SPGUNIT1
GOVERNANCE - 6KS01
• Text Book: Michael E. Whitman, Herbert J.
Mattord, “Management of Information Security”
Sixth Edition, Cengage Learning, 2016.
• Reference Books:
• Robert F. Smallwood, “Information Governance for
Business Documents and Records”, Wiley 2014.
• Michael E. Whitman and Herbert J. Mattord,
“Principles of Information Security” Sixth Edition,
Cengage Learning, 2018.
SECURITY POLICY & GOVERNANCE
Introduction to Security: In general, security means being
free from danger. To be secure is to be protected from the risk
of loss, damage, or unwanted modification.
Information Security is about securing information from
unauthorized access, use, disclosure, modification, inspection,
recording, or destruction. Information can be physical or
electronic. Information can be anything, such as your details
(your profile on social media), the data in your mobile phone,
your biometrics, etc.
Key Terms to Security –
Asset An organizational resource that is being protected. An
asset can be logical, such as a Web site, software information,
or data; or an asset can be physical, such as a person, computer
system, hardware, or other tangible object.
• Information asset The focus of information
security; information that has value to the
organization, and the systems that store, process,
and transmit the information.
• Information security (InfoSec) Protection of the
confidentiality, integrity, and availability of
information assets.
• Security A state of being secure and free from
danger or harm. In addition, the actions taken to
make someone or something secure.
Specialized areas of security
• Physical security - The protection of physical items,
objects, or areas from unauthorized access and misuse.
• Operations security - The protection of the details of
an organization's operations and activities.
• Communications security- The protection of all
communications media, technology, and content.
• Cyber (or computer) security- The protection of
computerized information processing systems and the
data they contain and process.
• Network security - A subset of communications
security and cyber security; the protection of voice and
data networking components, connections, and content.
Committee on National Security
Systems (CNSS)
• The CNSS security model (the committee was formerly
known as the National Security Telecommunications and
Information Systems Security Committee, NSTISSC) is
known as the McCumber Cube, which is named after its
developer, John McCumber.
• Shows the three dimensions that are central to the
discussion of InfoSec: information characteristics,
information location, and security control categories. If
you extend the relationship among the three
dimensions that are represented by the axes in the
figure, you end up with a 3 x 3 x 3 cube with 27 cells.
• Each cell represents an area of intersection among
these three dimensions, which must be addressed
to secure information. These cells deal with
people, hardware, software, data, and procedures.
Information and the C.I.A. triangle
• The C.I.A. model has the characteristics of confidentiality,
integrity, and availability.
• Confidentiality means limiting access to information
only to those who need it, and preventing access by
those who do not. When unauthorized individuals or
systems can view information, confidentiality is
breached. To protect the confidentiality of
information, a number of measures are used,
including:
• Information classification
• Secure document (and data) storage
• Application of general security policies
• Cryptography ( encryption)
• Integrity
• The integrity or completeness of information is
threatened (harmed/endangered) when it is exposed to
corruption, damage, or destruction of its authentic
state. Corruption can occur while information is
being entered, stored, or transmitted. Many
computer viruses and worms, for example, are
designed to corrupt data. For this reason, the key
method for detecting whether a virus or worm has
caused an integrity failure to a file system is to look
for changes in the file's state, as indicated by the
file's size or, in a more advanced operating system,
by other recorded attributes of the file. File
corruption is not always the result of deliberate
attacks.
• Availability
• Availability of information means that users, either
people or other systems, have access to it in a usable
format. Availability does not imply that the
information is accessible to any user; rather, it means
it can be accessed when needed by authorized users.
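The integrity discussion above notes that the basic way to spot a corrupted file is to look for a change in its recorded state. The following added example (not part of the course text or its textbook) builds a small baseline-and-compare check in Python: it records each file's size and SHA-256 digest, then shows that a tampered file whose length did not change is missed by a size-only comparison but caught by the digest. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file's contents in chunks so large files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Baseline: record (size, SHA-256) for every monitored file."""
    return {p: (os.path.getsize(p), sha256_of(p)) for p in paths}


def detect_changes(baseline, current):
    """Compare a fresh snapshot with the baseline; return {path: finding}."""
    findings = {}
    for path, (size0, digest0) in baseline.items():
        if path not in current:
            findings[path] = "missing"
            continue
        size1, digest1 = current[path]
        if size1 != size0:
            findings[path] = "size changed"
        elif digest1 != digest0:
            # A size-only check would not notice this case.
            findings[path] = "content changed, size unchanged"
    for path in current:
        if path not in baseline:
            findings[path] = "new file"
    return findings


def demo():
    """Constructed scenario: a config file is altered without changing its length."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "config.ini")
        log = os.path.join(d, "app.log")
        with open(cfg, "w") as f:
            f.write("admin=no\n")
        with open(log, "w") as f:
            f.write("service started\n")
        baseline = snapshot([cfg, log])

        # Same-length tampering: "admin=no" becomes "admin=ok".
        with open(cfg, "w") as f:
            f.write("admin=ok\n")

        return detect_changes(baseline, snapshot([cfg, log]))


if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{finding}: {path}")
```

In practice the baseline is stored somewhere the monitored host cannot silently rewrite it, since an attacker who can alter a file can usually alter a baseline kept beside it.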
Key Terms
• Accountability The access control mechanism that ensures all actions
on a system, authorized or unauthorized, can be attributed to an
authenticated identity.
• Authentication The access control mechanism that requires the
validation and verification of an unauthenticated entity's identity.
• Authorization The access control mechanism that represents the
matching of an authenticated entity to a list of information assets.
• Availability An attribute of information that describes how data is
accessible and correctly formatted for use without interference.
• Integrity An attribute of information that describes how data is
whole, complete, and uncorrupted.
• Identification The access control mechanism whereby unverified
entities who seek access to a resource provide a label by which they
are known to the system.
• Privacy The right of individuals or groups to protect themselves and
their information from unauthorized access, providing confidentiality.
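The four access control mechanisms in the key terms above (identification, authentication, authorization, accountability) operate in sequence. As an added illustration, not from the course text, the Python below runs a request through all four: the label is checked against the user store, the password is verified against a salted PBKDF2 hash with a constant-time comparison, the asset/action pair is matched against the user's permission list, and every decision is appended to an audit log attributed to the supplied identity. The user names, passwords, and asset names are constructed.

```python
import hashlib
import hmac
import os


def _hash_password(password, salt):
    """Salted PBKDF2; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_user(password, assets):
    salt = os.urandom(16)  # fresh random salt per user
    return {"salt": salt, "pw": _hash_password(password, salt), "assets": assets}


# Constructed user store: identity -> credential hash and permitted actions per asset.
USERS = {
    "alice": _make_user("correct horse battery",
                        {"payroll": {"read"}, "wiki": {"read", "write"}}),
    "bob": _make_user("hunter2", {"wiki": {"read"}}),
}

AUDIT_LOG = []  # accountability: every decision is attributed to an identity


def identify(label):
    """Identification: the unverified entity supplies a label known to the system."""
    return label if label in USERS else None


def authenticate(user, password):
    """Authentication: verify the claimed identity with a constant-time compare."""
    rec = USERS[user]
    return hmac.compare_digest(rec["pw"], _hash_password(password, rec["salt"]))


def authorize(user, asset, action):
    """Authorization: match the authenticated entity to its asset/action list."""
    return action in USERS[user]["assets"].get(asset, set())


def request_access(label, password, asset, action):
    """Run the four mechanisms in order and record the outcome."""
    user = identify(label)
    if user is None:
        outcome, allowed = "denied: unknown identity", False
    elif not authenticate(user, password):
        outcome, allowed = "denied: authentication failed", False
    elif not authorize(user, asset, action):
        outcome, allowed = "denied: not authorized", False
    else:
        outcome, allowed = "allowed", True
    AUDIT_LOG.append({"who": label, "asset": asset,
                      "action": action, "outcome": outcome})
    return allowed


if __name__ == "__main__":
    request_access("alice", "correct horse battery", "payroll", "read")
    request_access("bob", "hunter2", "wiki", "write")
    for entry in AUDIT_LOG:
        print(entry)
```

Denied attempts are logged as well as allowed ones; accountability as defined above covers unauthorized actions too, and a log of refusals is often the first sign of credential guessing.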
Key Concepts of InfoSec: Threats and Attacks
What Is a Network Attack?
• A network attack is an attempt to gain unauthorized
access to an organization’s network, with the objective
of stealing data or performing other malicious activity.
There are two main types of network attacks:
• Passive: Attackers gain access to a network and can
monitor or steal sensitive information, but without
making any change to the data, leaving it intact.
• Active: Attackers not only gain unauthorized access
but also modify data, either deleting, encrypting or
otherwise harming it.
Distinguish network attacks from
other types of attacks
• Endpoint attacks—gaining unauthorized access to
user devices, servers or other endpoints, typically
compromising them by infecting them with
malware.
• Malware attacks—infecting IT resources with
malware, allowing attackers to compromise
systems, steal data and do damage.
Common Types of Network Attacks
• 1. Unauthorized access Unauthorized access refers to
attackers accessing a network without receiving
permission. Among the causes of unauthorized access
attacks are weak passwords, previously compromised
accounts, and insider threats.
• 2. Distributed Denial of Service (DDoS) attacks
Attackers build botnets (networks of computers infected
by malware that are under the control of a single attacking
party), large fleets of coordinated devices, and use them to
direct false traffic at your network or servers. DDoS can
occur at the network level, for example by sending huge
volumes of SYN/ACK packets that overwhelm a server,
or at the application level, for example by performing
complex SQL queries that bring a database to its knees.
• 3. Man in the middle attacks A man in the middle
attack involves attackers intercepting traffic, either
between your network and external sites or within
your network. If communication protocols are not
secured or attackers find a way to avoid that security,
they can steal data that is being transmitted, obtain
user credentials and hijack their sessions.
• 4. Code and SQL injection attacks Many websites
accept user inputs and fail to validate and sanitize
those inputs. Attackers can then fill out a form or
make an API call, passing malicious code instead of
the expected data values. The code is executed on the
server and allows attackers to compromise it.
• 5. Privilege escalation (Increase) Once attackers
penetrate your network, they can use privilege
escalation to expand their reach. Horizontal
privilege escalation involves attackers gaining
access to additional, adjacent systems, and vertical
escalation means attackers gain a higher level of
privileges for the same systems.
• 6. Insider threats A network is especially vulnerable to
malicious insiders, who already have privileged
access to organizational systems. Insider threats can
be difficult to detect and protect against, because
insiders do not need to penetrate the network in
order to do harm.
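Item 4 above describes code and SQL injection as a failure to validate input. The added Python example below (not from the course material) shows the defect and its fix side by side on a constructed in-memory SQLite table: the vulnerable lookup concatenates the user name into the SQL text, so an input containing a quote and an always-true clause returns every row, while the parameterized lookup binds the same input as data and returns nothing. The table and column names are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "key-alice"), ("bob", "key-bob")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Input is concatenated into the SQL text, so it can change the query."""
    sql = "SELECT username, api_key FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Input is bound as a parameter; the database treats it as data only."""
    sql = "SELECT username, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed malicious input: closes the quoted literal and adds an always-true clause.
INJECTED = "nobody' OR '1'='1"


def compare():
    """Run both lookups on a normal name and on the injected string."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTED),
        "injected_safe": lookup_safe(conn, INJECTED),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows}")
```

Parameter binding is the control that actually removes the defect; input filtering on top of it is still useful for rejecting obviously malformed values early, but it is not a substitute.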
Categories of Threats
• 1. Compromises to Intellectual Property:
Intellectual property (IP) can be trade secrets,
copyrights, trademarks, and patents. IP is protected by
copyright and other laws. For example, the use of a
song in a movie or a photo in a publication may require
a specific payment or royalty. This category includes
two primary areas:
• a) Software piracy- The most common IP breach is the
unlawful use or duplication of software-based
intellectual property, more commonly known as
software piracy. Many individuals and organizations do
not purchase software as mandated by the owner's
license agreements
• b) Copyright protection and user registration - A
number of technical mechanisms digital
watermarks, embedded code, copyright or activation
codes, and even the intentional placement of bad
sectors on software media- have been used to
enforce copyright laws.
• 2. Deviations in Quality of Service An
organization's information system depends on the
successful operation of many interdependent
support systems, including power grids, data and
telecommunications networks, parts suppliers,
service vendors.
• Subcategories of this threat include the following:
• a) Internet service issues- In organizations that rely
heavily on the Internet and the Web to support
continued operations, ISP failures can considerably
undermine the availability of information
• b) Communications and other service provider
issues- Among these are telephone, water,
wastewater, trash pickup, cable television, natural or
propane gas, and secure services. The loss of these
services can impair the ability of an organization to
function.
• c) Power irregularities- Irregularities from power
utilities are common and can lead to fluctuations such
as power excesses, power shortages, and power
losses.
• 3. Espionage or Trespass Espionage or trespass is a
well-known and broad category of electronic and human
activities that can breach the confidentiality of
information. When an unauthorized person gains access
to information an organization is trying to protect, the
act is categorized as espionage or trespass.
• Some information-gathering techniques are legal-
for example, using a Web browser to perform
market research. These legal techniques are
collectively called competitive intelligence. When
information gatherers employ techniques that cross
a legal or ethical threshold, they are conducting
industrial espionage.
• Hackers A person who accesses systems and
information without authorization and often
illegally.
• Expert hacker A hacker who uses extensive
knowledge of the inner workings of computer
hardware and software to gain unauthorized access
to systems and information.
• Cracker A hacker who intentionally removes or
bypasses software copyright protection designed to
prevent unauthorized duplication or use.
• Cracking Attempting to reverse-engineer, remove,
or bypass a password or other access control
protection, such as copyright protection on software.
• Phreaker A hacker who manipulates the public
telephone system to make free calls or disrupt
services.
• Jailbreaking or Rooting. Owners of certain
smartphones can download and use particular tools
to gain control over system functions, often against
the original intentions of the designers. The term
Jailbreaking is more commonly associated with
Apple's iOS devices, while the term Rooting is
more common with Android-based devices.
• 4. Forces of Nature
• Forces of nature, sometimes called acts of God, can
present some of the most dangerous threats because
they usually occur with little warning and are
beyond the control of people. These threats, which
include events such as fires, floods, earthquakes,
and lightning as well as volcanic eruptions and
insect infestations, can disrupt not only people's
lives but also the storage, transmission, and use of
information. Some typical force of nature attacks
include the following: fire, flood, earthquake,
lightning, landslide or mudslide, tsunami, etc.
• 5. Human Error or Failure When people use
information systems, mistakes happen. Similar
errors happen when people fail to follow established
policy. Inexperience, improper training, and
incorrect assumptions are just a few things that can
cause human error or failure. Regardless of the
cause, human error or failure can produce extensive damage.
• 6. Information Extortion
• Information extortion is the act of an attacker or
trusted insider who steals information from a
computer system and demands compensation for its
return or for an agreement not to disclose the
information. It is also known as cyber extortion.
• 7. Software Attacks Deliberate software attacks occur
when an individual or group designs and deploys
software to attack a system. This type of attack is
usually part of a campaign that integrates a variety of
tools, techniques, and procedures (TTP) to merge
specially crafted (created) software and social
engineering methods that seek to trick users into
installing computer code onto their systems.
• There are several forms of software attacks
• Malware The most common form of software attack is
malware. Malware is also referred to as malicious code or
malicious software. Malicious code attacks include the
execution of viruses, worms, Trojan horses, and active Web
scripts with the intent to destroy or steal information.
• Virus - A computer virus consists of code segments
(programming instructions) that perform malicious
actions. The virus-controlled target program then
carries out the virus plan by replicating itself into
additional targeted systems. Computer viruses are
passed from machine to machine via physical media, e-
mail, or other forms of computer data transmission.
When these viruses infect a machine, they may
immediately scan it for e-mail applications or even
send themselves to every user in the e-mail address book.
• Two common types are the macro virus, which is
embedded in automatically executing macro code used
by word processors, and the boot virus, which infects
the key operating system files in a computer's boot
sector.
• Worm can continue replicating itself until it
completely fills available resources, such as
memory, hard drive space, and/or network
bandwidth. The complex behaviour of worms can be
initiated with or without the user downloading or
executing the file. Once the worm has infected a
computer, it can redistribute itself to other systems
connected to the compromised systems using e-mail
directories and network links found on the infected
system. Furthermore, a worm can deposit copies of
itself onto all Web servers that the infected system
can reach; users who subsequently visit those sites
become infected.
• A Trojan horse may frequently be disguised as a
helpful, interesting, or necessary piece of
software, such as the readme.exe files often
included with shareware or freeware packages.
Once Trojan horses are brought into a system,
they become activated and can cause harm to
the unsuspecting user. In one typical case, a
Trojan horse program installed itself into the
user's system and continued to propagate by
following up every e-mail the user sent with a
second e-mail to the same recipient, with the
same attack program attached.
• Back Doors Using a known or newly discovered
access mechanism, an attacker can gain access to
a system or network resource through a back
door. Viruses and worms can have a payload that
installs a back door or trap door component in a
system, allowing the attacker to access the system
at will with special privileges. Sometimes these
doors are left behind by system designers or
maintenance staff, and are thus also referred to as
a maintenance hook.
• Buffer Overflow A buffer overflow is a
programming error that occurs when more data is
sent to a buffer than it can handle.
• Denial-of-Service (DoS) and Distributed
Denial-of-Service (DDoS) Attacks
• In a denial-of-service (DoS) attack, the
attacker sends a large number of connection or
information requests to a target. So many
requests are made that the target system
becomes overloaded and cannot respond to real
requests for service. The system may crash or
simply become unable to perform ordinary
functions. In a distributed denial-of-service
(DDoS) attack, a coordinated stream of
requests is launched against a target from many
locations at the same time.
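The DoS and DDoS descriptions above differ in where the request volume comes from: one source versus many. As an added detection example, not part of the course text, the Python below runs two sliding-window counters over a constructed request log: a per-source counter that flags a single flooding client, and a combined counter that reveals a distributed flood even when no individual source exceeds the per-source threshold. The thresholds, window length, and IP addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


def flag_flooding_sources(events, window=1.0, threshold=20):
    """Sources that send more than `threshold` requests in any `window`-second span."""
    recent = defaultdict(deque)  # per-source timestamps inside the window
    flagged = set()
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def peak_total_rate(events, window=1.0):
    """Largest number of requests from all sources combined in any window-second span."""
    q = deque()
    peak = 0
    for ts in sorted(ts for ts, _ in events):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def build_sample():
    """Constructed request log as (seconds, source_ip) pairs."""
    events = []
    # DoS pattern: one source, 50 requests within one second.
    events += [(i * 0.02, "203.0.113.5") for i in range(50)]
    # Normal client: 5 requests spread over 8 seconds.
    events += [(i * 2.0, "198.51.100.7") for i in range(5)]
    # DDoS pattern: 30 sources, only 3 requests each, all inside the same second.
    for n in range(30):
        events += [(20.0 + k * 0.3, f"192.0.2.{n + 1}") for k in range(3)]
    return events


def assess(events, per_source_threshold=20, total_threshold=60):
    """Combine both views: who is flooding, and is the aggregate rate abnormal."""
    peak = peak_total_rate(events)
    return {
        "flooding_sources": flag_flooding_sources(events, threshold=per_source_threshold),
        "peak_total": peak,
        "distributed_flood": peak > total_threshold,
    }


if __name__ == "__main__":
    print(assess(build_sample()))
```

The per-source view alone would report nothing about the 30 low-rate addresses, which is exactly why a DDoS is harder to filter than a DoS: blocking any one participant barely changes the aggregate.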
• E-mail Attacks Unwanted e-mail, especially bulk
commercial e-mail or spam, is a common problem
for e-mail users. A form of e-mail attack that is
also a DoS attack is called a mail bomb.
• Communications Interception Attacks
• S/W-based attacks include four subcategories
• a) Packet sniffer/network sniffer can monitor
data traveling over a network. Sniffers can be used
both for legitimate (real) network management
functions and for stealing information.
Unauthorized sniffers can be extremely dangerous
to a network's security because they are virtually
impossible to detect and can be inserted anywhere.
• Sniffers often work on TCP/IP networks.
Sniffers add risk to networks because many
systems and users send information on local
networks in clear text. A sniffer program shows
all the data going by, including plain-text
passwords, the data inside files.
• b) Spoofing- To engage in IP spoofing, hackers
use a variety of techniques to obtain trusted IP
addresses and then modify the packet headers to
insert forged (fake) addresses. Newer routers
and firewall arrangements can offer protection
against IP spoofing.
• c) Pharming- Pharming attacks often use Trojans,
worms, or other virus technologies to attack an
Internet browser's address bar so that the valid
URL the user types is modified to be that of an
illegal Web site. One form of pharming is
Domain Name System (DNS) cache poisoning.
• d) Man-in-the-middle- In the well-known man-in-
the-middle attack, an attacker monitors packets
from the network, modifies them, and inserts
them back into the network. This is also called a
TCP hijacking attack. It allows the attacker to change,
delete, reroute, add, forge (illegally copy), or divert
data.
• 8. Technical Hardware Failures or Errors
• Technical hardware failures or errors occur when
a manufacturer distributes equipment containing a
known or unknown fault. These defects can cause
the system to perform outside of expected
parameters, resulting in unreliable service or lack
of availability. Equipment can sometimes stop
working or work in unexpected ways.
• 9. Technical Software Failures or Errors
• Large quantities of computer code are written,
debugged, published, and sold before all their
bugs are detected and resolved. Sometimes,
combinations of certain software and hardware
reveal new failures that range from bugs to
untested failure conditions.
• 10. Theft
• The illegal taking of another's property, which
can be physical, electronic, or intellectual.
Management and Leadership
• Leadership. The process of influencing others
and gaining their willing cooperation to achieve
an objective by providing purpose, direction, and
motivation.
• Management. The process of achieving
objectives by appropriately applying a given set of
resources. Management involves using resources
to get a job done.
• A manager is a member of the organization
assigned to marshal and administer resources,
coordinate the completion of tasks, and handle the
many roles necessary to complete the desired
objectives.
• Managers have many roles to play within
organizations, including the following:
• Informational role - Collecting, processing, and
using information that can affect the completion
of the objective.
• Interpersonal role - Interacting with superiors,
subordinates, outside stakeholders, and other
parties that influence or are influenced by the
completion of the task.
• Decisional role - Selecting from among
alternative approaches and resolving conflicts,
problems, or challenges.
• Behavioral Types of Leaders
• There are three basic behavioral types:
autocratic, democratic, and laissez-faire.
• Autocratic leaders reserve all decision-making
responsibility for themselves and are "do as I say"
types. Such leaders typically issue an order to
accomplish a task and do not usually seek or
accept alternative viewpoints.
• Democratic leaders work in the opposite way,
typically seeking input from all interested parties,
requesting ideas and suggestions, and then
formulating positions that can be supported by a
majority.
• The laissez-faire leader is also known as the
"laid-back" leader. While both autocratic and
democratic leaders tend to be action oriented, the
laissez-faire leader often sits back and allows the
process to develop as it goes, only making
minimal decisions to avoid bringing the process
to a complete halt.
Management Characteristics
• Planning The process of developing, creating,
and implementing strategies for the
accomplishment of objectives is called planning.
• The three levels of planning are:
• Strategic planning- This occurs at the highest
levels of the organization and for a long period of
time, usually five or more years.
• Tactical planning- This focuses on production
planning and integrates organizational resources
at a level below the entire enterprise and for an
intermediate duration (such as one to five years).
• Operational planning- This focuses on the day-
to-day operations of local resources and occurs
in the present or the short term.
• There is also a category of planning used in non-
normal business operations called contingency
planning. Lack of planning can cause confusion
and frustration among managers and staff.
Organizing
• The management function dedicated to the
structuring of resources to support the
accomplishment of objectives is called
organizing. It includes the structuring of
departments and their associated staffs, the
storage of raw materials to facilitate
manufacturing, and the collection of information
to help in the accomplishment of the task. Recent
definitions of "organizing" include staffing,
because organizing people so as to maximize
their productivity is not significantly different
from organizing time, money, or equipment.
• Leading Leading encourages the implementation
of the planning and organizing functions. It
includes supervising employee behavior,
performance, attendance, and attitude while
ensuring completion of the assigned tasks, goals,
and objectives. Leadership generally addresses
the direction and motivation of the human
resource.
• Controlling Controlling ensures the validity of
the organization's plan. The manager ensures that
sufficient progress is made, that obstacles to the
completion of the task are resolved, and that no
additional resources are required.
Governance
• The very top of an organization includes a special
level of management that involves planning,
organizing, leading, and controlling the
information security function. For most
organizations that have such a governing body, it
exists either at the board of directors level or the
senior executive level.
• This level of uppermost management is referred
to as governance. Just as there are governance
functions to manage the entire business side of
the organization, there are special governance
functions for IT and InfoSec.
• Solving Problems
• All managers encounter problems in the course of
the organization's day-to-day operation. Whether
a problem is low or high profile, the same basic
process can be used to solve it. Time pressures
often constrain decision making when problems
arise; however, the process of gathering and
evaluating the necessary facts may be beyond
available capabilities.
• The methodology described in the following
steps can be used as a basic blueprint for
resolving many operational problems.
• Step 1: Recognize and Define the Problem
• The most frequent flaw (fault) in problem solving
is failing to define the problem completely. Begin
by clearly identifying exactly which problem
needs to be solved. For example, if Iris receives
complaints at RWW (Random Widget Works
makes quality widgets and equipment for modern
businesses ) about the receipt of a large number
of unsolicited commercial e-mails (also known as
spam), she must first determine whether the
complaints are valid.
• Step 2: Gather Facts and Make Assumptions
• To understand the background and events that shape the
problem, a manager can gather facts about the
organizational, cultural, technological, and behavioral
factors that are at the root of the issue. He or she can
then make assumptions about the methods that are
available to solve the problem.
• Step 3: Develop Possible Solutions
• The next step is to begin formulating possible solutions.
Managers can use several methods to generate ideas. One
of these is brainstorming, a process in which a group of
individuals airs as many ideas as possible in a short time,
without regard for their practicality. The group then
reviews and filters the ideas to identify any feasible
options.
• Step 4: Analyze and Compare Possible
Solutions
• Each proposed solution must be examined and
ranked as to its likely success in solving the
problem. This analysis may include reviewing
economic, technological, behavioral, and
operational feasibilities, which are described here:
• Economic feasibility - Comparing the costs and
benefits of a possible solution with other possible
solutions.
• Technological feasibility- Assessing the
organization's ability to acquire the technology
needed to implement a particular solution.
• Behavioral feasibility - Assessing the likelihood
(probability) that subordinates will adopt and
support a particular solution rather than resist it.
• Operational feasibility - Assessing the
organization's ability to integrate a particular
solution into its current business processes.
• Step 5: Select, Implement, and Evaluate
• Once a solution is chosen and implemented, you
must evaluate it to determine its effectiveness in
solving the problem. It is important to monitor
the chosen solution carefully so that if it proves
ineffective, it can be canceled or altered quickly.
In Iris's case, she might decide to implement the
firewall filters to reduce the spam, as most of it
comes from a few common sources.
Principles of Information Security Management
• The InfoSec management team operates like all
other management units by using the common
characteristics of leadership and management.
• The InfoSec management team's goals and
objectives differ from those of the IT and general
management communities in that the InfoSec
management team is focused on the secure
operation of the organization.
• Some of the InfoSec management team's goals and
objectives may be contrary (opposite) to or require
resolution with the goals of the IT management
team.
• The primary focus of the IT group is to ensure the
effective and efficient processing of information,
whereas the primary focus of the InfoSec group is
to ensure the confidentiality, integrity, and
availability of information.
• Because the Chief Information Security Officer
(CISO) in charge of the security management
team typically reports directly to the Chief
Information Officer (CIO), who is responsible for
the IT function, issues and conflicts can
arise unless upper management intervenes.
There are 6 main Principles of
InfoSec Management:
• 1. Planning InfoSec Planning Model includes
activities necessary to support the design,
creation, and implementation of InfoSec
strategies within the planning environments of all
organizational units, including IT. Because the
InfoSec strategic plans must support not only the
IT use and protection of information assets, but
also those of the entire organization, it is
imperative that the CISO work closely with all
senior managers in developing InfoSec strategy.
2. Policy
• In InfoSec, there are three general policy
categories,
• Enterprise Information Security Policy
(EISP)- Developed within the context of the
strategic IT plan, this sets the character for the
InfoSec department and the InfoSec climate
across the organization. The CISO typically
drafts the program policy, which is usually
supported and signed by the CIO or the CEO.
• Issue-Specific Security Policies (ISSPs)- These
are sets of rules that define acceptable behavior
within a specific organizational resource, such as
e-mail or Internet usage.
• System-Specific Policies (SysSPs) - A merger of
technical and managerial intent, SysSPs include
both the managerial guidance for the
implementation of a technology as well as the
technical specifications for its configuration.
3. Programs
• InfoSec operations that are specifically managed
as separate entities are called "programs." An
example would be a Security Education Training
and Awareness (SETA) program, a risk
management program, or emergency programs
such as incident response, disaster recovery, or
business continuity.
• SETA programs provide critical information to
employees to maintain or improve their current
levels of security knowledge. Risk management
programs include the identification, assessment,
and control of risks to information assets.
• Other programs that may emerge include a
physical security program, complete with fire
protection, physical access, gates, guards, and so
on. Some organizations with specific regulations
may have additional programs dedicated to
client/customer privacy, awareness, and the like.
Each organization will typically have several
security programs that must be managed.
• 4. Protection The protection function is executed
via a set of risk management activities, as well as
protection mechanisms, technologies, and tools.
Each of these mechanisms or safeguards
represents some aspect of the management of
specific controls in the overall InfoSec plan.
• 5. People People are the most critical link in the
InfoSec program. This area encompasses security
personnel (the professional information security
employees), the security of personnel (the
protection of employees and their information),
and aspects of the SETA program.
• 6. Projects
• Whether an InfoSec manager is asked to roll out
a new security training program or select and
implement a new firewall, it is important that the
process be managed as a project. The final
element for thoroughgoing InfoSec management
is the application of a project management
discipline to all elements of the InfoSec program.
• Project management involves identifying and
controlling the resources applied to the project, as
well as measuring progress and adjusting the
process as progress is made toward the goal.
End of first Unit