When it comes to Information Security management, one of the most interesting and difficult
tasks is developing an Information Security strategy and program. Why is a strategy required?
Let's look at the following statement:
Developing and maintaining an information security strategy is essential to the success of your
program. This strategy serves as the road map for establishing your program and adapting it to
future challenges. By following a consistent methodology for developing your strategy, you are
more likely to achieve high-quality results during the process and complete the project in a
timely manner [1]
So, what is the difference between a strategy and a program? Well, they are related in the
following way:
An Information Security strategy sets long-term objectives (or security objectives),
normally by determining the Organization's current state and its desired state in
information security matters. The planning horizon is normally 5 years.
An Information Security program is what takes the Organization from that current
state to the desired state, by executing short-, mid- and long-term projects.
The program should be based on a strategy. We know that the core of any security program will
be risk management, policies, procedures and standards, information security organization
structures, information classification, and awareness and education. But depending on the
Organization and where it wants to set its security objectives, these core foundations will be
adapted to fit its strategy.
For starters
The following steps are the basic foundations for a successful Information Security Strategy
(ISS):
The combination of all the standards and frameworks creates what I like to call the ISS
Framework, which we will use to define the security objectives. This is also known as the
Corporate Security Framework.
define the
Information Security objectives (long term) for the Organization. For
example:
Two critical things should be considered when defining the objectives: the risk appetite of the
Organization and strategic alignment.
Risk appetite should be considered since it changes the desired state. An Organization with
a greater risk appetite will not fully implement all controls, while one with almost zero risk
tolerance will implement almost every control.
Finally, objectives that do not support the Organization's business strategy should not be
considered.
criticality, business objectives, resources available, technologies, etc. Normally, the ISP will
involve 5-year projects (aligned to the 5-year planning horizon of the strategy), and a very
important fact is that it is never final. Why? Because of the nature of its contents: Information
Security always changes!
So it is important to consider constraints that may appear when developing the ISP:
Law
Physical capacity
Ethics
Culture
Costs
Funds
Personnel
Resources
Capabilities
Time
Risk appetite
The resources that will be used to achieve the various parts of the strategy and that are used
in the ISP are, among others:
Policies
Standards
Processes
Methods
Controls
Technologies
People
Skills
Training
Education
Step 9: KPI
It will be necessary to establish a way to measure the progress of the ISP execution. To
achieve this, Key Performance Indicators (KPIs) must be planned, established and tracked. Which
KPIs must we use? Well, all projects must be tracked for schedule and cost. Another way this
can be achieved is by using a Capability Maturity Model (CMM) to monitor how a specific area evolves.
Act: Where deviations are found, take the necessary corrective actions to get back on track.
ISO/IEC 27000-series
From Wikipedia, the free encyclopedia
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short)
comprises information security standards published jointly by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series provides best practice recommendations on information security management, risks
and controls within the context of an overall information security management system (ISMS),
similar in design to management systems for quality assurance (the ISO 9000 series) and
environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT
or technical security issues. It is applicable to organizations of all shapes and sizes. All
organizations are encouraged to assess their information security risks, then implement
appropriate information security controls according to their needs, using the guidance and
suggestions where relevant. Given the dynamic nature of information security, the ISMS concept
incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of
information security incidents.
The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27
(Subcommittee 27), an international body that meets in person twice a year.
At present, twenty-three of the standards in the series are published and available, while several
more are still under development. The original ISO/IEC standards are sold directly by ISO, while
sales outlets associated with various national standards bodies also sell various versions
including local translations.
Published standards
In preparation
See also
BS 7799, the original British Standard from which ISO/IEC 17799, ISO/IEC
27002 and ISO/IEC 27001 were derived
Sarbanes-Oxley Act
History
The FFIEC was established March 10, 1979, pursuant to title X of the Financial Institutions
Regulatory and Interest Rate Control Act of 1978 (FIRA).
The FFIEC was given additional statutory responsibilities by section 340 of the Housing and
Community Development Act of 1980 to facilitate public access to data that depository
institutions must disclose under the Home Mortgage Disclosure Act of 1975 (HMDA) and the
aggregation of annual HMDA data, by census tract, for each metropolitan statistical area (MSA).
The Council has established, in accordance with the requirement of the statute, an advisory State
Liaison Committee composed of five representatives of state supervisory agencies.
The Appraisal Subcommittee (ASC) was established within the FFIEC pursuant to title XI of the
Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA). The ASC
oversees The Appraisal Foundation, whose work is in turn carried out by three independent
Boards: the Appraiser Qualifications Board (AQB), the Appraisal Standards Board (ASB), and
the Appraisal Practices Board (APB), which collectively regulate real estate appraisal in the
United States.