Security Program and Policies
Principles and Practices
by Sari Stern Greene

Chapter 4: Governance and Risk Management
Objectives

• Explain the importance of strategic alignment
• Know how to manage information security policies
• Describe information security-related roles and responsibilities
• Identify the components of risk management
• Create policies related to information security policy, governance, and risk management
Copyright 2014 Pearson Education, Inc. 2


Understanding Information Security Policies

• The goal of information security policies is to protect the organization from harm
• Three lessons from the information security policy (ISP) domain:
  - Policies should be written
  - Policies should be supported by management
  - Policies should be strategically aligned, i.e. the company's security policy should align with business requirements and relevant laws and regulations
• ISO 27002:2013 provides a framework for developing security policies


Understanding Information Security Policies (cont.)

• What is strategic alignment?
• Two approaches to information security:
  - Parallel approach: security is managed as a separate function, apart from business planning
  - Integrated approach: security is built into business processes and aligned with business objectives
• User version of the ISP
  - Policies can serve as teaching documents to influence behavior
  - Acceptable Use Policy (AUP): distributed to users, who acknowledge that they have read and understood it
• Vendor version of the ISP
  - Companies can outsource their work, but not their responsibility and liability
  - Companies should create vendor versions of their information security policies
  - The vendor version should contain only the policies applicable to third parties and should be sanitized so that it discloses no confidential information


• Client synopsis
  - In this context, client refers to companies to which the organization provides services
  - A synopsis of the information security policy should be available to clients upon request
  - As applicable to the client base, the synopsis can be expanded to incorporate incident response and business continuity procedures, notifications, and regulatory cross-references
  - The synopsis should not disclose confidential business information unless the recipients are required to sign a non-disclosure agreement


Regulatory Requirements

• Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, Section 314.4
• HIPAA/HITECH Security Rule, Section 164.308(a)
• Payment Card Industry Data Security Standard (PCI DSS), Requirement 12.5
• 201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth, Section 17.0.2


Who authorizes the ISP?

• A policy is a reflection of the organization's commitment, direction, and approach
• Information security policies should be authorized by executive management
• Depending on the size, legal structure, and/or regulatory requirements of the organization, executive management may be defined as owners, directors, or executive officers
• The National Association of Corporate Directors (NACD), the leading membership organization for boards and directors in the U.S., recommends four essential practices:
  - Place information security on the Board's agenda
  - Identify information security leaders, hold them accountable, and ensure support for them
  - Ensure the effectiveness of the corporation's information security policy through review and approval
  - Assign information security to a key committee and ensure adequate support for that committee


Revising the ISP: Change Drivers

• Because organizations change over time, policies need to be revisited
• Change drivers are events that modify how a company does business; they can be demographic, economic, technological, regulatory, or personnel related
• Examples of change drivers include company acquisition, new products, services or technology, regulatory updates, entering into a contractual obligation, and entering a new market
• Change can introduce new vulnerabilities and risks
• Change drivers should trigger internal assessments and ultimately a review of policies
• Policies should be updated accordingly and subject to reauthorization


Evaluating Information Security Policies

• Policies can be evaluated internally or by independent third parties
• Audit
  - A systematic, evidence-based evaluation
  - Includes interviews, observation, tracing documents to management policies, review of practices, review of documents, and tracing data to source documents
  - An audit report containing the formal opinion and findings of the audit team is generated at the end of the audit
• Capability Maturity Model (CMM)
  - Used to evaluate and document process maturity for a given area
  - Maturity refers to the degree of formality and structure, ranging from ad hoc to optimized processes
  - Funded by the United States Air Force, the CMM was developed in the mid-1980s at the Carnegie Mellon University Software Engineering Institute to give the military a model for evaluating software development


Information Security Governance

• The process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors
• The Board of Directors is usually responsible for overseeing policy development
• Effective security requires a distributed governance model with the active involvement of stakeholders, decision makers, and users
Distributed Governance Model

• Chief Information Security Officer (CISO)
  - Provides expert leadership
  - Is positioned to be a leader, teacher, and security champion
  - Coordinates and manages security efforts across the company, including IT, human resources (HR), communications, legal, facilities management, and other groups
  - Generally reports directly to a senior functional executive (CEO, COO, CFO, General Counsel) and should have an unfiltered communication channel to the Board of Directors


Information Security Steering Committee

• Provides advice and counsel
• Its mission is to spread the gospel of security, that is, to teach security to colleagues, coworkers, subordinates, and business partners


Organizational Roles and Responsibilities

• Compliance Officer: responsible for identifying all applicable information security-related statutory, regulatory, and contractual requirements
• Privacy Officer: responsible for the handling and disclosure of data as it relates to state, federal, and international law and customs
• Internal audit: responsible for measuring compliance with Board-approved policies and ensuring that controls are functioning as intended
• Incident response team: responsible for responding to and managing security-related incidents
• Data owners: responsible for defining protection requirements for the data based on classification, business need, and legal and regulatory requirements; reviewing the access controls; and monitoring and enforcing compliance with policies and standards
• Data custodians: responsible for implementing, managing, and monitoring the protection mechanisms defined by data owners, and for notifying the appropriate party of any suspected or known policy violations or potential endangerments
• Data users: expected to act as agents of the security program by taking reasonable and prudent steps to protect the systems and data they have access to


Information Security Risk

• Three factors influence information security decision making and policy creation:
  - Guiding principles
  - Regulatory requirements
  - Risk associated with achieving business objectives
• Risk: the potential for an undesirable or unfavorable outcome from a given action
• Risk tolerance: how much undesirable outcome the risk taker is willing to accept. Risk tolerance is tactical and specific to the target being evaluated; tolerance levels can be qualitative (for example, low, elevated, severe) or quantitative (for example, dollar loss, number of customers impacted, hours of downtime)
• Risk appetite: the amount of risk an entity is willing to accept in pursuit of its mission
• The motivation for "taking a risk" is a favorable outcome. "Managing risk" implies that other actions are being taken to mitigate the impact of the undesirable or unfavorable outcome and/or to enhance the likelihood of a positive outcome
Risk Assessment

• Objective: to evaluate what can go wrong and the likelihood of a harmful event occurring
• Risk assessment involves
  - Identifying the inherent risk based on relevant threats, threat sources, and related vulnerabilities
  - Determining the impact of a threat if it occurs
  - Calculating the likelihood of occurrence
  - Determining residual risk


Risk Assessment (cont.)

• Inherent risk: the level of risk before security measures are applied
• Residual risk: the level of risk after security measures are applied
• Threat: a natural, environmental, or human event that could cause harm
• Vulnerability: a weakness that could be exploited by a threat
• Impact: the magnitude of harm
• Likelihood of occurrence: a weighted factor or probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities)
• Control: a security measure designed to prevent, deter, detect, or respond to a threat source
• In its simplest form, residual risk is the likelihood of occurrence after controls are applied, multiplied by the expected loss. Residual risk reflects the actual state, so the level can run the gamut from severe to nonexistent


Categories of Risk

• In a business context, risk is further classified by category, including strategic, financial, operational, personnel, reputational, and regulatory/compliance risk:
  - Strategic risk relates to adverse business decisions
  - Financial (or investment) risk relates to monetary loss
  - Reputational risk relates to negative public opinion
  - Operational risk relates to loss resulting from inadequate or failed processes or systems
  - Personnel risk relates to issues that affect morale, productivity, recruiting, and retention
  - Regulatory/compliance risk relates to violations of laws, rules, regulations, or policy


Risk Assessment Methodologies

• Components of a risk assessment methodology include
  - Defined process
  - Risk model
  - Assessment approach
  - Standardized analysis
• Three well-known information security risk assessment methodologies
  - Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  - Factor Analysis of Information Risk (FAIR)
  - NIST Risk Management Framework (RMF)


NIST Risk Management Methodology

• NIST SP 800-30 and SP 800-39
• SP 800-30, Guide for Conducting Risk Assessments, divides the assessment into four steps:
  - Prepare for the assessment
  - Conduct the assessment
  - Communicate the results
  - Maintain the assessment


Risk Management

• The process of determining an acceptable level of risk, calculating the current risk level, accepting the level of risk, or taking steps to reduce it to an acceptable level
• Risk acceptance: the organization is willing to accept the level of risk associated with a given activity or process
• Risk mitigation: taking one of four actions to bring the risk to an acceptable level
  - Risk reduction: implement countermeasures
  - Risk transfer: shift the risk to another entity
  - Risk sharing: share the risk with another entity
  - Risk avoidance: modify or stop the activity that causes the risk


Risk Reduction

• Risk reduction is accomplished by implementing one or more offensive or defensive controls in order to lower the residual risk
• An offensive control is designed to reduce or eliminate a vulnerability, such as enhanced training or applying a security patch
• A defensive control is designed to respond to a threat source (for example, a sensor that sends an alert if an intruder is detected)
• Prior to implementation, risk reduction recommendations should be evaluated in terms of their effectiveness, resource requirements, complexity, impact on productivity and performance, potential unintended consequences, and cost
• Depending on the situation, risk reduction decisions may be made at the business unit level, by management, or by the Board of Directors


Risk Transfer, Sharing and Avoidance

• Risk transfer shifts the entire risk responsibility or liability from one organization to another; this is often accomplished by purchasing insurance
• Risk sharing shifts a portion of the risk responsibility or liability to other organizations. The caveat to this option is that regulations such as GLBA (financial institutions) and HIPAA/HITECH (healthcare organizations) prohibit covered entities from shifting compliance liability
• Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk appetite and tolerance, and a determination has been made not to make an exception
• Risk avoidance involves taking specific actions to eliminate or significantly modify the process or activities that are the basis for the risk
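The vocabulary of the Risk Assessment slides (inherent risk, residual risk as likelihood after controls multiplied by expected loss, qualitative and quantitative risk tolerance) and the treatment options of the Risk Management, Risk Reduction and Risk Transfer slides (accept, reduce, transfer, share, avoid) can be exercised against a small risk register. The Python below is an added example for this page, not code from the book or from any methodology it names. Everything in it is constructed: the three register entries, their likelihoods and loss figures, the control effects, the $25,000 annual tolerance, and the modelling choice that an "offensive" control (patching, training) lowers likelihood while a "defensive" control (backups, alerting) lowers the loss per occurrence. The greedy cost-benefit selection of controls is one simple way to implement the effectiveness-versus-cost evaluation the Risk Reduction slide calls for, not a method the book prescribes.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """A safeguard and its effect on one risk (all figures constructed)."""
    name: str
    likelihood_reduction: float = 0.0   # fraction of likelihood removed ("offensive" control, e.g. patching)
    loss_reduction: float = 0.0         # fraction of expected loss removed ("defensive" control, e.g. backups)
    annual_cost: float = 0.0            # yearly cost of running the control


@dataclass
class Risk:
    """One risk register entry: a threat exploiting a vulnerability."""
    threat: str
    vulnerability: str
    likelihood: float            # annual probability of occurrence, 0..1
    expected_loss: float         # loss per occurrence, in dollars
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Annualised risk before any control: likelihood x expected loss."""
        return self.likelihood * self.expected_loss

    def residual_likelihood(self) -> float:
        p = self.likelihood
        for c in self.controls:
            p *= 1.0 - c.likelihood_reduction
        return p

    def residual_loss(self) -> float:
        loss = self.expected_loss
        for c in self.controls:
            loss *= 1.0 - c.loss_reduction
        return loss

    def residual_risk(self) -> float:
        # Likelihood after controls, multiplied by expected loss after controls.
        return self.residual_likelihood() * self.residual_loss()


def rate(annual_loss: float, tolerance: float) -> str:
    """Qualitative level of an annualised loss against a dollar tolerance."""
    if annual_loss <= tolerance / 2:
        return "low"
    if annual_loss <= tolerance:
        return "elevated"
    return "severe"


def treat(risk: Risk, tolerance: float, candidates: list) -> str:
    """Accept if already within tolerance; otherwise add candidate controls greedily
    (best net saving first, only while a control saves more than it costs) and return
    "reduce" if that gets within tolerance. If it does not, the remaining options are
    transfer, sharing or avoidance, which this function leaves to a human decision."""
    if risk.residual_risk() <= tolerance:
        return "accept"
    remaining = list(candidates)
    while remaining and risk.residual_risk() > tolerance:
        before = risk.residual_risk()
        best, best_net = None, 0.0
        for c in remaining:
            risk.controls.append(c)           # trial application
            net = before - risk.residual_risk() - c.annual_cost
            risk.controls.pop()
            if net > best_net:
                best, best_net = c, net
        if best is None:                      # nothing left pays for itself
            break
        risk.controls.append(best)
        remaining.remove(best)
    return "reduce" if risk.residual_risk() <= tolerance else "transfer, share or avoid"


def run_register(tolerance: float = 25_000.0) -> dict:
    """Assess a constructed three-entry register; returns, per threat,
    (inherent risk, residual risk, qualitative rating, treatment)."""
    patching = Control("30-day patch SLA", likelihood_reduction=0.6, annual_cost=8_000)
    backups = Control("tested offline backups", loss_reduction=0.7, annual_cost=5_000)
    awareness = Control("phishing awareness training", likelihood_reduction=0.3, annual_cost=4_000)
    barriers = Control("flood barriers", loss_reduction=0.5, annual_cost=60_000)
    register = [
        (Risk("ransomware via exposed RDP", "unpatched remote access service", 0.25, 400_000), [patching, backups, awareness]),
        (Risk("laptop theft", "unencrypted device", 0.10, 20_000), []),
        (Risk("flood in server room", "ground-floor data center", 0.02, 5_000_000), [barriers]),
    ]
    results = {}
    for risk, candidates in register:
        inherent = risk.inherent_risk()
        decision = treat(risk, tolerance, candidates)
        residual = risk.residual_risk()
        results[risk.threat] = (inherent, residual, rate(residual, tolerance), decision)
    return results


if __name__ == "__main__":
    for threat, (inh, res, level, decision) in run_register().items():
        print(f"{threat:28s} inherent ${inh:>10,.0f}  residual ${res:>10,.0f}  {level:8s} -> {decision}")
```

Running it shows the three outcomes the slides distinguish: the ransomware entry starts at a severe $100,000 a year, and selecting backups and then patching (training is never worth its cost once those are in place) brings it to a low $12,000, so it is reduced; laptop theft sits under tolerance from the start and is accepted; the flood entry stays severe because its only candidate control costs more than the risk it removes, so the decision is escalated to transfer, sharing or avoidance rather than silently accepted.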


Cyber Insurance

• Two general categories of risks and potential liabilities are covered by cyber insurance: first-party risks and third-party risks
  - First-party risks are potential costs for loss or damage to the policyholder's own data, or lost income or business
  - Third-party risks include the policyholder's potential liability to clients or to various governmental or regulatory entities


Summary

• Information security policies should be reviewed at least annually to ensure they are relevant and accurate
• Information security audits should be conducted to ensure policies are accepted and integrated
• Governance is the process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors
• Risk management is the process of determining an acceptable level of risk, calculating the current risk level, accepting the level of risk, or taking steps to reduce it to an acceptable level