Module five talks to the implementation action plan. We're looking at a plan that's going to help us get from where we are, the current state, to the desired state. So we need to do things like gap analysis, policy development, standards development, training and awareness, identify and define the metrics, and define what the intermediate goals are. Gap analysis has to look at several components of the strategy: what's our maturity level? Where are we? How are we maturing? What's the objective of the controls that we're putting in? What's the risk? And what's the impact? How much are we trying to reduce our impact? Now, this exercise is going to get repeated every year, because we need to improve our performance; we need to improve our metrics. The typical approach in gap analysis is to work backwards from the future state to the current state, and then identify intermediate milestones, or intermediate steps, that we need to take in order to accomplish the objective. And there are several tools out there that can help us assess the gap. One of those is the Capability Maturity Model from the Software Engineering Institute. As part of that gap analysis, the security strategy has to have senior management acceptance and support. It has to be linked to the business objectives. It has to have policy that is complete and consistent with the strategy, that's supported by standards and procedures, that has identified clearly all of the roles and responsibilities, and that has an organizational structure with the appropriate authority. In order to accomplish this, assets have to be identified, they have to be classified, and controls have to be designed, implemented, and maintained. And you can read down through the list of all of these other things that we have to do and have in place. When we do policy development, policy has to capture management's statement of intent, because that's what's going to drive this information security strategy action plan.
That completed strategy is the basis for everything we do in terms of creating or modifying policy. So what do good policies contain? It should articulate clearly and concisely a well-defined information security strategy; it has to be clear, it has to be concise. It is very rarely more than two paragraphs long, and rarely more than a few sentences long. Standards tell us how to implement that policy: how do we implement a particular policy? When you develop standards, you should have auditing involved, because that's the basis for auditing. When we do security awareness training, too, one of the things that we train our employees on are those policies and the standards: where are they, and how do they contribute to the security strategy? And what are the metrics that the employees must know about? Speaking of metrics, how are we going to measure and monitor our progress towards achieving those different milestones that we've identified in our gap analysis? Because potentially we may need to do some mid-course corrections, if you would, in order to make sure that we achieve that final goal. There are a couple of approaches: COBIT 5 has something called the process assurance model, PAM. The Software Engineering Institute has the Capability Maturity Model Integration to use. But all of those metrics are going to include key performance indicators, critical success factors, key goal indicators, and key risk indicators. The general consideration for a metric is that the metric has to be relevant; we can't have metrics that are meaningless like, how many times was the door to the data centre opened? That's a meaningless metric. Senior management is not interested in the technical detail. What do they want to know? How are you doing with respect to the plan, with respect to budget? Any time there's a significant change in risk, what's the impact to achieving the business objectives? How many of your disaster recovery tests were actually successful?
What are the audit reports and results? And I'll tell you this right now: management does not like having an audit finding. They will do anything, they will work anybody 24 hours a day, just so they don't get an audit finding. Which, basically, what they're saying is, how am I doing when it comes to regulatory compliance? What we need to be able to define, what we need more detailed information about, is what metrics we can put in place to identify policy compliance. How are we doing with respect to change? How are we doing with respect to making sure all of our systems are patched? And have there been any exception requests or variations against policy or against standard? Useful metrics are quite often difficult to design and implement. Most of the measures are simply indicative of a potential problem, or potential impact, and they don't have what we call predictive value. They're telling us about what did occur, not what could occur. So we need to do some improvement when we come to developing and implementing those metrics. So what are we looking at when it comes to design? What's important to management? What's important to security operations? What does the business owner want to know? And, more importantly, what does senior management want to know? And how do we report that? What's the reporting process? What are some of the intermediate goals? Because once we've defined that overall strategy and that's complete, we now have to look at the business impact analysis and determine the business-critical resources. And then, in our gap analysis, identify those intermediate steps, or those critical milestones, so that we can achieve that future state. Those near-term goals, those milestones, are required. The entire objective is to state where we want to be in the long term, and we have to make sure that we are aligned ultimately with that end goal, with the future state.
Strategic plans, long-range plans, serve as an integration, if you would, for the near-term and mid-range tactical activities. One of the things that we have to avoid doing is what we call point solutions. Point solutions don't buy us anything; they increase cost, and they're very difficult to manage.