Seriously Seeking Security: The Quest for the Holy Grail?
Aart Bitter
27 November 2007, SBIT congres: Taking Security Seriously
Aart.Bitter@information-security-governance.com

Agenda
Taking Security Seriously: our clients and their boardrooms
Seriously
Seeking
Security
The Quest
... for the Holy Grail?
Our clients: 70% safer than one year ago
More/Better Security Controls and Procedures: 64%
IT Security Becoming More of a Priority: 20%
Improved Third-Party Security Products: 11%
More Regulatory Requirements: 9%
Security Has Become More Centralized/Standardized: 7%
Increased Budgeting/IT Spending: 5%
More IT Staffing: 5%

Meanwhile in the Boardroom
Through 2008, information security will move lower on the list of executive priorities.
Security is adequately addressed by the governance, organisational and technical investments of the past five years.
Through 2008, security managers who fail to gain relevant new skills will increasingly be sidelined within the enterprise.
Improved maturity of security: from reactive technical activities to proactive, business-oriented strategy.
Source: Gartner 2007 Predictions
Through 2008, will the Boardroom Seriously Seek Security?
Seriously

(Serious Social) Engineering 2007
Top-10 security issues (random order)
1. (Management) Commitment
2. Clear Desk Policy
3. Risk analysis and risk management
4. Employees (in, out and in action)
5. Security Incident Management
6. Business Continuity Management
7. Control plans (Compliance)
8. (Physical) Access Control (People-Process-Technology)
9. Asset management and classification
10. Information systems and Mobile devices

Seeking
Chart "Optimal Expenditure": cost ($, low to high) against level of security (low to high), showing the cost of security controls and the cost of security incidents.
Security

The Quest
ISO/IEC 27001 Plan-Do-Check-Act cycle:
Interested parties: information security requirements and expectations
Plan: Establish the ISMS
Do: Implement and operate the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS
Interested parties: managed information security
Information Security Governance
Responsibilities and Objectives
GOVERNANCE: STEER, OVERSEE, CONTROL, ACCOUNT, COMPLIANCE
Information security policy
Risk management
Implement
Monitor

The Holy Grail
Responsibilities and Business Objectives
GOVERNANCE: STEER, OVERSEE, CONTROL, ACCOUNT, COMPLIANCE
Maturity: pro-active, business-oriented security

Do our clients Take Security Seriously?
We Take Security Seriously
Security management cycle (Plan, Do, Check, Act):
Alignment: Policy; Laws and regulations
Planning: Risk Management; Standards
Implementation: Measures; Processes; Procedures
Evaluation: Scorecards; Assessments; Audits; Performance & Risk Indicators

Alignment - Security policy
Objectives for information security
Legal requirements and regulations
Information security and risk analysis
Risk management method
Security organisation
Policy
Planning - Risk management
Risk management:
Which risks do you accept?
Which measures will you take?
How will you introduce the measures?
How will you measure information security?
Risk matrix: probability (H/M/L) against impact (L/M/H); treatment options Reduce, Accept, Avoid, Move.
Control areas: Security organisation; Personnel security; Physical security; Security policy; IT management; Assets; Access control; System development; Continuity management; Security incidents; Compliance.

Implementation - Rollout
Organisation (visible): IT processes; Job profiles; Knowledge & skills; Organisational structure; Knowledge of the organisation; Planning & Control
Culture (invisible): Attitude; Norms and values; Motives; Politics; Personal preferences; Drives; Energy; Fear; Behaviour
Evaluation - Monitoring
Risk matrix: probability (Certain: risks 1, 7, 2; Possible: risks 8, 10, 3, 4, 6, 9; Unlikely: risk 5) against impact (Low, Medium, High).
Chart "Results of Security Scan": score (0% to 100%) per category 1 to 10 of the Code.

Thank you for your attention!
Questions, remarks, suggestions
Aart.Bitter@information-security-governance.com