Governance and Strategic Planning for Security
At a Glance
Instructors Manual Table of Contents
Class Discussion Topics
In chapter 3, students are introduced to the different roles within an organization that are involved in the planning process, and how the planning process is applied to information security. The different aspects of creating a plan are covered, as well as tactical planning and operational planning. Information security governance and its benefits are discussed. Finally, students will learn about the security systems development life cycle.
After reading this chapter and completing the exercises, the student will be able to:
Identify the roles in organizations that are active in planning
Explain strategic organizational planning for information security (InfoSec)
Discuss the importance, benefits, and desired outcomes of information security governance and how such a program would be implemented
Explain the principal components of InfoSec system implementation planning in the organizational planning scheme
The Role of Planning
1. Reiterate the importance of proper planning for information security, and explain the role of a chief information security officer (CISO) or chief security officer (CSO).
2. Explain how planning can involve different groups that can be internal or external to an organization.
3. Define a stakeholder as a person or organization that has a stake in a specific part of plan or operation. Explain stockholders as entities that hold stock in a particular organization. Students should understand the differences between these two terms.
4. Emphasize the importance of understanding an organizations planning process in order to ensure successful planning.
5. Describe how organizational planning should involve organizational leadership in the creation of general objectives in order to guide an organizations path, with the goal of creating detailed plans.
End users themselves can be considered stakeholders in a project, especially if a project will change how end users perform their day to day tasks. It is absolutely critical to consider all potentially affected aspects of a business when creating a plan.
Precursors to Planning
1. Educate students on important elements to be considered prior to planning, such as specifically stating ethical, entrepreneurial, and philosophical perspectives. Discuss with students what can occur when actual approaches differ from an organizations stated perspectives.
1. Describe how a mission statement is used to indicate the primary business of an organization and its intended area of operations.
2. Explain that organizations may require the creation of a mission statement for each of its major departments, including the information security department.
3. Discuss the example mission statement from Information Security Roles and Responsibilities Made Easy, by Charles Cresson Wood.
1. Detail the vision statement as a statement containing the aspirations of an organization and what it intends to achieve.
2. Note that a vision statement does not necessarily have to be realistic, but should serve to guide an organizations future.
1. Stress the importance of the values statement, which sets the standard by which an organization can evaluate itself and its current practices.
2. Provide students with examples of values statements, such as Microsofts values statement on its website.
For more examples of mission statements, see the following page:
1. Explain strategic planning as guiding an organization to the creation of specific goals, and re-iterate that a good strategic plan utilizes a top-down approach.
2. Discuss how a multilayered approach is used to accomplish the creation of a general strategy and contribute to overall strategic planning. Refer to Figure 3-2 in your discussion.
Creating a Strategic Plan
1. Educate students on how a strategic plan is created by providing an example of how different levels of management would function in the top-down approach.
2. Emphasize how important it is for an organizations top management to fully understand the strategic goals of the organization, in order to create a strategic plan.
1. Explain to students that the next step in strategic planning is to create tasks with objectives.
2. Note that the strategic plan is used to create tactical plans, and that tactical plans are used to create operational plans.
3. Tactical plans should be explained as consisting of specific, incremental objectives. Students should understand what should be included as part of a tactical plan, such as project plans, resource acquisition planning documents, project budgets, project reviews, and monthly / annual reports.
4. Explain that tactical plans are sometimes called process project planning or intermediate planning, when they are created for a specific project.
5. Describe how an operational plan is used to outline day-to-day tasks, and discuss what objectives may be included in an operational plan, such as the selection, configuration, and deployment of hardware, or the design and implementation of a SETA program.
Planning and the CISO
1. Discuss how a strategic plan should be structured, and list some of the basic components of a typical strategic plan:
a. Executive Summary
b. Mission, Vision and Values Statement
c. Organizational Profile and History
d. Strategic Issues and Challenges
e. Corporate Goals and Objectives
f. Major Business Units Goals and Objectives
2. Explain how appendices can assist in the identification of new directions or the elimination of unprofitable directions.
3. Provide students with an overview of Brian Wards tips for planning, and explain how these tips help create a successful plan.
