Mrs Bianca Pasipanodya, Group ICT Executive for First Mutual Group and an esteemed speaker at the ISACA Harare Chapter, gives her remarks on the implementation of an effective "Information Security Management System" in Zimbabwe.
2. Information security program management
Information security program management is the discipline of designing, implementing and maturing security practices to protect critical business processes and IT assets across the enterprise.
The future of enterprises depends on the quality of security and risk management: information, information systems and technologies may bring numerous benefits to any organization; however, they can also become its main source of vulnerability if they are not managed efficiently.
3. Information Security Management System
Its objectives, among others, are to:
• Protect the organization and its information assets by keeping security at a desired level
• Manage risks by identifying assets, discovering threats and estimating the risk
• Provide direction for security by documenting security policies, procedures, etc.
• Plan and justify budgets and resources related to security
• Assess the effectiveness of the implemented controls by using metrics and indicators.
4. Ensure You Have C-Suite Support
• Security culture and support for security come from the top
• It is important to ensure a common understanding of the threats
• How do you find out whether you have support? Ask!
5. Align to Business Strategy
• Determine the aims to achieve during a defined period
• The security strategy is influenced, to a great degree, by the organization's business strategy. Align it with the organization's vision, mission, goals and strategy.
6. Environmental Trends
• Trends in the economic, business, market, regulatory, political and technology environments can have a great impact on the security risk facing the enterprise.
• Widespread cyber threats to businesses include: spam; phishing emails; viruses; Trojans; spyware; malware; ransomware; rootkits; drive-by downloads; password decryption; denial-of-service (DoS) attacks; out-of-date, unpatched software.
7. Security Assessment
Assess the overall effectiveness and efficiency of security in the company by performing:
- Vulnerability assessments and penetration tests to assess the technical infrastructure
- Risk assessments to balance the investment in controls appropriate to the actual risks
- Internal and external audits, whose results assess the effectiveness of policy and controls compliance, and more
8. Organisation's Risk Appetite
• The consequence and likelihood of the risk occurring should determine the level of acceptable risk
• Management can prioritize resources for taking action based on the appetite it has set
Consider risk appetite in these areas:
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Business continuity management
9. Gap Analysis
• Consists of mapping the current state against the vision statement and identifying the gaps between the two states, in order to derive the actions and projects required to close these gaps.
10. Prioritization
Almost no organization will have the resources required to execute all of the identified security projects and activities. Prioritization criteria include the following:
- The level of risk reduction potentially achieved by a given project/activity
- The resources (skills, staff and systems) required
- The financial cost
- The "time to value": the period between the initial investment and the point at which the project will start accruing value to the organization.
11. Approval
• The final step is to obtain executive approval and budget.
• The strategy should be communicated using a written report and an executive presentation that clearly describe the current state, the desired state, and how the projects, with their respective phases and milestones, will help to achieve the desired state.
12. Review & Reporting
• Use metrics that matter: false positive reporting, incident response volumes, fully revealed incidents rate, percentage of security incidents detected by an automated control
• Measure performance, not activity
• Measure to objectives
• Progress should be reported to upper management on a regular basis.
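As an added illustration of the "metrics that matter" named above (not part of the original deck), the script below computes incident response volume per month, the false positive rate of handled alerts, and the percentage of confirmed incidents detected by an automated control from a constructed incident register, then measures each against a stated objective. The register, the `AUTOMATED_CONTROLS` set and the target values are assumptions made for the example.

```python
"""Review-and-reporting metrics computed from a constructed incident register.
Each metric is returned by a function and compared with a target so the
report measures performance against objectives rather than raw activity."""
from collections import Counter

# Constructed sample register (not real data). detected_by is the source that
# raised the alert; confirmed is False for alerts triaged as false positives.
INCIDENTS = [
    {"id": "INC-001", "opened": "2023-01-04", "detected_by": "siem", "confirmed": True},
    {"id": "INC-002", "opened": "2023-01-11", "detected_by": "user", "confirmed": True},
    {"id": "INC-003", "opened": "2023-01-19", "detected_by": "siem", "confirmed": False},
    {"id": "INC-004", "opened": "2023-02-02", "detected_by": "edr", "confirmed": True},
    {"id": "INC-005", "opened": "2023-02-15", "detected_by": "siem", "confirmed": False},
    {"id": "INC-006", "opened": "2023-02-21", "detected_by": "vendor", "confirmed": True},
    {"id": "INC-007", "opened": "2023-03-03", "detected_by": "edr", "confirmed": True},
    {"id": "INC-008", "opened": "2023-03-09", "detected_by": "user", "confirmed": False},
]

# Assumption for this example: which detection sources count as automated controls.
AUTOMATED_CONTROLS = {"siem", "edr"}


def monthly_volume(incidents):
    """Incident response volume: alerts handled per month, keyed by YYYY-MM."""
    return dict(Counter(i["opened"][:7] for i in incidents))


def false_positive_rate(incidents):
    """Share of handled alerts that turned out not to be real incidents."""
    if not incidents:
        return 0.0
    return sum(1 for i in incidents if not i["confirmed"]) / len(incidents)


def automated_detection_pct(incidents):
    """Percentage of confirmed incidents first detected by an automated control."""
    confirmed = [i for i in incidents if i["confirmed"]]
    if not confirmed:
        return 0.0
    auto = sum(1 for i in confirmed if i["detected_by"] in AUTOMATED_CONTROLS)
    return 100.0 * auto / len(confirmed)


def report(incidents, targets):
    """Measure to objectives: each metric alongside its target and whether it was met."""
    fpr = false_positive_rate(incidents)
    auto = automated_detection_pct(incidents)
    return {
        "monthly_volume": monthly_volume(incidents),
        "false_positive_rate": {"value": round(fpr, 3), "target": targets["max_fpr"], "met": fpr <= targets["max_fpr"]},
        "automated_detection_pct": {"value": round(auto, 1), "target": targets["min_auto_pct"], "met": auto >= targets["min_auto_pct"]},
    }
```

With the sample register, `report(INCIDENTS, {"max_fpr": 0.4, "min_auto_pct": 70.0})` shows the false positive objective met (0.375) and the automated detection objective missed (60%), which is the kind of gap the regular report to upper management should surface.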
13. Security Awareness
Security education is an important component of any organization's information security program.
If employees don't know their security responsibilities, they cannot be depended upon to do their part.
15. Security Programs Success
Security programs will be successful when they are:
• Supported by executives
• Aligned with organisational goals
• Risk-based, aligned with the business and its risk appetite
• Standards-based and evolving over time
• Capturing the present and target state accurately
• Built on plans that are realistic and actionable
• Resourced effectively
• Focused on building security in from the ground up
• Measured and monitored
• Continuously improved
• Communicated appropriately
• Executed on
16. Digital strategic initiatives
• Business innovation means extending beyond the enterprise. Organizations leverage information technology to power their innovation efforts, while battling mounting regulation and escalating threats to information. Without the right security strategy, the business can be stifled or the organization put at great risk.
• Enter new markets, launch new products or services, create new business models, establish new channels or partnerships, or achieve operational transformation.
• Need to work on business problems, not compliance issues