Transcription of Information Security Governance and Benchmarking
1 Eijiroh OhkiEijiroh OhkiProfessor, Kogakuin UniversityProfessor, Kogakuin Security Governance Information Security Governance and Benchmarkingand Benchmarking2009/02/20 AgendaAgendaInformation Security Governance and Benchmarking1. Managing Information Security Business and Information Security Security Controls and Management2. Information Security Governance What is Governance How to establish Governance Risk Factors and Risk Treatment Governance Structure3. Information Security Measures Benchmarking Major issues and three tools What is, How it works, How to utilize2IS Governance and BenchmarkingFebruary 2009IS Governance and BenchmarkingBusiness and Information SecurityConfidentialityIntegrityAvailabi lityPersonal Data ProtectionTrade SecretDisaster RecoveryMessage Proof Capacity PlanningDenial of ServicesAccuracy of financial statementsBCP/BCMJ-SOXCIA3 February 2009 Risk assessmentRisk assessmentAwarenessAwarenessResponsibili tyResponsibilityReassessmentReassessment ResponseResponseSecurity managementSecurity managementEthicsEthicsDemocracyDemocracy Security design and implementation Security design and implementationOECD OECD GuidelinesGuidelinesfor the Securityfor the Securityof Informationof InformationSystemsSystems Culture of Security OECD Security Guidelines 1992.
2 2002 Participants should be aware of the need for Security of Information systems and networks and what they can do to enhance participants are responsible for the Security of Information systems and should act in a timely and co- operative manner to prevent, detect and respond to Security should respect the legitimate interests of others. The Security of Information systems and networks should be compatible with essential values of a democratic should conduct risk should incorporate Security as an essential element of Information systems and should adopt a comprehensive approach to Security management. Participants should review and reassess the Security of Information systems and networks, and make appropriate modifications to Security policies, practices.
3 Measures and 20094IS Governance and BenchmarkingInformation Security Management CycleInformation Security Management scope of assessment Risk assessment RisksIdentify RisksAssess for Options for treatment of Risks treatment of Risks controlsSelect Management of Risk Formulate Risk treatment plantreatment Risk Implement Risk treatment plantreatment and awareness Controls RisksReview Management the identified and preventive intended objectivesEstablish ISMSI mplement & OperateMonitor and reviewMaintain and improvePlanDoCheckActAnnex AControl objectives and controlsISO/IEC 270015IS Governance and BenchmarkingFebruary 2009 JapanJapan s National Strategy on Information Securitys National Strategy on Information Security -- Priority Policies for FY2006 Priority Policies for FY2006--2008 2008 --6IS Governance and BenchmarkingBusinesses.
4 Implementing Information Security measures so as to be highly regarded by the marketFebruary 2009 Security and Stage of IT investmentDepartmentOptimizationCompanyO ptimizationGroupOptimizationInformation Information sharing within sharing within a departmenta departmentInformation Information sharing within sharing within a companya companyOrganization reformOrganization reformcustomer viewpointcustomer viewpointRequired Required level of level of Information Information SecuritySecurityMore comprehensive Information Security Management required as IT investment advances to next stageInformation Information sharing within sharing within a groupa groupFocus of IT investmentStage IStage IIStage IIIF ebruary 20097IS Governance and BenchmarkingImportance of End-to-End Security most important Information usually shared among companies within a value chainevery company in the chain needs to establish Security management to reduce and maintain risks under allowable level not only technology measuresnot only technology measuresFebruary 20098IS Governance and BenchmarkingAgendaAgendaInformation Security Governance and Benchmarking1.
5 Managing Information Security Business and Information Security Security Controls and Management2. Information Security Governance What is Governance How to establish Governance Risk Factors and Risk Treatment Governance Structure3. Information Security Measures Benchmarking Major issues and three tools What is, How it works, How to utilize9IS Governance and BenchmarkingFebruary 2009IS Governance and BenchmarkingWhat is Information Security Governance ?What is Information Security Governance ?Source: Report compiled by the Research Group for Studying What Information Security Should be at Corporations, Ministry of Economy, Trade and Industry, March build and operate corporate Governance inside companies, takiTo build and operate corporate Governance inside companies, taking social ng social responsibility and the mechanism of internal control, which suppresponsibility and the mechanism of internal control, which supports corporate orts corporate Governance , from the standpoint of Information Security into congovernance, from the standpoint of Information Security into considerationsiderationThe principal goals of company management are fulfillment of the company s responsibilities to stakeholders such as shareholders.
