
Enterprise Risk

Enterprise Information Security Framework


April 4, 2006

Agenda

Enterprise Information Security Framework

- What are the challenges?
- What problem are we trying to solve?
- Overview of enterprise information security
- Creating an enterprise information security program in support of risk, legal and regulatory obligations
- Information security control frameworks
- Measuring maturity of the program
- Establishing an ISMS: benefits and roadmap

Enterprise Security Framework POV - 2005 Deloitte & Touche LLP and affiliated entities.

Security challenges faced by organizations

Organizations are constantly challenged with information security issues and ever-increasing threat profiles. Faced with these challenges, organizations continue to ask themselves:

- Are our information security initiatives aligned with our business needs?
- Are our customers' and trading partners' information security initiatives and requirements compliant and compatible with ours?
- Are our information security practices providing adequate assurance to meet regulation or compliance requirements?
- Are we perceived as a responsive organization meeting the needs of our stakeholders, our customers, and trading partners?
- Do our information security controls align with industry-related and internationally accepted guidelines?
- Are we aware of our security risks, and are they being effectively managed?
- Are we measuring the effectiveness of our information security investments?

Bottom line: are we secure?

Security has become a critical aspect of every business solution

1. Most Enterprise Security Programs are Anything But. Organizations have typically lacked a systematic, integrated security and risk management approach for designing and implementing business solutions.

2. Security Expectations and Delivery are Disconnected. Board-level interest in security is driving improved compliance, governance, ROI and portfolio management, yet security solutions remain largely reactive, silo-based and focused on technology.

3. Enterprise Security Requires a Truly Integrated Approach ... that links organizational, technical, administrative and physical security to a strategic combination of IT architecture, business drivers and processes, legal requirements, threat scenarios and design.

The risks are enormous and internal and external pressure continues to mount

Effective management of information security risks using a framework can drive better business and IT decisions and achieve better results. It can:

- Avoid audit by checklist
- Ensure information integrity, availability and confidentiality
- Avoid fraud or loss of confidence
- Reduce compliance liability
- Reduce IT inefficiencies
- Enhance productivity and quality
- Protect IT assets
- Align IT programs with business objectives
- Improve customer service and responsiveness
- Leverage risk to support competitive opportunities
- Enhance and protect the brand
- Reduce cost
- Improve IT performance and reliability

[Diagram: risks pressing on the organization - Escalating Costs, Compliance Liability, Unprotected Assets, Business Liability, Reduced Effectiveness, Brand Erosion]

The new business reality

How do we keep balance and be secure?

Security is the balance of protection measures against the acceptance of risk

Risk acceptance:
- is a cost decision - the amount of investment required to lower the risk
- is a pain decision - the ability to deal with ongoing security incidents
- is a visibility decision - the potential impact to corporate reputation
- should not be a surprise decision - accepting risk without knowing it

Measurement of security compliance is often based on an audit-driven scorecard vs. a risk-driven scorecard

The traditional control implementation approach often does not address the needs:

- Requirements: legal, regulatory and general business risk requirements are not consistently applied by business segments and departments
- Enterprise strategies: security strategies often don't take into account operational realities or provide reasonable options
- Policies and procedures: security policies and procedures are often created in a vacuum or solely based on "Best Practices"
- Operations and maintenance: risk and controls are often not updated when system changes occur
- Reporting: reporting is often a time-consuming, one-off exercise

[Diagram: control lifecycle - Requirements, Enterprise Strategies, Policies & Procedures, Operations & Maintenance, Reporting]

Why address information security at the enterprise level?

Enterprise Solution Approach vs. Point Solution Approach:

- Executive management support through strategic alignment, consistent security decisions, planning and investments
  vs. IT management oversight without appropriate executive management support
- Facilitate accountability, authority and responsibility across the organization
  vs. IT functional stove-pipes and lack of executive management visibility
- Integrated and leveraged set of security solutions with long-lasting value
  vs. one-off fixes that are not integrated or leveraged as long-term investments
- Focused on eliminating root-cause problems and identifying improvement opportunities
  vs. focused on solving immediate problems which will most likely recur over time
- Reduce total cost of ownership by consolidating management and eliminating overhead
  vs. increased total cost of ownership and disruption from overhead, redundancies and conflicts

A sound enterprise information security strategy should have proper balance and integration with the security governance, architecture and operations

A security strategy is supported by three critical components:

- Strategy links security initiatives with business and technology objectives
- Architecture provides technology standards, models and technologies to be leveraged by the business

[Diagram: Strategy / Architecture / Operations; only the Strategy and Architecture descriptions survived extraction]

Creating true enterprise security: the journey. How do I get there?

