Info Security S2 2023 Week 3 Slides

BISM3205: Business Information Security

Week 03: Planning for Security (Ch. 4)

Semester 2, 2023
Introduction: learning outcomes
Our learning outcomes from this week’s material:
– Define management’s role in the development, maintenance, and enforcement of
information security policy, standards, practices, procedures, and guidelines.
– Discuss what an information security blueprint is, identify its major components, and
explain how it supports the information security program.
– Discuss two security governance frameworks (in preparation for the risk management
module).

2
Overview – 2 major steps – vitally important!
1. POLICIES: Creation of an information security program begins with creation and/or review of
an organization’s information security policies, standards, and practices.

2. ARCHITECTURE/BLUEPRINT: Then, selection or creation of an information security
architecture and the development and use of a detailed information security blueprint
creates a plan for future success.

• Without policy, blueprints, and planning, an organization is unable to meet the information
security needs of its various communities of interest

3
Information Security Planning and Governance
Planning levels: overall strategic plan -> strategic plans for each major division or
operation -> translation of these plans into operational objectives/directions (day-to-day
performance)

Information Security Governance (IT Governance Institute)
• Set of responsibilities and practices exercised by the board and executive management
• Goal to provide strategic direction, ensuring that objectives are achieved.
• Ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.

Image: NIST SP 800-100, Information Security Handbook
4


Five goals of information security governance
• Strategic alignment of IS Sec. with business strategy
• Risk management – manage and mitigate risks
• Resource management – using IS Sec knowledge and infrastructure effectively
• Performance measurement
• Value delivery by optimizing IS Sec. investments (adding value)

IT Governance Institute, Information Security Governance Guidance for Boards of Directors and Executive Management.
5
Security governance components (explained in detail on next slides)
1. Strategic planning
2. Organizational structure
3. Establishment of roles and responsibilities
4. Integration with the enterprise architecture
5. Documentation of security objectives in policies and guidance

NIST SP 800-100 6
1. Strategic planning
Enterprise strategic planning
• Defining long-term goals for the organization
• Development of strategic plan to achieve those goals
IT strategic planning
• Alignment of IT management and operation with enterprise
strategic planning
• IT management guided by strategic planning to meet
challenges (e.g., new technologies introducing new risks)
Security strategic planning
• Alignment of security management and operation with both
• IT’s delivery of value to organization includes risk mitigation

REMEMBER: security is a concern at all levels of an organization’s governance and decision-making
processes, and security strategic planning is an essential component of strategic planning.
https://www.informit.com/articles/article.aspx?p=2931571&seqNum=3
7
Example: elements of a strategic plan document

Definition
- Mission, vision, and objectives: Defines the strategy for aligning the information security program with organizational goals and objectives, including the role of individual security projects in enabling specific strategic initiatives.
- Priorities: Describes factors that determine strategy and the priorities of objectives.
- Success criteria: Defines success criteria for the information security program. Includes risk management, resilience, and protection against adverse business impacts.
- Integration: Strategy for integrating the security program with the organization’s business and IT strategy.
- Threat defense: Describes how the security program will help the organization defend against security threats.

Execution
- Operations plan: An annual plan to achieve agreed objectives that involves agreeing on budgets, resources, tools, policies, and initiatives. This plan (a) can be used for monitoring progress and communicating with stakeholders and (b) ensures that information security is included from the outset in each relevant project.
- Monitoring plan: This plan involves planning and maintaining a stakeholder feedback loop, measuring progress against objectives, and ensuring that strategic objectives remain valid and in line with business needs.
- Adjustment plan: This plan involves ensuring that strategic objectives remain valid and in line with business needs as well as procedures to communicate the value.

Review
- Review plan: This plan describes procedures and individuals/committees involved in regular review of the information security strategy.

8
2. Organizational Structure

ITU X.1054
9
3. Establishment of roles and responsibilities
• The responsibility for information security should also be placed at the manager
level that is responsible for the business process.
• The responsibility for information security should not be placed at the ICT
department, as they typically do not know all characteristics of the business
processes!
• The ‘security officer’ is not responsible for information security but for making sure
that others take their responsibility.

Source: Corporate Governance Task Force Report, “Information Security
Governance: A Call to Action,” April 2004, National Cyber Security Task Force.
10
4. Integration with the enterprise architecture:
Information security policies, standards, and practices
• Communities of interest must consider policies as the basis for all information security efforts
• Policies direct how issues should be addressed and technologies used
• Policies should never contradict law
• Security policies are the least expensive controls to execute but most difficult to implement properly
• Shaping policy is difficult

• Policy: course of action used by organization to convey instructions from management to
those who perform duties
• Standards: more detailed statements of what must be done to comply with policy
• Practices, procedures, and guidelines effectively explain how to comply with policy
• For a policy to be effective, it must be properly disseminated, read, understood, and agreed to by
all members of organization and uniformly enforced.

11
Information security policies, standards, guidelines and procedures

12
Information security policies, standards, and practices (examples)

• Policy: Employees must use strong passwords on their accounts. Passwords must be changed
regularly and protected against disclosure

• Standard: (Provides specifics to help employees comply with policy) Password length – must
include at least 1 lowercase, 1 upper case, one numerical digit, one special character – not written
down – changed every 90 days – not held on insecure media.

• Practice: US‐CERT recommends: 15 characters for admin accounts; use alphanumeric passwords
and symbols; cannot reuse previous passwords; no personal information; minimum password
length of 8 characters for standard users; ‐ and more

• Guidelines (provide examples/recommendations): In order to create strong yet easy‐to‐remember
passwords (NIST SP 800‐118): Mnemonic Method; altered passphrases
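As an added example (not from the slides), here is how the password standard and practice stated above translate into a technical specification a system could actually enforce: the four character classes, the US‐CERT minimum lengths by account type, the no‐reuse and no‐personal‐information rules, and the 90‐day change interval. The account types, the sample passwords and the `fingerprint` helper are assumptions made for the demonstration.

```python
import hashlib
import re
from datetime import date
from typing import Iterable, List

# Standard (slide): the password must contain each of these character classes.
COMPLEXITY = {
    "a lowercase letter": re.compile(r"[a-z]"),
    "an uppercase letter": re.compile(r"[A-Z]"),
    "a digit": re.compile(r"[0-9]"),
    "a special character": re.compile(r"[^A-Za-z0-9]"),
}
MAX_AGE_DAYS = 90                           # standard: changed every 90 days
MIN_LENGTH = {"standard": 8, "admin": 15}   # practice: the US-CERT figures quoted on the slide


def fingerprint(password: str) -> str:
    """Digest kept in the reuse history (assumed format). Used for comparison only;
    a credential store itself would use a slow, salted password hash, not plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(candidate: str, account_type: str,
                        history: Iterable[str], personal_terms: Iterable[str]) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it complies."""
    problems: List[str] = []
    minimum = MIN_LENGTH[account_type]
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters ({account_type} account)")
    for description, pattern in COMPLEXITY.items():
        if not pattern.search(candidate):
            problems.append(f"missing {description}")
    if fingerprint(candidate) in set(history):      # practice: cannot reuse previous passwords
        problems.append("reuses a previous password")
    lowered = candidate.lower()
    for term in personal_terms:                     # practice: no personal information
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information ({term})")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Standard: a password older than MAX_AGE_DAYS must be changed."""
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(password_violations("Tr0ub4dor&3x", "standard", [], ["alice"]))   # []
    print(password_violations("alice2023!", "standard", [], ["Alice"]))
    print(password_expired(date(2023, 5, 1), date(2023, 8, 1)))             # True
```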

13
5. Documentation of security objectives in policies and guidance
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for all security efforts within the organization
• Executive-level document, usually drafted by or with CIO of the organization
• Typically addresses compliance in two areas:
– Ensure meeting requirements to establish program and responsibilities assigned therein to various
organizational components
– Use of specified penalties and disciplinary action for non-compliance

• EISP elements:
– An overview of the corporate philosophy on security
– Information on the structure of the information security organization and individuals who fulfill the
information security role
– Fully articulated responsibilities for security that are shared by all members of the organization
(employees, contractors, consultants, partners, and visitors)
– Fully articulated responsibilities for security that are unique to each role within the organization

14
Components of the Enterprise Information Security Policy
Just an overview!

15
Example UQ
Enterprise ISP

https://ppl.app.uq.edu.au/content/6.30.01-cyber-security-policy
16
Issue-Specific Security Policy (ISSP) (1/2)
• Addresses specific areas of technology (e.g., e‐mail, Internet use, anti‐malware configuration of
computers)
• Requires frequent updates
• Contains statement on organization’s position on specific issue

Three approaches when creating and managing ISSPs:
• Create a number of independent ISSP documents
• Create a single comprehensive ISSP document
• Create a modular ISSP document

17
Issue-Specific Security Policy (ISSP) (2/2)
Components of an Acceptable Use policy
• Statement of Purpose (scope, technology addressed, responsibilities)
• Authorized Access and Usage of Equipment (user access, fair/responsible use)
• Prohibited Use of Equipment (misuse, criminal, copyright, etc)
• Systems Management (e.g. monitoring of employees – virus protection)
• Violations of Policy (procedures for reporting violations, penalties)
• Policy Review and Modification
• Limitations of Liability (cannot protect employees – may assist in prosecution)

Week 3 Q&A file has more detailed descriptions

18
Example UQ
Acceptable Use Policy at UQ

https://ppl.app.uq.edu.au/content/6.20.06-acceptable-use-uq-ict-resources
19
Systems-Specific Security Policy (SysSP)
• SysSPs frequently function as standards and procedures used when configuring or maintaining
systems

• Systems‐specific policies fall into two groups
- Managerial guidance (most often lead to ‘technical specs’)
- Technical specifications

• Example (Access Control Lists or ACLs)
- ACLs can restrict access for a particular user, computer, time, duration, even a particular file
- ACLs focus on the organizational asset. Capability tables focus on users
  - Who can access the system (individual identity or group membership)
  - What authorized users can do (Read, Write, Create, Modify, Delete)
  - When authorized users can access the system
  - Where authorized users can access the system from (local/remote)
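Added example, not from the slides: a small access-check model of the who/what/when/where questions above, with the entries indexed by asset (an ACL) and the same entries re-indexed by subject (a capability table), evaluated with default deny. Asset names, users, groups and the office-hours rule are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple

# The five permissions named on the slide.
ACTIONS = frozenset({"Read", "Write", "Create", "Modify", "Delete"})
ANY_ORIGIN = frozenset({"local", "remote"})

@dataclass(frozen=True)
class Rule:
    """One ACL entry: WHO may do WHAT, WHEN (a daily window) and from WHERE."""
    subject: str                          # a user name, or "group:<name>" for group membership
    actions: FrozenSet[str]               # subset of ACTIONS
    start: time = time(0, 0)              # window start, inclusive
    end: time = time(23, 59, 59)          # window end, inclusive
    origins: FrozenSet[str] = ANY_ORIGIN  # "local", "remote" or both

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    asset: str
    action: str
    at: datetime
    origin: str                           # "local" or "remote"

# An ACL is indexed by the asset it protects ("ACLs focus on the organizational asset").
Acl = Dict[str, List[Rule]]

def rule_matches(rule: Rule, req: Request) -> bool:
    """All four questions must be answered yes for one entry to grant access."""
    if rule.subject.startswith("group:"):
        who_ok = rule.subject[len("group:"):] in req.groups
    else:
        who_ok = rule.subject == req.user
    what_ok = req.action in rule.actions
    when_ok = rule.start <= req.at.time() <= rule.end
    where_ok = req.origin in rule.origins
    return who_ok and what_ok and when_ok and where_ok

def is_permitted(acl: Acl, req: Request) -> bool:
    """Default deny: with no matching entry the request is refused (least privilege)."""
    return any(rule_matches(rule, req) for rule in acl.get(req.asset, []))

def capability_table(acl: Acl) -> Dict[str, List[Tuple[str, Rule]]]:
    """The same entries re-indexed by subject: the capability-table view the slide contrasts with ACLs."""
    caps: Dict[str, List[Tuple[str, Rule]]] = {}
    for asset, rules in acl.items():
        for rule in rules:
            caps.setdefault(rule.subject, []).append((asset, rule))
    return caps

# Constructed sample: hypothetical assets, users and groups.
SAMPLE_ACL: Acl = {
    "payroll.db": [
        # payroll staff: read/modify, office hours only, on-site only
        Rule("group:payroll", frozenset({"Read", "Modify"}), time(8, 0), time(18, 0), frozenset({"local"})),
        # one named administrator: every action, any time, from anywhere
        Rule("alice", ACTIONS),
    ],
    "intranet.wiki": [Rule("group:staff", frozenset({"Read"}))],
}

def demo() -> Dict[str, bool]:
    """Evaluate a few constructed requests against SAMPLE_ACL; each key names the case."""
    office = datetime(2023, 8, 7, 10, 30)
    night = datetime(2023, 8, 7, 22, 0)
    bob = frozenset({"payroll", "staff"})
    return {
        "bob reads payroll on-site in hours": is_permitted(SAMPLE_ACL, Request("bob", bob, "payroll.db", "Read", office, "local")),
        "bob reads payroll remotely": is_permitted(SAMPLE_ACL, Request("bob", bob, "payroll.db", "Read", office, "remote")),
        "bob reads payroll at night": is_permitted(SAMPLE_ACL, Request("bob", bob, "payroll.db", "Read", night, "local")),
        "bob deletes payroll": is_permitted(SAMPLE_ACL, Request("bob", bob, "payroll.db", "Delete", office, "local")),
        "carol (no groups) reads payroll": is_permitted(SAMPLE_ACL, Request("carol", frozenset(), "payroll.db", "Read", office, "local")),
        "alice deletes payroll at night, remotely": is_permitted(SAMPLE_ACL, Request("alice", frozenset(), "payroll.db", "Delete", night, "remote")),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'PERMIT' if allowed else 'DENY'}")
```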

20
Example: Local security policy setting
Windows 10

21
Policy Management
• Policies must be managed as they constantly change
• To remain viable, security policies must have:
– Individual responsible for the policy (policy administrator)
– A schedule of reviews
– Method for making recommendations for reviews
– Specific policy issuance and revision date

Have a look at one of UQ’s policies: can you identify who is responsible? The revision
dates?

22
Who is responsible? The revision dates?

23
Security education, training, and awareness program
• Once general security policies exist, implement a security education, training, and awareness
(SETA) program.

• SETA is a control measure designed to reduce accidental security breaches.

• Security education and training builds on the general knowledge the employees must possess to do
their jobs, familiarizing them with the way to do their jobs securely

• The SETA program consists of: security education; security training; and security awareness

24
Comparative Framework of SETA

Attribute
- Awareness: Seeks to teach members of the organization what security is and what the employee should do in some situations
- Training: Seeks to train members of the organization how they should react and respond when threats are encountered in specified situations
- Education: Seeks to educate members of the organization as to why it has prepared in the way it has and why the organization reacts in the ways it does

Level
- Awareness: Offers basic information about threats and responses
- Training: Offers more detailed knowledge about detecting threats and teaches skills needed for effective reaction
- Education: Offers the background and depth of knowledge to gain insight into how processes are developed and enables ongoing improvement

Objective
- Awareness: Members of the organization can recognize threats and formulate simple responses
- Training: Members of the organization can mount effective responses using learned skills
- Education: Members of the organization can engage in active defense and use understanding of the organization's objectives to make continuous improvement

Teaching methods
- Awareness: media videos, newsletters, posters, informal training
- Training: formal training, workshops, hands-on practice
- Education: theoretical instruction, discussions/seminars, background reading

Assessment
- Awareness: True/false or multiple choice (identify learning)
- Training: Problem solving (apply learning)
- Education: Essay (interpret learning)

Impact time frame
- Awareness: Short-term
- Training: Intermediate
- Education: Long-term

25
The Information Security Blueprint
• After policy/standard development – then develop blueprint (what is a ‘blueprint’ ‐ what
are we talking about here?)
• After risk assessment ‐ why?
• Should specify tasks to be accomplished and the order in which they are to be realized
• Should also serve as scalable, upgradeable, and comprehensive plan for information
security needs for coming years
• We should look to recognized standards to assist!

26
The ISO 27000 Series
1. One of the most widely referenced and often discussed security models
2. ISO27002 provides a common basis for developing organizational security:
- Via a list of 14 control areas, addresses 39 control objectives and more than 110 individual controls
3. ISO27002 is a (long) list of IS controls – experience shows that ‘just’ implementing controls is not
enough – we need very good ‘security management’
4. Therefore, the ISO27002 is complemented with ISO27001, which describes ‘security management’.
- Fundamentally, ISO27001 treats IS security as a continual improvement process, not as the
implementation of a security product.
5. ISO 27001/27002 together function as a framework for information security:
- Organizational security policy is needed to provide management direction and support – its purpose
is to give recommendations for IS security management.

REMEMBER: ISO 27001 provides information on how to implement ISO 27002 and how to set up an
information security management system (ISMS).

27
The ISO 27000 Series (cont‘d)
• Based on the ideas of quality management systems (ISO 9001).
- ISO 9001 has become the most widely used and implemented quality management
system in the world.
• Many such management systems exist, e.g.:
– Information Security management (ISO 27001)
– Digital certificate management (ETSI TS 101 456)
– Environment management (ISO 14001)
– Occupational Health & Safety management (BSI OHSAS 18001)

• As with all management systems, an organization’s ISO 27001 implementation can
be formally certified.

REMEMBER: The key purpose of the ISO 27000 series is to give recommendations for IS management with the
goal of certification.

28
The ISO 27000 Series (cont‘d)
• ISO/IEC 27000 - Information security management systems; overview and vocabulary
• ISO/IEC 27001 - Information technology; security techniques; information security management
systems – 27001 focuses on processes for security!
• ISO/IEC 27002 - Code of practice (controls) for information security management - 27002 focuses on
the controls for security!
• ISO/IEC 27003 - Information security management system implementation guidance
• ISO/IEC 27004 - Information security management; measurement
• ISO/IEC 27005 - Information security risk management
• ISO/IEC 27006—Requirements for bodies providing audit and certification of information security
management systems
• ISO/IEC 27007—Guidelines for information security management systems auditing (focused on the
management system)

… and many more standards for IS security!


29
The ISO 27000 Series (cont‘d)
https://www.iso.org/home.html (is on landing page!)

30
The ISO 27000 Series (cont‘d)
Access from UQ Library: Implementing the ISO/IEC 27001:2013 ISMS Standard

31
The ISO 27001 & 27002 – a framework
• The 27001 & 27002 combine to function as a framework – not as ‘project-based point solutions’.

32
The ISO 27001: PDCA model applied to ISMS processes

33
The ISO 27001: 2013 (more detailed view)

34
The ISO 27001: 2013 – major process steps

This links
with 27002

35
The ISO 27002: 2013 – content (1)

36
Example

37
Variations on ISO2700* for the medical sector (IS)
• There is also an ISO standard (27799) variant on the ISO 27002 for the medical sector: ‘Health
informatics - Information security management in health using ISO/IEC 27002’
(https://www.iso.org/standard/62777.html)

• It applies to health information in all its aspects, whatever form the information takes (words and
numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it
(printing or writing on paper or storage electronically), and whatever means are used to transmit it (by
hand, through fax, over computer networks, or by post), as the information must always be appropriately
protected.

• By implementing ISO 27799:2016, healthcare organizations and other custodians of health
information will be able to ensure a minimum requisite level of security that is appropriate to their
organization's circumstances and that will maintain the confidentiality, integrity and availability of
personal health information in their care.

38
NIST security models
• Documents available from Computer Security Resource Center of NIST (National Institute of
Standards and Technology)
– SP 800‐12, The Computer Security Handbook
– SP 800‐14, Generally Accepted Principles and Practices for Securing IT Systems
– SP 800‐18, The Guide for Developing Security Plans for IT Systems
– SP 800‐26, Security Self‐Assessment Guide for Information Technology Systems
– SP 800‐30 (Revision 1), Risk Management Guide for Information Technology Systems

• All these standards are freely available (in PDF) from www.nist.gov

… and there are many more standards for IS security (https://csrc.nist.gov)!!

39
Design of security architecture
• Spheres of security: foundation of the security framework
Levels of controls
• Management controls cover security processes designed by strategic planners and performed by security
administration
• Operational controls deal with operational functionality of security in organization (personnel/physical security,
education, equipment maintenance)
• Technical controls address technical implementations related to designing and implementing security

40
Design of security architecture (continued)
• Defense in depth
- Implementation of security in layers
- Requires that organizations establish multiple layers of security controls and safeguards
• Security perimeter
- Border of security protecting internal systems from outside threats
- Does not protect against internal attacks from employee threats or on-site physical threats

Diagrams and concepts explored later in course – introduced here
• Firewall: device that selectively discriminates against information flowing in or out of organization
• DMZs: no‐man’s land between inside and outside networks where some place Web servers
• Proxy servers: performs actions on behalf of another system
• Intrusion detection systems (IDSs): in effort to detect unauthorized activity within inner network, or
on individual machines, organization may wish to implement an IDS

41
Security perimeters

42
Security perimeters

We shall consider these in more detail in future weeks


43
Summary (first part, but see next slides)
• InfoSec governance: the application of corporate governance principles to InfoSec
• Management must use policies as the basis for all InfoSec planning, design, and deployment
• Three types of ISP: enterprise, issue-specific, systems-specific security policies
• ISP is best disseminated in a comprehensive security education, training, awareness (SETA) program
• InfoSec frameworks (ISO27000 series, NIST) are published to be used as best practices
• Defense in depth: one foundation of security architectures is the layered implementation of security

44
Security Governance Frameworks
3 Lines of Defense vs. 5 Lines of Assurance
Why care about governance frameworks?

Source: Risk Oversight Solutions Inc.
46

Why care about governance frameworks?
SOMETIMES THEY ARE LEGISLATED

Source: Risk Oversight Solutions Inc.
47

3LoD for CyberSecurity

Ho (2018), https://www.isaca.org/resources/isaca-journal/issues/2018/volume-4/roles-of-three-lines-of-defense-for-information-security-and-governance
48
First LoD is the function that owns and manages risk. Within the first LoD, businesses can set up
control functions (e.g., IT control, which reports to the IT department) to facilitate the management of
risk.

Second LoD is the independent control function (e.g., IT risk, IT compliance) that oversees risk and
monitors the first LoD controls. They can challenge the effectiveness of controls and management of
risk across the organisation.

Third LoD is internal audit, which provides independent assurance. It provides the well-informed sense
of assurance that the risks and controls are in balance. It provides evidence that risks and controls are
in balance. They evaluate how effective the other two lines of defense are: how effective are our
controls, how effective is our risk management.
49
Owners and Key Activities of the First Line of Defense
• Operational managers that own and manage risks and controls
• Implement corrective actions to address process and control deficiencies

Common first line of defense activities:


• Administer security procedures, training, and testing
• Maintain secure device configurations, up-to-date software, and security patches
• Deploy intrusion detection systems and conduct penetration testing
• Securely configure the network to adequately manage and protect network traffic flow
• Inventory information assets, technology devices, and related software
• Deploy data protection and loss prevention programs with related monitoring
• Restrict least-privilege access roles
• Encrypt data where feasible
• Implement vulnerability management with internal and external scans
• Recruit and retain certified IT, IT risk, and information security talent

GTAG – Assessing Cybersecurity Risk – Roles of the Three Lines of Defense
50
Owners and Key Activities of the Second Line of Defense
• IT risk management and IT compliance functions
• Play key role in an organization’s security posture and program design
• Responsible for:
− Cybersecurity-related risk assessment and alignment with organization’s risk appetite
− Monitoring risks and changes to laws and regulations
− Collaborating with the first-line functions to ensure appropriate control design

GTAG – Assessing Cybersecurity Risk – Roles of the Three Lines of Defense
51
Owners and Key Activities of the Second Line of Defense
Common Second Line of Defense Activities:
• Design cybersecurity policies, training, and testing
• Conduct cyber risk assessments
• Gather cyber threat intelligence
• Classify data and design least-privilege access roles
• Monitor incidents, key risk indicators, and remediation
• Recruit and retain certified IT risk talent
• Assess relationships with third parties, suppliers, and service providers
• Plan/test business continuity and participate in disaster recovery exercises

GTAG – Assessing Cybersecurity Risk – Roles of the Three Lines of Defense
52
Owners and Key Activities of the Third Line of Defense
• Internal audit function assesses whether IT governance supports organization’s strategies and objectives
• Coordinates with second LoD, particularly cybersecurity function
• Can be consulted regarding:
- The relationship between cybersecurity and organizational risk
- Prioritizing responses and control activities
- Auditing for cybersecurity risk mitigation across all relevant facets (e.g., privileged access)
- Assurance in remediation activities
- Raising risk awareness and coordinating with cybersecurity risk management
- Validating that cybersecurity provisions are included in the organization’s business continuity plans

GTAG – Assessing Cybersecurity Risk – Roles of the Three Lines of Defense
53
Owners and Key Activities of the Third Line of Defense
Common Third Line of Defense Activities
• Provide independent ongoing evaluations of preventive/detective measures related to cybersecurity
• Evaluate IT assets of users with privileged access for standard security configurations
• Track diligence of remediation
• Conduct cyber risk assessments of service organizations, third parties, and suppliers

GTAG – Assessing Cybersecurity Risk – Roles of the Three Lines of Defense
54
General 3LoD

55
Overview of Five Lines of Assurance Model (5LoA)

[Figure: Board of Directors; CEO & C-Suite; Internal Audit (3. LoD); Specialist Units (2. LoD); Work Units (1. LoD)]

56
Overview of Five Lines of Assurance Model (5LoA)
• The word "defense" has a somewhat negative feel to it. Risk managers are often seen as the "office of no", but
risk avoidance, as we will see, is only one form of treating risk
• To move away from this negative stereotype, the people who promoted this model wanted the risk
management unit to be seen as a function with the potential to help management increase the
certainty that key objectives in an organisation will be attained, while still operating within an
acceptable level of risk. So here it is about assurance, about value-creation objectives rather than
preventing value erosion
• How to make sure value is created at appropriate risk levels rather than focusing on avoiding risks at all
costs

So, the 5LoA model significantly elevates two roles: the role of CEOs and the role of the
Boards of Directors in risk governance. (The C-Suite is everyone with a C or Chief in the
title, e.g. CIO, CISO, CRO, etc.)

57
Core Elements of 5LoA
• Uses an “objectives register” as a foundation (see figure below)
• Clear accountability on who is responsible for reporting on residual risk status
• Risk assessment rigour and independent assurance requirements defined by C-suite and the board

58
Core Elements of 5LoA
Active board/senior management involvement and clarity around
their responsibility as the “ultimate line of defense”

59
Core Elements of 5LoA
Requires the full range of risk treatments* be identified and
assessed, not just “internal controls”
* More on risk treatment in our risk management (part 2) module

60
Core Elements of 5LoA
• Primary focus is on the acceptability of residual risk status
• Specific consideration whether risk treatments are optimized

Risk Assessment and Risk Treatment will be our focus in the next two weeks.

61
Thank you
Dr Lennart Jaeger | Lecturer
School of Business
[email protected]

CRICOS code 00025B