Quick Quiz 1
1. Which of the following is used to declare the intended areas of operation for a business?
A. Values statement
B. Vision statement
C. Objectives statement
D. Mission Statement
2. True or False: The CISO is another name for a CIO, as both roles perform the same tasks.
3. Which of the following is not a component of a typical strategic plan?
A. Executive summary
B. Archived profile
C. Organizational profile
D. Strategic issues and challenges
4. Which of the following best describes a stakeholder?
A. An individual or group that owns financial stock in an organization
B. A competing organization
C. An individual who buys an organizations products
D. An individual or group who has a vested interest
5. Which of the following is used to establish a formal set of organizational principles and qualities for an organization?
A. Values statement
B. Vision statement
C. Mission statement
D. Morals statement
Information Security Governance
1. Define the governance, risk management, and compliance (GRC) approach to executive-level strategic planning.
2. Make students aware of the fact that information security is a managerial responsibility, and stress the importance of management involvement in ensuring information security.
The ITGI Approach to Information Security Governance
1. Discuss the Information Technology Governance Institute (ITGI) recommendations for information security supervision.
1. Elaborate on the elements that are critical to information security governance, such as effective communication, constructive relationships, common language, and shared commitment.
2. Discuss the five basic outcomes of information security governance, and the National Association of Corporate Directors (NACD) recommendations on essential practices for boards of directors.
Benefits of Information Security Governance
1. Discuss with students some of the benefits of information security governance, such as increased share value or increased predictability and reduced uncertainty.
2. List some of the different aspects of an information security governance program that designers should consider, such as the risk management methodology and effective security organizational structure.
NCSP Industry Framework for Information Security Governance
1. Educate students on the core set of activities recommended by the Corporate Governance Task Force (CGTF) for implementation of security governance.
2. Make students aware of the CGTFs recommendation regarding the use of a governance framework, such as the initiating, diagnosing, establishing, acting, and learning (IDEAL) model. Refer students to Figure 3-4 in your discussion.
3. Use Figure 3-5 to discuss the various responsibilities of the different functional roles as defined in the IDEAL framework.
CERT Governing for Enterprise Security Implementation
1. Explain to students that according to GES, Enterprise Security Program (ESP) governance activities should be driven by a Board Risk Committee (BRC) in addition to the organizations executive management.
2. Discuss the three supporting documents included in the GES:
a. Article 1: Characteristics of Effective Security Governance
b. Article 2: Defining an Effective Enterprise Security Program
c. Article 3: Enterprise Security Governance Activities
ISO/IEC 27014:2013 Governance of Information Security
1. Introduce students to ISO 27014:2013 standard, which specifies the following six high-level action-oriented information security governance principles:
a. Establish organization-wide information security
b. Adopt a risk-based approach
c. Set the direction of investment decisions
d. Ensure conformance with internal and external requirements
e. Foster a security-positive environment
f. Review performance in relation to business outcomes
2. Discuss the five governance processes promoted by the ISO 27014:2013 standard:
3. Be sure to point out the overall goals of governance as assessed in ISO/IEC 27014:2013:
a. Alignment of objectives and strategies between the information security program and the overall organization
b. Increased value added to the organization, its executive management, and stakeholders
c. Effective assignment of risk to the appropriate responsible party
1. Discuss with students how security-related governance within organizations has merged over time, and note that accountability for information security has broadened across different management roles.
2. Explain how enterprise risk management (ERM) can be used to better align security functions with an organizations mission, and note that it includes IT security and physical security elements.
3. Educate students about the report on GRC functions from the Open Compliance and Ethics Group, and discuss how ERM can be properly utilized in a way that benefits an organization.
Planning for Information Security Implementation
1. Teach students about the roles of the CIO and CISO in turning a strategic plan into a tactical and operational plan. Note that the objectives of the CIO and CISO may differ, and that a CISO usually reports to the CIO.
2. Discuss the example of a CISOs job description from Charles Cresson Woods Information Security Roles and Responsibilities Made Easy.
3. Define the bottom-up approach as involving system administrators who work to secure information systems without coordinated planning from upper management.
4. Compare the top-down approach to the bottom-up approach. Note the benefits that are available when supported by upper-management.
5. Explain the role of a champion, which is ideally an executive, who has the influence to move a project forward.
6. Define a joint application design (JAD) team as a group of individuals who are affected by a project that are assigned to a team to assist in development. Discuss recommended key steps for a JAD, such as identification of project objectives and limitations, or identification of critical success factors.
