Example: stock market

Information Security Governance and …

Eijiroh OhkiEijiroh OhkiProfessor, Kogakuin UniversityProfessor, Kogakuin Security Governance Information Security Governance and Benchmarkingand Benchmarking2009/02/20 AgendaAgendaInformation Security Governance and Benchmarking1. Managing Information Security Business and Information Security Security Controls and Management2. Information Security Governance What is Governance How to establish Governance Risk Factors and Risk Treatment Governance Structure3. Information Security Measures benchmarking Major issues and three tools What is, How it works, How to utilize2IS Governance and BenchmarkingFebruary 2009IS Governance and BenchmarkingBusiness and Information SecurityConfidentialityIntegrityAvailabi lityPersonal Data ProtectionTrade SecretDisaster RecoveryMessage Proof Capacity PlanningDenial of ServicesAccuracy of financial statementsBCP/BCMJ-SOXCIA3 February 2009 Risk assessmentRisk assessmentAwarenessAwarenessResponsibili tyResponsibilityReassessmentReassessment ResponseResponseSecurity managementSecurity managementEthicsEthicsDemocracyDemocracy Security design and implementation Security design and implementationOECD OECD GuidelinesGuidelinesfor the Securityfor the Securityof Informationof InformationSystemsSystems Culture of Security OECD Security Guidelines 1992, 2002 Participants should be aware of the need for Security of Information systems and networks and what th

1. Managing Information Security Business and Information Security Security Controls and Management 2. Information Security Governance What is I.S. Governance How to establish I.S. Governance Risk Factors and Risk Treatment Governance Structure 3. Information Security Measures Benchmarking Major issues and three tools What is, …

Tags:

  Information, Security, Governance, Benchmarking, Information security governance and

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of Information Security Governance and …

1 Eijiroh OhkiEijiroh OhkiProfessor, Kogakuin UniversityProfessor, Kogakuin Security Governance Information Security Governance and Benchmarkingand Benchmarking2009/02/20 AgendaAgendaInformation Security Governance and Benchmarking1. Managing Information Security Business and Information Security Security Controls and Management2. Information Security Governance What is Governance How to establish Governance Risk Factors and Risk Treatment Governance Structure3. Information Security Measures benchmarking Major issues and three tools What is, How it works, How to utilize2IS Governance and BenchmarkingFebruary 2009IS Governance and BenchmarkingBusiness and Information SecurityConfidentialityIntegrityAvailabi lityPersonal Data ProtectionTrade SecretDisaster RecoveryMessage Proof Capacity PlanningDenial of ServicesAccuracy of financial statementsBCP/BCMJ-SOXCIA3 February 2009 Risk assessmentRisk assessmentAwarenessAwarenessResponsibili tyResponsibilityReassessmentReassessment ResponseResponseSecurity managementSecurity managementEthicsEthicsDemocracyDemocracy Security design and implementation Security design and implementationOECD OECD GuidelinesGuidelinesfor the Securityfor the Securityof Informationof InformationSystemsSystems Culture of Security OECD Security Guidelines 1992.

2 2002 Participants should be aware of the need for Security of Information systems and networks and what they can do to enhance participants are responsible for the Security of Information systems and should act in a timely and co- operative manner to prevent, detect and respond to Security should respect the legitimate interests of others. The Security of Information systems and networks should be compatible with essential values of a democratic should conduct risk should incorporate Security as an essential element of Information systems and should adopt a comprehensive approach to Security management. Participants should review and reassess the Security of Information systems and networks, and make appropriate modifications to Security policies, practices, measures and 20094IS Governance and BenchmarkingInformation Security Management CycleInformation Security Management scope of assessment Risk assessment RisksIdentify RisksAssess for Options for treatment of Risks treatment of Risks controlsSelect Management of Risk Formulate Risk treatment plantreatment Risk Implement Risk treatment plantreatment and awareness Controls RisksReview Management the identified and preventive intended objectivesEstablish ISMSI mplement & OperateMonitor and reviewMaintain and improvePlanDoCheckActAnnex AControl objectives and controlsISO/IEC 270015IS Governance and BenchmarkingFebruary 2009 JapanJapan s National Strategy on Information Securitys National Strategy on Information Security -- Priority Policies for FY2006 Priority Policies for FY2006--2008 2008 --6IS Governance and BenchmarkingBusinesses.

