Developing an Information Security Strategy & Program

When it comes to Information Security management, one of the most interesting and difficult
task is developing an Information Security strategy and program. Why is a Strategy required?
Lets see the following statement:
Developing and maintaining an information security strategy is essential to the success of your
program. This strategy serves as the road map for establishing your program and adapting it to
future challenges. By following a consistent methodology for developing your strategy, you are
more likely to achieve high-quality results during the process and complete the project in a
timely manner [1]
So, what is the difference between a strategy and a program? Well, they are related in the
following way:

An Information Security strategy will set long-term objectives (or security objectives),
normally by determining the Organizations current state and the desired state in
information security matters. The planning horizon is normally for 5 years.

An Information Security program is what will take the Organization from that current
state to the desired state, by executing short, long and mid-term projects.

Information Security by Agustin Chernitsky

This blog is dedicated to the Information Security Community. I will post all articles / research
published by me here. Hope it's useful for all!

Sunday, October 23, 2011

Developing an Information Security Strategy & Program
When it comes to Information Security management, one of the most interesting and difficult
task is developing an Information Security strategy and program. Why is a Strategy required?
Lets see the following statement:
Developing and maintaining an information security strategy is essential to the success of your
program. This strategy serves as the road map for establishing your program and adapting it to
future challenges. By following a consistent methodology for developing your strategy, you are

more likely to achieve high-quality results during the process and complete the project in a
timely manner [1]
So, what is the difference between a strategy and a program? Well, they are related in the
following way:

An Information Security strategy will set long-term objectives (or security objectives),
normally by determining the Organizations current state and the desired state in
information security matters. The planning horizon is normally for 5 years.

An Information Security program is what will take the Organization from that current
state to the desired state, by executing short, long and mid-term projects.

The program should be based on a Strategy. We know that the core of any security program will
be Risk Management, Policies, procedures & standards, information security organization
structures, information classification and awareness & education. But depending on the
Organization and where it wants to set its security objectives, these core foundations will be
modified depending on their strategy.

For starters
The following steps are the basic foundations for a successful Information Security Strategy
(ISS):

Step 1: Strategic Alignment

Creating an ISS is not an easy thing and its not 100% Information Security related either. A good
ISS has to be aligned with the business process and objectives of the Organization that we are
creating it for. In other words, we have to know and understand the Organizations mission and
align our ISS that same way. This is not an easy thing but it is critical.

Step 2: Executive Management Support

Another key of success is having Executive Management support. Now again, this is not easy,
but is one of the most important things. Management must understand that Information
Security is not a bunch of firewalls, Antivirus software and having strong passwords.
Information Security is a living thing that requires its management, hence, a definition for
Information Security Management would be all the activities that properly identify and value an
Organizations information assets and that together, provide confidentiality, integrity and
availability to them.
A Steering Committee can be established with Executive Management to formally include them
in the process (basis for an Information Security Governance initiative).

Step 3: Regulatory Requirements

And finally, what are our regulatory requirements? Based on the Organizations business process
and objectives, we will be able to define what regulatory requirements the Organization must be
compliant with. For example, if an Organization sells Health related products (drugs or
equipment), they must comply with FDA requirements. Also, if they handle Protected Health
Information (PHI), they must also be compliant with HIPAA.

How to Develop a Strategy

So, once we have Executive support, we know the Organizations business objectives and
regulatory requirements, we need to know two things: where we are standing and where we want
to go to.

Step 4: Information Security Strategy

Framework
So, to know where the Organization is standing in Information Security matters, we need to
compare its current state against Industrys best practices (standards and frameworks). These
must be the same ones that we are going to use to define the desired state. Why? Because by
using the same standards and frameworks, we can perform a more accurate GAP analysis (its
like comparing apples with apples).
So what best practices should we use? Again, depends on what are the Organizations objectives.
Normally, I would recommend on a standard / frameworks like NIST, ISO 27.002, CMMI,
CobiT, ITIL, COSO and then add required controls by regulatory requirements (call
it PCI, HIPAA, FDA, FFEIC). Normally a Mapping analysis between different standards and
regulatory requirements will be necessary in order to avoid control repetition.
Also, it is possible to combine two or more standards or frameworks. For example, we can use
the ISO 27.002 11 security control clauses in combination of Capability Maturity Model (CMM)
where for each clause we could estimate the current state:

The combination of all the standards and frameworks creates what I like to call the ISS
Framework that we will use to define the security objectives. Also this can be known as the
Corporate Security Framework.

Step 5: Current State

Now that we have defined an ISS Framework, we need to determine our current state. In order to
do that, two things must be done: a GAP analysis against the ISS Framework and a Risk
Analysis.
It recommended that a Risk Assessment framework is used (ie NIST SP800-30, CobiT, RiskIT,
etc.). Also, the ISS Framework controls can be included as part of the Risk Analysis when
performing the Vulnerability Identification (from NIST SP800-30), since missing or not fully
implemented controls introduce vulnerabilities and resulting risks.

