Information Security Governance and Risk Management
TRANSCRIPT
![Page 1: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/1.jpg)
Information Security Governance and Risk Management
![Page 2: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/2.jpg)
2
Domain Objectives
• Security Planning and Organization
• Roles of Individuals in a Security Program
• Differences between Policies, Standards, Guidelines, and Procedures as related to Security
• Security Awareness throughout the Organization
• Risk Management Practices and Tools
![Page 3: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/3.jpg)
3
Information Security TRIAD
• Confidentiality
• Integrity
• Availability
![Page 4: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/4.jpg)
4
Introduction
• Information Security Management includes:
• Governance Structure
• Policies
• Standards
• Procedures
• Baselines
• Guidelines
![Page 5: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/5.jpg)
5
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
![Page 6: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/6.jpg)
6
IT Security Requirements
• Complete Security Solutions = Functional Requirements + Assurance Requirements
• Functional Requirements
• Defines the security behavior of the control measure
• Selected based on risk assessment
• Assurance Requirements
• Provides confidence that security function is performing as expected
• Critical part of the security program
![Page 7: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/7.jpg)
7
Organizational & Business Requirements
• Focus on the mission of the organization
• Each type of organization has differing security requirements
• Security must make sense and be cost effective
![Page 8: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/8.jpg)
8
IT Security Governance
• Integral Part of Overall Corporate Governance
• Three Major Parts
• Leadership
• Structure
• Processes
![Page 9: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/9.jpg)
9
ISO 17799 & ISO 27001
• ISO 17799
• Code of Practice - Guidance and Support
• Management Focus
• ISO 27001:2005
• Management System Standard (Certifiable and Measurable Requirements)
• Assurance Focus
![Page 10: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/10.jpg)
10
Security Blueprints
• Used to identify and design security requirements
• Infrastructure Security Blueprints
![Page 11: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/11.jpg)
11
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
![Page 12: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/12.jpg)
12
Policy Overview
THE “ENVIRONMENT” surrounding the Overarching Organizational Policy (Management’s Security Statement):
• Laws
• Regulations
• Organizational Objectives
• Organizational Goals
• Shareholders’ Interests
![Page 13: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/13.jpg)
13
Policy Overview
• Overarching Organizational Policy (Management’s Security Statement)
• Functional Implementing Policies (Management’s Security Directives)
• Supporting elements: Standards, Baselines, Guidelines, Procedures
![Page 14: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/14.jpg)
14
Management’s Security Policy
“Security is essential to this company and its future” (J.T. Lock, CEO)
•Provides Management’s Goals and Objectives in Writing
•Documents compliance
•Creates security culture
![Page 15: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/15.jpg)
15
Management’s Security Policy
•Anticipates and protects from surprises
•Establishes the security activity/function
•Holds individuals personally responsible/accountable
•Addresses potential future conflicts
![Page 16: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/16.jpg)
16
Management’s Security Policy
• Ensures employees and contractors are aware of organizational policy and changes
• Mandates an incident response plan
• Establishes processes for exception handling, rewards, discipline
Security Violation Reprimand
TO: I.M. Wrong
FOR: Failing to follow established policies
![Page 17: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/17.jpg)
17
Policy Infrastructure
• Functional Policies
• Implement and interpret the high level security policies of the organization
Management’s Security Policy (“Security is essential to this company and its future”, J.T. Lock, CEO) sits above the Functional Policies that implement it
![Page 18: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/18.jpg)
18
Policy Implementation
• From policies come the supporting elements: Standards, Procedures, Baselines, Guidelines
• These enforce the security policy principles on every business process and system
![Page 19: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/19.jpg)
19
Standards
• Adoption of common hardware and software mechanisms and products
• Corporate Standard Products, e.g. Desktop, Anti-Virus, Firewall
![Page 20: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/20.jpg)
20
Procedures
•Required Step-by-step Actions
• Corporate Procedures, e.g. Intrusion, Tampering, Material Destruction
![Page 21: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/21.jpg)
21
Baselines
• Establish consistent implementation of security mechanisms
• Platform unique
• Corporate Configuration Baselines, e.g. VPN Setup, IDS Configuration, Password Rules
![Page 22: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/22.jpg)
22
Guidelines
• Recommendations for security product implementations, procurement and planning, etc.
• Examples of guideline sources: TCSEC, ISO 27001, SOX, HIPAA, ITIL
![Page 23: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/23.jpg)
23
Levels of Security Planning
• Three levels of Security Planning
• Strategic Planning
• Tactical Level Planning
• Operational Planning
• These plans must be integrated
• Seamless transition between levels
![Page 24: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/24.jpg)
24
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
![Page 25: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/25.jpg)
25
Organizational Roles and Responsibilities
• Everyone has a role and responsibility
• Specific security functions must be assigned
![Page 26: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/26.jpg)
26
Specific Roles and Responsibilities
• Executive Management
• Information Systems Security Professionals
• Owners
• Custodians
![Page 27: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/27.jpg)
27
Organizational Roles and Responsibilities
• Information Systems Auditor
• Users
• IS/IT Function
![Page 28: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/28.jpg)
28
Personnel Security: Hiring of New Staff
• Background Checks/Security Clearances
• Follow-up on References and Educational Records
• Sign Employment Agreements
![Page 29: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/29.jpg)
29
Personnel Security
• Low Level Checks
• Consult the Human Resources (H.R.) department
• Termination Procedures
![Page 30: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/30.jpg)
30
Third Party Considerations
• Vendors/Suppliers
• Contractors
• Temporary Employees
• Customers
![Page 31: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/31.jpg)
31
Personnel Good Practices
• Job Descriptions and Defined Roles and Responsibilities
• Least Privilege / Need to Know
• Separation of Duties
• Job Rotation
• Mandatory Vacations
![Page 32: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/32.jpg)
32
Security Awareness, Training, and Education
• Awareness Training
• Job Training
• Professional Education
![Page 33: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/33.jpg)
33
Good Training Practices
• Address the audience
• Management
• Data Owner and Custodian
• Operations Personnel
• User
• Support Personnel
![Page 34: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/34.jpg)
34
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
![Page 35: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/35.jpg)
35
Definition of Risk from NIST SP 800-30
• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization
![Page 36: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/36.jpg)
36
Risk Management Concept Flow
![Page 37: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/37.jpg)
37
Risk Management Definitions
• Asset
• Threat
• Threat Agent
• Exposure
![Page 38: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/38.jpg)
38
Risk Management Terms
• Vulnerability
• Attack
• Countermeasures and Safeguards
• Risk
• Residual Risk
![Page 39: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/39.jpg)
39
Risk Management
• The purpose of Risk Management is to identify potential problems
• Before they occur
• So that risk-handling activities may be planned and invoked as needed
• Across the life of the product or project
![Page 40: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/40.jpg)
40
Risk Assessment
The Risk Equation
Risk Management
• Risk Assessment
•Identification of risks
•Evaluation of risks
•Risk Impact
•Recommendation of risk-reducing measures
• Risk Mitigation
•Risk Avoidance
•Risk Mitigation
•Risk Acceptance
•Risk Transference
• Evaluation & Assurance
•Evaluation of risks
•Ongoing risk assessment
•Periodic evaluation
•Regulatory compliance
![Page 41: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/41.jpg)
41
Risk Factors
• Threats
• Assets
• Vulnerabilities
![Page 42: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/42.jpg)
42
Risk Factors
• Threats
• Assets
• Countermeasures
![Page 43: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/43.jpg)
43
Risk Management
• Risk Management identifies and reduces Total Risks (Threats, Vulnerabilities, & Asset Value)
• Mitigating controls: Safeguards & Countermeasures reduce risk
• Residual Risk should be set to an acceptable level
![Page 44: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/44.jpg)
44
Purpose of Risk Analysis
• Identifies and justifies risk mitigation efforts
• Describes current security posture
• Conducted based on risk to the organization’s objectives/mission
![Page 45: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/45.jpg)
45
Benefits of Risk Analysis
• Focuses policy and resources
• Identifies areas with specific risk requirements
• Part of good IT Governance
• Supports
• Business continuity process
• Insurance and liability decisions
• Legitimizes security awareness programs
![Page 46: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/46.jpg)
46
Emerging Threats Factor
• Risk Assessment must also address emerging threats
• Can come from many different areas
• May be discovered by periodic risk assessments
![Page 47: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/47.jpg)
47
Sources to Identify Threats
• Users
• System Administrators
• Security Officers
• Auditors
• Operations
• Facility Records
• Community and Government Records
• Vendor/Security Provider Alerts
![Page 48: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/48.jpg)
48
Risk Analysis Key Factors
• Obtain senior management support
• Establish the risk assessment team
• Risk Team Members
![Page 49: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/49.jpg)
49
Use of Automated Tools for Risk Management
• Objective is to minimize manual effort
• Can be time consuming to setup
• Perform calculations quickly
![Page 50: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/50.jpg)
50
Preliminary Security Evaluation
• Identify vulnerabilities
• Review existing security measures
• Document findings
• Obtain management review and approval
![Page 51: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/51.jpg)
51
Risk Analysis Types
• Two types of Risk Analysis
• Quantitative Risk Analysis
• Qualitative Risk Analysis
• Both provide unique capabilities
• Both are often required to get a full picture
![Page 52: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/52.jpg)
52
Quantitative Risk Analysis
• Assigns independent, objective numeric (monetary) values to the risk components
• Fully quantitative if all elements of the risk analysis are quantified
• Difficult to achieve
• Requires substantial time and personnel resources
RISK = MONEY
![Page 53: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/53.jpg)
53
Quantitative Analysis Steps
• Three primary steps
1. Estimate potential losses
2. Conduct a threat analysis
3. Determine annual loss expectancy
![Page 54: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/54.jpg)
54
Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize cost and value in the real world
![Page 55: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/55.jpg)
55
Quantitative Risk Analysis - Step One
1. Estimate potential losses
SLE – Single Loss Expectancy
• SLE = Asset Value ($) X Exposure Factor (%)
• Exposure Factor is percentage of asset loss when threat is successful
• Types of loss to consider
![Page 56: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/56.jpg)
56
Quantitative Risk Analysis - Step Two
2. Conduct threat analysis
ARO - Annual Rate of Occurrence
• Number of exposures or incidents that could be expected per year
• Likelihood of an unwanted event happening
![Page 57: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/57.jpg)
57
Quantitative Risk Analysis - Step Three
3. Determine Annual Loss Expectancy (ALE)
• Combine potential loss and rate/year
• Magnitude of risk = Annual Loss Expectancy
• Purpose of ALE
• Justify security countermeasures
ALE = SLE * ARO
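Worked example of the three quantitative steps, added here and not part of the slides: it computes SLE and ALE for a constructed scenario and then goes one step further than the slides by applying the standard countermeasure cost/benefit rule (annual value of a control = ALE before - ALE after - annual cost of the control), which the slides only name as the purpose of ALE. The asset value, exposure factor, ARO and the two controls are constructed figures, not from the deck.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and countermeasure cost/benefit."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step one: SLE = Asset Value ($) x Exposure Factor.

    The exposure factor is the fraction of the asset lost when the threat
    succeeds, so it must lie in [0, 1]; a value such as 25 (meaning 25%)
    would silently inflate the SLE, hence the check.
    """
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step three: ALE = SLE x ARO. ARO may be fractional (0.1 = once per ten years)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence must be non-negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Countermeasure:
    """A control and the residual EF/ARO expected once it is in place."""
    name: str
    annual_cost: float
    exposure_factor_after: float
    aro_after: float


def countermeasure_value(asset_value: float, exposure_factor: float,
                         aro: float, control: Countermeasure) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.

    Standard cost/benefit rule (assumed here; the slides only state that ALE
    justifies countermeasures). A negative value means the control costs more
    per year than the loss it prevents.
    """
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_after),
        control.aro_after)
    return round(ale_before - ale_after - control.annual_cost, 2)


def justified_controls(asset_value: float, exposure_factor: float, aro: float,
                       controls: list[Countermeasure]) -> list[tuple[str, float]]:
    """Return (name, annual value) for controls with positive value, best first."""
    scored = [(c.name, countermeasure_value(asset_value, exposure_factor, aro, c))
              for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed scenario (not from the slides): a file server valued at $500,000,
# threat = water damage to the server room, EF 25%, ARO 0.1 (once in ten years).
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.25
ARO = 0.1

CONTROLS = [
    # cuts the damage per event to 5% of the asset; the event rate is unchanged
    Countermeasure("water sensors + raised floor", 3_000.0, 0.05, 0.1),
    # removes the threat entirely, but at a high recurring cost
    Countermeasure("relocate to dry site", 15_000.0, 0.0, 0.0),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)   # 125000.0
    ale = annual_loss_expectancy(sle, ARO)                       # 12500.0
    print(f"SLE = ${sle:,.2f}  ALE = ${ale:,.2f}")
    for c in CONTROLS:
        value = countermeasure_value(ASSET_VALUE, EXPOSURE_FACTOR, ARO, c)
        print(f"{c.name}: annual value ${value:,.2f}")
    print("justified:", justified_controls(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CONTROLS))
```

The second control shows the slide's point that cost must be justified by the potential loss: eliminating a $12,500 ALE for $15,000 a year has negative value, so it is not selected.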
![Page 58: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/58.jpg)
58
Qualitative Risk Analysis - Second Type
• Scenario Oriented
• Does not attempt to assign absolute numeric values to risk components
• Purely qualitative risk analysis is possible
![Page 59: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/59.jpg)
59
Qualitative Risk Analysis Critical Factors
• Rank seriousness of threats and sensitivity of assets
• Perform a carefully reasoned risk assessment
![Page 60: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/60.jpg)
60
Risk Levels (AS/NZ 4360 Standard)
Rows are likelihood (A to E); columns are consequence (1 to 5).

Likelihood \ Consequence   1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
A (almost certain)         H                 H         E            E         E
B (likely)                 M                 H         H            E         E
C (possible)               L                 M         H            E         E
D (unlikely)               L                 L         M            H         E
E (rare)                   L                 L         M            H         H

E Extreme Risk: Immediate action required to mitigate the risk or decide to not proceed
H High Risk: Action should be taken to compensate for the risk
M Moderate Risk: Action should be taken to monitor the risk
L Low Risk: Routine acceptance of the risk
![Page 61: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/61.jpg)
61
Other Risk Analysis Methods
• Failure Modes and Effects Analysis
• Examine potential failures of each part or module
• Examine effects of failure at three levels
• Fault Tree Analysis
• Sometimes called ‘spanning tree analysis’
• Create a “tree” of all possible threats to, or faults of the system
![Page 62: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/62.jpg)
62
Risk Mitigation Options
•Risk Acceptance
•Risk Reduction
•Risk Transference
•Risk Avoidance
![Page 63: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/63.jpg)
63
The Right Amount of Security
• Cost/Benefit Analysis - balance between the cost to protect and asset value
• Security is a Balancing Act! (Cost vs. Value)
![Page 64: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/64.jpg)
64
Countermeasure Selection Principles
• Based on a cost/benefit analysis
• Cost must be justified by the potential loss
• Accountability
• Absence of Design Secrecy
• Audit Capability
![Page 65: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/65.jpg)
65
Countermeasure Selection Principles
• Vendor Trustworthiness
• Independence of Control and Subject
• Universal Application
• Compartmentalization and Defense in Depth
• Isolation, Economy, and Least Common Mechanism
![Page 66: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/66.jpg)
66
Countermeasure Selection Principles
• Acceptance and Tolerance by Personnel
• Minimum Human Intervention
• Sustainability
![Page 67: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/67.jpg)
67
Countermeasure Selection Principles
• Reaction and Recovery
• Override and Fail-safe Defaults
• Residuals and Reset
![Page 68: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/68.jpg)
68
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
![Page 69: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/69.jpg)
69
Ethical Responsibilities
• CISSPs “set the example”
• CISSPs encourage adoption of ethical guidelines and standards
• CISSPs inform users through security awareness training
![Page 70: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/70.jpg)
70
Basis and Origin of Ethics
• Religion
• Law
• National Interest
• Individual Rights
• Common good/interest
• Enlightened self interest
• Professional ethics/practices
• Standards of good practice
• Tradition/culture
![Page 71: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/71.jpg)
71
Formal Ethical Theories
• Teleology
• Ethics in terms of goals, purposes, or ends
• Deontology
• Ethical behavior is a duty
![Page 72: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/72.jpg)
72
Common Ethical Fallacies
• Computers are a game
• Law-abiding Citizen
• Shatterproof
• Candy-from-a-baby
• Hackers
• Free Information
![Page 73: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/73.jpg)
73
Codes of Ethics
• Relevant Professional Codes of Ethics include:
• (ISC)2 and other professional codes of ethics
• Internet Activities Board (IAB)
• Auditors
• Professional codes may have legal importance
![Page 74: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/74.jpg)
74
(ISC)2 Code of Ethics Preamble
• “Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior”
• “Therefore, strict adherence to this code is a condition of certification”
![Page 75: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/75.jpg)
75
(ISC)2 Code of Ethics Canons
• “Protect society, the commonwealth, and the infrastructure”
• “Act honorably, honestly, justly, responsibly, and legally”
• “Provide diligent and competent service to principals”
• “Advance and protect the profession”
![Page 76: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/76.jpg)
76
RFC 1087
• Ethics and the Internet
• Access and use of the Internet is a PRIVILEGE and should be treated as such by all users
![Page 77: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/77.jpg)
77
Internet Activities Board (IAB)
• Any activity is unethical & unacceptable that purposely:
• Seeks to gain unauthorized access to Internet resources
• Disrupts the intended use of the Internet
• Wastes resources (people, capacity, computer) through such actions
![Page 78: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/78.jpg)
78
Internet Activities Board (IAB)
• Destroys the integrity of computer-based information
• Compromises the privacy of users
• Involves negligence in the conduct of Internet-wide experiments
![Page 79: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/79.jpg)
79
Ethical Environments
• Ethics are difficult to define
• Begin with senior management
![Page 80: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/80.jpg)
80
Domain Summary
• This domain sets the foundation for a respected and solid Information Security Management Program:
• Policies, Procedures, Baselines, Guidelines
• Roles and Responsibilities
• Risk Management
• Ethics
![Page 81: Information Security Governance and Risk Management](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56649e9d5503460f94b9f095/html5/thumbnails/81.jpg)
“Security Transcends Technology”