Upload File

communicating about information security - cdm media · benefits of using a capability maturity...

  • Home
  • Documents
  • Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic
17
CATERPILLAR: NON CONFIDENTIAL Communicating about Information Security

Upload: others

Post on 13-Mar-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Communicating about

Information Security

Page 2: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Mike ZachmanDeputy CISO, Caterpillar Inc.

Currently leading Information Security transformations at two high-

risk business units to improve their capability to protect, detect and

respond to information security risks.

Previously performed the same function at the enterprise level.

Certifications include:

– Certified Internal Auditor (CIA)

– Certified Information Security Manager (CISM)

– Certified in the Governance of Enterprise IT (CGEIT)

Page 3: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Objectives

Discuss the use of a Capability Maturity Model to

• Measure and communicate progress

• Ensure strategic alignment

• Calibrate with program management

Page 4: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

An Example Capability Maturity Model

Page 5: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Security Program Management (SPM) frameworkErnst & Young’s model

Business drivers

Metrics and reporting

Data infrastructure

Events Alerts Logs

Go

vern

ance

an

d o

rgan

izat

ion

Strategy

Policy and standards framework

Architecture Operations Awareness

Services

Software security

Host security

Network security

Data protectionIncident

management

Business continuity management

Technology protection ResiliencyFunctional operation

Asset managementThird party

managementIdentity and access

management

Security monitoringThreat and

vulnerability management

Privacy Inte

lligence

Page 6: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Maturity Rating Scale

Maturity level descriptions

1

Initial/Ad hoc

►Basic undocumented, changing capability is in place with some technology and tools; limited local processes, and limited organizational support.

2

Repeatable

►A partial capability is in place with a combination of some technology and tools; local processes covering some regions/business units or processes are repeatable, but may not be good practice or maintained; and limited organizational arrangement to support good practice.

3

Defined

►A defined capability is in place with significant technology and tools for some key resources and people; processes defined for some regions and/ or business units; and organizational guidance is in place for some key regions and/or business units.

4

Managed

►A mature capability is in place with advanced technology and tools for some key resources and people, consistent processes exist for some regions and/or business units, and some governance is in place (accountability/responsibility/metrics) for some key regions and/or business units.

5

Optimized

►An advanced capability is in place which is leading-edge technology and tools for all key resources and people, consistent process across regions, business units, and effective governance is in place (accountability / responsibility/continual monitoring for improvement).

The maturity rating scale is based on an industry standard Capability Maturity Model, that helps assess current maturity of the program and capabilities to determine the desired future state and identify where improvements are required.

Page 7: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Communicating with a Capability Maturity Model

Page 8: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Some Basic Questions Regarding Information

Security….

How are we doing?

What are our biggest concerns?

How do we compare with our industry?

Are we doing enough?

Page 9: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

IT Security Compliance – Page 1 of 10 Sample Data

Page 10: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Capability Maturity Model Security maturity benchmark results – Year 1

Sample Data

Page 11: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Capability Maturity Model Security maturity benchmark results – Year 1

Sample Data

A different conversation……

Page 12: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Some More Questions Regarding Information

Security….

Are we improving?

Are we spending in the right areas?

Page 13: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Capability Maturity Model Security maturity benchmark results – Year 2

Sample Data

Major Accomplishments:

Documented Information Security strategy aligned with enterprise objectives

CISO organization established with dotted line to Board Audit Committee

Demonstrated improved awareness during self-phishing exercises

Established a formal information security metrics program and achieved targets across several key performance indicators

Implemented mobile device management

Enterprise policies and standards documented and approved by Executive Office

`

Page 14: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Some More Questions Regarding Information

Security….

What is our target?

How does our target compare to the industry?

Are we investing in alignment with our strategy?

Are we investing enough?

Page 15: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Capability Maturity Model Security maturity benchmark results – Years 3+

Sample Data

Page 16: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Benefits of Using a Capability Maturity Model

Easy to understand and communicate information security posture

Provides a holistic view of information security and the ability to establish a baseline for benchmarking

Identifies the strengths and weaknesses of an information security program and thereby, identify areas for improvement and provides justification for where the program needs to mature to prioritize investments

Does not replace the necessary mountains of operational metrics

Page 17: Communicating about Information Security - CDM Media · Benefits of Using a Capability Maturity Model Easy to understand and communicate information security posture Provides a holistic

CATERPILLAR: NON CONFIDENTIAL

Questions?


