
Guide for developing an

Information Security Strategy



Uploaded February 2009

References:
Frey Sigurjonsson, SITE Sweden
Kenneth Hellem, SITE Sweden
Copyright 2009 Accenture All Rights Reserved.
Contents
Information security strategy development process
Determine security baseline
Understand business drivers and define security objective
Identify and prioritize gaps
Develop implementation/action plans
Implement activities
The strategy for information security is developed
through a four step process, followed by implementation

Step 1: Determine information security baseline
  Description: Determine the current state of information security, e.g.
    - Information assets
    - Processes
    - Governance
    - Organisation
    - Risks
  Duration: 1-2 weeks
  Approach: Collect and analyze secondary data. Perform qualitative and
    quantitative interviews and/or surveys of IT and business.

Step 2: Understand business drivers and define wanted position
  Description: Assess how security needs to change in the organization in
    the next three to five years in order to adequately support the business
  Duration: 2 days
  Approach: Perform qualitative interviews with IT and business management.
    Articulate a policy statement.

Step 3: Define target state
  Description: Prioritize business needs and define a target state
  Duration: 2-3 days
  Approach: Describe the target state, e.g. as capability improvements and
    eliminated risks

Step 4: Develop implementation/action plans
  Description: Determine solutions to reach the target state and their
    associated cost/effort, define budget and create a road map
  Duration: 1 week
  Approach: Create a roadmap of activities to bridge the target state and
    the current position

Step 5: Implement activities
ISO 17799 Information Security Domains*
The ISO Information Security Domains can be used as
a model to assess maturity

The eleven domains, arranged around the Information Assets they protect:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communication & Operations Management
7. Access Control
8. Information System Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

* See appendix for domain descriptions. ISO/IEC 17799:2005 was renumbered
ISO/IEC 27002 in 2007; the eleven control domains are the same.
The first step is to determine the security baseline
through qualitative and quantitative interviews
Sample qualitative questions

Risk and Strategy
- What are your main security concerns, and do you have plans to address them?
- Is there any security initiative that is not progressing as you would like? If so, what is slowing it down and what, in your opinion, would be required to make it happen?
- Where do you think security can be improved or increased?
- Do you have an ongoing process to classify data (confidentiality, integrity and availability), asset value, threats and vulnerabilities?
- Have you identified the main business and information assets and their related value? This is relevant for both risk assessment and business continuity management.
- Are you aware of any recent security incident within your organization or at competitors that has attracted the attention of the press or customers?
- Do you have difficulties in prioritizing security investments and obtaining approval from the board?

Compliance, Organization and Management
- Are you currently struggling to comply with existing regulation (e.g. European data privacy, Sarbanes-Oxley)? If so, which regulation?
- Are you aware of new regulations you will need to comply with that will impact your security capability?
- Are you planning to achieve any security certification (e.g. ISO 27001) and, if so, within which timeframe?
- Have you received any feedback from internal or external auditors that requires your company to implement specific security measures?
- Are you comfortable with existing security policies, procedures, roles and responsibilities, and with the level of compliance and awareness among your permanent and temporary staff?
- Which metrics do you use to monitor the ongoing level of security and compliance, and which actions do you take when they show deviations?
- Are you comfortable with the level of security provided by third parties, and are you considering outsourcing any security-critical service to external parties?
The first step is to determine the security baseline
through qualitative and quantitative interviews
Sample quantitative questions

Maturity Scale (one answer per question):
Nothing | Ad-hoc | Repeatable | Defined | Managed | Optimized
(Nothing and Ad-hoc correspond to levels 0 Non-existent and 1 Initial of the
maturity model in the appendix.)

ISO 17799 control               Question
7.1 Responsibility for assets
7.1.1 Inventory of assets       Is there an inventory of key information assets (data sources)?
7.1.2 Ownership of assets       Is it clear who owns / is responsible for the assets?
7.1.3 Acceptable use of assets  Are there guidelines for classifying assets?
                                Are the assets classified?
The wanted position is determined by interviews with
business and IT and articulated in a policy statement
Sample Information Security Policy Statement

Objective
The Information Security Principles are a tool for the management team at ClientCo to set direction for protecting ClientCo's Information Assets (Data Sources) with regard to:
Confidentiality - Data should only be accessible by authorized users
Integrity - Data should be authentic, sufficiently accurate and reliable
Availability - Data should be accessible when needed