The scope of the Risk Assessment

must include all applications and
devices that transmit, process or store
critical information (i.e. critical

applications and general support

systems). In order to do this, the following
conditions have to be met:

1.Information assets and resources properly

identified
2.Information assets and resources are properly
valuated
3.Information assets are classified according to its
confidentiality, integrity and availability
requirements.
Without those conditions, a sound ISS cannot be achieved.
The output of the Risk Analysis (plus GAP analysis) will be the current threat profile and
the identified risks to the Organization. If we are using another standard or framework, like
CMMI, then we would need to assign a level to each control clause based on the results obtained.
An important thing to define in this step is the Risk Appetite of the Organization. When we talk
about the risk appetite, we are talking about the amount of risk an enterprise is prepared to
accept. Risk appetite can and will be different amongst enterprises, hence there is no absolute
norm or standard of what constitutes acceptable and unacceptable risk.

Step 6: Desired State

With the Organization actual status, we can define the desired state. Again, we have to use the
same ISS Framework we defined in step 4. Now its time to

define the
Information Security objectives (long term) for the Organization. For
example:

Become PCI compliant.

Become HIPAA compliant

Implement Asset Management control clause (at least level 4)

Implement Business Continuity Management (at least level 5)

Two critical things should be considered when defining the objectives: the Risk Appetite of the
Organization and the strategic alignment.
Risk appetite should be considered since it will modify the desired state. An Organization with
a greater risk appetite will not fully implement all controls, while one with almost cero risk
tolerance will implement almost every control.
Finally, objectives that do not support the Organizations business strategy should not be
considered.

Build the Roadmap

Now that we have the desired state or the information security strategy, what will take us from
the current state to that desired state is the Information Security Program (ISP). The ISP consists
of all the activities that together provide Information Security. Normally, it will consist of
short and medium term projects with some of them being recurring ones, such as Risk
Assessments and Awareness & Education.

Step 7: Information Security Program (ISP) framework

It is important to define what framework we are going to use to develop the ISP. There is no
straight answer here, we can have a custom made framework like 1) Plan / Organize, 2)
Implement, 3) Maintain / Operate 4) Monitor / Evaluate or we could apply the PDCA (Plan Do
Check Act) from the ISO 27.001 standard.
Whatever is the framework that we apply, as long as it has a planning phase, execution phase,
control phase and feedback / adjustments phase, it should work.

Step 8: Create the ISP

So, based on the Information Security long term objectives (desired state or strategy), we should
break them down in different smaller projects that will help us achieve them. As it was
mentioned before, these projects should be sized based on many factors, like fundings,

criticality, business objectives, resources available, technologies, etc. Normally, the ISP will
involve 5 year projects (aligned to the 5 year planning horizon of the strategy) and a very
important fact is that it is never definite. Why? Because of the nature of its contents: Information
Security always changes!
So it is important to consider constrains that may appear when developing the ISP:

Law
Physical capacity
Ethics
Culture
Costs
Funds
Personnel
Resources
Capabilities
Time
Risk appetite

What are the resources that will be used to achieve various parts of the strategy and use
in the ISP are, among others:

Policies

Standards

Processes

Methods

Controls

Technologies

People

Skills

Training

Education

Other organizational support and assurance providers

So, continuing with our example before:

Step 9: KPI

It will be required to establish a way to analyze the progress of the ISP execution. In order to
achieve this, Key Performance Indicators must be planned, established and executed. Which
KPIs must we use? Well, all projects must be tracked for Schedule and Costs. Other ways that
this can be achieved is by using CMM to monitor how a specific area evolves.

Step 10: Do Check Act

Once we have the ISP ready, according to the Plan - Do - Check - Act framework we should:

Do: Execute the program accordingly.

Check: Monitor the progress of the program frequently

Act: On deviations found, take the necessary corrective actions in order to get on track

ABOUT THE PCI SECURITY STANDARDS COUNCIL

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination
and implementation of security standards for account data protection.
The PCI Security Standards Councils mission is to enhance payment account data security by driving education and awareness
of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB
International, MasterCard, and Visa Inc

ISO/IEC 27000-series
From Wikipedia, the free encyclopedia

The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short)
comprises information security standards published jointly by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series provides best practice recommendations on information security management, risks
and controls within the context of an overall information security management system (ISMS),
similar in design to management systems for quality assurance (the ISO 9000 series) and
environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT
or technical security issues. It is applicable to organizations of all shapes and sizes. All
organizations are encouraged to assess their information security risks, then implement
appropriate information security controls according to their needs, using the guidance and

suggestions where relevant. Given the dynamic nature of information security, the ISMS concept
incorporates continuous feedback and improvement activities, summarized by Deming's "plando-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of
information security incidents.
The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27
(Subcommittee 27), an international body that meets in person twice a year.
At present, twenty-three of the standards in the series are published and available, while several
more are still under development. The original ISO/IEC standards are sold directly by ISO, while
sales outlets associated with various national standards bodies also sell various versions
including local translations.
Contents

1 Published standards

2 In preparation

3 See also

4 External links

Published standards

ISO/IEC 27000 Information security management systems Overview and

vocabulary [1]

ISO/IEC 27001 Information security management systems

Requirements. The older ISO/IEC 27001:2005 standard relied on the Plan-DoCheck-Act cycle; the newer ISO/IEC 27001:2013 does not, but has been
updated in other ways to reflect changes in technologies and in how
organisations manage information.