[Diagram: from business mission to operational controls, with arrows labelled Motivation and Implication]
- Business Mission
- Information Security Vision & Mission
- Information Security Strategy
- Information Security Principles
- Risk Tolerance
- Legislation and Regulatory Compliance
- Corporate Policies
- Information Security Architecture
- Information Security Architecture Design Principles
- Information Security Conceptual Architecture
- Information Security Functional Architecture
- Information Security Physical Architecture
- Information Security Policy Framework
- Information Security Policies
- Information Security Standards
- Information Security Management Processes
- Information Security Operational Processes
- Information Security Controls

What does the information security program look like? Define the Information Security Program Framework

Information Security Framework:
- Information Security Drivers: Business, Risk Tolerance, Legislation & Regulations
- Information Security Management: Strategy Requirements & Planning
- Information Security Governance: Risk Management; Principles, Policies, Standards, Guidelines, Procedures
- Information Security Architecture
- Operations: Audit, Enforcement, Monitoring & Management, Measurement & Assessment
- Awareness & Training

How does the information security program operate? Define the links

ISO 27001 Information Security Management System

INFORMATION TECHNOLOGY & SECURITY OPERATING MODEL

Strategic Planning

STANDARDIZATION: Normalized Requirements, Exceptions, Policy, Enterprise Architecture, Tools & Infrastructure, Approved Asset List, Risk Control Library, Compliance Reporting, Risk Reporting

RESILIENCE: Backup & Restoration, Diversification, Network Defense, Redundancy

GOVERNANCE: Executive Steering Committee, Architecture Definition Committee, Policy Definition Committee, Project/Portfolio Review Committee, Third Party Management Committee, Performance Metrics & Incentives, Risk Budget & Planning

SECURITY MANAGEMENT: Risk Office Management, Training & Awareness, Policy Management, Risk Management, Certification & Accreditation, Compliance Management

ACCESS MANAGEMENT: Identity, Data, Application, Infrastructure, Personnel, Physical

OPERATIONS MANAGEMENT: Change Management, Configuration Management, Vulnerability Management, Incident Management, Customer Support, Systems Management

Delivery

(The Information Security Program sits at the centre of the model.)

The information security program provides a reference that can be used to measure how the program operates and its effectiveness

[Diagram: the Information Security Framework overlaid on the ISO 27001 Information Technology & Security Operating Model shown above]

As a first phase, strategic planning is crucial

1. Executive Level Sponsorship
2. Business Alignment
3. Corporate Risk Tolerance
4. Legislation and Regulatory Compliance
5. Security Strategy and Planning

[Diagram: Information Security Framework (as defined above)]

Information Security Governance defines the control and accountability environment

1. Information Security Principles
2. Information Security Policy Framework
   - Information Security Policies and Standards
   - Information Security Guidelines and Procedures
3. Audit
4. Enforcement

[Diagram: Information Security Framework (as defined above)]

Information Security Architecture defines the solution, Operations monitors and manages the environment and Measurement provides program effectiveness reporting

Awareness and Training, Risk Management and Measurement round out the program

1. Information Security Architecture
   - Conceptual, Functional and Physical
2. Operations Management
   - Change Management
   - Vulnerability Management
   - Incident Management
   - Monitoring
3. Risk Management
4. Awareness and Training
5. Measurement and Assessment

[Diagram: Information Security Framework (as defined above)]

The Information Security Architecture provides a mechanism to deliver a consistent approach to information security decisions and solutions

The architecture has three layers, each spanning four domains: Access Management; Trust & Assurance; Network & Infrastructure; Security Management.