3 Implementing Information Security measures so as to be highly regarded by the marketFebruary 2009 Security and Stage of IT investmentDepartmentOptimizationCompanyO ptimizationGroupOptimizationInformation Information sharing within sharing within a departmenta departmentInformation Information sharing within sharing within a companya companyOrganization reformOrganization reformcustomer viewpointcustomer viewpointRequired Required level of level of Information Information SecuritySecurityMore comprehensive Information Security Management required as IT investment advances to next stageInformation Information sharing within sharing within a groupa groupFocus of IT investmentStage IStage IIStage IIIF ebruary 20097IS Governance and BenchmarkingImportance of End-to-End Security most important Information usually shared among companies within a value chainevery company in the chain needs to establish Security management to reduce and maintain risks under allowable level not only technology measuresnot only technology measuresFebruary 20098IS Governance and BenchmarkingAgendaAgendaInformation Security Governance and Benchmarking1.

4 Managing Information Security Business and Information Security Security Controls and Management2. Information Security Governance What is Governance How to establish Governance Risk Factors and Risk Treatment Governance Structure3. Information Security Measures benchmarking Major issues and three tools What is, How it works, How to utilize9IS Governance and BenchmarkingFebruary 2009IS Governance and BenchmarkingWhat is Information Security Governance ?What is Information Security Governance ?Source: Report compiled by the Research Group for Studying What Information Security Should be at Corporations, Ministry of Economy, Trade and Industry, March build and operate corporate Governance inside companies, takiTo build and operate corporate Governance inside companies, taking social ng social responsibility and the mechanism of internal control, which suppresponsibility and the mechanism of internal control, which supports corporate orts corporate Governance , from the standpoint of Information Security into congovernance, from the standpoint of Information Security into considerationsiderationThe principal goals of company management are fulfillment of the company s responsibilities to stakeholders such as shareholders, customers, suppliers, employees, and society, namely, enhancement of corporate values and accomplishment of social responsibility.

5 Risk management is defined as one of the vital activities that support these variety of risks exist. Building and operating a mechanism* to arouse awareness of undertaking activities and thoroughly implementing process activities based on them for the purpose of managing Information asset risks is defined as Information Security Governance .(* Means a mechanism of management decision policy and monitoring the status within the organization and mechanism of disclosure to stakeholders and evaluation by stakeholders.)Source : Interim Report of the Basic Information Security Problem Committee, Industrial Structure Council June 200810 February 2009 Governance and Management of Information Security Governance and Management of Information Security Board of DirectorsExecutivesManagersEmployeesStak eholdersStrategic levelOperational levelManagementGovernanceFebruary 200911IS Governance and BenchmarkingHow to establish IS GovernanceHow to establish IS Governance1) Define direction and objectives on Information Security clea1) Define direction and objectives on Information Security clearlyrlyWhat to be protectedWhat to be protected.

6 Importance of Information assets, Compliance, CSR,importance of Information assets, Compliance, CSR,to Which levelto Which level .. decide allowable residual riskdecide allowable residual risk===> ===> develop Information Security Policy and Standardsdevelop Information Security Policy and Standards2) Establish Internal Control mechanism2) Establish Internal Control mechanismRoles and ResponsibilityRoles and to define allowable risk level, to develop Security standardsto define allowable risk level, to develop Security to reduce risks below allowable risk level to reduce risks below allowable risk level .. to audit, to conduct actions to improve to audit, to conduct actions to improve Name the CSO, CISO and Security staffs, provide education and trName the CSO, CISO and Security staffs, provide education and trainingainingDesign and Implement Security measures Design and Implement Security measures .. build into business processes and ITsbuild into business processes and ITsRespond Incidents, Develop and Test Business Continuity PlanRespond Incidents, Develop and Test Business Continuity Plan3) Ensure Business Information Security End3) Ensure Business Information Security End--toto--EndEnd4) Develop Accountability reports to stakeholders4)

