Information Security Management

The main governance and management activities can be grouped into nine categories. This framework lets you concentrate on the most important issues.
Information security is no longer limited to setting up technical protection measures. As a strategic area of business in the connected world and the digital economy, it requires a rigorous approach to its governance and management: compliance with regulations, laws and best practices; accountability at all levels, including the Board and senior management; and effective management of security risks and investments.

But do you have the right tools?

Ask yourself the following questions...

Do you have a written security Policy? How should you establish a policy?

Is your security Strategy defined? How should you develop a security strategy?

What is your security Organization? What are your governing and management bodies?

Are your security Risks identified? How are they managed and what measures are being taken to mitigate them?

How is your security Programme managed? How should you prioritize investments?

Do you have a security Reporting system? How should you design dashboards?

Do you have an Asset management system? Do you have an Inventory of sensitive data and applications?

Are you Compliant with security-related regulations? How should you organize compliance projects?

Do you have Metrics or KPIs for security? How should you design them to be effective?

Whether you wish to strengthen information security management as a whole or only in specific domains such as Cybersecurity or Identity and Access Management, or if you have projects to build compliance in Data Protection or Data Privacy, we can bring solid experience from similar projects together with proven methods and tools.

The Three-Layer Control Framework canvas can be used to identify major gaps and inconsistencies in security governance and management.

Our added value:

  • Awareness workshops for the board, management and staff on security governance and management activities.
  • Proven methodology and tools for security governance, management and compliance assessment.

Security Management Self-Assessment

1. Security Strategy

The strategy is a plan, approved by management, that presents the vision and the changes needed for the information security program.

Our added value:

  • Method and tools for identifying business objectives, prioritizing and articulating a comprehensive information security strategy.
  • Examples of information security strategies.

2. Security Policies and Framework

An information security policy and lower-level documents (standards and guidelines) are part of a well-defined document framework.

Our added value:

  • Provision of a method and tools for defining the security policy and documentation framework.
  • Contents and examples of security policies.

3. Security Organization

The security organization reflects the strategy. Functions should be well defined to cope with the essential security objectives.

Our added value:

  • Definition or revision of all security functions, and of the security governance and management bodies.
  • Method for the development or assessment of a security organizational chart.

4. Security Risk Management

Reducing risk to an acceptable level is the core objective of a security program. However, managing security risks is challenging, mainly because granularity, metrics and KRIs are poorly defined.

Our added value:

  • Definition of the security risk management process.
  • Pragmatic approach to defining risk scenarios.
  • Metrics and KRIs for security risk measurement (probability, impact).

5. Security Program Management

The objective of information security program management is to maintain the appropriate level of security and to manage resources so that targets can be met.

Our added value:

  • Method and examples for developing reports on security status and objective completion.
  • Method for developing control catalogs and maturity assessments.

6. Security Reporting Design

The objective of reporting is to depict the state of security at a given time, to present facts about trends and to establish a single language of communication among stakeholders.

Our added value:

  • Method for designing effective, business-oriented security reports and dashboards.
  • Examples of reports, dashboards and best practices.

7. Security Asset Management

Knowing what to protect, and which information and knowledge is essential for the business, is a sine qua non for adequate security.

Our added value:

  • Method and tools for developing an effective and pragmatic asset inventory.
  • Examples of metrics and a metrics catalog.

8. Security Compliance Management

Knowing the legal and regulatory security framework that applies to the business, and how to achieve compliance with it, is essential for every security program.

Our added value:

  • Self-assessment worksheets for major data protection regulatory frameworks (e.g. GDPR).
  • Definition of a compliance program strategy and project management.
  • Maturity assessment worksheets and expertise.

9. Security Metrics and KPIs

Metrics should provide indicators that make it possible to answer questions such as: “Is our security adequate? Is our security expenditure justified? What will be the return on security investments?”

Our added value:

  • Provision of metrics tools: balanced scorecard for security, risk-associated metrics, maturity models, Goal Question Metrics, benchmarks, etc.
  • Examples of metrics and KPIs.