Information technology — Security techniques — Information security … · Information technology — Security techniques — Information security for supplier relationships —

RUAG Cyber Security Security Consulting · into the customer’s protection and determine their Cyber Security Maturity. Reinforce your security posture Cyber Security Compliance

WHITE PAPER SERIES...largest corporations and agencies on how to improve their cyber security posture in their information security and physical security organizations. This series

Best Practices for Information Security and IT Governance · 2019-09-27 · Best Practices for Information Security and IT Governance - 2 - Strengthen Your Security Posture. The leading

Zscaler Cloud Security Posture Management (CSPM) | White Paper · 1 day ago · cloud infrastructure configurations, calling this category Cloud Security Posture Management (CSPM)

Building a Security Dashboard - cdn.ttgtmedia.com · A Security Dashboard Provides… • “At a GlanceAt a Glance view of your security ” view of your security posture

Information Technology Category (ITC) SIN Modernization... · formulating two major plans for maintaining a hardened security posture within Federal IT systems: Cybersecurity Strategy

Building a Better Security Posture

SECURITY POSTURE ASSESSMENT....quality information. Understanding what your current security posture looks like enables you to plan and implement security processes and technologies

Security Testing – Status Reportgtcs.cs.memphis.edu/pubs/Shiva_STEP_2012.pdf · •Ethical hacking •Posture assessment . Vulnerability scanning •Network security –Nessus,

Information Security is a people problem. Cyber Self ...theneteffect.com/resources/Security_Awareness_Training_from_The... · security posture by decreasing risky behavior. ... Social

Handbook Elements of Security Posture Transformation · to change security posture, and this is where all the hard work is. Elements of Cybersecurity Posture Transformation 6 a.Balbixgenerates

PREVENTION POSTURE ASSESSMENT - Khipu Cyber Security · The Prevention Posture Assessment summarizes the business and security risks facing Test Account by documenting key security

Information Security- Perspective for Management Information Security … · 2011-03-18 · 3 Information Security Management Information Security Management “Information security

Understand & improve your security posture

Cloud Security Posture Management (CSPM)

Project Architecture Review Board Response€¦  · Web viewOffice of the Chief Information Officer. ... confidential information that may reveal the security and/or technology posture

Kyle Taylor – increasing your security posture using mc afee epo

Security Posture Assessment - EPRIsmartgrid.epri.com/doc/ICCS_Summit/C2.1_Lee_eu summit 0415 sec po… · ICCS –European Engagement Summit April 28, 2015 Security Posture Assessment

BUILDING THE BLUEPRINT FOR INFORMATION SECURITY · Strategy Roadmap Physical Security DR /BCP Strategy Current State Posture Optimized Managed Developing Not Deployed Initial. Risk

Cloud Security Posture Management … · CloudGuard CSPM Cloud Security Posture Management Product Brief Keywords CloudGuard Cloud Security Posture Management, part of the CloudGuard

Protect Your Data: 7 Ways to Improve Your Security Posture · 7 Ways to Improve Your Security Posture 3 Data Protection Reduce threats with identity and access management Identity

CIS CentOS Linux 6 Benchmark - Information Security · This document, CIS CentOS Linux 6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture

The Security Posture Survey can help you face the ......security risks through asset inventory, a baseline network traffic, and detection of abnormalities. The Security Posture Survey

AWS PREMIER CONSULTING PARTNER INTRODUCING KEY …€¦ · > Improve security posture on AWS > Identify vulnerabilities before breach > Innovate with security posture known > Enhance

SECURITY POSTURE ASSESSMENT (SPA)€¦ · MCMC MTSFB TC G016:2018 iv Foreword This technical code for Information and Network Security - Security Posture Assessment (SPA) (‘this

Security Posture and Vulnerability Management for Storage · security standards Security Posture and Vulnerability Management for Storage Uncover Hidden Security Risks to Critical

Your All-In-One Guide to Improving Your Security Posture

Risk Management Chapter 4. Risk Management Risk identification “The process of examining & documenting the security posture of an organization’s information

MT - Cloud Security Posture Assessment

Using hypervisor and container technology to increase datacenter security posture

Mindtree Cloud Security Posture Assessment - POV

A crash course in security management: better security posture

Posture difference - Welcome to PatternMaker POSTURE DIFFERENCE Information about balance, posture difference and proportions used with the patterns for women designed by Leena Leehthamaki

Modern Data Platform in the cloud - ert.com · DEFENSE (SECURITY) IN DEPTH 15 Security Enhancement Program to address ERT Security Posture Gaps and associate Security Risks. Security