ch02 CYB104

Information Security Governance and Compliance
Chapter 2

1
Learning Outcomes
1. Establish and/or maintain an information security governance framework.
2. Integrate information security governance into corporate governance.
3. Establish and maintain information security policies to guide the development of standards, procedures, and guidelines.
4. Develop business cases to support investments in information security.
5. Establish, communicate, and maintain organizational information security policies, standards, guidelines, procedures, and other documentation.
6. Identify legal, regulatory, organizational, and other applicable compliance requirements.

2
This Chapter Covers:
• Governance
• Policy Documents
• Complying with Laws and Regulations
• Security Control Verification and Quality Control

3
Governance

Governance programs are the sets of procedures and controls put in place to allow an organization to effectively direct its work

Implementation of a GRC program

Information Security Governance

GRC: governance, risk, and compliance

4

Corporate Governance

5
Developing Business Cases
• Scope statement – the proposed initiative
• Strategic context
• Cost analysis
• Evaluation of alternatives
• Project plan
• Management plan

6
Third Party Relationships
• Master service agreements (MSA)
  • umbrella contract
• Service-level agreements (SLAs)
  • conditions of service
• Memorandum of understanding (MOU)
  • informal mechanism to avoid future misunderstandings
• Business partnership agreements (BPAs)
  • two organizations agree to do business
• Nondisclosure agreements (NDAs)
  • protect the confidentiality of information

7
Understanding Policy Documents

POLICIES STANDARDS PROCEDURES GUIDELINES

8
Policies

Policies are broad statements of management intent

• A statement of the importance of cybersecurity to the organization
• Requirements that all staff and contractors take measures to protect the confidentiality, integrity, and availability of information and information systems
• Statement on the ownership of information created and/or possessed by the organization
• Designation of the CISO or other individual as the executive responsible for cybersecurity issues
• Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy

9
Centers for Medicare & Medicaid Services (CMS) Roles and Responsibilities Chart

10
Standards
Standards provide mandatory requirements describing how an organization will carry out its information security policies

Excerpt from UC Berkeley Minimum Security Standards for Electronic Information

11
Procedures
Procedures are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances
• Monitoring procedures
  • how the organization will perform security monitoring activities
• Evidence production procedures
  • how the organization will respond to court orders and other legitimate requests
• Patching procedures
  • frequency and process of applying patches

12
Guidelines

Guidelines provide best practices and recommendations related to a given concept, technology, or task

Compliance with guidelines is not mandatory

Guidelines are offered in the spirit of providing helpful advice

13
Exceptions and Compensating Controls
• Mechanism for exceptions to rules
• Compensating controls
  • mitigate the risk associated with exceptions to security standards
  • find alternative means to achieve an objective when the organization cannot meet the original control requirement
  • address a temporary exception to a security requirement

14
Developing Policies

• Obtain input from all relevant stakeholders
• Follow the chain of command
• Accommodate the organizational culture
• Meet internal and external requirements

15
Complying with Laws and Regulations

Potential adverse incidents can impact individuals, government, and society

Some of the major information security regulations facing organizations:

• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• Gramm–Leach–Bliley Act (GLBA)
• Sarbanes–Oxley (SOX)
• General Data Protection Regulation (GDPR)
• Family Educational Rights and Privacy Act (FERPA)
• Various data breach notification laws

16
Adopting Standard Frameworks

• COBIT
• NIST Cybersecurity Framework
• NIST Risk Management Framework
• ISO Standards
• Benchmarks and Secure Configuration Guides

17
Control Objectives for Information Technology (COBIT)
• Six principles for a governance system:
  • Satisfy stakeholder needs and generate value
  • Enterprise information and technology is built from many components that work together
  • Dynamic
  • Distinguish between governance and management activities and structures
  • Tailored to the enterprise’s needs
  • Cover the enterprise end-to-end

18
COBIT IT Governance
• Three principles for IT governance
  • Based upon a conceptual model
  • Open and flexible
  • Align to relevant major related standards, frameworks, and regulations
• Five domains
  • Evaluate, Direct, and Monitor (EDM)
  • Align, Plan, and Organize (APO)
  • Build, Acquire, and Implement (BAI)
  • Deliver, Service, and Support (DSS)
  • Monitor, Evaluate, and Assess (MEA)
19
NIST Cybersecurity Framework
• Cybersecurity Framework (CSF) designed to assist organizations attempting to meet one or more of the following five objectives:
  • Describe their current cybersecurity posture
  • Describe their target state for cybersecurity
  • Identify and prioritize opportunities for improvement
  • Assess progress toward the target state
  • Communicate among internal and external stakeholders about cybersecurity risk
• Framework Core
• Framework Implementation
• Framework Profiles

NIST: National Institute of Standards and Technology

20
NIST Cybersecurity Framework Core Structure

https://www.givainc.com/blog/index.cfm/2019/7/24/5-key-changes-made-to-the-nist-cybersecurity-framework-v11

21
Cybersecurity Framework: Asset Management

22
NIST Cybersecurity Framework Implementation

23
NIST Risk Management Framework

24
International Organization for Standardization
(ISO) Standards
ISO publishes a series of standards that offer best practices for cybersecurity and privacy

ISO 27001: includes control objectives covering 14 categories

ISO 27002: describes the actual controls that an organization may implement to meet cybersecurity objectives

ISO 27004: helps organizations implement a consistent process for monitoring, measurement, analysis, and evaluation

ISO 27701: guidance for managing privacy controls

ISO 31000: guidelines for risk management programs

25
Benchmarks and Secure Configuration Guides
Center for Internet Security (CIS): an organization that publishes benchmarks for commonly used platforms

26
Security Control Verification and Quality Control

• Service organization controls (SOC) assessment:
  • SOC 1: assess controls that might impact the accuracy of financial reporting
  • SOC 2: assess controls that affect the security and privacy of information stored in a system
  • SOC 3: assess controls that affect the security and privacy of information stored in a system, but the results are intended for public disclosure
  • Type 1 report: provides the auditor’s opinion on the description and the suitability of the design
  • Type 2 report: provides the auditor’s opinion on the operating effectiveness of the controls

27
Summary

• Information security governance programs ensure that the function achieves its objectives.
• Policies form the basis of every strong information security program.
• Security frameworks, such as COBIT, the NIST Cybersecurity Framework, and ISO 27001, provide a common structure for security programs.
• Organizations should implement and test security controls.

28
Reference
CISM Certified Information Security Manager Study Guide by Mike Chapple

29