Building a Strategic Plan for Information Security
Hugh Burley
Thompson Rivers University
Hugh is the Manager of Information Security at Thompson Rivers University in Kamloops, BC and the current ISO for BCNET, BC's Research Network. He holds current CISSP, CISA, CRISC, and IAAP/C designations and sits on a number of boards, committees, and working groups with interests in the area of information security.
Abstract
You've hired an Information Security Professional, allocated hundreds of thousands or even millions of dollars to security technologies, training, awareness, policies & standards, and human resources, tweaked old processes and developed some new ones, but no one is really sure what's going on and there doesn't seem to be a clear path forward.
The CISO/Director/Manager has come up with a 150-page tome that they call an Information Security Strategy, and there is a lot of detail. It references ISO 27001/27002, PCI, COBIT, ITIL, FIPPA/HIPA/PIPEDA and the Top 20 Security Controls. Only the CISO/Director/Manager has read it all the way through, and it isn't clearly connected to either the IT Strategic Plan or the University's Strategic Plan. In the meantime the University is trying to become PCI compliant; various departments/faculties/divisions have presented you with the de facto cloud solution to their business problems; the Privacy Office is demanding that you provide PIA information; the last audit indicated that the University's controls could use some basic remediation for passwords, access control, encryption, etc.; and the Board would like to know what risks this cyber security stuff really poses to the University. But the most urgent need is to deal with the most recent incident, and while recovering from that, everyone knows that the next major incident is only a click away.
This probably sounds all too familiar and there are no magic bullets. Can your University get to an information security strategic plan? Will it make any difference?
In this interactive presentation, we will have the opportunity to see how one medium-sized school is doing and consider what's working and what isn't.
Authors
- Hugh Burley (Thompson Rivers University)
Topic Area
Security: Security should be a culture, not a blocker
Session
D3-S4-03 » Wednesday Session 4 - 3 (14:15 - Wednesday, 20th June, DAC Upper Floor)
Presentation Files
The presenter has not uploaded any presentation files.