Build an Information Security Strategy


Upload: andrew-byers

Post on 20-Jan-2017


TRANSCRIPT

Page 1: Build an Information Security Strategy

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2015 Info-Tech Research Group Inc.

Build an Information Security Strategy: Tailor best practices to effectively manage information security.

Page 2: Build an Information Security Strategy

Our understanding of the problem

This Research Is Designed For:

• Security leaders or IT leaders who are tasked with developing a security strategy

• CISOs/CSOs who would like to improve their security strategy and ensure that it is comprehensive enough for today’s threat landscape

This Research Will Help You:

• Understand current security practices, capabilities, and performance

• Understand your security obligations, scope, boundaries, and responsibilities

• Establish a security target state based on your organizational context

• Develop a strategy and roadmap to help you achieve your security target state

This Research Will Also Assist:

• CEOs and other business leaders who want to understand which elements should be involved in a good security strategy

This Research Will Help Them:

• Understand the value of good security practices

Page 3: Build an Information Security Strategy

Executive Summary

Situation

Technology sophistication and business adoption, the proliferation of hacking techniques, and the expansion of hacking motivations from financial to social, political, or strategic motivations have resulted in organizations facing major security risk. Every organization needs some kind of information security program to protect its systems and assets. Organizations today face pressures from regulatory or legal obligations, customer requirements, and now senior management expectations.

Complication

Performing an accurate assessment of your current security operations and maturity levels can be extremely hard when you don’t know what to assess or how, and an assessment alone is only the starting point. Senior management wants to know that adequate targets have been determined and that there is a robust plan for how they are going to be met.

Resolution

Info-Tech has developed and tested a robust information security framework with supporting methodologies to generate your organization’s comprehensive, highly actionable, and measurable security strategy and roadmap:

• Info-Tech’s best-of-breed security framework combines COBIT 5, PCI DSS, ISO 27000 series, NIST SP 800-53, and SANS security components to ensure all areas of security are considered and covered.

• Robust security requirements gathering across the organization, key stakeholders, customers, regulators, and other parties ensures the security strategy is built in alignment with, and in support of, enterprise and IT strategies and plans.

• A comprehensive current state assessment, gap analysis, and initiative generation ensures nothing is left off the table.

• Tested and proven rationalization and prioritization methodologies ensure the strategy you generate is not only the one the organization needs, but the one the organization will support.

Info-Tech Insight

Best of Breed: It’s hard to know which security framework is best. Info-Tech analyzed and integrated frameworks to ensure an exhaustive approach to security.

Alignment: Security is still a friction point and viewed as a cost center. Align your security strategy with corporate and IT strategies to ensure support.

Communication: To have a strategy implemented, you need to communicate to stakeholders in their language and show that their concerns and perspectives were accounted for.

Page 4: Build an Information Security Strategy


Use these icons to help direct you as you navigate this research

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team analysts, who will come onsite to facilitate a workshop for your organization.

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

Page 5: Build an Information Security Strategy

Info-Tech offers various levels of support to best suit your needs

Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Diagnostics and consistent frameworks are used throughout all four options.

Page 6: Build an Information Security Strategy

Information security project overview

Best-Practice Toolkit

Phase 1: Assess Security Requirements

1.1 Introduce security management

1.2 Understand business and IT strategy and plans

1.3 Define security obligations, scope, and boundaries

1.4 Define risk tolerance level

1.5 Assess security risk profile

Phase 2: Perform a Gap Analysis

2.1 Assess current security capabilities and performance

2.2 Review pen test results

2.3 Define security target state

Phase 3: Develop Gap Initiatives

3.1 Identify security gaps

3.2 Build initiatives to bridge the gap

3.3 Estimate the resources needed

3.4 Prioritize gap initiatives

3.5 Determine start time and accountability

Phase 4: Plan for the Transition

4.1 Finalize security roadmap and action plan

4.2 Build a security charter

4.3 Build the security program organizational structure

4.4 Create a change and communication plan

4.5 Develop a metrics program

4.6 Develop a security services catalog

Guided Implementations

• Review the scope of the security strategy plans

• Define the organizational risk tolerance

• Assess the security risk profile of the business

• Perform a current state assessment of the security controls

• Determine the future target state of the security controls

• Identify existing gaps and create gap initiatives to close the gaps

• Determine the benefit, cost, and resources needed for each initiative

• Build a roadmap based on the security initiatives

• Optimize your strategy

Onsite Workshop

Module 1: Assess Security Requirements

Module 2: Perform a Gap Analysis

Module 3: Continue the Gap Analysis

Module 4: Plan for the Transition

Phase 1 Results: • Security obligations statement • Security scope and boundaries statement • Security risk profile • Defined risk tolerance level

Phase 2 Results: • Current security capabilities • Target future state defined

Phase 3 Results: • Security program gaps identified • Gap initiatives defined • Estimated effort, budget, and resource readiness assessment

Phase 4 Results: • Security roadmap and action plan • Security charter • Change and communication plan • Metrics program • Security services catalog

Page 7: Build an Information Security Strategy

Workshop overview

Contact your account representative or email [email protected] for more information.

Workshop Day 1: Assess security requirements

Activities:

1.1 Introduce security management

1.2 Understand business and IT strategy and plans

1.3 Define security obligations, scope, and boundaries

1.4 Define risk tolerance level

1.5 Assess security pressure posture

Deliverables:

1. Security obligations statement

2. Security scope and boundaries statement

3. Defined risk tolerance level

4. Security pressure posture

Workshop Day 2: Perform a gap analysis

Activities:

2.1 Assess current security capabilities and performance

2.2 Review pen test results

2.3 Define security target state

Deliverables:

1. Security capabilities and performance report

2. Security future state

Workshop Day 3: Develop gap initiatives

Activities:

3.1 Identify security gaps

3.2 Build initiatives to bridge the gap

3.3 Estimate the resources needed

3.4 Prioritize gap initiatives

3.5 Determine start time and accountability

Deliverables:

1. Future state–current state gap analysis

2. Initiatives to address the gap

3. Estimated effort needed

4. Budget & resource readiness analysis

Workshop Day 4: Plan for the transition

Activities:

4.1 Finalize security roadmap and action plan

4.2 Create a change and communication plan

4.3a Build a security charter

4.3b Build the security program organizational structure

4.3c Develop a metrics program

4.3d Develop a security services catalog

Deliverables:

1. Security roadmap and action plan

2. Security charter

3. Change and communication plan

4. Metrics program

5. Security services catalog

Workshop Day 5: Communicate and implement

Activities:

5.1 Finalize deliverables

5.2 Support communication efforts

5.3 Identify resources in support of priority initiatives

Deliverables:

1. Security strategy and roadmap deck/document

2. Mapping of Info-Tech resources against individual initiatives

Page 8: Build an Information Security Strategy

Info-Tech’s framework integrates several best practices to create a best-of-breed security framework

• COBIT 5 for Security: More principle- and process-based than other best practices

• ISO 27000 Series: Comprehensive standard providing best practices associated with each control

• PCI-DSS: Provides more detailed instructions than most other best practices but not much breadth

• SANS Twenty Critical Security Controls: Provides a great list of controls for effective cyber defence

• NIST SP800 Series: Provides a detailed list of security controls along with many implementation best practices intended for federal information systems and organizations

[Figure: Info-Tech’s Best-of-Breed Information Security Framework, drawing on COBIT 5, SANS Critical Controls, NIST SP800-53, ISO 27000 series, and PCI-DSS]

Page 9: Build an Information Security Strategy

Practical component level of Information Security Program Framework

[Figure: Information Security Framework, divided into Governance (Context and Leadership; Evaluation and Direction; Compliance, Audit and Review) and Management (Prevention; Detection; Response and Recovery; Measurement). Components shown on the slide:]

• Information Security Charter

• Culture and Awareness

• Information Security Organizational Structure

• Security Risk Management

• Security Strategy and Communication

• Security Policies

• Security Compliance Management

• External Security Audit

• Management Review of Security

• Internal Security Audit

• Identity and Access Management

• Identity Security

• Data Security

• Hardware Asset Management

• Data Security & Privacy

• Infrastructure Security

• Network Security

• Metrics Program

• Endpoint Security

• Malicious Code

• Application Security

• Vulnerability Management

• Cryptography Management

• Physical Security

• Configuration and Change Management

• Vendor Management

• Security Threat Detection

• Log and Event Management

• Security Incident Management

• Security eDiscovery and Forensics

• Backup and Recovery

• Information Security in BCM

• Continuous Improvement

• Change and Support

• HR Security

• Cloud Security

Page 10: Build an Information Security Strategy

Domain level of Information Security Program Framework

[Figure: Information Security Framework domains]

Governance:

• Context and Leadership

• Evaluation and Direction

• Compliance, Audit and Review

Management:

• Prevention

• Detection

• Response and Recovery

• Assurance / Measurement: Metrics Program; Continuous Improvement

Principles listed on the slide:

• Management Commitment

• Strategic Alignment

• Confident or Risk/Compliance Posture

• Defence in Depth

• People, Process, Technology

• Flexibility to Trends

• Result-Orientated

• Transparency

• Continuous Improvement

Page 11: Build an Information Security Strategy

Info-Tech’s Information Security Methodology and Maturity Level Model

[Figure: security maturity matrix; columns are the seven areas (Context and Leadership; Evaluation and Direction; Compliance and Review; Prevention; Detection; Response and Recovery; Measurement), rows are maturity levels ML: 5 down to ML: 1]

Each security area has five possible maturity levels. This generates a security maturity matrix and is the basis for the framework.

1. Collectively, these seven areas form Info-Tech’s Information Security Framework.

• These areas were designed by Info-Tech to be process- and management-based areas that can be evaluated independently of each other.

• Each security component has many sub-components.

2. All seven security areas are evaluated on the five-level maturity model.

• Using Info-Tech’s scoring methodology, sub-components are evaluated individually, with the aggregate scores generating the component scores.

3. Target scores for each security area are identified.

• The security maturity model is used to identify maturity levels that meet the organization’s security requirements.

• From the current state maturity levels and target levels, gaps are identified and developed into initiatives to be completed.
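As an added illustration of the matrix described above (not Info-Tech's tool or scoring methodology), the script below models the seven areas with constructed sub-component levels, aggregates them into area scores, compares each score with a constructed target, and turns the areas below target into a prioritised initiative list. The sub-component names, every level, and the aggregation rule (plain mean, rounded to one decimal) are assumptions.

```python
# Added illustration of the slide's maturity matrix; not Info-Tech's tool.
# Assumptions (constructed): sub-component names and levels, target levels,
# and the aggregation rule (mean of sub-component levels, one decimal).
MIN_LEVEL, MAX_LEVEL = 1, 5  # five possible maturity levels per area

# Constructed current-state assessment: area -> {sub-component: level}.
CURRENT = {
    "Context and Leadership": {"Charter": 2, "Culture and Awareness": 1, "Org Structure": 3},
    "Evaluation and Direction": {"Risk Management": 2, "Policies": 3},
    "Compliance and Review": {"Internal Audit": 1, "External Audit": 2},
    "Prevention": {"IAM": 3, "Endpoint": 2, "Network": 3, "Vulnerability Mgmt": 2},
    "Detection": {"Threat Detection": 1, "Log and Event Mgmt": 2},
    "Response and Recovery": {"Incident Mgmt": 2, "Backup and Recovery": 4},
    "Measurement": {"Metrics Program": 1, "Continuous Improvement": 1},
}
# Constructed target levels that meet the organisation's requirements.
TARGET = {"Context and Leadership": 3, "Evaluation and Direction": 3,
          "Compliance and Review": 3, "Prevention": 4, "Detection": 3,
          "Response and Recovery": 3, "Measurement": 2}

def component_score(sub_levels):
    """Aggregate sub-component levels into one area score (assumed: mean)."""
    for name, level in sub_levels.items():
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{name}: level {level} not in {MIN_LEVEL}..{MAX_LEVEL}")
    return round(sum(sub_levels.values()) / len(sub_levels), 1)

def gap_analysis(current, target):
    """Score each area against its target; largest gap first."""
    rows = [{"area": a, "current": component_score(s), "target": target[a]}
            for a, s in current.items()]
    for r in rows:
        r["gap"] = round(r["target"] - r["current"], 1)
    return sorted(rows, key=lambda r: r["gap"], reverse=True)

def gap_initiatives(current, target):
    """Areas below target become initiatives; each names its two weakest
    sub-components, since those pull the aggregate score down most."""
    result = []
    for r in gap_analysis(current, target):
        if r["gap"] > 0:
            weakest = sorted(current[r["area"]], key=current[r["area"]].get)[:2]
            result.append((r["area"], r["gap"], weakest))
    return result

if __name__ == "__main__":
    for area, gap, focus in gap_initiatives(CURRENT, TARGET):
        print(f"{area:25} gap {gap:+.1f}  start with: {', '.join(focus)}")
```

With the constructed data, Response and Recovery already meets its target and produces no initiative, while the three areas with a 1.5-level gap come out on top.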

The best advice I can give is to bring everything together end to end. Don’t limit yourself in any one focused area…If you take an end-to-end approach instead of trying to focus on specific areas and compartmentalize them, you will be 100% more successful.

– Technology Services, USA

Building a holistic framework ensures that all your bases are covered while preventing duplications of the same functions, resulting in a more efficient program.

Page 12: Build an Information Security Strategy

Navigate the 4 phases of the blueprint using this table of contents and deliverables

Phase 1: Assess security requirements

1.1 Introduce Security Management (Template: Information Security Strategy Workbook Template)

1.2 Understand business and IT strategy plans (Template: Information Security Strategy Workbook Template)

1.3 Define security obligations, scope, and boundaries (Template: Information Security Strategy Workbook Template)

1.4 Define risk tolerance level (Template: Information Security Strategy Workbook Template)

1.5 Assess security risk profile (Tool: Security Pressure Posture Analysis Tool)

Phase 2: Perform a gap analysis

2.1 Assess current security capabilities (Tool: Information Security Program Gap Analysis and Roadmap Tool)

2.2 Review penetration test results (Prerequisite: Penetration Test Results Report)

2.3 Define security target state (Tool: Information Security Program Gap Analysis and Roadmap Tool)

Phase 3: Develop gap initiatives

3.1 Identify security gaps (Tool: Information Security Program Gap Analysis and Roadmap Tool)

3.2 Build initiatives to bridge the gap (Tool: Information Security Program Gap Analysis and Roadmap Tool)

3.3 Estimate resources needed (Tool: Information Security Program Gap Analysis and Roadmap Tool)

3.4 Prioritize gap initiatives (Tool: Information Security Program Gap Analysis and Roadmap Tool)

3.5 Determine start time and accountability (Tool: Information Security Program Gap Analysis and Roadmap Tool)

Phase 4: Plan for the transition

4.1 Finalize the security roadmap and action plan (Tool: Information Security Program Gap Analysis and Roadmap Tool)

4.2 Build a security charter (Template: Information Security Charter Template)

4.3 Build the security program organizational structure (Template: Security Governance Organizational Structure Template)

4.4 Create a change and communication plan (Template: Information Security Communication Plan Template)

4.5 Develop a metrics program (Tool: Security Metrics Tool)

4.6 Develop a security services catalog (Template: Security Services Catalog)