Information Security Strategy Template, February 2016

Upload: bernard-marsh

Post on 19-Jan-2018


Page 1: Information Security Strategy Template

February 2016

Page 2: Outline

• Why develop a security strategy

• Business drivers

• Information Security Ecosystem

• BoD Level State of Security Narratives

• Organization of Information Security

• Incident Summary

• Current Priorities

• Risk Landscape

• Investment Roadmap

• Next Steps

Page 3: Why Develop a Security Strategy?

Figure: tiers of security work (Could Do, Should Do, Work We Must Do) set against Baseline protection, Proactive management, and New business drivers.

Help the <the business> determine acceptable levels of risk and how much investment is needed.

Manage Compliant-Ready Services

“Legally Defensible” Security

Risk-Based Decisions to Achieve Business Goals

Page 4: Vision and Mission

Vision (sample): Information Technology risks are identified, understood, and managed to an acceptable level across the Enterprise. Business units have the tools, resources, and expertise to make optimal decisions for business success.

Mission: Develop and measure IT security standards while enabling business autonomy and agility. Deliver value through identification of threats, assessment of risk, expert consulting, and providing foundational security services to prevent, detect, and respond to disruptions.

Top Business Drivers (business drivers associated with IT Risks)

Brand
• Earn and maintain customer trust
• Online presence with content integrity and availability

Competitive Advantage
• Protect sensitive information to continue growth in established markets, enable global expansion

Compliance
• Identify and efficiently manage regulations

Customer & Employee Privacy
• Protect Customer and Employee data from theft or disclosure

Page 5: How We Think About IT Security

Defining an IT Security ecosystem helps organize security risks across the Business.

Figure: ecosystem elements (Data, Workforce, Applications, Devices, Networks, Physical) and the objective for each:

• Data is classified, known, & protected throughout its lifecycle
• Applications are developed and managed securely
• A diverse collection of devices configured and managed for security
• Networks are available, monitored, and resilient
• Facilities are safe and accessible
• Workforce is trained and empowered to protect data

Page 6: (alt.) How We Think About IT Security (NIST CSF view)

Defining an IT Security framework helps organize security risks across the Enterprise.

Figure: the five NIST CSF functions applied to Data, shown for Corporate and for each Business Segment:

• Identify: Asset Management, Governance, Risk Management
• Protect: Access Control, Training, Data Protection, Maintenance, Protective Technology
• Detect: Anomalies, Event Monitoring, Detection Processes
• Respond: Planning, Communications, Analysis, Mitigation, Improvements
• Recover: Recovery Planning, Improvements, Communications

Page 7: NIST Cyber Security Framework (optional narrative)

• Each step required
• Historically we invested in…
• Detect and Respond provide immediate value when prevention is not mature
• Reduce impact of breaches
• Prevention: longer ramp-up time, and even then not 100%

Figure: Identify, Protect, Detect, Respond, Recover cycle.

Page 8: State of Security (BoD Level, central org.)

Figure: State of Security by Maturity & Adversary. Bar chart of maturity (scale 0-5) per ecosystem element (Workforce, Data, Access, Applications, Devices, Networking, Physical), with a Maturity Target line and an Adversary Model scale:

• Advanced Adversary (Nation-State)
• Organized Crime
• Malicious Insider
• Opportunistic Crime
• Hacktivist
• Script Kiddie

Page 9: State of Security (BoD level, multiple control owners)

• Service Objective: Foster and support an appropriate security posture aligned with business goals
• Monitor control effectiveness & visibility
• Develop baseline standards where needed

Figure: control matrix (can use ecosystem elements as rows).
Control Visibility Key: Full, Partial, No/Limited.
Control Posture Key: Meet Standards, Short Term Gaps, Long Term Gaps, No Standard Defined.

Page 10: State of Security (BoD level, over time narrative)

Figure: maturity over time (Ad Hoc, Developing, Defined, Managed, Optimizing) across fiscal years (FY XX, FY XX, FY XX, FY XX), showing Current Maturity and Target Maturity, with numbered callouts (1-5) for Key IT Initiatives (IT Init., Multi-year Initiative) and Key Security Initiatives (Initiative, Initiative 2). Callouts may note events; the chart may also include the adversary scale.

