Governance and Risk Management

“If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do” (Marcus J. Ranum).

Good policies prevent failures that stem from organizational weaknesses and eliminate errors caused by a lack of security guidance.

A good policy should contain the following information:

  • Title
  • Purpose
  • Author/sponsor
  • Reference to other policies
  • Scope
  • Measurement of expectations
  • Exceptions process
  • Accountability
  • Compliance management and measurement description
  • Effective/expiration date
  • Definitions

4 Types of Policies:

  • Program-level policy: The highest level. Describes the need for information security; it is the mission statement for the IT security program.
    • Purpose: clearly states the purpose of the program and its goals (confidentiality, integrity, availability).
    • Scope: which resources, facilities, hardware, software, etc. are covered.
    • Responsibilities: the roles of management, application owners, data owners, users, service providers, etc.
    • Compliance: penalties and disciplinary actions for administrators or users who violate the policy.
  • Program-framework policy: A framework policy adds detail to the program by describing the elements and organization of the program and department that will carry out the security mission.
    • Business continuity planning (BCP) framework
    • Physical security requirements framework for data centers
    • Application development security framework
  • Issue-specific policy: Addresses a specific issue facing the organization, often driven by a regulation such as PCI DSS, SOX or GLBA.
    • Usually issued by the CIO or CISO; typical subjects are Internet access, e-mail and VPN access.
    • Applicability clearly states where, how, when, to whom, and to what the policy applies.
    • Roles and responsibilities assign ownership of the issue to specific roles.
    • Compliance describes the infractions and states the corresponding penalties.
    • Points of contact and supplementary information list the administrators, managers and engineers to contact in different situations.
    • Examples: e-mail acceptable use, Internet acceptable use, laptop security policy, wireless security policy.
  • System-specific policy: Applies to one specific system (lab systems, manufacturing systems, etc.).
    • States the security objectives of that system and how it is to be operated, answering questions such as:
      • Who is allowed to read or modify data in the system?
      • Under what conditions can data be read or modified?
      • Are users allowed to connect to the system from home or on the road?

Developing and managing policy means deriving security rules from security goals:

  • Security objectives: analyze the confidentiality, integrity and availability requirements of the system
  • Operational security: list the rules for operating the system (who is allowed to do what, and to which data?)
  • Policy implementation: how the policy is enforced, through security mechanisms and access control

Policy Support Documents:

  • Regulations: Laws and rules imposed by lawmakers and regulators
  • Standards and baselines: Topic-specific (standards) and system-specific (baselines) documents that describe overall requirements for security
  • Guidelines: Documentation that aids compliance with a standard: considerations, hints, tips and best practices for implementation
  • Procedures: Step-by-step instructions on how to perform a specific security activity (configure a firewall, install an operating system, and others)

Standards Taxonomy:

  • Asset and data classification: Determines how much security an asset needs, based on its confidentiality, integrity and availability requirements and its value to the company; classifying assets also improves the quality of protection decisions. Example classes: Public | Business sensitive | Customer confidential | Trade secret
  • Separation of duties: Limits an individual’s ability to cause harm. Examples: separating development, testing and deployment; separating security management from day-to-day operations; splitting control of encryption keys among several people.
  • Pre-employment hiring practices: Background checks before hiring, and a defined termination process when employment ends.
  • Risk analysis and management:
    • Annualized loss expectancy (ALE) = Single loss expectancy (SLE) multiplied by an annualized rate of occurrence (ARO)
    • Probability: Chance or likelihood.
    • Threat: An event whose occurrence could have an undesired impact. Things that can go wrong or that can “attack” the system. Examples include fire or fraud.
    • Control: Risk-reducing measure that acts to detect, prevent, or minimize loss.
      • Deterrent controls reduce the likelihood of an attack
      • Preventive controls block the exploitation of vulnerabilities before an attack succeeds
      • Corrective controls reduce the effect of an attack
      • Detective controls discover attacks and trigger prevention or correction
      • Recovery controls restore lost computer resources
    • Vulnerability: The absence or weakness of a risk-reducing safeguard. Vulnerabilities make a system more prone to attack.
  • Education, awareness and training: People are the weakest link in any security program, so they need security training; a learning management system (LMS) tracks each employee’s training progress.

Everyone who uses IT is responsible for maintaining security:

  • CISO: maintains the security and risk management program
  • Information resources manager: maintains policies and procedures; directs policy, identifies vulnerabilities and develops security awareness
  • Owners of information resources: the managers responsible for the business function the resource supports
  • Custodians of information resources: the service providers responsible for implementing and supporting the owners’ security requirements
  • Technical managers (network and system administrators): provide technical support for the security of information resources
  • Internal auditors: conduct periodic risk-based reviews of information security policies and procedures
  • Users: access information resources in accordance with the access rules set by the owner