7 Develop Accountability reports to stakeholdersFebruary 200912IS Governance and BenchmarkingRisk Factors of Information SecurityRisk Factors of Information SecurityRisk and Business Impact Analysis Business Process Application System NetworkNecessary Safeguards Risk CostRisk FactorsThreatsVulnerabilitiesAssetsValue sProtection RequirementsSafeguardsRisksISO TR 13335 GMITSG uidelines for Management of Information Technology SecurityFebruary 200913IS Governance and BenchmarkingRisk TreatmentRisk TreatmentRiskOwn RiskOwn RiskOwn RiskAccept RiskAccept RiskAccept RiskTransfer RiskTransfer RiskTransfer RiskAvoid RiskAvoid RiskAvoid RiskReduce RiskReduce RiskReduce RiskRiskTreatmentRiskTreatmentRisk FactorsRisk FactorsThreatVulnerabilityValue ofInformation Assets9 Acceptable Risk Level 9 Cost effectivenessFebruary 200914IS Governance and BenchmarkingISO/IEC 27001 ISMS RequirementsISO/IEC 27001 ISMS RequirementsGeneral RequirementsEstablish ISMSI mplement & Operate ISMSM onitor & ReviewISMSM aintain& ImproveISMSD ocumentation RequirementsManagement Responsibilities PlanDoCheckActzManagement commitmentzResource managementa.

8 Establish an Information Security policyb. ensure that Information Security objectives and plans are establishedc. establishing roles and responsibilities for Information securityd. communicate the importancee. provide sufficient resourcesf. decide the acceptable level of riskg. ensure that ISMS internal audit is conductedh. conduct management reviewsFebruary 200915IS Governance and BenchmarkingInformation Security Governance structureInformation Security Information Security GovernanceGovernanceInformation Security Information Security ManagementManagementSecurity ControlsSecurity Controls Direction Objectives Monitoring Establish Management system PDCA management cycle Sets of Controls 911 Area939 objectives 9133 controls9 Many sub-controlsDecide acceptable level of riskRealize Risk Reduction16IS Governance and BenchmarkingFebruary 2009 AgendaAgendaInformation Security Governance and Benchmarking1. Managing Information Security Business and Information Security Security Controls and Management2.

9 Information Security Governance What is Governance How to establish Governance Risk Factors and Risk Treatment Governance Structure3. Information Security Measures benchmarking Major issues and three tools What is, How it works, How to utilize17IS Governance and BenchmarkingFebruary 2009(1) Information Security Measures Benchmark(2) Model of Information Security Report(3) Guideline for Business Continuity PlanningThree Tools Three Tools recommended at METI recommended at METI s study group for s study group for Information Security Governance Information Security Governance 2005/032005/03 Major IssuesMajor Issues Difficult to decide Difficult to decide Information Security Information Security investment due to lack of investment due to lack of risk informationrisk Information Security Investment doesnSecurity Investment doesn t t have straight link to improve have straight link to improve Corporate ValueCorporate Value Importance of BCP/BCM Importance of BCP/BCM could not be aware by could not be aware by corporate executivescorporate executivesFebruary 200918IS Governance and BenchmarkingOutline of Information Security Measures BenchmarkOutline of Information Security Measures BenchmarkProvides answers to 40 questions on the WebProvides answers to 40 questions on the

10 Does your company have any policies or rules for Does your company have any policies or rules for Information Security and implement them? Information Security and implement them?19IS Governance and BenchmarkingInformation Security Measures (25 Items) Organizational Security Physical and environmental Security Communications and operations management Access control, Systems development and maintenance Security incidents and malfunctionsCorporate Profile 15 Items Number of employees, sale figures, number of basis Number of people whose Information is held, degreeof dependence on Information TechnologyAssessment Items (40 Items in Total) your company s position using a scatter your organization s score with the desirable Security level and the average in your business industry, using a radar your recommended Security Assessment ResultExample of Self Assessment Result (Scatter Chart) 2009 Diagnosis Result ofDiagnosis Result of Information Security Measures BenchmarkInformation Security Measures Benchmark20IS Governance and BenchmarkingTotal score distribution and your positionTotal score distribution and your positionYour score compared with averagesYour score compared with averagesGroups and your positionGroups and your positionMore than 13,000 usages as of Dec-2007 February 2009 Use of IS Measures BenchmarkUse of IS Measures Benchmark for Executivesfor Executives to know your company position in the industryto know your company position in the industry to verify your risk understandingto verify your risk understanding for Business Ownersfor Business Owners to satisfy Business partner requirementsto satisfy Business partner requirements for business process managersfor business process managers to understand current status, by control area, to understand current status, by control area.


Related search queries