INFORMATION SECURITY: Presenting to the Board of Directors
Bruce Forman, Chief Information Security Officer, UMass Memorial


Page 1: CISO Healthcare Summit

INFORMATION SECURITY: Presenting to the Board of Directors

Bruce Forman, Chief Information Security Officer, UMass Memorial

Page 2: Congratulations! You’re a ____________

•  CIO

•  CISO

•  Director, Information Technology

•  Director, Information Security

Page 8: Agenda

I.  Board Purpose and Function

II.  The “Basics”

III.  Preparation

IV.  Presentation

V.  References

VI.  Take-Aways

Page 9: What this Presentation is NOT:

•  A comprehensive, one-size-fits-all approach.

•  The ONLY solution.

Page 10: What this Presentation IS…

•  A proposed framework for presenting to the Board of Directors

•  Some things that have worked for me

•  Some things that have worked for some of my peers

Page 11: Board Purpose and Function

As it relates to Information Security… Delegate responsibility to the CISO to:

•  Establish Policy

•  Monitor and Report

•  Regulatory Compliance

•  Security Awareness

“The Board’s purpose is or should be governance”

Page 12: The “Basics”

•  Talk in Business Terms

•  Establish Credibility

•  Present Security as a Value Proposition

•  Be viewed as an enabler, not as “Dr. No” (“Yes, and here’s how”)

•  Borrow from other department heads to determine appropriate level of detail

•  Know your customer

•  Act as translator from regulatory language

•  Advocate for the “correct” (reasonable) degree of effort in managing security & compliance

Page 13: Preparation

•  REALLY IMPORTANT! Review the recommendations with the Executive Team first. No surprises!

•  Talk to an advocate, such as the VP of Internal Audit, about the Board members’ backgrounds and what they want to hear.

•  Review key issues with any Board member known to be an advocate of a particular issue or aligned with the issue

•  Determine what you need to communicate.

•  Focus the presentation to meet their needs and backgrounds

•  Answer the questions from the Midwest checklist

Recognize that 80% of the time they will ask questions about something you think they won’t ask about.

Page 14: Preparation (Midwest Checklist - Sample)

•  What percent of our IT budget is dedicated to IT risk/security? (Note: typical range is between 4-10% based on industry in a steady/mature state. Higher for financial services/technology, lower for manufacturing)

•  How has the security budget changed in recent years? How much change has been driven by or allocated to emerging risk areas (e.g., APT, cloud computing, mobile devices)?

•  What is the level of access among our executives? Do the executives have too much access to the company’s systems? How does that affect the risk profile of the company?

Page 15: Presentation

•  What is or what has changed in the current risk and regulatory environment?

•  What is your Organization’s current risk profile and how are you going to reduce the Organization’s risk profile?

•  What is the current status of the projects for which investments have been made?

…any presentation to the Board will address one or more of these topics.

Page 16: Regulatory and Risk Environment

•  Review changes such as enforcement actions and new regulatory requirements

•  Address up-and-coming issues they might hear about and how they relate to the organization

•  Identify any security incidents or breaches and the current status of the incident response.

Page 17: Regulatory and Risk Environment

Page 18: Organizational Risk Profile

Develop an Organizational Heat Map

•  Use ISO 27001 (or other Standard)

•  Describe how you are assessing risk.

•  Provide “drill-down” to show what makes up risk ratings

Provide detailed information for each individual risk to include:

•  Description of the risk and potential impact

•  Business Area affected

•  Trending = same, getting better, or getting worse.

•  Reason: 1-2 sentences on why this is up or why it’s down

•  Action Plan to reduce risk

Page 19: Organizational Risk Profile

1.  Organization of Information Security

2.  Asset Management

3.  Human Resources Security

4.  Physical and Environmental Security

5.  Communications and Operations Management

6.  Access Control

7.  Security Auditing and Monitoring

8.  Information Systems Acquisition, Development and Maintenance

9.  Information Security Incident Management

10.  Business Continuity Management

11.  Contracts for Information Systems or Technology Resources

12.  Compliance

Page 20: Communications & Operations Management

1.  Wireless Security

2.  Data Loss Prevention

3.  Social Engineering

4.  Unauthorized Access to EPHI

5.  Intrusion Detection

Page 21: Unauthorized Access to EPHI

Finding: Although logs are collected, there are no proactive monitoring, alerting and response activities.

Impact:

For compliance and reporting, access to EPHI is difficult or impossible to monitor effectively with manual processes.

Business Area: HealthCare System

Trending -

Action Plan:

Identified and ordered an appliance-based solution to aggregate EMR log events. When implemented (by January 2013), it will allow reporting and automated alerting for the primary EMR systems.

Page 22: Unauthorized Access to ePHI

Page 23: Performance Against Metrics

•  Major projects accomplished and planned

•  Performance metrics related to the Security Team, the Organization, or both

Page 24: Performance Against Metrics

What is your effectiveness as a group? For Example:

1.  Identify capital expense and headcount

2.  Metrics measure things that you can count:

a.  # of vendor security assessments this year

b.  # of security awareness presentations this year

c.  # of issues in the annual penetration test

Page 25: Performance Against Metrics

Page 26: Takeaways

1.  Review with Executive team first.

2.  Know your Board and tailor presentation to their needs.

3.  Review the “Midwest Checklist”

4.  Know what you want to communicate.

Page 27: References

•  Epstein Becker Green, 2012 Privacy and Security Year in Review

•  Questions the audit committee should ask the CIO and CISO

•  Source for the ISO 27001 Standard

Page 28: Special thanks to…

Robert Weaver, Former CISO, ING Direct

Chris Schroeder, Vice President, Information Security, Enterprise Risk at Lowe's Companies, Inc.