Information Security Governance - Course Content

1. Governance

  • What is it? How do we do it? What do we get out of it?
  • Origins of Governance
  • Governance History
  • Governance Definition
  • Information Security Governance
  • Six Outcomes of Effective Security Governance
  • Defining Information, Data, Knowledge
  • Value of Information

2. Why Governance?

  • Benefits of Good Governance
  • Reducing liability for information inaccuracy or lack of due care in protection
  • Providing assurance of policy compliance
  • Increasing predictability and reducing uncertainty of business operations by lowering risks to definable, acceptable levels
  • Providing the structure and framework to optimize allocations of limited resources
  • Providing assurance that critical decisions are not based on faulty information
  • Ensuring accountability for safeguarding critical assets
  • Increasing trust of customers and stakeholders
  • Increasing your company’s worth - Good governance lifts share value 18 to 26 percent
  • Security is a management problem, not a technical problem

3. Addressing Legal and Regulatory Requirements

  • Disclosure
  • Transparency
  • Oversight
  • Record retention
  • Privacy
  • Attestation

4. Roles & Responsibilities

  • For the board of directors
  • For executive management
  • For the steering committee
  • For the CISO

5. Governance Metrics

  • You can’t manage what you can’t measure
  • Outcome Metrics
  • Key Performance Indicators, Critical Success Factors, Key Goal Indicators for:
    - Strategic alignment
    - Risk management
    - Business Process Assurance
    - Value delivery
    - Resource management
    - Performance measurement
  • Elements of Governance

6. Strategic Goals and Direction

  • What is Strategy?
  • Failures of Strategy - Common Pitfalls:
    - Overconfidence
    - Optimism
    - Anchoring
    - Status quo bias
    - Mental accounting
    - Herding instinct
    - False consensus
    - Confirmation bias
    - Selective recall
    - Biased evaluation
    - Groupthink

7. Information Security Objectives

  • Defining Objectives
    - Determining the objectives of information security
    - Locating and identifying information resources
    - Classifying information resource criticality and sensitivity
    - Valuation of information resources
  • Determining the ‘desired state’ of security
    - CobiT
    - Capability Maturity Model
    - Balanced Scorecard
    - SABSA
    - BS ISO/IEC 17799 (27001)
    - GASSP

8. Risk Objectives

  • Current State of Security
  • Current state of Risk
  • Gap analysis

9. Developing a Security Strategy

  • Attributes of a good security strategy
  • Strategy Considerations
  • Elements of Strategy
  • Considerations for Implementing Strategy
  • Gap Analysis
  • Action Plan
    - Policies
    - Standards
    - Procedures
    - Guidelines
  • Policy Development
  • Standards Development

10. Governance Action Plan

  • Action Plan Intermediate Goals
  • Action Plan Metrics
    - Key Performance Indicators
    - Critical Success Factors
    - Key Goal Indicators
  • Risk
    - Defining Risk
    - Assessing Risk
    - Managing Risk
  • Countermeasures
  • Control Objectives
  • Control Development and Implementation
  • Training and Awareness
  • Governance Monitoring and Metrics
    - Key Performance Indicators