.
   c) Create measures that will protect the identified assets in the most cost-effective way.
2. Prioritize the policies.
3. Develop and distribute the policies.

Tips:
Reviewing and creating certain policies with other departments will provide each department with an opportunity to voice their concerns and make an impact on the policies. When the leader of a department is involved, they're more likely to support the policies and encourage their teams to follow them.
Remember to communicate policies in an easily understandable language. Vagueness and technical jargon impede policy adoption.
The policies should be easily accessible for all employees (e.g. company's employee handbook) and in some cases, the employees should formally acknowledge that they've read and understood the policies.
The policy should be overseen by someone who has enough status in the organization to enforce it.

Info-Tech has a large list of security policies including, but not limited to:
Information Security Policy Charter Template
Access Control Policy Template
Communications Security Policy Template
Risk Assessment Policy Template
Cryptography Policy Template
Human Resources Security Policy Template
Information Security Aspects of Business Continuity Planning Policy Template
Information Security Incident Management Policy Template
IT Security Risk Strategy Policy Template
Operations Security Policy Template
Identity and Access Management Policy
Data Protection Policy
Physical and Environmental Security Policy Template
Security in Supplier Relationships Policy Template


5.2 Create a process to formalize and manage your services through a security services catalog
120 minutes

Steps:
Complete or adapt Info-Tech's Security Service Catalog Tool for your organization.

Use this list as a starting point to build your security service catalog.
Provide security assessments and testing.
Provide security training and awareness.
Provide security project support.
Provide security policy management services.
Provide user access and access rights to support business requirements.
Provide adequately secured and configured systems.
Provide adequate protection against malware, external attacks, and intrusion attempts.
Provide adequate incident response measures.
BCM support.
Provide security backup and recovery services.

For real world examples, look at the service catalogs provided by University of Victoria and the State of North Carolina.


5.2 Be prepared to manage security audits
60 minutes

Steps:
Build out your audit processes around the following:

Audit Planning
Ensure that the auditors have most, if not all, of the requested information delivered to them when they arrive for the audit.

Onsite Arrival
Prepare for the arrival of auditors by establishing a clear schedule for interviews and other logistics.

Audit Execution
This continues from the arrival of the auditors until the end of the audit to review documents, conduct interviews, and provide status meetings.

Report Issuance and Finding Remediation
Control deficiencies will now be known and should be communicated to the appropriate stakeholders.

Complete Info-Tech's ISO 27001:2013 Annex A Self-Check List to evaluate your current maturity level in preparation for an audit.


5.2 Create a process for security vendor management
60 minutes

There are four major steps to managing vendors:

1. Identify the need to outsource.
   a. Create a business case to outsource.
   b. Anticipate potential problems.
   c. Assign organizational roles.
   d. Prepare a specification and RFP.
   e. Specify financial terms and pricing.

2. Select a provider.
   a. Scope vendors.
   b. Choose a vendor.
   c. Negotiate the arrangement.
   If looking for a vendor to provide security, complete or adapt Info-Tech's MSSP RFP Template for your organization.

3. Manage the arrangement.
   a. Address performance factors and metrics.
   b. Monitor performance.

4. Transition out if the arrangement ends.
   a. Continue to monitor vendor performance.
   b. Ensure all property is returned to its original owner.
   c. Ensure documentation is fully maintained and up to date.
   d. Ensure that data owned by each party is returned.
   e. Ensure requirements for confidentiality and non-disclosure continue to be followed.

5.2 Create a process for HR security management
60 minutes

HR Security Considerations

Prior to Employment:
Security roles and responsibilities of the new employee, contractor, or third party must be defined and documented.
Potential personnel will be given a background check prior to hire to minimize the risk of attacks from internal sources.
New employees, contractors, and third-party users need to agree and sign the terms and conditions of their employment contract, which will state their responsibilities for organizational security.

During Employment:
Management should require all employees, contractors, and third-party users to follow security procedures.
Information security awareness, education, and training should be provided.
A formal disciplinary process should be defined for employees who've committed a security breach.

Termination or Change of Employment:
Responsibilities for performing employee termination or change of employment should be clearly defined and assigned.
All employees, contractors, and third-party users need to return the organization's assets upon termination of employment.
The access rights of all employees, contractors, and third-party users must be removed upon termination of their employment.

Steps
Develop an employee termination process checklist by completing or adapting Info-Tech's IT Security Employee Termination Process Checklist template to kick-start HR security management for your organization.

5.2 Create and institutionalize a security incident management process
120 minutes

Steps:
Complete or adapt Info-Tech's Information Security Incident Management Guide.

Typical Security Incident Management Process

Identification & Classification
Analyze the situation, scope, and impact.

Confirmation
Confirm the severity level of the security incident and problem.

Containment
Contain the incidents to prevent any further damage to information assets.

Investigation
Systematically investigate the potential causes to provide cost-effective suggestions and solutions.

Escalation
Escalate incident or event for support when further capabilities, resources, or time is needed.

Resolution
Resolve incidents as quickly as possible. It is important to find the root cause of the problem and implement appropriate solutions.

Recording and Tracking
Security incidents and events are recorded in an incident and problem inventory log for tracking, analysis, and reporting purposes.

For related research on security risk management, refer to Info-Tech's Develop and Implement a Security Incident Management Program.


5.2 Create a process to manage eDiscovery and forensic processes
90 minutes

Steps:
Complete or adapt Info-Tech's Information eDiscovery Procedure for Legal Search template.

General phases of eDiscovery and computer forensics:

Data Collection
Data collection involves identifying, labeling, recording, and acquiring relevant data while following guidelines and procedures that preserve the integrity of the data.
Collection is usually performed in a timely manner to minimize the likelihood of losing dynamic data.

Examination
Examination refers to forensically processing large amounts of collected data using a combination of automated and manual methods to extract data of interest while preserving its integrity.

Analysis
The results of the examination are analyzed to derive useful information that addresses the driver for the investigation.

Reporting
The reporting aspect may include describing the process or actions used, explaining how tools and procedures were selected, and determining what other actions are needed. The formality of the reporting is largely dependent on the situation.
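The integrity preservation that the Data Collection and Examination phases above call for, shown as an added Python example (not part of Info-Tech's template): each item is labeled and hashed at acquisition, every hand-off is logged, and the hash is re-checked before examination begins. The evidence files, labels and analyst names are constructed sample data.

```python
"""Added example (not Info-Tech's template or tooling): an evidence manifest
with integrity hashes and a chain-of-custody log for the Data Collection and
Examination phases.  All file names, labels and custody events below are
constructed sample data."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash in chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class EvidenceItem:
    label: str                 # identifier assigned at collection, e.g. EV-001
    source: str                # where the data was acquired from
    sha256: str                # hash taken at acquisition time
    size: int
    custody: list = field(default_factory=list)   # ordered chain-of-custody events

    def log(self, actor: str, action: str, when: datetime) -> None:
        self.custody.append({"actor": actor, "action": action, "at": when.isoformat()})


def collect(path: str, label: str, collector: str, when: datetime) -> EvidenceItem:
    """Collection phase: identify, label, record and hash the item."""
    item = EvidenceItem(label, path, sha256_file(path), os.path.getsize(path))
    item.log(collector, "collected", when)
    return item


def verify(item: EvidenceItem, path: str, examiner: str, when: datetime) -> bool:
    """Examination phase: re-hash before any processing and record the outcome.
    A mismatch means the item can no longer be relied on and must be re-acquired."""
    ok = sha256_file(path) == item.sha256
    item.log(examiner, "integrity verified" if ok else "INTEGRITY FAILURE", when)
    return ok


def write_manifest(items, path: str) -> None:
    """The manifest travels with the evidence and feeds the Reporting phase."""
    with open(path, "w") as f:
        json.dump([asdict(i) for i in items], f, indent=2)


def run_demo():
    """Constructed scenario: one item unchanged, one altered after collection."""
    t0 = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        mailbox = os.path.join(d, "mailbox-export.pst")
        history = os.path.join(d, "shell-history.txt")
        with open(mailbox, "wb") as f:
            f.write(b"constructed mailbox export\n")
        with open(history, "wb") as f:
            f.write(b"cd /var/log\nls -la\n")
        items = [collect(mailbox, "EV-001", "analyst.a", t0),
                 collect(history, "EV-002", "analyst.a", t0)]
        # Simulate an unauthorised modification between collection and examination.
        with open(history, "ab") as f:
            f.write(b"echo tampered\n")
        ok_mailbox = verify(items[0], mailbox, "examiner.b", t0)
        ok_history = verify(items[1], history, "examiner.b", t0)
        write_manifest(items, os.path.join(d, "manifest.json"))
        return ok_mailbox, ok_history, items


if __name__ == "__main__":
    print(run_demo()[:2])   # (True, False)
```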

5.2 Create a process for backup and recovery management
120 minutes

Follow the process below to build a process for backup and recovery management.
1. Define your current backup procedures.
2. Determine what you should back up based on its importance to the organization and the cost of backing it up.
   Remember that backups minimize loss but don't eliminate it completely.
   Conduct this step with your users and stakeholders to determine what their needs are.
   Prioritize what needs to be backed up, starting by identifying activities that are critical for the business to function and are compliance requirements.
   Identify critical applications that support your business activities and map dependencies to determine applications that require backup.
3. Build a comprehensive strategy that addresses backup of hardware, software, and processes.
4. Determine your RPO and RTO capabilities.
5. Communicate your backup and recovery capabilities through Service Level Agreements (SLAs) with your users and stakeholders.
   Clarify your SLA through a detailed description of the services you can offer (e.g. data recovery with specific recovery points and backup granularity), standards of service (e.g. how quickly you can respond to requests), processes and procedures you'll follow, and how you'll measure your success.
6. Ensure recoverability through regular scheduled restore tests.
   Regularly test your recovery capabilities to demonstrate reliability to your users and stakeholders; document each restore test.

Complete or adapt Info-Tech's Backup and Recovery SOP templates for your organization.

5.2 Create and formalize a security process within the BC/DR plans for your organization
120 minutes

Follow best practices for creating a DR plan and team, while keeping security front of mind.

1. Build a disaster recovery (DR) team that can effectively restore operations in a disaster situation.
   Best Practices:
   o Assign a disaster co-ordinator to manage recovery efforts, co-ordinate resources, and communicate with senior management and other stakeholders.
   o Clearly define the roles and responsibilities of the DR team.
   o Cross-train your DR team members to create a redundancy of skills, which will increase deployment flexibility.
2. Create a process to respond to and recover from a disaster with minimal organizational impact.
   There are three phases in disaster response: assessment, implementation, and restoration.
3. Test your disaster recovery capabilities.
   Best practices include using a wide range of testing methods. There are four DR testing models:
   o Tabletop exercises: DR team walks through DR documentation without simulating an actual disaster.
   o Simulation exercises: Bring recovery systems online to make sure they have the ability to operate as needed.
   o Parallel exercises: Bring recovery systems online to process historical data and ensure systems can operate as needed.
   o Full-scale exercises: Involves full migration to an alternative site with a restore of all data from the organization.

Complete or adapt Info-Tech's DRP Team Build Sheet and DRP Test Worksheet for your organization.

Step 6: Develop metrics

Project steps: 1 Make the case; 2 Determine the security pressure posture; 3 Establish target state; 4 Conduct a gap analysis; 5 Implement governance initiatives; 6 Develop metrics and continuous improvement.

This step will walk you through the following activities:
Developing key metrics that can effectively measure the entire security governance and management program.

This step involves the following participants:
CISO/Head of Security
Entire Security Team

Outcomes of this step
Effective metrics that measure the security program effectively.
Roadmap of when to initiate the different metrics.
Forward planning through continuous improvement.


6.1 Understand the need for a measurement program

A poorly designed metrics program is worse than having no metrics program at all. The results of poorly designed metrics could be misleading and provide a false sense of security.

A good security measurement program serves several purposes:
It indicates how secure the organization is.
It indicates how well security is meeting its obligations.
It provides evidence of how security is supporting business goals.
It enables managers to make well-informed security decisions (e.g. where to invest in security).

Metrics can measure both quantitative and qualitative subjects.
Quantitative metrics: Metrics that measure hard benefits such as resource allocations or reductions in operational costs.
Qualitative metrics: Metrics that measure soft benefits such as improved customer satisfaction or employee loyalty.


6.1 IT professionals are not the only ones driving the need for metrics

Executives get just as much out of management metrics as the people running them.

Metrics assuage executives' fears
Metrics help executives (and security leaders) feel more at ease with where the company is security-wise. Metrics help identify areas for improvement and gaps in the organization's security posture that can be filled. A good metrics program will help identify deficiencies in most areas, even outside the security program, helping to identify what work needs to be done to reduce risk and increase the security posture of the organization.

Metrics answer executives' questions
Numbers either help ease confusion or signify other areas for improvement. Offering quantifiable evidence, in a language that the business can understand, offers better understanding and insight into the information security program. Metrics also help educate on types of threats, staff needed for security, and budget needed to decrease risk based on management's threat tolerance. Metrics help make an organization more transparent, prepared, and knowledgeable.

Metrics help to continually prove security's worth
Traditionally, the security team has had to fight for a seat at the executive table, with little to no way to communicate with the business. However, the new trend is that security is being invited before they have even asked to join. This trend allows the security team to better communicate on the organization's security posture, describe threats and vulnerabilities, present a plan of action, and get a pulse on the organization's risk tolerance.

6.1 Examine the attributes of a good metrics program

Metrics Program Best Practices:
A metrics program is more than just a group of metrics. It also needs to outline the following explicitly:
1. What information you need to collect.
2. How you will collect this information.
3. How relevant the metrics are to each group of your stakeholders.
4. How you're going to analyze the metrics.
5. How you're going to report on the metrics.

SMART Metrics
Metrics Best Practices:
Aim to develop SMART (Specific, Measurable, Actionable, Relevant, Timely) metrics.
Specific: Use specific metrics that don't leave room for vagueness and subjectivity, to avoid the possibility of misinterpretation.
Measurable: Use measurable metrics that you can compare with other data to generate meaningful analysis.
Actionable: Use metrics that provide directive information for the organization to execute on.
Realistic: Use metrics that are realistic to track over time, based on the organization's constraints (e.g. is it cost effective?).
Timely: Consider whether your metrics analyze data in real-time or if they must be analyzed over time.

Other considerations
It is important to ensure that your metrics can be easily gathered and are relevant to the people who will be consuming them.
Raw data often holds insignificant value to business management. You may need to translate your raw data into business values (e.g. dollars).
Make sure someone is accountable for leading the metrics program.
Act on your metrics. The real value of metrics comes from interpreting them and using the information for improvement.


6.1 Determine your target metrics framework and perform a gap analysis
Estimate 30 minutes.

Start on Tab 4 of the Security Metrics Assessment Tool, as you will have already determined your risk tolerance in the previous steps of the project.

Steps
1. Select the goal of your metrics program, determined from your risk tolerance level.
2. The goal will dictate Recommended Baseline Targets. Use these recommendations to fill out the actual Target State.
3. List the Current State, Gap Detail, and Gap Summary.
4. Quantify the discrepancy between the Target and Current States by indicating the Gap Scale (1-5).
5. View the chart on the Results tab for a quick visualization and summary to share with the team developing this metrics program.

Materials
Laptop
Projector

Participants
IT and security leaders
Network, server, desktop, help desk staff
Security team members

Output
Identified gaps in the metrics

For a more detailed analysis of developing security metrics, review Info-Tech's blueprint, Implement and Optimize an Effective Security Management Metrics Program.


6.2 Consolidate and organize the metrics
Estimate 120 minutes

View Type: What is the high-level audience? e.g. Management, Operational, Technical
Audience: To which roles will this metric be relevant? e.g. CISO, Infrastructure Manager, Help Desk
Responsible: Who is the owner of this metric? (in charge of tracking, reporting, etc.)
Metric Source(s): From where will this metric be measured?
Start Date / Number of Quarters Until Assessment: When will the metric start being tracked and how long until the data is assessed and reported?


6.3 Prioritize the recommended metrics
Estimate 30 minutes

1. Create a grid (such as the example below) of Affordability versus Alignment with Business Objectives (or other relevant factors) on a whiteboard or table top.
2. Assign each square an estimated start date to begin tracking metrics. The upper-right will represent metrics with high affordability and low alignment with business objectives, so assign it a sooner time frame (e.g. this year, next quarter).
3. Write each metric listed in the Metrics Worksheet (step 1.4) on a sticky note.
4. With team members, discuss an appropriate timeline for each metric and place it on the grid. Make sure you can justify each placement.
5. Analyze the resulting grid. Use the information to fill in the Start Date and Number of Quarters Until Assessment columns in tab 6. Metrics Worksheet. This information will be used to develop the final Metrics Roadmap (tab 8).

Materials
Whiteboard / Table
Sticky Notes / Paper

Participants
Security team members

Output
Estimated order and dates to begin tracking metrics


6.4 Develop the security metrics program roadmap
Estimate 30 minutes

Steps
1. The roadmap will automatically populate based on the Prioritization exercise (tab 7) and Start Date and Number of Quarters Until Assessment columns of the Metrics Worksheet (tab 6).
2. Add an owner for each metric under the Responsibility column.
3. Use the roadmap as a guide to what is being tracked, by whom, and when.

Materials
Laptop
Projector

Participants
Security team members

Output
Roadmap of the metrics implementation


6.5 Develop a cycle of continuous improvement through your measurement program

Use your metrics to determine where there are gaps in security or areas to optimize to ensure that there is continuous improvement.

Optimize your program:
Leverage the metrics that have been created to determine how to continually improve your program.
Find areas where security resources can be managed more effectively.
Respond to incidents more quickly.
Communicate more effectively and efficiently through clear metrics.
Validate any new security controls.
Create new preventive actions.
Compare and contrast performance through year over year comparisons of the metrics.
Compare and contrast performance to industry benchmarks.
Provide a simpler way for audits to take place.

Continuous improvement cycle: Metrics, Implementation, Audit, Remediation & Improvement, and back to Metrics.


If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

5.1 Finalize roadmap and action plan
Review the final Gantt chart of all the different initiatives to ensure that it follows organizational needs and can be accomplished.

5.2 Build out governance and management deliverables
Through the wide range of deliverables needed for governance and management, focus on the top three and work with an Info-Tech analyst to build these out as needed for your organization.



6.1 Develop your security metrics
Build out effective security metrics that ensure that your organization's security can be measured effectively. You will be able to define the type of metric, the audience it will go out to, who is responsible, and where the data is being collected from.


