Unit-3 Governance and Strategic Planning for Security

Que 1. What is planning? How does an organization determine if planning is necessary?

Planning:

Planning encompasses general organizational planning as well as the specific processes involved in planning for InfoSec. Planning helps to manage resources in organizations.

Although a chief information security officer (CISO) can generate an urgent response to an immediate threat, CISOs are well advised to utilize a portion of their routinely allocated resources in planning for the long-term viability of the InfoSec program.

Planning helps the organization achieve specific goals during a defined period of time, and then control the implementation of the steps taken toward those goals.

Planning provides direction for the organization’s future.

Without planning, each organizational unit would pursue its own uncoordinated effort; such an uncoordinated effort would not only fail to meet objectives, it would also result in an inefficient use of resources.

Organizational planning, when conducted by the appropriate segments of the organization, provides a coordinated and uniform script that increases efficiency and reduces waste and duplication of effort by each organizational unit.

Planning usually involves many interrelated groups and organizational processes.

Stakeholder: A person or organization that has a “stake” or vested interest in a particular aspect of the planning or operation of the organization; in this case, the information assets used in a particular organization.

When planning, members of the InfoSec community of interest use the same processes and methodologies.

Planning is the dominant means of managing resources in modern organizations. It entails the enumeration of a sequence of actions intended to achieve specific goals during a defined period of time, and then controlling the implementation of these steps.

Que 2. Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is more effective in implementing security in a large, diverse organization?

Top-down strategic planning involves high-level managers providing resources and giving directions. Directors issue policies, procedures, and processes and dictate the goals and expected outcomes of the project, as well as determine who is accountable for each of the required actions.

Top-down strategic planning:

A clearly directed strategy flows from top to bottom, and a systematic approach is required to translate it into a program that can inform and lead all members of the organization.

Strategic plans formed at the highest levels of the organization are used to create the overall corporate strategy.

At lower levels (moving down the hierarchy), these high-level plans are evolved into more detailed, more concrete planning.

Higher-level plans are translated into more specific plans.

High-level goals are translated into lower-level goals and objectives for each division.

This layer of strategic planning is then converted into tactical planning for supervisory managers, and eventually provides direction for the operational plans undertaken by non-management members of the organization.

Difference between top-down strategic planning and bottom-up strategic planning:

In top-down planning, managers give directions on how projects should be handled, while in bottom-up planning, system administrators give directions on how projects should be handled.

Which is more effective:

Of the two, top-down planning is the more effective security strategy, because it encompasses critical features such as coordination between departments, coordinated plans from top management, provision of sufficient resources, and support from end users.

Que 3. Explain the supporting documents included in the GES.

The GES (CERT’s Governing for Enterprise Security) includes three supporting documents, referred to as Articles:

  • Article 1: Characteristics of Effective Security Governance
  • Article 2: Defining an Effective Enterprise Security Program
  • Article 3: Enterprise Security Governance Activities

Article 1: Characteristics of Effective Security Governance

Article 1 focuses on answering the question “What is effective security governance?” by providing a list of 11 characteristics:

  1. Information security is an organization-wide issue and affects everything within the organization.
  2. Organizational leaders are accountable for information security, as well as for their stakeholders, their communities, and the business environment.
  3. Information security should be viewed as a business requirement and aligned with the organization’s strategic goals.
  4. The ESP should be risk-based, and incorporate an effective risk management program.
  5. ESP roles and responsibilities should be clearly defined and “de-conflicted” to prevent conflicts of interest.
  6. ESP requirements should be specified and enforced through organizational policies and procedures.
  7. The ESP should have appropriate and adequate resources, including personnel, funding, time, and formal managerial support.
  8. Organizations should have effective security education, training, and awareness (SETA) programs in place and enforced.
  9. All systems and software developed within the organization should have information security integrated throughout their development life cycles.
  10. ESPs should be formally planned and managed, with defined measurement programs that are appropriately assessed and reviewed.
  11. The BRC should periodically review and audit the ESP to ensure compliance with its desired intent and the goals and objectives of the organization.

Article 2: Defining an Effective Enterprise Security Program

Article 2 provides a methodology for the specification and implementation of an ESP, serving both as an instructional tool for planners and as an informational resource for an organization’s senior leadership.

This approach involves a hierarchy of programs with:

  • the risk management plan at the top,
  • over the enterprise security strategy,
  • over the enterprise security plan, and
  • over the various plans, policies, procedures, and architectures of the business units.

It also specifies the composition and responsibilities of the BRC, recommending that the BRC include a collection of high-level directors who report directly to the organization’s board of directors.

Figure: CERT GES hierarchy

Article 3: Enterprise Security Governance Activities

Article 3 provides additional details on the GES and the ESP.

It describes the roles and responsibilities of the BRC and executive management.

This group is mandated to:

  • establish the governance structures,
  • assign roles and responsibilities within this structure, including the reporting framework, and
  • develop all needed high-level policies related to governance and the ESP.

Que 4. What is InfoSec governance? Mention benefits of InfoSec governance.

InfoSec governance:

Strategic planning and corporate responsibility are best accomplished using an approach industry refers to as governance, risk management, and compliance (GRC).

Governance: The set of responsibilities and practices exercised by the board and executive management with the goal of:

  • providing strategic direction,
  • ensuring that objectives are achieved,
  • ascertaining that risks are managed appropriately, and
  • verifying that the enterprise’s resources are used responsibly.

InfoSec governance consists of the:

  • leadership,
  • organizational structures, and
  • processes that safeguard information.

For all of these structures and processes to succeed, there must be effective communication among all parties, which requires:

  • constructive relationships,
  • a common language, and
  • a shared commitment to addressing the issues.

Five Basic Outcomes of InfoSec Governance:

  1. Strategic alignment of InfoSec with business strategy to support organizational objectives
  2. Risk management by executing appropriate measures to manage and reduce threats to information resources
  3. Resource management by utilizing InfoSec knowledge and infrastructure efficiently and effectively
  4. Performance measurement by measuring, monitoring, and reporting InfoSec governance measures to ensure that organizational objectives are achieved
  5. Value delivery by optimizing InfoSec investments in support of organizational objectives

Benefits of InfoSec governance:

  1. An increase in share value for organizations
  2. Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels
  3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
  4. Optimization of the allocation of limited security resources
  5. Assurance of effective InfoSec policy and policy compliance
  6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response
  7. A level of assurance that critical decisions are not based on faulty information
  8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.

Que 5. Explain the importance of vision and mission statements.

Vision Statement:

  • The vision statement is an idealistic expression of what the organization wants to become and works hand in glove with the mission statement.
  • The vision statement expresses where the organization wants to go, while the mission statement describes how it wants to get there.
  • The mission, vision, and values statements provide the philosophical foundation for planning and guide the creation of the strategic plan.
  • Vision statements should be ambitious; after all, they are meant to express the aspirations of the organization and to serve as a means for visualizing its future.
  • Vision statements are not meant to express the probable, only the possible.

Example:
Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every gizmo in use.

Mission Statement:

  • The mission statement explicitly declares the business of the organization and its intended areas of operations.
  • The mission statement must explain what the organization does and for whom.
  • It is the organization’s identity card.
  • A mission statement should be concise, should reflect both internal and external operations, and should be robust enough to remain valid for a period of four to six years.
  • Many organizations encourage or require each division or major department, including the InfoSec department, to generate its own mission statement.

Example:
The Information Security Department is charged with identifying, assessing, and appropriately managing risks to Company X’s information and information systems. It evaluates the options for dealing with these risks, and works with departments throughout Company X to decide upon and then implement controls that appropriately and proactively respond to these same risks.
