TEXAS CISO COUNCIL. Information Security Program Essentials Guide

Transcription

1 TEXAS CISO COUNCIL Information Security Program Essentials Guide

2 Presentation Overview Challenge The Security Framework and Compliance Overload The Importance of Having (And Sticking To) a Security Framework Choosing the Right Security Framework for Your Organization Framework Challenges Back to Basics What We Did in Texas and Why Call to Action

3 Framework and Compliance Overload

4 Why Do We Need A Security Framework? Analogy The Ten Commandments Helps Us Make Sure That We Have All of the Basic Components Covered Allows Us to Build Necessary Security Capabilities and Not Overlook Security Essentials Can Support Resource and Budget Discussions Helps to Monitor and Measure Security Capabilities and Weaknesses Over Time

5 What Framework is Right For Your Organization? Are You in a Regulated Industry? Are You a Government Entity or Primarily Do Business With the Government? Are You an International Company or Organization? Are You Subject to Frequent 3 rd Party Audits and Assessments? Does Your Cybersecurity Insurance Policy Reference a Specific Framework? Do Your Customers and Trading Partners Specifically Call Out Certain Frameworks in Contracts?

6 Common Security Framework Challenges Volume of Data e.g. NIST Rev 4 is Over 450 Pages Applicability Portions of the Selected Framework Simply Do Not Apply to the Organization Squishiness Frameworks Do Not Always Provide Sufficient Detail to Support Budget and Resource Justifications Enforceability Some Frameworks (e.g. HIPAA) Have Not Been Actively and Consistently Enforced. Fines are Seen as Theoretical. Time Management How Do You Get Started?

7 Back to Basics What We Did in Texas We Created the Texas CISO Council in 2013 An Informal Volunteer Network of 45 Information Security Professionals Representing 12 Industry Verticals We Met Regularly in Different Texas Cities to Identify How We Could Make Life Easier for Security Professionals Our Focus Was to Share Our Experiences With Organizations and Professionals Who Are Struggling With Basic Security Fundamentals

8 Our First Contribution Thirteen Council Members Created the Information Security Program Essentials Guide Released in April 2015 The 37 Page Guide is a Back to Basics Approach for Information Security Management and is a Step In Simplified Framework Available for Free Download at

9 Why We Created The Guide The primary goal of creating the Guide was to offer a simplified mechanism to validate that an organization has in-place or planned solutions for key elements of an information security program and that the organization has not overlooked critical core competencies or controls.

10 Essentials Guide Overview Overview Audience Components Considerations Resources

11 Governance & Organization SLT IT RISK CSO

12 Strategy Development

13 Frameworks Maturity Mapping

14 Risk Management Components

15 Measurement & Metric References

16 What Did We Learn?

17 What s Next? Expand upon the Security Essentials Guide Security Metrics Risk Management October : Security Advisor Alliance Summit

18 Today s Call to Action Download the Guide at Evaluate Your Current Security Framework. Is it Right For Your Organization Today? Can You and Your Team Provide the Five Core Services to Your Organization? Consider Sharing the Guide With Your Team, Your Peers or Other Security Professionals Provide Feedback to the Council Web Site Contact: Parrish Gunnels: pgunnels@invitationhomes.com Brian Wrozek: brian.wrozek@optiv.com