Information Security Governance and Risk
Chapter 2Part 3
Pages 100 to 141
Security Documents
• Policies
• Procedures
• Standards
• Guidelines
• Baselines
Security Policy
• General statement produced by senior management
• Needs to be technology and solution independent.
• Written in broad terms.
• Outlines goals, not specific ways of accomplishing them.
Organizational Security Policy
• Addresses laws, regulations and liability issues
• Describes scope and the level of risk management is willing to accept
• Business objectives should drive policy
• Easily understood by employees
• Process for dealing with those who do not comply
Issue-Specific Policies
• Email usage
• Employees should confirm they have read and understand the policy
Issue-Specific Policies
• Acceptable use policy
• Data protection policy
• Business continuity policy
• See pages 103-4
System-Specific Policies
• Specific to actual computers, networks, applications
• How a database containing sensitive information should be protected and who can have access.
Standards
• Mandatory actions or rules
• Specific products to be used
• “Employees are required to wear identification badges at all times”
• “Confidential information must be protected with AES-256 at rest and in transit”
Baselines
• When risks have been mitigated and security put into place, a baseline is agreed upon.
• Reference point to compare against when new software is installed or when changes are made
• Are we still providing the baseline protection?
Guidelines
• Suggested and best practices
Procedures
• Detailed step-by-step tasks that should be followed
• How policies, standards, and guidelines will be implemented in an operating environment
• Set up a new user account
Implementation
• Policies, standards, procedures and baselines are often written for auditors
• Awareness training
• Companies that do not do awareness training can be held liable in the eyes of the law.
• It must be clear that management staff support these policies
Information Classification
• Table 2-11 on pages 110-111
Information Classification
• Assign value to different kinds of information
• After identifying all important information, it should be properly classified.
• Determine how to allocate funds to protect information in a cost-effective manner
• Each classification should have separate handling requirements and procedures for how that data is accessed, used and destroyed.
Data Classification Procedures
• Page 114
Board of Directors
• Goal – Shareholders’ interests are protected and the corporation is run properly
• 2002 scandals – Enron
• U.S. Government & SEC
– Sarbanes-Oxley Act (SOX)
– Board of Directors can be held personally responsible (fined or jailed) for fraud
Executive Management
• CEO
– Day-to-day management
• CFO
– Corporate financial activities
• 2002 Financial Scandal
– SEC makes them personally responsible.
– Can be fined or go to jail.
Executive Management
• CIO
– Strategic use and management of information systems
• Chief Privacy Officer
– Customer, company, and employee data is kept safe
– Usually an attorney who understands privacy, legal and regulatory requirements.
Privacy
• Amount of control an individual should have over their sensitive information.
• Personally identifiable information (PII)
– Identity theft and financial fraud
Executive Management
• Chief Security Officer (CSO)
– Understands the risks the company faces and mitigates these risks to an acceptable level
– Understands business drivers and creates and maintains a program that facilitates these drivers
– Security compliance with regulations
Data Owner
• Usually in charge of a business unit
• Responsible for protection and use of a specific subset of information
• Classifies this data
• Ensures security controls are in place, backup requirements are met, and access rights are proper
Data Custodian
• Responsible for maintaining and protecting the data
User
• Must have the necessary level of access to the data to perform the duties
• Is responsible for following security procedures
Personnel Security
• In security, people are often the weakest link.
• Accidentally, through mistakes or lack of training
• Intentionally, through fraud and malicious intent
Preventative Measures
• Separation of duties
– No one individual can complete a critical task by herself
– Example: Supervisor’s written approval
– Destruction or fraud then requires collusion
Preventative Measures
• Rotation of duties
– No person should stay in one position for a long time
• Mandatory vacations
– While someone is on vacation, fill-ins can usually detect fraud
• Key Terms – page 127
Hiring Practices
• Nondisclosure agreements signed by new employees
• References checked
• Education verified
• Detailed background check
Termination
• Employee escorted out of facility
• Surrender identification badges and keys
• Exit interview
• User’s accounts disabled immediately
• Too many companies have been hurt by vengeful or disgruntled employees
Security-Awareness Training
• Communicate security to employees
• Supported by senior management
• Management must allocate resources for training
• Training must be simple to understand
• Acceptable behaviors
• Noncompliance repercussions
• During hiring and annually thereafter
Security Governance
• Table 2-13 Company A on page 133
Metrics
• “You can’t manage something that you can’t measure.”
• Quantifiable, performance-based data
• Continuously gathered and compared so that improvements or drops in performance can be identified
• ISO/IEC 27004 tells how to measure a security program
Quick Tips
• Pages 138 to 141