Information Security Governance & Business Continuity. The East African Information Security Conference, August 2013. Peter Kahiigi, CISSP, CISM, Director Information Security, National Information Technology Authority.

Mar 30, 2018
Transcript
Page 1

Information Security Governance & Business Continuity

The East African Information Security Conference

August 2013

Peter Kahiigi, CISSP, CISM, Director Information Security

National Information Technology Authority

Page 2

Information Security

Directorate for Information Security 2013

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Information security involves the preservation of:

Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals

Integrity: Ensuring the accuracy and completeness of information and processing methods

Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals (the main focus of business continuity)

Page 3

Information Security Governance (ISG)

ISG consists of the:

• Leadership,
• Organizational structures,
• Processes / procedures,
• Compliance enforcement / monitoring mechanisms, and
• Technologies

that ensure that the confidentiality, integrity and availability of the organization’s electronic assets (data, information, software …) are maintained at all times, and that all risks against the organization’s electronic assets are mediated and countered.

ISG is the responsibility of the board of directors and senior management.

Page 4

Benefits of ISG 1/2

1. An increase in share value for organizations that practice good governance

2. Increased predictability and reduced uncertainty of business operations by lowering IS-related risks to definable and acceptable levels

3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care

4. The structure and framework to optimize allocation of limited security resources

Page 5

Benefits of ISG 2/2

6. Assurance of effective IS policy and policy compliance

7. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response related to securing information

8. A level of assurance that critical decisions are not based on faulty information

9. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response

Page 6

Value of benefits from ISG

1. Improving trust in customer relationships

2. Protecting the organization’s reputation

3. Decreasing likelihood of violations of privacy

4. Providing greater confidence when interacting with trading partners

5. Enabling new and better ways to process electronic transactions

6. Reducing operational costs by providing predictable outcomes, mitigating risk factors that may interrupt the process

Page 7

What should ISG deliver?

1. Strategic Alignment of IS with business strategy to support organizational objectives

2. Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level

3. Resource Management by utilizing IS knowledge and infrastructure effectively and efficiently

4. Performance Measurement by measuring, monitoring, and reporting ISG metrics to ensure that organizational objectives are achieved

5. Value Delivery by optimizing IS investments in support of organizational objectives

Page 8

ISG delivery – Strategic Alignment

1. Ensure transparency and understanding of IT security costs, benefits, strategy, policies and service levels.

2. Develop a common and comprehensive set of IT security policies

3. Communicate the IT strategy, policies and control framework.

4. Enforce IT security policies.

5. Define security incidents in business impact terms.

6. Establish clarity on the business impact of risks to IT objectives and resources.

7. Establish an IT continuity plan that supports the business continuity plans.

Page 9

ISG delivery – Risk Management

1. Account for and protect all IT assets.

2. Establish and reduce the likelihood and impact of IT security risks.

3. Perform regular risk assessments with senior managers and key staff.

4. Permit access to critical and sensitive data only to authorized users.

5. Ensure critical and confidential information is withheld from those who should not have access to it.

6. Identify, monitor and report security vulnerabilities and incidents.

7. Develop IT continuity plans that can be executed and are tested and maintained.

Page 10

ISG delivery – Resource Management

1. Maintain the integrity of information and processing infrastructure.

2. Account for and protect all IT assets.

3. Ensure that IT services and infrastructure can resist and recover from failures due to error, deliberate attack or disaster.

4. Ensure proper use and performance of the applications and technology solutions.

Page 11

ISG delivery – Performance Measurement

Consider the following example metrics:

1. Number of incidents damaging reputation with the public

2. Number of systems where security requirements are not met

3. Time to grant, change and remove access privileges

4. Number and type of suspected and actual access violations

5. Number and type of malicious code prevented

6. Number and type of security incidents

7. Number and type of obsolete accounts

8. Number of access rights authorized, revoked, reset or changed

Page 12

ISG delivery – Value delivery

1. Ensure automated business transactions and information exchanges can be trusted.

2. Make sure that IT services are available as required.

3. Minimize the probability of IT service interruption.

4. Minimize the impact of security vulnerabilities and incidents.

5. Ensure minimum business impact in the event of an IT service disruption or change.

6. Establish cost-effective action plans for critical IT risks.

Page 13

4 essential practices for senior management

1. Place IS on management’s agenda

2. Identify IS leaders, hold them accountable and ensure support for them

3. Ensure the effectiveness of the organization’s IS policy through review and approval

4. Assign IS to a key committee and ensure adequate support for that committee

Page 14

Thought-Provoking questions 1/3

1. Does the head of IS / CISO routinely meet or brief business management?

2. When was the last time top management got involved in security-related decisions? How often does top management get involved in progressing security solutions?

3. Does management know who is responsible for security? Does the responsible individual know? Does everyone else know?

4. Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it?

Page 15

Thought-Provoking questions 2/3

5. Does anyone know how many computers the company owns? Would management know if some went missing?

6. Are damage assessment and disaster recovery plans in place?

7. Has management identified all information (customer data, strategic plans, financial data, research results, etc.) that would violate policy, legal or regulatory requirements or cause embarrassment or competitive disadvantage if it were leaked?

8. Did the company suffer from the latest virus or malware attack? How many attacks were successful during the past 12-month period?

Page 16

Thought-Provoking questions 3/3

9. Have there been intrusions in your organization? How often and with what impact?

10. Does anyone know how many people are using the organization’s systems? Does anyone care whether or not they are allowed access, or what they are doing?

11. Is security considered an afterthought or a prerequisite?

Page 17

Business Continuity Management

From the CISSP® CBK®: “The preparatory activities, processes, and practices required to ensure the preservation of the business in the face of major disruptions to normal business operations.”

Involves:

• Understanding the Organization

• Recovery Strategy Selection

• Creating the Plan(s)

• Developing and Implementing Response

• Testing, Update, and Maintenance of the Plan

Page 18

BCM Scope

• Risk Management
• Disaster Recovery
• Facilities Management
• Supply chain Management
• Quality Management
• Health and safety
• Knowledge Management
• Emergency Management
• Security
• Crisis Communication & PR

How much is to be covered is the organization’s decision

Page 19

Factors affecting BCM Implementation 1/3

Senior management’s commitment and involvement

Senior management delegates responsibility for BCM initiatives to middle management

BCM initiatives are undertaken only for compliance purposes

Lack of collaboration between business and IT

Too much focus on technology at the cost of other organizational resources such as people, premises, data, processes and supplies

Lack of consensus about recovery parameters (RTO and RPO) between senior management and operations management

Not following a single BCM framework / standard when developing business continuity and disaster recovery plans

Page 20

Factors affecting BCM Implementation 2/3

Inappropriate approach in executing BCM processes

Conducting a building-wide risk assessment (rather than a service-based risk assessment) when the building accommodates multiple systems owned and managed by different functions

Assigning equal weight to all risk attributes (severity, likelihood and non-detectability) when doing Failure Modes and Effects Analysis (FMEA)-based risk assessment

Conducting Business Impact Analysis (BIA) in silos by functional areas, and missing the context of wider impact of a disaster on the entire location

Lack of knowledge of the BCM tool and its workflows at the time of developing BCM documentation
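The equal-weight pitfall above can be made concrete: the classic FMEA Risk Priority Number multiplies severity, likelihood and non-detectability as if they mattered equally, so a rare but catastrophic failure can be ranked below a frequent nuisance. The Python below, an added illustration that is not from the presentation, scores a small constructed set of failure modes both ways and adds a severity-only escalation guard; the failure modes, scores and weights are all hypothetical.

```python
"""Equal-weight FMEA (RPN = S x O x D) beside a severity-weighted score.
Failure modes, scores and weights are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int     # S: business impact if the failure occurs, 1-10
    likelihood: int   # O: how likely it is to occur, 1-10
    non_detect: int   # D: how hard it is to notice before impact, 1-10


# Constructed sample data for a small service-based assessment.
FAILURE_MODES = [
    FailureMode("Primary site power loss", 9, 2, 3),
    FailureMode("Backup job fails silently", 7, 5, 8),
    FailureMode("Core switch firmware bug", 4, 6, 5),
    FailureMode("Ransomware on file server", 10, 3, 4),
]


def rpn(fm):
    """Classic Risk Priority Number: all three attributes weigh the same."""
    return fm.severity * fm.likelihood * fm.non_detect


def weighted_score(fm, w_sev=5, w_occ=3, w_det=2):
    """Weighted sum with integer weights (defaults total 10), chosen so a
    high-severity, rare, easily detected failure is not buried."""
    return w_sev * fm.severity + w_occ * fm.likelihood + w_det * fm.non_detect


def ranking(scorer, modes=FAILURE_MODES):
    """Failure-mode names ordered from highest to lowest score."""
    return [fm.name for fm in sorted(modes, key=scorer, reverse=True)]


def severity_escalations(modes=FAILURE_MODES, threshold=9):
    """Guard rail: anything at or above the severity threshold is reviewed
    by management regardless of where the numeric ranking places it."""
    return [fm.name for fm in modes if fm.severity >= threshold]


if __name__ == "__main__":
    print("Equal weight (RPN):", ranking(rpn))
    print("Severity weighted: ", ranking(weighted_score))
    print("Escalated on severity alone:", severity_escalations())
```

With these numbers the ransomware scenario is tied for second and the power loss is last under equal weighting, while the weighted score moves both up; the escalation list catches the two high-severity modes whichever scheme is used.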

Page 21

Factors affecting BCM Implementation 3/3

Lack of thorough understanding of the data dynamics and dependencies involved in data recovery by BCM practitioners

Keeping data on the end-user computing systems outside enterprise backup

Addressing failover to an alternate site, and not focusing on the need to move operations back to a restored primary location, which can be as problematic as the failover itself

Incorrect and / or inappropriate assumptions in formulating business continuity and disaster recovery plans

Failure to consider all relevant assumptions and limiting factors

Page 22

Q & A session

More Information: www.nita.go.ug

Our contact: [email protected]