Information Security: The First 90 Days and Beyond
Renee Guttmann, VP, Information
(Column labels below are inferred from the extracted values; the slide's own column headings did not survive extraction. The first row begins mid-table, so its domain name is missing.)

Domain: (name not shown; criteria concern information security policies)
Criteria:
• Policies are structured according to a recognized standard (e.g. ISO 27001)
• Policies have been approved by executive management
• Policies have been published and communicated
• Policies have been formally reviewed and updated within the last 12 months
Current state: Policies exist and are updated annually. No executive management approval. Not developed to meet security standards.
Priority: 1
Recommendation: Establish update process and executive approval/support
Cost: $$

Domain: Information Security Awareness & Training
Level: 2
Ratings: Medium / High / Moderate
Criteria:
• Training provided to all new staff
• Refresher training provided annually
• Training is job-role related
• Training includes a testing component
• Logs of training are maintained
Current state: No training for new employees and no refresher training for existing staff.
Priority: 1
Recommendation: Utilize PhishMe, Catch of the Day
Cost: $

Domain: Information Risk Governance
Level: 1
Ratings: High / High / High
Criteria:
• Steering Committee exists
• Steering Committee is made up of corporate support functions, executive management and the security leader
• Steering Committee meets monthly
• Steering Committee is briefed on current events, approves new projects and policy exceptions
• Minutes are kept of meetings
Current state: No information security steering committee implemented.
Priority: 1
Recommendation: Develop strategy/plan; resource plan/staff; steering committee
Cost: $

Domain: Information Security Project Risk Reviews
Level: 3
Ratings: Medium / Medium / Moderate
Criteria:
• Information security requirements are integrated into projects
• Internal SDLC process includes information security gates
• Information security sign-off is required prior to implementation
• Outsourcing projects are reviewed and approved by information security
Current state: Projects that use the change management system are reviewed by information security. Unclear whether consistent criteria for approval are used.
Priority: (not shown)
Recommendation: (not shown)
Cost: $$

Domain: Incident Response
Level: 3
Ratings: High / Medium / High
Criteria:
• IRP developed and documented
• IRP is tested on a regular basis
• Different IRP scenarios are tested
• IRP team members are trained
• Incidents are classified by risk level
Current state: IR plan exists but needs update and testing. Additional scenarios developed.
Priority: 1
Recommendation: Update IR process; tabletop-test IR plan scenarios
Cost: $

Domain: Security Metrics
Level: 1
Ratings: Low / High / Low
Criteria:
• Operational security metrics are measured and reported
• Risk posture is measured and reported to senior management
Current state: No security metrics.
Priority: 2
Recommendation: Establish security operations metrics
Cost: $

Domain: Third Party Risk Management
Level: 1
Ratings: High / High / High
Criteria:
• Inherent risk is measured for all third parties
• Business profile risk is measured for all third parties
• Due-diligence reviews are based on level of risk
• Due diligence is performed by risk level for all third parties
Current state: No third-party management process.
Priority: 2
Recommendation: Implement third-party processes and reviews
Cost: $$$$
Governance and Risk Management
Recommendation
The services in the Governance and Risk Management domain provide the people, processes, and technology to properly identify and manage the overall information risk program. The key services in this domain are designed to inform the executive team of the risk to the critical information assets, how to manage the risk, and provide a governance process to report on current risk