Page 11: Incident Summary

• Significant Incident summaries
• Show count by severity graphic
• Current year and multi-year

Page 12: FY XX

• Key initiatives and budget summary to reach target maturity levels
• Include 3 year plan if significant maturity gaps exist

Page 13: CISO Peer & Control Owner Narratives

Additional detail beyond Board of Director level content

Page 14: Organization of Information Security

Figure: ownership matrix of security services across Information Security, Information Technology, Business Units, Operations, and Unknown owners (show ownership across security services).

Legend: Compliance Ready; Resourced, not complete; Investment Required; Analyst & Operational Responsibilities.

Services shown: Risk Assessment, Disaster Recovery, Security Policy, Security Awareness, Audit Mngt., Firewall/IDS Mngt., Access Mngt., User Provisioning, Remote Access, Event Monitoring, Incident Response, Data Loss Prevention, Sys. Implementation, System Updates, Technical Standards, Change Mngt., Capacity Mngt., Data Inventory, Vendor Mngt., Mobile Mngt., H/W, S/W Inventory, Security Architecture, Security Engineering, Vulnerability Mngt., Mngt. & Reporting, Tier 1 Investigation, Data Encryption, Secure Programming, Audit Oversight, Purchasing, Internal Consulting, Data Analytics, Compliance, Application Mngt., Business Continuity.

Page 15: Current State Summary

Progress
• wins

Challenges
• Need help

Next Steps
1.

Page 16: Risks Grouped By Business Driver (example)

• Protect Brand
  • Focus: Incident Response, Device Support & Vulnerabilities
  • Impact estimates: loss of service or data affecting patient adoption & retention
  • 6 High risks
• Privacy
  • Focus: Malware & Unencrypted Data
• Enable Business
  • Meet Partner requirements
  • Strengthen remote authentication
• Compliance
  • 7 risks across foundational controls

Figure: risk heat map (both axes 3-10) with Accept, Evaluate, and Act regions; risks colored by business driver (Compliance, Protect Brand, Privacy, Enable Business).

Page 17: Current Risk Landscape

• Risks Needing Decision
  • Count: xx
  • Foundational controls missing or partially implemented
• Mitigation In Progress
  • Count: x
  • Key risks: managing vulnerabilities, backup-restore, upgrade software
• Mitigated
  • Count: x
  • Vendor managed: assessed and managed

Figure: risk heat map (both axes 3-10) with each risk marked Active, In Progress, or Mitigated. Risks plotted: Shared ID's, Backup-restore, Unencrypted Data, No 2-Factor, Sanction Policy, DoS, Media destruction, Terminated Users, Data inventory, Password Policies, Validate Access, Wireless controls, Vuln. mngt., Business continuity, Incident Response, Risk management, Vendor Compromise, Background checks, Appropriate access, Partner Requirements, Attack Chain: malware, Obsolete Software, Phishing victims, Device Malware/Abuse.

Page 18: IT Security Performance

• Measuring xx Performance indicators across Business Units

Table columns: Title | Status | Trend. Rows (status and trend to be filled in):
Master Security Index
Protect Brand
Increase Revenue
Support Business
Reduce Costs
Comply Efficiently

Page 19: Align Controls To Agent Impacts

Figure: controls plotted by Investment & Process Maturity against agent Motive, Skill, & Perseverance (scale 1-5).

Agents: Script Kiddie, Hacktivists, Malicious Insider, Criminals, Advanced Adversary (For IP), DoS.

Controls: Basic AAA, Basic SDL, Vuln Scans, Device Mngt., Fraud Detection, Advanced SDL, Advanced AAA, IRM, Full Packet Capture Analysis, Custom Malware Detection, Response & Forensics Expertise, Adv. Awareness Edu.

Page 20: Security Roadmap Funding Priorities

• Investment priorities evaluated by
  • Risk Priority
  • Business Support
  • IT Capacity
  • Cost (internal labor & Op. Ex.)
• Top Priorities - Funding Approval Request (blue icons)
  • Incident Response Plan
  • Mature Vulnerability Mngt.
  • Device Malware Management
  • IT Risk Management
  • Update Security Policy
• Next Priorities
  • Back-up Restore
  • Remote 2-Factor
  • Replace Obsolete Systems
  • Access Mngt. (terminated users)

Figure: initiatives plotted on a 0-100 scale against cost ($0-$100): Unique IDs Plan, Backup-Restore, Encrypt Data at rest, Business Impact Analysis, Sanction Policy, Mature Vuln. Mngt., Anti-DoS, Update Policy, Media Destruction, Access Management, Inventory Data, Replace Obsolete Software, Strengthen Wireless Plan, Incident Response Proposal Plan, IT Risk Mngt., Remote Access: 2-Factor, Background Checks, Replace Obsolete Software Plan, Anti-phishing program, Device Standards/Mngt.

