Follow The Yellow Brick Road - The Information Security Guide To The Emerald City And Making Metrics Matter
Day 2:  Monday 5 October 2009
 
Introduction To Mini-Workshop A.1
As organisations pursue cost savings and operational efficiencies in their existing business processes, they often turn to service providers, either in their home countries or abroad. By leveraging such providers, organisations anticipate cost savings from factors such as lower wages, lower operating costs and access to workers with experience that may not be available in-house.

Alternatively, some organisations choose to move their operations to off-shore locations but retain control over their infrastructure, staff and processes. In either case, organisations need to manage the risks associated with safeguarding their assets and their information while complying with the various regulations and laws that govern their industry. This session examines the concepts associated with outsourcing and off-shoring, the various pitfalls associated with sourcing, and lessons learned to help manage some of the risks.

Topics Covered In The Workshop A.1
• Risks involved in outsourcing or off-shore outsourcing business/IT functions
• Risks associated with confidentiality, integrity and availability of information
• The 4 key life cycle stages:
  - Selecting the right provider and contract negotiation
  - Implementation or transition: transferring existing operations to chosen provider
  - Ongoing operation of the outsource or offshore
  - Review stage: where the outsource or off-shore is renegotiated or terminated

At The End Of The Workshop You Will Be Able To:
You will learn what is meant by outsourcing, off-shoring and off-shore captive centres, and the similarities and differences between the various ‘sourcing’ models.

The workshop covers tools and practical applications across the outsourcing life cycle, and the contributions information security can make at its various points. Pitfalls and recommended actions relating to outsourcing are explored through case examples, practical group activities and information sharing.
 
Meet your Expert Leader:
Simone Seth
Senior Director,
PricewaterhouseCoopers, UK

Simone Seth is a business leader with more than twenty years of progressive programme management and leadership experience in the financial services industry. She is a distinguished industry leader and visionary focused on delivering fast, secure, high-quality solutions in governance, information security, risk management and regulatory compliance; solutions that generate a return on investment and enable firms to move from efficiency and productivity gains towards value creation and business effectiveness.

Prior to her tenure with the ISF, Simone held senior leadership positions at Citigroup, Deutsche Bank, JP Morgan and Chase Manhattan Bank. She served as Chief Privacy Officer and CISO at these institutions and has distinguished herself through her many public speaking engagements.

Introduction To Mini-Workshop A.2
The economic upheaval that organisations face today has placed a laser sharp focus on demonstrating value for spend. Metrics and reporting have become increasingly important tools for demonstrating to business and senior management how secure the organisation is as well as how effectively security investment is being managed. However, knowing what data to collect and placing it into a business context can pose a challenge.

Recognising the importance of metrics as a vehicle for communicating value, information security practitioners are seeking ways to align with business reporting, reflect the risk position of the organisation and demonstrate their value to the organisation.

During this highly informative session, the following questions will be tackled:

Governance: What are the key performance indicators (KPIs) needed to demonstrate the effectiveness of the information security spend?
Risk: What metrics and key risk indicators (KRIs) most effectively demonstrate the organisation’s information security risk profile?
Compliance: What metrics and key compliance indicators (KCIs) need to be reported to regulators and other audiences to demonstrate the effectiveness of information security controls across the organisation?
Alignment: How can information security metrics align and integrate with business metrics?

Topics Covered In The Workshop A.2
• Defining, understanding and applying the existing common body of metrics work (NIST, ISF, ISO etc.)
• Identifying what needs to be reported, why and to whom
• Prioritising which metrics are key in influencing investment in the security function
• Mapping metrics to compliance requirements and business objectives
• Determining how information security metrics can be aligned and integrated with GRC frameworks and business strategy
• Exploring methods and tools that can be used for reporting metrics, such as dashboards and balanced scorecards.

At The End Of The Workshop You Will Be Able To:
You will learn what is meant by metrics, indicators and measures, and how to translate them into your day-to-day functions.

The workshop includes tools and practical exercises on the metrics reported by security professionals, the pitfalls where reporting could be going wrong within your organisation, and what matters in business terms. Case examples cover pitfalls, successes and recommended actions relating to poor reporting.
 

 

Business Community Partner