Principles
Information Security has the endorsement and support of executive management and the Board
- Management is delegated to an appropriate security organization with clear roles and responsibilities
Everyone is responsible for Information Security (Clinics, HQ, Corporate and External Parties)
- Awareness is built through continuous training and communication, and clear policies
The organization strives to be compliant with all regulatory requirements
- The regulatory environment is continuously monitored, and compliance is audited regularly
Protection of data is critical in a highly regulated market
- Proper access controls are combined with high awareness of data sensitivity
Risk exposure is balanced with the cost of risk mitigation
- Risks are understood and managed based on potential business impact
Security measures are proactively implemented based on a comprehensive understanding of threats
- Industry standards (e.g. ISO 17799) are used to baseline capabilities and assess potential gaps
The target state is expressed as capability
improvements and eliminated risks
Example output from target state definition
Solutions to reach the target state are identified and
combined into an implementation road map
Proposed initiatives to reach target state

Tier I: Secure fundamentals - actions
Tier II: Enable strategic agenda - actions
Tier III: Enable differentiation - actions
(The original slide lists the specific actions under each tier in a grid;
only the tier headings survive in this extraction.)
The final step is to initiate the implementation
Example implementation road map

Initiative                         Effort (man days)
Ensure regulatory compliance       34
Audit and secure critical assets   28
Design security organisation        6
Develop security policy            23
Design security processes          40
Create individual policies         19
Secure standards and processes     12
Create guidelines                  15
Implement ISO 27001                25

In the original chart each initiative is classified as Critical, Required or
Differentiating and scheduled as a bar across 2009-2012; the bars and the
per-initiative classification are not recoverable from this extraction.
Appendix
Definition of CMMI Maturity levels
(The scale is CMMI-like; the level descriptions below, including the level 0
that CMMI itself does not define, are those of the COBIT generic maturity model.)

0. Non-existent
Complete lack of any recognizable processes. The enterprise has not even recognized that
there is an issue to be addressed.

1. Initial
There is evidence that the enterprise has recognized that the issues exist and need to be
addressed. There are, however, no standardized processes; instead there are ad hoc
approaches that tend to be applied on an individual or case-by-case basis. The overall
approach to management is disorganized.

2. Repeatable
Processes have developed to the stage where similar procedures are followed by different
people undertaking the same task. There is no formal training or communication of standard
procedures, and responsibility is left to the individual. There is a high degree of reliance on
the knowledge of individuals and, therefore, errors are likely.

3. Defined
Procedures have been standardized and documented, and communicated through training.
It is, however, left to the individual to follow these processes, and it is unlikely that deviations
will be detected. The procedures themselves are not sophisticated but are the formalizations
of existing practices.

4. Managed
It is possible to monitor and measure compliance with procedures and to take action where
processes appear not to be working effectively. Processes are under constant improvement
and provide good practice. Automation and tools are used in a limited or fragmented way.

5. Optimized
Processes have been refined to a level of best practice, based on the results of continuous
improvement and maturity modeling with other enterprises. IT is used in an integrated way
to automate the workflow, providing tools to improve quality and effectiveness, making the
enterprise quick to adapt.
Description of the ISO 17799 domains, aim and focus: (1/2)

1. Security Policy - To provide management direction and support for information
security in accordance with business requirements and relevant laws and
regulations.
2. Organization of Information Security - To manage and plan information security
within the organization, taking into account the needs of both internal and external
parties.
3. Asset Management - To deliver appropriate levels of protection and ensure that
information receives a level of protection that is appropriate to its needs.
4. Human Resources (personnel) Security - To ensure that staff, during
employment, on termination and during change of employment, are part of the
information security process.
5. Physical and Environmental Security - To secure buildings, locations and
equipment in such a way as to prevent unauthorized physical access, damage and
interference to the organization's assets, premises and information.

Description of the ISO 17799 domains, aim and focus: (2/2)

6. Communications and Operations Management - To ensure that information is
treated properly, backed up correctly and handled securely to the highest
standards available.
7. Access Control - To control access to information, networks and applications,
preventing unauthorized access, interference, damage and theft.
8. Information Systems Acquisition, Development and Maintenance - To ensure
that security is an integral part of the information system, securing applications
and files and reducing vulnerabilities.
9. Information Security Incident Management - To ensure information security
events and weaknesses are communicated consistently in a manner allowing
timely corrective action to be taken.
10. Business Continuity Management - To counteract interruptions to business
activities, to protect critical business processes from the effects of major
failures of information systems or disasters, and to ensure their timely resumption.
11. Compliance - To avoid breaches of any law, regulation or contractual obligation,
and to ensure compliance without adverse effects on information security.