6 Customers, suppliers, employees, and society, namely, enhancement of corporate values and accomplishment of social responsibility. Risk management is defined as one of the vital activities that support these variety of risks exist. Building and operating a mechanism* to arouse awareness of undertaking activities and thoroughly implementing process activities based on them for the purpose of managing Information asset risks is defined as Information Security Governance .(* Means a mechanism of management decision policy and monitoring the status within the organization and mechanism of disclosure to stakeholders and evaluation by stakeholders.)Source : Interim Report of the Basic Information Security Problem Committee, Industrial Structure Council June 200810 February 2009 Governance and Management of Information Security Governance and Management of Information Security Board of DirectorsExecutivesManagersEmployeesStak eholdersStrategic levelOperational levelManagementGovernanceFebruary 200911IS Governance and BenchmarkingHow to establish IS GovernanceHow to establish IS Governance1) Define direction and objectives on Information Security clea1) Define direction and objectives on Information Security clearlyrlyWhat to be protectedWhat to be protected.
7 Importance of Information assets, Compliance, CSR,importance of Information assets, Compliance, CSR,to Which levelto Which level .. decide allowable residual riskdecide allowable residual risk===> ===> develop Information Security Policy and Standardsdevelop Information Security Policy and Standards2) Establish Internal Control mechanism2) Establish Internal Control mechanismRoles and ResponsibilityRoles and to define allowable risk level, to develop Security standardsto define allowable risk level, to develop Security to reduce risks below allowable risk level to reduce risks below allowable risk level .. to audit, to conduct actions to improve to audit, to conduct actions to improve Name the CSO, CISO and Security staffs, provide education and trName the CSO, CISO and Security staffs, provide education and trainingainingDesign and Implement Security measures Design and Implement Security measures.
8 Build into business processes and ITsbuild into business processes and ITsRespond Incidents, Develop and Test Business Continuity PlanRespond Incidents, Develop and Test Business Continuity Plan3) Ensure Business Information Security End3) Ensure Business Information Security End--toto--EndEnd4) Develop Accountability reports to stakeholders4) Develop Accountability reports to stakeholdersFebruary 200912IS Governance and BenchmarkingRisk Factors of Information SecurityRisk Factors of Information SecurityRisk and Business Impact Analysis Business Process Application System NetworkNecessary Safeguards Risk CostRisk FactorsThreatsVulnerabilitiesAssetsValue sProtection RequirementsSafeguardsRisksISO TR 13335 GMITSG uidelines for Management of Information Technology SecurityFebruary 200913IS Governance and BenchmarkingRisk TreatmentRisk TreatmentRiskOwn RiskOwn RiskOwn RiskAccept RiskAccept RiskAccept RiskTransfer RiskTransfer RiskTransfer RiskAvoid RiskAvoid RiskAvoid RiskReduce RiskReduce RiskReduce RiskRiskTreatmentRiskTreatmentRisk FactorsRisk
9 FactorsThreatVulnerabilityValue ofInformation Assets9 Acceptable Risk Level 9 Cost effectivenessFebruary 200914IS Governance and BenchmarkingISO/IEC 27001 ISMS RequirementsISO/IEC 27001 ISMS RequirementsGeneral RequirementsEstablish ISMSI mplement & Operate ISMSM onitor & ReviewISMSM aintain& ImproveISMSD ocumentation RequirementsManagement Responsibilities PlanDoCheckActzManagement commitmentzResource managementa. establish an Information Security policyb. ensure that Information Security objectives and plans are establishedc. establishing roles and responsibilities for Information securityd. communicate the importancee. provide sufficient resourcesf. decide the acceptable level of riskg. ensure that ISMS internal audit is conductedh.
10 Conduct management reviewsFebruary 200915IS Governance and BenchmarkingInformation Security Governance structureInformation Security Information Security GovernanceGovernanceInformation Security Information Security ManagementManagementSecurity ControlsSecurity Controls Direction Objectives Monitoring Establish Management system PDCA management cycle Sets of Controls 911 Area939 objectives 9133 controls9 Many sub-controlsDecide acceptable level of riskRealize Risk Reduction16IS Governance and BenchmarkingFebruary 2009 AgendaAgendaInformation Security Governance and Benchmarking1. Managing Information Security Business and Information Security Security Controls and Management2. Information Security Governance What is Governance How to establish Governance Risk Factors and Risk Treatment Governance Structure3.