Page 21: Security Roadmap Template

Figure: Gantt-style roadmap with a Priority Initiative column and quarters Q1-Q4 across three fiscal years (FYxx, FYxx, FYxx). Legend: Current Focus, FY xx Investments, FYxx Investments, Project, Sustained Process, Transition, Planning.

Page 22: Next Steps

• Execute current commitments
• Formalize “Organization of Information Security”
• Fund priority investment requests
• Complete 3 year roadmap during FYxx planning

Page 23: Additional Content

Appendix (additional stories)

Page 24: Primary Services: Current State

Table columns: Service | Maturity | Capacity | Org. Alignment
Primary Service 1 (from previous slide) | Select a light and/or short description (see notes) | Select a light or short description | Select a light or short description
Primary Service 2 | | |

• Optional: show process maturity, capacity, or org. alignment visuals

Page 25: Risk By Business Driver

Group | Title | Score
Protect Brand | Backup-restore | 68
Protect Brand | Denial of Service | 45
Protect Brand | Terminated Users | 68
Protect Brand | Vuln. mngt. | 85
Protect Brand | Business continuity | 38
Protect Brand | Incident Response | 78
Protect Brand | Attack Chain: malware | 65
Protect Brand | Obsolete Software | 73
Protect Brand | Phishing victims | 55
Privacy | Unencrypted Data | 71
Privacy | Media destruction | 41
Privacy | Data inventory | 48
Privacy | inventory | 59
Privacy | Appropriate access | 35
Privacy | Device Malware/Abuse | 64
Enable Business | No 2-Factor | 64
Enable Business | Partner Requirements | 59
Compliance | Shared ID's | 35
Compliance | Sanction Policy | 36
Compliance | Password Policies | 42
Compliance | Validate Access | 37
Compliance | Wireless controls | 41
Compliance | Risk management | 55
Compliance | Background checks | 35

Figure: risk heat map (both axes 3-10) with Accept, Evaluate, and Act regions; risks colored by business driver (Compliance, Protect Brand, Privacy, Enable Business).

Page 26: Data Related Threats

• Threats
  • Regulatory Costs
  • Fines associated with accidental loss or theft of Data
  • Initiated by report or complaint to Office of Civil Rights (OCR)
  • Criminal Organizations
  • Data theft and discovery
  • Complaint from OCR, Health & Human Services (HHS), or patient
• OCR Fines, Audit, and Remediation Costs
  • Required annual compliance program and audit regardless of breach volume
  • Subjective fine determination based on knowledge of loss, control awareness, and effectiveness (see notes for references)
  • Fines range from $2 to $5,208 per record
  • Avg. fine $255 per record
• Examples
  • Wellpoint: Inadequate general controls, loss of 612,402 records, $1.7M fine
  • North Idaho Hospice: “unsecured Data,” <500 records, $50k fine

Specific to industry; leverage ISACs, intel. services

Page 27: Local Industry Collaboration

• Project to meet & collaborate with <peer> security leaders
  • Information Security priorities
  • Investment levels
  • Optimal organizational structure

Summarize outreach efforts for industry comparison

Page 28: Calibrated Risk Scale Definitions

Impact

Value | Direct Costs | Indirect Costs | Examples
10 | Revenue: Missed Targets of $xxx,xxx; Regulatory: Fines & Audits of... | Competitive: Differentiator of...; Goodwill: Customer departure of... | Focus: Mitigate Risk e.g. material loss estimated above $xx,xxx,xxx.
... | | |
6 | Revenue: Limited to department...; Regs: Increased scrutiny... | Goodwill: Customer churn of 5-10%... | Focus: Owner Judgment e.g. business considerations.

