Building an Information Security Program: The 12 Step Method
April 2017

Gary Perkins, MBA, CISSP
Chief Information Security Officer (CISO), Executive Director, Information Security Branch, Government of British Columbia
10 step program

Step 1: Ensure you have executive support for security (ask!)
Step 2: Ensure you are well aligned with government and ministry strategy, goals, priorities (compare with security vision, mission, goals and they should be well aligned)
Step 3: Understand organizations' risk appetite (likely med or med-low)
Step 4: Focus on a risk-based approach
Step 5: Focus on security by design – building security in from the ground up; ensure security review as part of capital allocation process
Step 6: Determine your approach (risk, compliance, or capability)
Step 7: Update and review high level risk registry quarterly
Step 8: Identify what is secure enough for your organization – what is sufficient to mitigate risk to an acceptable level? What is defensible? (e.g. hygiene + compliance)
Step 9: Identify a security standard appropriate for your organization and measure compliance, identify gaps, prioritize, and remediate
Step 10: Assemble components into a ministry specific information security program
Step 1: Ensure you have executive support

§ security culture and support for security comes from the top
§ ensure a common understanding of the threat
§ how do you find out whether you have support? Ask!
Step 2: Align with organization's vision, mission, goals, strategy

Example starting with "Making a World of Difference" International Plan:

§ Create a culture of exchange through STUDENT MOBILITY
§ Enhancing the INTERNATIONAL STUDENT EXPERIENCE
§ Providing INTERCULTURAL CURRICULA for a global-ready institution
§ Making a vital impact through INTERNATIONAL ENGAGEMENT
§ Establishing an EXTRAORDINARY ENVIRONMENT FOR INTERNATIONALIZATION
Step 3: Understand organization risk appetite

§ low
§ medium
§ high
§ very high
Step 4: Take a risk-based approach and examine the forces changing the risk profile

§ mobile devices
§ mobile employees
§ cloud computing
§ internet of things
§ outsourcing
§ BYOD
§ consumerization
§ proliferation of apps
§ eroding network perimeter
§ IPv6
§ virtualization
§ big data
§ growth of data
§ advanced persistent threats
§ operational technology
§ machine-to-machine (M2M) APIs
§ digital natives
§ talent shortage
§ data sovereignty
§ data residency
§ robotics
§ industrial control systems
§ autonomous vehicles
§ DevOps
§ convergence of physical and logical
§ personal cloud
§ analytics
§ blockchain
§ wearables
§ augmented reality
§ artificial intelligence
§ cyber insurance
§ regulatory, legislation
§ predictive
§ supply chain
§ access to data
§ nanotech
§ big storage
§ 3D printing
§ ???
Step 5: Focus on Security by Design

Build security in from the ground up & insert review in capital allocation process

IM/IT Capital Investment - Security Considerations
Step 6: Consider maturity level in approach

| Maturity | Approach | Steps |
|---|---|---|
| Low | Risk register | 1. identify key risks; 2. rate inherent risk and trend; 3. identify controls in place; 4. rate residual risk; 5. compare with risk appetite |
| Medium | Standards-based compliance | 1. identify an appropriate standard for your organization; 2. assess present state; 3. determine desired target state based on appropriate controls; 4. gap analysis; 5. plan, prioritize; 6. execute |
| High | Capability-based | 1. review trends in environment; 2. focus on changes in risk posture; 3. consider relevant updates in standards; 4. augment with increased capabilities |
Step 7: Update and review risk registry regularly

| Risk | Definition | Inherent risk | Risk trend | Key risk mitigation strategies | Residual risk | Owner |
|---|---|---|---|---|---|---|
| Network Security | Insufficiently proactive approach on identification of threats and vulnerabilities in network infrastructure and timely mitigation may result in network outages and exposure | H | ↑ | • | | |
| Data Security | Insufficient application of adequate security controls, heightened by limitation of vulnerability management tools resulting in inability to identify and mediate data breaches, theft, destruction or manipulation of data | H | ↑ | • | | |
Step 7: Update and review risk registry regularly (continued)

| Risk | Definition | Inherent risk | Risk trend | Key risk mitigation strategies | Residual risk | Owner |
|---|---|---|---|---|---|---|
| Physical Security | Insufficient security awareness and physical security controls may fail to mitigate physical risk exposures and could impact staff and citizen safety. | M | ↔ | • | | |
| Property Risk | Inconsistent and inadequate preventative measures around key building systems (such as HVAC, electrical, fire suppression/detection) maintenance, housekeeping (i.e., storage of combustibles) and safety procedures may result in avoidable loss or damage of assets such as network, infrastructure, computing that could impact internal processes or client service and delivery. | M | ↔ | • | | |
| Identity Theft & Fraud | Increased incidents of identity theft and fraud globally, including constantly evolving card related fraud, have heightened the need for appropriate controls to safeguard assets, and protect team member and citizen privacy and brand. | M | ↑ | • | | |
Step 8: Define target state

§ world-class
§ risk-based security
§ compliance
§ hygiene
§ defensible

Identify what is secure enough for your organization – what is sufficient to mitigate risk to an acceptable level?
Step 9: Consider a standards-based approach

§ ISO 27000 series (e.g. ISO 27001, 27002)
§ NIST 800-53
§ Industry specific (e.g. NERC)
§ Others: CIS, SANS

Identify a security standard appropriate for your organization and measure compliance, identify gaps, prioritize, and remediate
Step 9: Capability Maturity Model

§ 0 – Not Implemented
§ 1 – Initial
§ 2 – Repeatable
§ 3 – Defined
§ 4 – Managed
§ 5 – Optimized
Step 10: Assemble components into a program
Step 11: Communicate the plan appropriately

§ know your audience
§ use their language
§ communicate appropriately
§ make it relevant
§ demonstrate alignment with strategy
§ ensure they understand why they should care
Step 12: Execute the plan

§ don't boil the ocean
§ understand your present level of maturity
§ set achievable goals
§ break them down into doable chunks
§ measure the progress
§ communicate the progress
§ celebrate the successes
Summary

Security programs will be successful when they are:

§ supported by executive
§ aligned with government and ministry goals
§ risk-based, aligned with business and risk appetite
§ standards-based, evolve over time
§ capture present and target state accurately
§ plans are realistic and actionable
§ resourced effectively
§ focused on building security in from the ground up
§ measured/monitored
§ continuous improvement
§ communicated appropriately
§ executed on
Questions?