Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141

Upload: ursula-dorsey

Post on 01-Jan-2016

Page 1: Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141

Information Security Governance and Risk

Chapter 2, Part 3

Pages 100 to 141

Page 2

Security Documents

• Policies
• Procedures
• Standards
• Guidelines
• Baselines

Page 3

Security Policy

• General statement produced by senior management
• Needs to be technology and solution independent
• Written in broad terms
• Outlines goals, not specific ways of accomplishing them

Page 4

Organizational Security Policy

• Addresses laws, regulations and liability issues
• Describes scope and the level of risk management is willing to accept
• Business objectives should drive policy
• Easily understood by employees
• Process for dealing with those who do not comply

Page 5

Issue-Specific Policies

• Example: email usage
• Employees should confirm they have read and understand the policy

Page 6

Issue-Specific Policies

• Acceptable use policy
• Data protection policy
• Business continuity policy
• See pages 103-4

Page 7

System-Specific Policies

• Specific to actual computers, networks, applications

• Example: how a database containing sensitive information should be protected and who can have access to it

Page 8

Standards

• Mandatory actions or rules
• Specific products to be used
• “Employees are required to wear identification badges at all times”
• “Confidential information must be protected with AES-256 at rest and in transit”

Page 9

Baselines

• When risks have been mitigated and security controls put into place, a baseline is agreed upon
• Reference point to compare against when new software is installed or when changes are made
• The question to answer after every change: are we still providing the baseline protection?
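As an added example (not part of the course slides or the textbook), the check described above as a script: a recorded baseline is compared against the current settings of a host after a change, and every deviation is reported. The setting names, comparison modes and sample values are constructed for illustration; a real deployment would load the current values from the host's configuration rather than from an inline dictionary.

```python
"""Baseline drift check (added example; setting names and values are constructed)."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Deviation:
    setting: str
    expected: Any
    actual: Any
    reason: str


# Agreed baseline: setting -> (comparison mode, required value).
#   "eq"  : the current value must match exactly
#   "min" : the current value must be at least the baseline value
BASELINE = {
    "ssh.PermitRootLogin":        ("eq",  "no"),
    "ssh.PasswordAuthentication": ("eq",  "no"),
    "tls.min_version":            ("min", 1.2),
    "password.min_length":        ("min", 14),
    "audit.enabled":              ("eq",  True),
    "disk.encryption":            ("eq",  "aes-256-xts"),
}

# Constructed snapshot taken when the baseline was agreed (compliant).
BEFORE_CHANGE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "tls.min_version": 1.3,
    "password.min_length": 16,
    "audit.enabled": True,
    "disk.encryption": "aes-256-xts",
}

# Constructed snapshot after a software install that re-enabled password
# logins, lowered the TLS floor, dropped disk encryption and added an FTP
# service nobody put through change control.
AFTER_CHANGE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "yes",
    "tls.min_version": 1.0,
    "password.min_length": 16,
    "audit.enabled": True,
    "ftp.enabled": True,
}


def check_baseline(baseline, current):
    """Return a Deviation for every setting that fails the baseline.

    A setting missing from `current` is a deviation: we cannot show the
    protection is still in place. A setting present in `current` but absent
    from the baseline is reported too, because change control should have
    added it to the baseline before it appeared on the host.
    """
    deviations = []
    for name, (mode, expected) in baseline.items():
        if name not in current:
            deviations.append(Deviation(name, expected, None, "missing"))
            continue
        actual = current[name]
        if mode == "eq" and actual != expected:
            deviations.append(Deviation(name, expected, actual, "value differs"))
        elif mode == "min" and actual < expected:
            deviations.append(Deviation(name, expected, actual, "below minimum"))
    for name in sorted(set(current) - set(baseline)):
        deviations.append(Deviation(name, None, current[name], "not in baseline"))
    return deviations


def still_compliant(baseline, current):
    """True only when the host still provides the agreed baseline protection."""
    return not check_baseline(baseline, current)


if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE_CHANGE), ("after", AFTER_CHANGE)):
        print(f"{label}: compliant={still_compliant(BASELINE, snapshot)}")
        for d in check_baseline(BASELINE, snapshot):
            print(f"  {d.setting}: {d.reason} (expected {d.expected!r}, got {d.actual!r})")
```

Running the script reports the pre-change snapshot as compliant and lists four deviations for the post-change one. The "not in baseline" finding is the one most often skipped in practice; it is what catches services that were never part of the agreed reference point.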

Page 10

Guidelines

• Suggested actions and best practices (recommendations, not mandatory rules)

Page 11

Procedures

• Detailed step-by-step tasks that should be followed

• How policies, standards, and guidelines will be implemented in an operating environment

• Example: setting up a new user account

Page 12

Implementation

• Policies, standards, procedures and baselines are often written for auditors
• Awareness training
• Companies that do not provide awareness training can be held liable in the eyes of the law
• It must be clear that management supports these policies

Page 13

Information Classification

• Table 2-11 on pages 110-111

Page 14

Information Classification

• Assign value to different kinds of information
• After identifying all important information, it should be properly classified
• Determines how to allocate funds to protect information in a cost-effective manner
• Each classification should have separate handling requirements and procedures for how that data is accessed, used and destroyed

Page 15

Data Classification Procedures

• Page 114

Page 16

Board of Directors

• Goal: shareholders’ interests are protected and the corporation is run properly
• 2002 scandals (Enron)
• U.S. Government & SEC
– Sarbanes-Oxley Act (SOX)
– Board of Directors can be held personally responsible (fined or jailed) for fraud

Page 17

Executive Management

• CEO
– Day-to-day management
• CFO
– Corporate financial activities
• 2002 financial scandals
– Under SOX, the CEO and CFO are personally responsible for the accuracy of financial reports
– Can be fined or go to jail

Page 18

Executive Management

• CIO
– Strategic use and management of information systems
• Chief Privacy Officer
– Ensures customer, company and employee data is kept safe
– Usually an attorney who understands privacy, legal and regulatory requirements

Page 19

Privacy

• Amount of control an individual should have over their sensitive information
• Personally identifiable information (PII)
– Exposure leads to identity theft and financial fraud

Page 20

Executive Management

• Chief Security Officer (CSO)
– Understands the risks the company faces and mitigates them to an acceptable level
– Understands the business drivers and creates and maintains a program that facilitates them
– Ensures security compliance with regulations

Page 21

Data Owner

• Usually in charge of a business unit
• Responsible for the protection and use of a specific subset of information
• Classifies this data
• Ensures security controls are in place and defines backup requirements and proper access rights

Page 22

Data Custodian

• Responsible for maintaining and protecting the data on behalf of the data owner

Page 23

User

• Must have the necessary level of access to the data to perform their duties
• Responsible for following security procedures

Page 24

Personnel Security

• In security, people are often the weakest link
• Accidentally, through mistakes or lack of training
• Intentionally, through fraud and malicious intent

Page 25

Preventative Measures

• Separation of duties
– No one individual can complete a critical task by herself
– Example: supervisor’s written approval
– Fraud or destruction then requires collusion between two or more people

Page 26

Preventative Measures

• Rotation of duties
– No person should stay in one position for a long time
• Mandatory vacations
– While on vacation, fill-ins can usually detect fraud
• Key terms: page 127

Page 27

Hiring Practices

• Nondisclosure agreements signed by new employees

• References checked
• Education verified
• Detailed background check

Page 28

Termination

• Employee escorted out of the facility
• Surrender identification badges and keys
• Exit interview
• User’s accounts disabled immediately
• Too many companies have been hurt by vengeful or disgruntled employees

Page 29

Security-Awareness Training

• Communicate security to employees
• Supported by senior management
• Management must allocate resources for training
• Training must be simple to understand
• Covers acceptable behaviors
• Covers noncompliance repercussions
• Delivered during hiring and annually thereafter

Page 30

Security Governance

• Table 2-13 Company A on page 133

Page 31

Metrics

• “You can’t manage something that you can’t measure.”
• Quantifiable, performance-based data
• Continuously gathered and compared so that improvements or drops in performance can be identified
• ISO/IEC 27004 describes how to measure a security program

Page 32

Quick Tips

• Pages 138 to 141