ISO/IEC 27002 Code of practice for information security management

ISO/IEC 27003 Information security management system implementation

guidance

ISO/IEC 27004 Information security management Measurement

ISO/IEC 27005 Information security risk management

ISO/IEC 27006 Requirements for bodies providing audit and certification of

information security management systems

ISO/IEC 27007 Guidelines for information security management systems

auditing (focused on the management system)

ISO/IEC TR 27008 Guidance for auditors on ISMS controls (focused on the

information security controls)

ISO/IEC 27010 Information technologySecurity techniquesInformation

security management for inter-sector and inter-organizational
communications

ISO/IEC 27011 Information security management guidelines for

telecommunications organizations based on ISO/IEC 27002

ISO/IEC 27013 Guideline on the integrated implementation of ISO/IEC

20000-1 and ISO/IEC 27001

ISO/IEC 27014 Information security governance

ISO/IEC TR 27015 Information security management guidelines for financial

services

ISO/IEC 27031 Guidelines for information and communications technology

readiness for business continuity

ISO/IEC 27032 Guideline for cybersecurity (essentially, 'being a good

neighbor' on the Internet)

ISO/IEC 27033-1 Network security overview and concepts

ISO/IEC 27033-2 Guidelines for the design and implementation of network

security

ISO/IEC 27033-3:2010 Reference networking scenarios - Threats, design

techniques and control issues

ISO/IEC 27034 Guideline for application security

ISO/IEC 27035 Security incident management

ISO/IEC 27037 Guidelines for identification, collection and/or acquisition

and preservation of digital evidence

ISO 27799 Information security management in health using ISO/IEC 27002

In preparation

ISO/IEC 27017 Information security management for cloud systems

ISO/IEC 27018 Data protection for cloud systems

ISO/IEC 27019 Information security management guidelines based on

ISO/IEC 27002 for process control systems specific to the energy utility
industry

ISO/IEC 27033 IT network security, a multi-part standard based on ISO/IEC

18028:2006 (parts 1-3 are published already)

ISO/IEC 27036 Guidelines for security in supplier relationships

ISO/IEC 27038 Specification for redaction of digital documents

ISO/IEC 27039 Intrusion detection and protection systems

ISO/IEC 27040 Guideline on storage security

ISO/IEC 27041 Assurance for digital evidence investigation methods

ISO/IEC 27042 Analysis and interpretation of digital evidence

ISO/IEC 27043 Digital evidence investigation principles and processes

See also

ISO/IEC JTC 1/SC 27 - IT Security techniques

BS 7799, the original British Standard from which ISO/IEC 17799, ISO/IEC
27002 and ISO/IEC 27001 were derived

Document management system

SarbanesOxley Act

Standard of Good Practice published by the Information Security Forum

Federal Financial Institutions Examination Council

From Wikipedia, the free encyclopedia

The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency

body of the United States government empowered to prescribe uniform principles, standards, and
report forms for the federal examination of financial institutions by the Federal Reserve Board of
Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union
Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the
Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote
uniformity in the supervision of financial institutions. It also oversees the systems of real estate
appraisal in the United States.

History
The FFIEC was established March 10, 1979, pursuant to title X of the Financial Institutions
Regulatory and Interest Rate Control Act of 1978 (FIRA).
The FFIEC was given additional statutory responsibilities by section 340 of the Housing and
Community Development Act of 1980 to facilitate public access to data that depository
institutions must disclose under the Home Mortgage Disclosure Act of 1975 (HMDA) and the
aggregation of annual HMDA data, by census tract, for each metropolitan statistical area (MSA).
The Council has established, in accordance with the requirement of the statute, an advisory State
Liaison Committee composed of five representatives of state supervisory agencies.
The Appraisal Subcommittee (ASC) was established within the FFIEC pursuant to title XI of the
Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA). The ASC
oversees The Appraisal Foundation, whose work is in turn accomplished by three independent
Boards: the Appraiser Qualifications Board (AQB), the Appraisal Standards Board (ASB), and
the Appraisal Practices Board (APB), whom collectively regulate real estate appraisal in the
United States.

External links

Federal Financial Institutions Examination Council

U.S. Code, Title 12, Chapter 34 (FFIEC)

U.S. Code, Title 12, Chapter 34A (Appraisal Subcommittee)