The most successful information security strategies are:
Build an Information Security Strategy Research & Tools

1. Information Security (IS) Strategy Research – A step-by-step document that helps you build a holistic, risk-based, and business-aligned IS strategy.
Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context. Use this storyboard to augment your security strategy by ensuring alignment with business objectives, assessing your organization's risk and stakeholder expectations, understanding your current security state, and prioritizing initiatives and a security roadmap.

2. Information Security Requirements Gathering Tool – A tool to make informed security risk decisions to support business needs.
Use this tool to formally identify business goals and customer and compliance obligations and make explicit links to how security initiatives propose to support these business interests. Then define the scope and boundaries for the security strategy and the risk tolerance definitions that will guide future security risk decisions.

3. Information Security Pressure Analysis Tool – An evaluation tool to invest in the right security functions using a pressure analysis approach.
Security pressure posture analysis helps your organization assess your real security context and enables you to invest in the right security functions while balancing the cost and value in alignment with business strategies. Security pressure sets the baseline that will help you avoid over-investing or under-investing in your security functions.

4. Information Security Program Gap Analysis Tool – A structured tool to systematically understand your current security state.
Effective security planning should not be one size fits all – it must consider business alignment, security benefit, and resource cost. To enable an effective security program, all areas of security need to be evaluated closely to determine where the organization sits currently and where it needs to go in the future.

5. Information Security Strategy Communication Deck – A best-of-breed presentation document to build a clear, concise, and compelling strategy document.
Use this communication deck template to present the results of the security strategy to stakeholders, demonstrate the progression from the current state to the future state, and establish the roadmap of the security initiatives that will be implemented. This information security communication deck will help ensure that you’re communicating effectively for your cause.

6. Information Security Charter – An essential document for defining the scope and purpose of a security project or program.
A charter is an essential document for defining the scope and purpose of security. Without a charter to control and set clear objectives for this committee, the responsibility of security governance initiatives will likely be undefined within the enterprise, preventing the security governance program from operating efficiently. This template can act as the foundation for a security charter to provide guidance to the governance of information security.

Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Cameron County, TX – Guided Implementation – 10/10 – $12,599 – 20
“Mr. Hebert was very patient and worked with us step by step, as we have a new group of cybersecurity individuals and that made the process optimal. We were only able to book him once a month and a month in advance, so when we had a conflict we lost add...”

Midis Services FZ - LLC – Guided Implementation – 9/10 – $12,599 – 20

America-Mideast Educational and Training Services, Inc. – Guided Implementation – 8/10 – $1,259 – 29
“The best part is having all of the security controls from different standards aggregated and organized in one sheet. This helped us in performing the security assessment and to ensure that we have covered all critical areas. Ida did a great job in explai...”

Tailor best practices to effectively manage information security.
Workshop: Build an Information Security Strategy
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements
The Purpose: Understand business and IT strategy and plans.
Key Benefits Achieved: Defined security obligations, scope, and boundaries.
Activities:
1.1 Define business and compliance.
1.2 Establish security program scope.
1.3 Analyze the organization’s risk and stakeholder pressures.
1.4 Identify the organizational risk tolerance level.

Module 2: Perform a Gap Analysis
The Purpose: Define the information security target state.
Key Benefits Achieved: Set goals and initiatives for the security strategy in line with the business objectives.
Activities:
2.1 Assess current security capabilities.
2.2 Identify security gaps.
2.3 Build initiatives to bridge the gaps.

Module 3: Complete the Gap Analysis
The Purpose: Continue assessing current security capabilities.
Key Benefits Achieved: Identification of security gaps and initiatives to bridge them according to the business goals.
Activities:
3.1 Identify security gaps.
3.2 Build initiatives to bridge the maturity gaps.
3.3 Identify initiative list and task list.
3.4 Define criteria to be used to prioritize initiatives.

Module 4: Develop the Roadmap
The Purpose: Create a plan for your security strategy going forward.
Key Benefits Achieved: Set path forward to achieving the target state for the business through goal cascade and gap initiatives.
Activities:
4.1 Conduct cost/benefit analysis on initiatives.
4.2 Prioritize gap initiatives based on cost and alignment with business.
4.4 Determine start times and accountability.
4.5 Finalize security roadmap and action plan.
4.6 Create communication plan.

Module 5: Communicate and Implement
The Purpose: Finalize deliverables.
Key Benefits Achieved: Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.
Activities:
5.1 Support communication efforts.
5.2 Identify resources in support of priority initiatives.
Set your security strategy up for success.

“Today’s rapid pace of change in business innovation and digital transformation is a call to action to information security leaders. Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many. While easy to develop, security plans premised on the need to blindly follow ‘best practices’ are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.”
Research Director – Security, Risk & Compliance, Info-Tech Research Group

Fifty-eight percent of companies surveyed that experienced a breach were small businesses.
Eighty-nine percent of breaches have a financial or espionage motive.
Source: Ponemon Institute, “2019 Global Cost of Data Breach Study”

of businesses have experienced an external threat in the last year.
of IT professionals consider security to be their number one priority.
of organizations claimed to have experienced an insider attack in the previous 12 months. [1]
of businesses believe the frequency of attacks is increasing. [2]
Sources: 1 Kaspersky Lab, “Global IT Security Risks Survey”; 2 CA Technologies, “Insider Threat 2018 Report”
Sources: 1 Accenture, “2019 The Cost of Cyber Crime Study”; 2,3 Verizon, “2019 Data Breach Investigations Report”

Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

New threat trends in information security aren’t new. Previously understood attacks are simply an evolution of prior implementations, not a revolution. Traditionally, most organizations are not doing a good-enough job with security fundamentals, which is why attackers have been able to use the same old tricks. However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.
Source: Ponemon Institute, “2019 Cost of a Data Breach Study: Global Overview”

Primary incident type (with a confirmed data breach)
Personal records tend to be the most compromised data types, while databases tend to be the most frequently involved asset in breaches.
Source: Verizon, “2019 Data Breach Investigations Report”

Security threats are not going away
We continue to see and hear of security breaches occurring regularly. An attacker must be successful only once. The defender – you – must be successful every time.

Info-Tech’s approach: Maturing from reactive to strategic information security

Info-Tech’s Security Strategy Model
The Info-Tech difference: An information security strategy model that is:

Info-Tech’s best-of-breed security framework

Info-Tech’s approach: Creating an information security strategy
The Info-Tech difference: Evolve the security program to be more proactive by leveraging Info-Tech’s approach to building a security strategy.
Use Info-Tech’s blueprint to save one to three months
Iterative benefit: Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve but with less associated effort, time, and costs. These estimates are based on experiences with Info-Tech clients throughout the creation of this blueprint.

Key deliverable: Information Security Strategy Communication Deck (PPT)
Present your findings in a prepopulated document that summarizes all key findings of the blueprint.

Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Information Security Requirements Gathering Tool – Define the business, customer, and compliance alignment for your security program.
Information Security Pressure Analysis Tool – Determine your organization’s security pressures and ability to tolerate risk.
Information Security Program Gap Analysis Tool – Use our best-of-breed security framework to perform a gap analysis between your current and target states.
Information Security Charter – Ensure the development and management of your security policies meet the broader program vision.

Info-Tech offers various levels of support to best suit your needs
DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostic and consistent frameworks are used throughout all four options.

Guided Implementation
What does a typical Guided Implementation on this topic look like?
Guided Implementation #1 - Assess security requirements
Guided Implementation #2 - Build a gap initiative strategy
Guided Implementation #3 - Prioritize initiatives and build roadmap
Guided Implementation #4 - Execute and maintain
A Guided Implementation is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical Guided Implementation is between 2-12 calls over the course of 4 to 6 months.

Workshop Overview
Contact your account representative for more information, or contact or 1-888-670-8889.
Executive Brief Case Study
Credit Service Company
Industry: Financial Services
Source: Info-Tech Research Group
Founded over 100 years ago, Credit Service Company (CSC)* operates in the United States with over 40 branches located across four states. The organization services over 50,000 clients.
Situation: Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.
Solution: During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.
Results: Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.
*Some details have been changed for client privacy.

Phase 1 – Assess Security Requirements
This phase will walk you through the following activities:
1.1 Define goals and scope of the security strategy.
1.2 Assess your organization’s current inherent security risks.
1.3 Determine your organization’s stakeholder pressures for security.
1.4 Determine your organization’s risk tolerance.
1.5 Establish your security target state.

1.1.1 Record your business goals
Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.
1. Record your identified primary and secondary business goals in the Goals Cascade tab of the Information Security Requirements Gathering Tool. Use the drop-down lists to select an appropriate goal or choose “Other.” If you do choose “Other,” you will need to manually enter an appropriate business goal.
2. For each of your business goals, select one to two security alignment goals. The tool will provide you with recommendations, but you can override these by selecting a different goal from the drop-down lists.
A common challenge for security leaders is how to express their initiatives in terms that are meaningful to business executives. This exercise helps to make an explicit link between what the business cares about and what security is trying to accomplish.

1.1.2 Review your goals cascade
Estimated Time: 15 minutes
Identify your compliance obligations
Most conventional regulatory obligations are legally mandated legislation or compliance obligations, such as:
Sarbanes-Oxley Act (SOX) – Applies to public companies that have registered equity or debt securities with the SEC to guarantee data integrity against financial fraud.
Payment Card Industry Data Security Standard (PCI DSS) – Applies to any organization that processes, transmits, or stores credit card information to ensure cardholder data is protected.
Health Insurance Portability and Accountability Act (HIPAA) – Applies to the healthcare sector and protects the privacy of individually identifiable healthcare information.
Health Information Technology for Economic and Clinical Health (HITECH) – Applies to the healthcare sector and widens the scope of privacy and security protections available under HIPAA.
Personal Information Protection and Electronic Documents Act (PIPEDA) – Applies to private sector organizations that collect personal information in Canada to ensure the protection of personal information in the course of commercial business.
Compliance obligations also extend to voluntary security frameworks:
NIST – National Institute of Standards and Technology; a non-regulatory agency that develops and publicizes measurement
CIS – 20 CSC – Center for Internet Security – 20 Critical Security Controls; foundational set of effective cybersecurity practices.
ISO 27001 – An information security management system framework outlining policies and procedures.
COBIT 5 – An information technology management and governance framework.
HITRUST – A common security framework for organizations that use or hold regulated personal health information.

1.1.3 Record your compliance obligations
Estimated Time: 30 minutes
Establish your scope and boundaries
It is important to know at the outset of the strategy: what are we trying to secure? This includes physical areas we are responsible for, types of data we care about, and departments or IT systems we are responsible for. This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.
Physical Scope and Boundaries
IT Systems Scope and Boundaries
Organizational Scope and Boundaries

Organizational scope considerations
Many different groups will fall within the purview of the security strategy. Consider these two main points when deciding which departments will be in scope:

Physical scope considerations
List physical locations by type:
Offices – The primary location(s) where business operations are carried out. Usually leased or owned by the business.
Regional Offices – These are secondary offices that can be normal business offices or home offices. These locations will have a VPN connection and some sort of tenant.
Co-Locations – These are redundant data center sites set up for additional space, equipment, and bandwidth.
Remote Access – This includes all remaining instances of employees or contractors using a VPN to connect.
Clients and Vendors – Various vendors and clients have dedicated VPN connections that will have some control over infrastructure (whether owned/IaaS/other).
List physical locations by nature of the location:
Core areas within physical scope – These are the many physical locations that are directly managed. These are high-risk locations with many personnel and services, resulting in many possible vulnerabilities and attack vectors.
Locations on the edge of control – These are on the edge of the physical scope, and thus, in scope of the security strategy. These include remote locations, remote access connections, etc.
Third-party connections – Networks of third-party users are within physical scope and need defined security requirements and definitions of how this varies per user.
BYOD – Mostly privately owned mobile devices with either on-network or remote access.
It would be overkill and unhelpful to list every single location or device that is in scope. Rather, list by broad categories as suggested above or simply list exceptional cases that are in/out of scope.

IT systems scope considerations
Consider identifying your IT systems by your level of control or ownership.
Fully owned systems – These are systems that are wholly owned or managed by your organization. IT is almost always the admin of these systems. Generally they are hosted on premises. All securing of these systems, through methods such as patching or antivirus, is done and managed by your IT department.
Cloud/remote hosted (SaaS) – These are systems with a lot of uncertainties because the vendor or service provider is either not known or what they are doing for security is not fully known. These systems need to be secured regardless, but supplier and vendor relationship management becomes a major component of how to manage these systems. Often, each system has varying levels of risk based on vendor practices.
Hybrid owned (IaaS/PaaS) – You likely have a good understanding of control for these systems, but they may not be fully managed by you (i.e. ownership of the infrastructure). These systems are often hosted by third parties that do some level of admin work. A main concern is the unclear definition of responsibility in maintaining these systems. Because they are managed to some degree by third parties, it is challenging for your security program to perform the full gamut of security or administrative functions.
Unknown/unowned systems – There are often systems that are unowned and even unknown and that very few people are using. These apps can be very small and may not fall under your IT management system framework. These systems create huge levels of risk due to limited visibility. For example, unapproved (shadow IT) file sharing or cloud storage applications would be unknown and unowned.

1.1.4 Record your scope and boundaries
Estimated Time: 30-60 minutes
1.2 Conduct a risk assessment
Estimated Time: 1-3 hours
Download the Information Security Pressure Analysis Tool

1.2.1 Complete the risk assessment questionnaire
Estimated Time: 60-90 minutes

Info-Tech Insight
Understanding your organization’s security risks is critical to identifying the most appropriate level of investment into your security program. Organizations with more security risks will need a more mature security program to mitigate those risks.

1.2.2 Review the results of the risk assessment
Estimated Time: 30 minutes
It is important to remember that the assessment measures inherent risk, meaning the risk that exists prior to the implementation of security controls. Your security controls will be assessed later as part of the gap analysis.

1.3 Conduct pressure analysis
Estimated Time: 1-2 hours
Download the Information Security Pressure Analysis Tool

Risk tolerance considerations
At this point, we want to frame risk tolerance in terms of business impact. Meaning, what kinds of impacts to the business would we be able to tolerate and how often? This will empower future risk decisions by allowing the impact of a potential event to be assessed, then compared against the formalized tolerance. We will consider impact from three perspectives:
F – Functional Impact: The disruption or degradation of business/organizational processes.
I – Informational Impact: The breach of confidentiality, privacy, or integrity of data/information.
R – Recoverability Impact: The disruption or degradation of the ability to return to conditions prior to a security incident.
Consider these questions:
Analyst Perspective
It is crucial to keep in mind that you care about a risk scenario’s impact on the main business processes. For example, imagine a complete functional loss of the corporate printers. For most businesses, even the most catastrophic loss of printer function will have a small impact on their ability to carry out the main business functions. On the flip side, even a small interruption to email or servers could have a large functional impact on business processes.

Risk tolerance descriptions
High
Moderate
Low

1.4.1 Complete the risk tolerance questionnaire
Estimated Time: 30-60 minutes

1.4.2 Review the results of the risk tolerance analysis
Estimated Time: 30 minutes
A low risk tolerance will require a stronger information security program to ensure that operational security risk in the organization is minimized. If this tool reports that your risk tolerance is low, it is recommended that you review the results with your senior stakeholders to ensure agreement and support for the security program.

1.5 Establish your target state
Estimated Time: 30-60 minutes
Download the Information Security Pressure Analysis Tool

Understanding security target states
Maturity models are very effective for determining information security target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state for information security in your organization.

1.5.1 Review the results of the target state recommendation
Estimated Time: 30-60 minutes

Info-Tech Insight
Higher target states require more investment to attain. It is critical to ensure that all key stakeholders agree on the security target state. If you set a target state that aims too high, you may struggle to gain support and funding for the strategy. Taking this opportunity to ensure alignment from the start will pay dividends in future.

1.5.2 Review and adjust risk and pressure weightings
Estimated Time: 30 minutes

Case Study
Credit Service Company
Industry: Financial Services
Source: Info-Tech Research Group
Below are some of the primary requirements that influenced CSC’s initial strategy development.
External Pressure – Pressure Level: High
Obligations – Regulatory: Numerous regulations and compliance requirements as a financial institution (PCI, FFIEC guidance). Customer: Implicitly assumes personal, financial, and health information will be kept secure.
Risk Tolerance – Tolerance Level: Low
Summary of Security Requirements: Define and implement a dynamic information security program that understands and addresses the business’ inherent pressure, requirements (business, regulatory, and customer), and risk tolerance.

Phase 2 – Build a Gap Initiative Strategy
This phase will walk you through the following activities:

2.1 Review the Info-Tech framework
Estimated Time: 30-60 minutes
Download the Information Security Gap Analysis Tool

Understand the Info-Tech framework
Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:
A best-of-breed approach ensures holistic coverage of your information security program while refraining from locking you in to a specific compliance standard.

2.1.1 Configure the Information Security Gap Analysis Tool
Estimated Time: 30 minutes
Review the Setup tab of the Information Security Gap Analysis Tool. This tab contains several configurable settings that should be customized to your organization. For now, the three settings you will need to modify are:
2.2 Assess current state of security
Estimated Time: 8-16 hours
Download the Information Security Gap Analysis Tool

Example maturity levels
To help determine appropriate current and target maturity levels, refer to the example below for the control “Email communication is filtered for spam and potential malicious communications.”
01 AD HOC – There is no centrally managed spam filter. Spam may be filtered by endpoint email clients.
02 DEVELOPING – There is a secure email gateway. However, the processes for managing it are not documented. Administrator roles are not well defined. Minimal fine-tuning is performed, and only basic features are in use.
03 DEFINED – There is a policy and documented process for email security. Roles are assigned and administrators have adequate technical training. Most of the features of the solution are being used. Rudimentary reports are generated, and some fine-tuning is performed.
04 MANAGED – Metrics are produced to measure the effectiveness of the email security service. Advanced technical features of the solution have been implemented and are regularly fine-tuned based on the metrics.
05 OPTIMIZED – There is a dedicated email security administrator with advanced technical training. Custom filters are developed to further enhance security, based on relevant cyber threat intelligence. Email security metrics feed key risk indicators that are reported to senior management.

2.2.1 Conduct current state assessment
Estimated Time: 8-16 hours

Review the Gap Analysis Dashboard
Use the Gap Assessment Dashboard to map your progress. As you fill out the Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state. Use the color-coded legend to see how large the gap between your current and target state is. The legend can be customized further if desired. Security domains that appear white have not yet been assessed or are rated as “N/A.”

2.2.3 Identify actions required to close gaps
Estimated Time: 4-8 hours
Download the Information Security Gap Analysis Tool

2.3.1 Identify gap closure actions
Estimated Time: 4-8 hours
Considerations for gap closure actions

2.3.2 Define gap closure action effectiveness
Estimated Time: 1-2 hours
For each of the gap closure actions, optionally enter an estimated gap closure percentage to indicate how effective the action will be in fully closing the gap. Completing this step will populate the “Security Roadmap Progression” diagram in the Results tab, which will provide a graphic illustration of how close to your target state you will get based upon the roadmap.

Phase 3 – Prioritize Initiatives and Build Roadmap
This phase will walk you through the following activities:

3.1 Define tasks and initiatives
Estimated Time: 2-4 hours
Download the Information Security Gap Analysis Tool

3.1.1 Finalize your task list
Estimated Time: 1-2 hours

Info-Tech Insight
Tasks are not meant to be managed to the same degree that initiatives will be. However, they are still important. It is recommended that you develop a process for tracking these tasks to completion.

3.1.2 Consolidate your gap closure actions into initiatives
Estimated Time: 2-3 hours

Initiative consolidation example
In the example below, we see three gap closure actions within the Security Culture and Awareness domain being consolidated into a single initiative “Develop security awareness program.” We can also see one gap closure action within the same domain being grouped with two actions from the Security Policies domain into another initiative “Update security policies.”

Info-Tech Insight
As you go through this exercise, you may find that some actions that you previously categorized as tasks could be consolidated into an initiative.

3.1.3 Finalize your initiative list
Estimated Time: 30 minutes

3.2 Conduct cost/benefit analysis
Estimated Time: 1-2 hours
Download the Information Security Gap Analysis Tool

3.2.1 Define costing criteria
Estimated Time: 30 minutes
Make sure that your ranges allow for differentiation between initiatives to enable prioritization. For instance, if you set your ranges too low, all your initiatives will be assessed as high cost, providing no help when you must prioritize them.

3.2.2 Define benefits criteria
Estimated Time: 30 minutes
Some organizations prefer to use the “Security Benefit” criteria to demonstrate how well each initiative supports specific compliance goals.

3.2.3 Complete the cost/benefit analysis
Estimated Time: 1-2 hours

3.2.4 Optionally enter detailed cost estimates
Estimated Time: 30 minutes

Case Study
Credit Service Company
Industry: Financial Services
Source: Info-Tech Research Group

3.3 Prioritize initiatives
Estimated Time: 2-3 hours
3.3.1 Create effort map
Estimated Time: 30 minutes

An effort map is a tool used to visualize a cost/benefit analysis. It is a quadrant output that shows how your gap initiatives were prioritized. In this example, the initiative "Update Security Policies" was assessed as low cost/effort (3) and high benefit (10).

3.3.2 Assign initiatives to execution waves
Estimated Time: 60 minutes

Considerations for prioritization

Info-Tech Insight: Use an iterative approach. Most organizations tend to put too many initiatives into wave 1. Be realistic about what you can accomplish and take several passes at the exercise to achieve a balance.

3.3.3 Finalize prioritization
Estimated Time: 30 minutes
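The effort map and wave assignment above can be worked through in code. The following is an added example written for this page; it is not Info-Tech's Gap Analysis Tool or any of its formulas. It assumes 1-10 scales for cost and benefit with 5 as the low/high midpoint, names the four quadrants itself (the page does not name them), treats wave capacity as a budget of cost points per wave, and uses a constructed list of initiatives (only "Update security policies" with cost 3 and benefit 10 is taken from the page). Initiatives already in progress go to Wave 0, as the section states; the others are placed in priority order into the earliest wave with room, so re-running with a different capacity is the "several passes" the Insight recommends.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Initiative:
    name: str
    cost: int            # 1 (low) .. 10 (high), from the costing criteria
    benefit: int         # 1 (low) .. 10 (high), from the benefits criteria
    in_progress: bool = False


# Assumption: on a 1-10 scale, a score of 5 or below counts as "low".
SCALE_MIDPOINT = 5

# Constructed sample data; only the first entry's scores come from the page.
SAMPLE_INITIATIVES = [
    Initiative("Update security policies", cost=3, benefit=10),
    Initiative("Develop security awareness program", cost=4, benefit=8),
    Initiative("Implement log monitoring", cost=8, benefit=9),
    Initiative("Refresh asset inventory", cost=2, benefit=4),
    Initiative("Vendor risk review", cost=6, benefit=3),
    Initiative("Overhaul patching process", cost=5, benefit=7, in_progress=True),
]


def quadrant(i: Initiative) -> str:
    """Place one initiative in the effort map (quadrant names are this example's)."""
    low_cost = i.cost <= SCALE_MIDPOINT
    high_benefit = i.benefit > SCALE_MIDPOINT
    if low_cost and high_benefit:
        return "quick win"          # low cost/effort, high benefit
    if high_benefit:
        return "major project"      # high cost/effort, high benefit
    if low_cost:
        return "fill-in"            # low cost/effort, low benefit
    return "reconsider"             # high cost/effort, low benefit


def effort_map(initiatives: List[Initiative]) -> Dict[str, List[str]]:
    """Group initiative names by quadrant, i.e. the effort map as a table."""
    grouped: Dict[str, List[str]] = {}
    for i in initiatives:
        grouped.setdefault(quadrant(i), []).append(i.name)
    return grouped


def priority_key(i: Initiative):
    # Highest benefit first, then lowest cost; name breaks ties deterministically.
    return (-i.benefit, i.cost, i.name)


def wave_plan(initiatives: List[Initiative], wave_capacity: int) -> Dict[int, List[str]]:
    """Assign initiatives to execution waves.

    Wave 0 holds anything already in progress. Remaining initiatives are taken
    in priority order and placed in the earliest wave whose cost load stays
    within wave_capacity; an initiative larger than the capacity gets an empty
    wave of its own rather than being dropped.
    """
    waves: Dict[int, List[str]] = {0: [i.name for i in initiatives if i.in_progress]}
    load: Dict[int, int] = {}
    backlog = sorted((i for i in initiatives if not i.in_progress), key=priority_key)
    for i in backlog:
        wave = 1
        while load.get(wave, 0) > 0 and load.get(wave, 0) + i.cost > wave_capacity:
            wave += 1
        waves.setdefault(wave, []).append(i.name)
        load[wave] = load.get(wave, 0) + i.cost
    return waves


if __name__ == "__main__":
    for q, names in effort_map(SAMPLE_INITIATIVES).items():
        print(f"{q:14s} {names}")
    # Two passes with different capacities show how the wave balance shifts.
    for capacity in (10, 20):
        print(f"capacity {capacity}: {wave_plan(SAMPLE_INITIATIVES, capacity)}")
```

With a capacity of 10 cost points the sample backlog spreads over three waves after Wave 0; raising it to 20 collapses most of it into Wave 1, which is the over-commitment the Insight warns about, so the capacity should reflect what the team can actually deliver per wave.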
Any initiatives that are currently in progress should be assigned to Wave 0.

3.4 Build roadmap
Estimated Time: 1-3 hours
3.4.1 Schedule initiatives using the Gantt chart
Estimated Time: 1-2 hours

Info-Tech Insight: Use the Owner column to help identify resourcing constraints. If a single individual is responsible for many different initiatives that are planned to start at the same time, consider staggering those initiatives.

3.4.2 Review your roadmap
Estimated Time: 30-60 minutes

3.4.3 Review your expected roadmap progression
Estimated Time: 30 minutes

Info-Tech Insight: Often, internal stakeholders will ask the question "If we do everything on this roadmap, will we be at our target state?" This diagram will help answer that question.

3.4.4 Review your cost/effort estimates table
Estimated Time: 30 minutes

Phase 4: Execute and Maintain

This phase will walk you through the following activities:

4.1 Build your communication deck
Estimated Time: 1-3 hours
4.1.1 Customize the Communication Deck
Estimated Time: 1-2 hours

Consider developing multiple versions of the deck for different audiences. Senior management may only want an executive summary, whereas the CIO may be more interested in the methodology used to develop the strategy.

Communication considerations

Developing an information security strategy is only half the job. For the strategy to be successful, you will need to garner support from key internal stakeholders. These may include the CIO, senior executives, and business leaders. Without their support, your strategy may never get the traction it needs. When building your communication deck and planning to present to these stakeholders, consider the following:

If you have already fully engaged your key stakeholders through the requirements gathering exercises, presenting the strategy will be significantly easier. The stakeholders will have already bought in to the business goals, allowing you to show how the security strategy supports those goals.

Info-Tech Insight: Reinforce the concept that a security strategy is an effort to enable the organization to achieve its core mission and goals and to protect the business only to the degree that the business demands. It is important that stakeholders understand this point.

4.2 Develop a security charter
Estimated Time: 1-3 hours
4.2.1 Customize the Information Security Charter
Estimated Time: 1-3 hours

A security charter is a formalized and defined way to document the scope and purpose of your security program. It defines security governance and allows it to operate efficiently through your mission and vision.

4.3 Execute on your roadmap
Info-Tech Insight: Info-Tech has many resources that can help you quickly and effectively implement most of your initiatives. Talk to your account manager to learn more about how we can help your strategy succeed.

Summary of Accomplishment

Knowledge Gained
Deliverables Completed
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop. Contact your account representative for more information.
Additional Support

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop. The following are sample activities that will be conducted by Info-Tech analysts with your team:

Information Security Program Gap Analysis Tool: Use our best-of-breed security framework to perform a gap analysis between your current and target states.

Information Security Requirements Gathering Tool: Define the business, customer, and compliance alignment for your security program.

Related Info-Tech Research

Develop a Security Operations Strategy: A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement. This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Implement a Security Governance and Management Program: Your security governance and management program needs to be aligned with business goals to be effective. This approach also provides a starting point for developing a realistic governance and management program. This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

Align Your Security Controls to Industry Frameworks for Compliance: Don't reinvent the wheel by reassessing your security program using a new framework. Instead, use the tools in this blueprint to align your current assessment outcomes to required standards.
What should be included in an information security strategic plan?
Key elements in the model include strategic business objectives, core security functions, security objectives, constraints, strategies, and initiatives.

What are the 3 major key components of information security?
When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of three main components: confidentiality, integrity, and availability.

What are the 6 elements included in a strategic plan?
The six vital elements of strategic planning are vision, mission, objectives, strategy, approach, and tactics.

What are the 5 components of information security?
It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.