Conceptual (Models)
  Artifacts: Security Principles, Security Policies, Security Design Objectives, Threat/Risk Profile, Security Architecture Principles
  Models across the four domains: User Communities, Business Partners, Stakeholders, Trust Model, Availability, Security Zones, Information Flow Control, Security Operation, Administration, Monitoring & Compliance

Functional (Components)
  Artifacts: Security Standards, Security Design Decisions, Security Design Patterns (Logical), Security Component Definition
  Access Management: Identity, Authentication, Authorization, Credential Management, Role Based Access Control
  Trust & Assurance: Confidentiality, Business Continuity, Backup & Recovery, Non-repudiation, Trusted Time, Secure Storage & Destruction, Physical Security
  Network & Infrastructure: Intrusion Detection, Network Access Control, Network Segmentation, Content Management, DMZ
  Security Management: Logging & Monitoring, Incident Management, Reporting, Security Operation Centre, Vulnerability & Configuration Management

Physical (Nodes)
  Artifacts: Technical Operating Standards, Product Standards, Security Design Patterns (Physical), Process Documents, Configuration Guidebooks, Security Node Definitions
  Access Management: Credentials, Profiles, Authorization Rules, Credential Repository
  Trust & Assurance: Encryption, Private Keys & Certificates, Message Digest, Digital Signature, NTP
  Network & Infrastructure: Firewalls/VPNs, Switches/Routers, IPS, NIDS & HIDS, Anti-Spam, Anti-Virus, URL Filter
  Security Management: SIM & SEM, KPIs & Dashboard, Vulnerability Assessment, Security Baseline

Establishing security requirements

1. Assess the risks to the organization, taking into account the organization's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated, and potential impact is estimated.

2. Legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment.

3. The principles, objectives and business requirements for information processing that an organization has developed to support its operations.

Standard: ISO/IEC 17799:2005, BS-7799-3

ISO 17799 presents a comprehensive set of controls considered to be best practices in information security, including policies, practices, procedures, organizational structures and software functions

ISO 17799:2005 clauses (11 clauses, 39 objectives, 146 controls, over 500 detailed controls):
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Acquisition, Development & Maintenance
- Security Incident Management
- Business Continuity Management
- Compliance

What it is:
- Addresses information asset security from a risk-based perspective by way of policies and best practices
- A critical component of an overall enterprise security architecture
- A recognized Information Security Management System standard

What it is NOT:
- Definitive details or how-tos to implement security
- A comprehensive list of required controls to satisfy the requirements of every organization; other controls may be required as a complement
- An information security methodology
- A technical standard

Sarbanes-Oxley compliance relies on COSO and CobiT to provide a structure for controls

COSO is the control framework of choice for SOX compliance. All 5 COSO layers must be considered when evaluating internal controls.

COSO components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

CobiT is a widely accepted IT control framework. CobiT provides 4 domains of IT control, and controls in each domain address all 5 layers of COSO.

CobiT objectives (domains):
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

[Diagram: CobiT domain cycle set against the COSO components, linked to SOX Section 302 and Section 404]

ISO 17799 is mapped to CobiT

ISO 17799 provides a more detailed control framework for information security. The ISO 17799 ISMS provides the linkage between the information security decisions (ISO 17799) and the control objectives (CobiT).

Use the IT & Security Operating Framework to establish a baseline and track progression over time

Systematically build and improve privacy & security capabilities

[Diagram: ISO 27001 Information Technology & Security Operating Model (as defined above)]

Maturity levels:
- Initial: capabilities are characteristic of individuals, not of the organization
- Repeatable: process established and repeating; reliance on people is reduced
- Defined: policies, processes and standards defined and formalized across the organization
- Managed: risks measured and managed quantitatively and aggregated on an enterprise-wide basis
- Optimized: organization focused on continuous improvement of privacy and security risk management

... by assessing the maturity level of the implemented control environment

Capability analysis: each element of the Information Technology & Security Operating Model (Strategic Planning, Standardization, Resilience, Governance, Security Management, Access Management, Operations Management and Delivery) is rated against the maturity legend.

Maturity legend:
- 0 - Non-existent
- 1 - Initial
- 2 - Repeatable
- 3 - Defined
- 4 - Managed
- 5 - Optimized

Define and Implement an Information Security Management System (ISMS)

A management system establishes the policy and the objectives and the process used to achieve those objectives. The ISMS is put into effect by defining and implementing:
- The organizational structure
- Systematic processes and associated resources
- The measurement and evaluation methodology
- A review process to ensure problems are corrected and opportunities for improvement are recognized and implemented when justified

"What gets monitored gets measured, what gets measured gets managed."

