Info-Tech Research Group 1
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with
Executive Summary

Situation: Technology sophistication and business adoption, the proliferation of hacking techniques, and the expansion of hacking motivations from financial to social, political, or strategic motivations have left organizations facing major security risk. Every organization needs some kind of information security program to protect its systems and assets. Organizations today face pressures from regulatory or legal obligations, customer requirements, and now senior management expectations.

Complication: Performing an accurate assessment of your current security operations and maturity levels can be extremely hard when you don’t know what to assess or how, and an assessment alone is only the starting point. Senior management wants to know that adequate targets have been determined and that there is a robust plan for how they are going to be met.

Resolution: Info-Tech has developed and tested a robust information security framework with supporting methodologies to generate your organization’s comprehensive, highly actionable, and measurable security strategy and roadmap:
• Info-Tech’s best-of-breed security framework combines COBIT 5, PCI DSS, the ISO 27000 series, NIST SP 800-53, and SANS security components to ensure all areas of security are considered and covered.
• Robust security requirements gathering across the organization, key stakeholders, customers, regulators, and other parties ensures the security strategy is built in alignment with, and in support of, enterprise and IT strategies and plans.
• A comprehensive current state assessment, gap analysis, and initiative generation ensures nothing is left off the table.
• Tested and proven rationalization and prioritization methodologies ensure the strategy you generate is not only the one the organization needs, but the one the organization will support.

Info-Tech Insight
• Best of Breed: It’s hard to know which security framework is best. Info-Tech analyzed and integrated frameworks to ensure an exhaustive approach to security.
• Alignment: Security is still a friction point and viewed as a cost center. Align your security strategy with corporate and IT strategies to ensure support.
• Communication: To have a strategy implemented, you need to communicate to stakeholders in their language and show that their concerns and perspectives were accounted for.
Use these icons to help direct you as you navigate this research
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.
This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team analysts, who will come onsite to facilitate a workshop for your organization.
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.
Info-Tech’s framework integrates several best practices to create a best-of-breed security framework
• ISO 27000 Series: Comprehensive standard providing best practices associated with each control
• PCI-DSS: Provides more detailed instructions than most other best practices, but not much breadth
• SANS Twenty Critical Security Controls: Provides a great list of controls for effective cyber defence
• NIST SP800 Series: Provides a detailed list of security controls along with many implementation best practices, intended for federal information systems and organizations
• COBIT 5 for Security: More principle- and process-based than other best practices
Info-Tech’s Information Security Methodology and Maturity Level Model
The framework’s seven security areas:
• Context and Leadership
• Evaluation and Direction
• Compliance and Review
• Prevention
• Detection
• Response and Recovery
• Measurement
Each area is scored on five maturity levels (ML 1 to ML 5).
1. Collectively, these seven areas form Info-Tech’s Information Security Framework.
• These areas were designed by Info-Tech to be process- and management-based areas that can be evaluated independently of each other.
• Each security component has many sub-components.
2. Each security area has five possible maturity levels.
• This generates a security maturity matrix and is the basis for the framework.
3. All seven security areas are evaluated on the five-level maturity model.
• Using Info-Tech’s scoring methodology, sub-components are evaluated individually, with the aggregate scores generating the component scores.
4. Target scores for each security area are identified.
• The security maturity model is used to identify maturity levels that meet the organization’s security requirements.
• From the current state maturity levels and target levels, gaps are identified and developed into initiatives to be completed.
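Added example of the scoring and gap steps above (example code, not Info-Tech’s own scoring tool): a maturity matrix over the seven areas, an assumed aggregation rule (the page does not say how sub-component scores are combined; the arithmetic mean is assumed here), and a gap analysis that orders the resulting initiatives by size of gap. The sub-component scores and targets are constructed sample values.

```python
# Added example, not Info-Tech's tooling: maturity matrix, component scoring
# (assumed rule: mean of sub-component scores) and target gap analysis.
from statistics import mean

AREAS = (
    "Context and Leadership", "Evaluation and Direction", "Compliance and Review",
    "Prevention", "Detection", "Response and Recovery", "Measurement",
)
MIN_LEVEL, MAX_LEVEL = 1, 5  # the five-level maturity model


def component_score(sub_scores):
    """Aggregate sub-component levels into one component score (assumed: mean,
    rounded to one decimal). Rejects levels outside the 1..5 model."""
    if not sub_scores:
        raise ValueError("a component needs at least one sub-component score")
    for s in sub_scores:
        if not MIN_LEVEL <= s <= MAX_LEVEL:
            raise ValueError(f"maturity level {s} outside {MIN_LEVEL}..{MAX_LEVEL}")
    return round(mean(sub_scores), 1)


def gap_analysis(current, targets):
    """Return (area, current, target, gap) for every area below its target,
    largest gap first; each entry is a candidate roadmap initiative."""
    for area in AREAS:
        if area not in current or area not in targets:
            raise KeyError(f"missing score or target for '{area}'")
    gaps = []
    for area in AREAS:
        cur = component_score(current[area])
        gap = round(targets[area] - cur, 1)
        if gap > 0:
            gaps.append((area, cur, targets[area], gap))
    return sorted(gaps, key=lambda g: g[3], reverse=True)


# Constructed sample assessment: sub-component levels per area.
SAMPLE_CURRENT = {
    "Context and Leadership": [3, 2, 3], "Evaluation and Direction": [2, 2],
    "Compliance and Review": [3, 3, 4], "Prevention": [3, 2, 2, 3],
    "Detection": [1, 2, 1], "Response and Recovery": [2, 1], "Measurement": [4, 4],
}
SAMPLE_TARGETS = {area: 4 for area in AREAS}
SAMPLE_TARGETS["Measurement"] = 3  # targets need not be the same for every area

if __name__ == "__main__":
    for area, cur, target, gap in gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGETS):
        print(f"{area:26} current {cur:.1f}  target {target}  gap {gap:.1f}")
```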
The best advice I can give is to bring everything together end to end. Don’t limit yourself in any one focused area…If you take an end-to-end approach instead of trying to focus on specific areas and compartmentalize them, you will be 100% more successful.
– Technology Services, USA
Building a holistic framework ensures that all your bases are covered while preventing duplication of functions, resulting in a more efficient program.