Introduction to the Security Systems Development Life Cycle
1. Define a methodology as an approach to problem solving based on structured sequence of procedures, and note that a Security Systems Development Life Cycle (SDLC) is a type of methodology.
2. Make students aware of the security systems development life cycle (SecSDLC), which is a variation of SDLC.
3. Explain the difference between SDLC-based projects that are event-driven and plan-driven.
4. Stress the importance of using structured reviews to gauge whether or not a project should proceed.
5. Educate students on the use of a waterfall model in conjunction with the SecSDLC in order to illustrate base requirements.
6. Discuss the investigation phase in SecSDLC, and note that it begins as a directive from upper management within an organization. Students should understand that information security projects often begin after a significant breach has already occurred.
7. The analysis phase should be explained as the phase where information gathered in the investigation phase is reviewed and compared to existing security policies, documented threats, and relevant legal issues. Students should be aware that risk management begins at this phase.
8. The SecSDLC design phase should be explained as consisting of two distinct parts, logical design and physical design.
9. Explain how security models can be used to ensure that all issues regarding security are properly addressed.
10. Describe how an information security policy outlines how information should and will be protected within an organization.
11. Re-iterate the importance of a SETA program in preventing human error and human failure related breaches to security.
12. Define the controls and safeguards terms as methods for protecting information against attacks, and note the three different categories of controls:
a. Managerial controls, which are executed by the security administration of an organization.
b. Operational controls, which deal with the operational functionality of security in the organization.
c. Technical controls, which address technical approaches used to implement security in the organization.
13. Elaborate on the importance of the creation of documents for handling specific incidents when they occur, such as disaster recovery plans (DRPs) and incident response plans (IR plans) and note that these documents are part of the design phase.
14. Stress the importance of addressing physical security needs, and discuss what can be considered a physical resource.
15. The implementation phase should be explained as involving the acquisition of security solutions and products, as well as the implementation and testing of products.
16. Outline the three steps that occur during the execution of the project plan:
a. Planning the project
b. Supervising the tasks and action steps
c. Wrapping up the project plan
17. List some of the different skill sets that might be involved in a development team:
b. Team leader
c. Security policy developers
d. Risk assessment specialists
e. Security professionals
f. Systems administrators
g. End users
18. Provide a list of the various roles involved in information security:
a. Chief information officer (CIO)
b. Chief security officer (CSO)
c. Chief information security officer (CISO)
d. Security managers
e. Security technicians
f. Data owners
g. Data custodians
h. Data users
19. Explain how certifications can sometimes be sought after in order to verify an individuals proficiency in a subject.
20. Discuss the maintenance phase, in which information security systems are monitored, tested, modified, updated, and repaired in accordance to an organizations established security policies.
21. Introduce students to an example maintenance model, and explain the five subject areas that a maintenance model should address:
a. External monitoring
b. Internal monitoring
c. Planning and risk assessment
d. Vulnerability assessment and remediation
e. Readiness and review
Quick Quiz 2
1. Which phase of the CGTF framework involves determining where you are relative to where you want to be?
2. True or False: InfoSec objectives must be addressed at the highest levels of an organizations management team in order to be effective and offer a sustainable approach.
3. According to the IDEAL framework, which functional role should be responsible for communicating policies to employees and coordinate training?
A. Chief Executive Officer
B. Chief Risk Officer
C. Mid-Level Manager
D. Enterprise Staff
4. Which of the following governance processes, as outlined in ISO 27014:2013, involves the review and assessment of organizational information security performance toward goals and objectives by the governing body?
5. Why is the bottom-up approach less effective than the top-down approach?
A. Lack of technical support
B. Lack of management support
C. Lack of stakeholder support
D. Lack of stockholder support
Class Discussion Topics
1. Start a class discussion on the creation of a values statement. How does the values statement dictate the goals of an organization?
2. Get students to discuss the importance of management in ensuring that a project will succeed. Why is the involvement of management crucial?
1. Task students with researching the Chief Information Officer (CIO) role. Students should research current CIOs as well as job openings for CIOs. What are the job requirements?
2. Have students research the SDLC waterfall methodology. See if they can find examples of other organizations that have used this methodology. Have them report their findings.
1. Information Security Governance Guide:
2. The IDEAL Model:
3. The Systems Development Life Cycle
Once the order is placed, the order will be delivered to your email less than 24 hours, mostly within 4 hours.
If you have questions, you can contact us here