Manage the information security program through a formalized process

- Policy (demonstration of commitment and principles for action)
- Planning (identification of needs, resources, structure, responsibilities)
- Implementation and operation (awareness building and training)
- Performance assessment (monitoring and measuring, handling non-conformities, audits)
- Improvement (corrective and preventive action, continual improvement)
- Management review

Source: ISO Guide 72:2001

Position the ISMS for ISO 27001 Certification

We have the methodologies that provide the framework and accompanying processes for the information security program, helping clients implement an Information Security Management System (ISMS) and prepare for their ISO 27001 certification (BS7799-2:2002 certification).

ISMS roadmap:
- Scope of ISMS: Security Forum, ISMS Officer
- Identification of Information Assets and Asset Valuation: ISMS interviews, Asset inventory
- Risk Assessment: ISMS interviews, Business Impact Assessment, Risk identification, Risk evaluation, Risk calculation, ALE Assessment
- Risk Treatment: Control selection, Control review, Control implementation status, Statement of Applicability
- Document Management: Policies and Procedures; Policy and Procedure Creation (Approve, Certify, Revise, Publish)
- Internal Audit, Training & Awareness, ISM Compliancy
- Pre-Assessment Audit (*Discretionary*): Assessment of Readiness, Desk-top (paper) audit, ID Non-conformities
- Certification Audit: Stage One Audit, Stage Two Audit
- Surveillance Audits

[Diagram: the Information Security Framework and the ISO 27001 Information Technology & Security Operating Model (as defined above)]

Mature the Information Security Program Over Time

[Diagram: IT security strategy engagement approach, Phase I. Two overlaid versions of the diagram are present, one referencing CIBC documents and one TDBFG documents; recoverable labels follow. Legend: Existing Documents, Reference Documents, Project Deliverables, Project Tools.]
1 Project Initiation: Communication Strategy; Define Project Plan (Detailed Project Plan); Project Kick Off (Workshop/Interview Schedule)
2 Business Strategy: Orientation Workshop; Assessment Workshop; Interviews / Workshops. Inputs: business strategy documents (CIBC / TDBFG Documents), Industry and Reference Standards, Methodology & Intellectual Capital, Threat Landscape / Risk Tolerance
3 IT Security Strategy Orientation and Planning Workshop / Review Security Program (Current State): IT Security Strategy Reference Framework; IT Security Vision and Goals; TDBFG IT Security Policy Framework (Vision & Mission, IT Security Policy, TDBFG IT Security Principles, TDit Strategic Objectives, IT Security Standards); Organization Enterprise Risk Management; IT Principles, IT Security Policy, IT Security Principles, Architecture Principles
4 Risk and Control Self Assessment Workshop (Findings and Analysis) / Define Enterprise IT Security Strategy Requirements: Security Strategy Requirements; Security Architecture Requirements; Security Policy Recommendations. Inputs: Reference Standards, Legislation/Regulations, Threat/Risk Assessment, Architecture Strategies, Security Standards/Models, Survey Information, Industry Standards, Board Responsibilities, Education information
5 Document IT Security Strategy: IT Security Strategy Document - IT Security Mission and requirements - Relationship to the IT Security Program - Measurements
6 Document IT Security Governance Recommendations: - Delineation of Responsibilities - Identify any current Gaps - Position in Security Life Cycle
7 IT Security Spending Analysis (IT Security Spending Guidelines); Define IT Security Principles / Define Security Architecture Principles (Stakeholder Input): Principle Name - Statement - Rationale (Motivation) - Implication
8 Define IT Security Architecture Framework: Define Security Architecture Strategy; Conceptual, Functional and Physical Security Architecture; Enterprise IT Security Architecture Framework (Technical Framework, Reference Standard, Solution Design, Technology Selection, Application Design)
9 Define Security Strategy Roadmap and Next Steps; Completion Review: IT Security Strategy Roadmap and Next Steps - 3 Year Vision, Strategy & Organization; Develop Presentation (IT Security Principles Presentation)