Frequency

Value | Description | ARO Guide | Examples
10 | Strong evidence of imminent realization, precedent exists, reliable intelligence. | > 1 annually, see risk details for estimates | Known control weaknesses of..., confirmed agent...
... | | |
6 | Difficult to exploit without internal... | Realized once in 4 years... | Private system, agent unconfirmed

Page 29: Strategy Communication

Mission success requires stakeholder awareness, support, & participation

Stakeholder | Communication | Means | Frequency
Board of Directors | State & Compliance Summary | BoD Summary | Semi-Annual
Executive Team | State, Compliance, & Initiative Summary | Executive Summary; Metric Summary | Quarterly
Business Lines | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Semi-Annual
IT | State, Compliance, & Initiative Detail | IT Intranet; Brown bags; Metrics | Monthly
Employees/Customers | Awareness Training & Measurement | Awareness Training; User Intranet; Engagement Portal | Semi-Annual

Page 30: Key Performance Indicators

Security Incidents
• No. critical & emergency incidents
• No. of moderate incidents

Access Management
• % accounts de-provisioned within standard

Device Security
• % of production servers compliant to minimum standards

Application Security
• % apps with security assessment completed
• # Critical vulns in production

IT/Biz Project Support
• # Long-term engagements
• # Medium & Short term engagements
• # of unplanned, short projects

Security Program
• % security initiatives completed on time

(Reference Master Metrics List - starter set below)

Page 31: Complete Risk Statements

Figure: components of a complete risk statement:

Risk
  Impact
    Direct: Regulatory, Recovery, Revenue
    Indirect: Goodwill, Scrutiny, Competitive
    Corrective Capability
  Frequency
    Vuln. Attributes: Complexity, Vector, Access, Availability
    Control Effectiveness: Roles, Awareness, Tools, Policy & Process, Detect/Deter
    Agent: Capability-motivation, Occurrence

Page 32: Executive Discussion Example (unsorted)

Question | Answer (in strategy deck) | Balanced Score Card Category | High Level Measurements
Has anything bad happened? | # High incidents; # Medium incidents; # Near misses | Financial | # High incidents; # Medium incidents; # Near misses
What are the top risks? | Top risk estimates e.g. Heat Map | Financial | % risks with treatment decisions; % unacceptable risks under mitigation; +/- % Annual budget
What are we doing about them? | Funded initiatives; Future initiatives | Learning & Growth | +/- % Initiative budget (amount); $ estimate future initiatives
Are we improving internally? | Target process maturity | Learning & Growth | % Processes at target maturity; +/- # Process improvement initiatives (count)
How are we helping the business? | Strategy alignment; Training; Consulting | Customer | % business strategies aligned with Security; % training objectives met; # business & IT consulting projects
Is our environment resilient? | Control metrics | Internal Business | % key controls with metrics; % metrics at/above target
Are we compliant? | Passed last year; Overdue findings; Repeat findings | Internal Business | # overdue findings; # repeat findings
Are we efficient? | Initiatives on time & budget | Internal Business | Budget to Forecast variance; % Initiatives completed on time & budget

Page 33: Balanced Security Scorecard (Example)

Financial
Risks
• % risks with treatment decisions
• % unacceptable risks under mitigation
• +/- % Annual budget
Incidents
• # High incidents
• # Medium incidents
• # Near misses

Internal Business
Resiliency
• % Key controls with metrics
• % Metrics at/above target
Compliance
• # Overdue findings
• # Repeat findings
Efficiency
• Budget to forecast variance
• % Initiatives completed on time & Budget

Learning & Growth
• $ Initiative budget (+/- last year)
• # process improvement initiatives (+/- last year)
• $ Estimate future initiatives
• % Processes at target maturity

Customer
• % Business strategies aligned with Security Services
• % Training objectives met
• # Business & IT consulting projects (+/- % budgeted)

Page 34: <Services> Maturity Plan

Table columns: Component | Current State | FY15 | FY16 | FY17. Each component row carries a maturity scale from 1 (Ad Hoc) to 5 (Optimized).

Components:
• Assessment Services
• Security Operations & Engineering
• Emergency Preparedness
• Program Administration
• Governance, Compliance, Reporting
• Investigations & Response

Page 35: Risk Assessment Deliverables

Type | Output | Purpose | Duration
Ad Hoc Risk Statement | Email, Meeting | Clarify Policy | 1-2 Hours
Position Paper | 1-2 Page Document | Official Team Statement | 1 Week
Project Support | Document | Identify Security Requirements | Varies
Detailed Assessment | Document | Active Evidence Collection, Testing | 2-3 Weeks
Strategic | Presentation & Document | Prioritize Budget | Quarterly Updates – Annual Budget