[Diagram: IT security framework elements and policy work stream. Recoverable definitions:]
Business Mission: the business mission and goals of the organization
IT Security Vision & Mission: the long range goals for IT security
IT Security Strategy: the defined responsibilities and path to achieve the IT Security Vision and Mission
Risk Tolerance: the level of risk that the organization is willing to accept
Legislation and Regulatory Compliance: the legislation and regulations that the organization must be in compliance with
Corporate Policies: corporate guidance that establishes a basis for IT Security Principles and Policies
IT Security Principles: the statements of value, operation or belief that define the organization's overall approach to IT Security (each with a Motivation and an Implication)
IT Security Architecture: provides guidance to the organization by translating the business objectives and tolerance for risk into structures that can be technically implemented
Security Architecture Design Principles: the high-level decisions that provide overall guidance to the form and definition of the IT Security Architecture
IT Security Conceptual Architecture: the high-level view of the trust model and relationships
IT Security Functional Architecture: the specification, position and relationship of the required functions
IT Security Physical Architecture: the specification of the nodes that deliver the required functions
IT Security Policy Framework: the outline of responsibilities and processes for policies
IT Security Policies: the statements of expected obligations, responsibilities, and behaviours
IT Security Standards: requirement for compliance to a particular means of executing a security function

Policy work stream. Inputs: Business Mission, Reference Standards, Legislation/Regulations, Threats and Risks, Stakeholder Input, TDBFG IT Security Policy Framework, TDBFG IT Security Policies and Standards, Corporate Policy Template, Organization Enterprise Risk Management, Interviews/Workshops
Define IT Security Policies: IT Security Policy Requirements; IT Security Policy Decisions; policy template: Policy Name - Statement - Summary - Purpose - Scope of Application - Policy - Roles & Responsibilities - Exception Management - Ownership & Change Management - Policy Review Cycle
Define IT Security Policy Management Framework: IT Security Policy Framework Requirements; IT Security Policy Framework Decisions; IT Security Policy Framework - Contribution to IT Security Program - Management Responsibilities and Processes
Define IT Security Policy Processes: IT Security Policy Framework Processes - Purpose - Rationale - Implications - Definition and enhancement - Review and approval - Management and enforcement - Position in IT Security Program
Define IT Security Policy Topics
IT Security Policy Interim Review; IT Security Policy Implementation Considerations; IT Security Policy Implementation Recommendations and Next Steps; Develop Presentation (IT Security Policy Presentation); Completion Review
Policy Framework Implementation Considerations; IT Security Policy Framework Recommendations and Next Steps; Develop Presentation (IT Security Policy Framework Presentation); Completion Review


Example Financial Institution

[Diagram: example information security framework. Recoverable labels:]
Information Security Drivers: Business, Risk Tolerance, Legislation & Regulations
Information Security Strategy: Business Mission; Information Security Vision & Mission; Information Security Strategy; Information Security Principles (Motivation, Implication); Risk Tolerance
Information Security Architecture: Information Security Architecture Design Principles; Information Security Conceptual Architecture; Information Security Functional Architecture; Information Security Physical Architecture; Information Security Policy Framework; Information Security Policies
Information Security Management: Strategy Requirements & Planning; Information Security Governance; Risk Management; Legislation and Regulatory Compliance; Principles, Policies, Standards, Guidelines, Procedures; Information Security Architecture; Corporate Policies; Operations (Audit, Enforcement, Monitoring & Management, Measurement & Assessment); Awareness & Training
Information Security Framework: Information Security Health Check; Information Security Key Performance Indicators; Information Security Principles; Information Security Policy Framework; Information Security Policies; Information Security Standards; Information Security Management Processes; Information Security Operational Processes; Information Security Controls


Information Security roadmap

[Diagram: security capability plotted against evolution over time. Recoverable milestones and descriptions:]
- Initiate Stakeholder Security Program: stakeholder sponsored program with responsibilities assigned
- Information Security Strategy & Principles: clearly defined set of technology-independent principles developed from the business strategy
- Security Policies and Standards: policies and standards in place to define responsibilities, behaviors and criteria
- Information Security Controls: security controls defined to establish a consistent basis for managing risk
- Security Organizational Structure: individuals and organizations assigned responsibility, accountability and authority to support the infrastructure
- Conceptual Security Architecture: architecture principles and policies in place to define core security functions
- Functional & Physical Security Architecture: establishment of standards and technologies to support stakeholder interaction
- Assurance: auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and are effective
- Compliance and Certification: establish compliance measurement and reporting system
- Security Management: Mandate, Operations, Incident, Problem, Change, Configuration, Monitoring
- Security Metrics: measure the efficiency, effectiveness, value and continuous performance improvement of the individual security processes

Questions?
Glen Bruce, glebruce@deloitte.ca


Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 6,100 people in 47 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

Member of Deloitte Touche Tohmatsu