5.1 Summarize elements of effective security governance Flashcards
Policies vs Standards vs Procedures vs Guidelines
Policies: brief, high-level statements that identify goals based on an organization’s overall beliefs and principles.
- Acceptable Use Policies (AUP): Define system usage rules; users acknowledge understanding.
- Information Security Policies: Protect data; set rules for passwords, data handling, and internet use.
- Business Continuity and Disaster Recovery Policies: Ensure operations continue during disruptions; outline backup and recovery.
- Incident Response Policies: Define steps and roles for responding to security incidents.
- Software Development Lifecycle (SDLC) Policies: Secure software development process with standards for each phase.
- Change Management Policies: Control IT changes with a process for request, approval, testing, and documentation.
Standards: Details on how policies are implemented.
Security policies are typically high-level documents that set forth general requirements without getting into specific details. This allows them to remain fairly constant even when technology and the business change. Security standards, on the other hand, are where the details surface. Security standards outline technical and business requirements for security.
- Password Standards: Define requirements for password length, complexity, and expiration, and for avoiding common passwords.
- Access Control Standards: Set rules for access levels, roles, and procedures for granting or revoking access.
- Physical Security Standards: Outline protections for physical assets, including locks, alarms, and environmental safeguards.
- Encryption Standards: Specify approved methods for encrypting data at rest, in transit, and in use.
Procedures: Step-by-step instructions to follow policies and standards.
- Change Management Procedures: Define steps for requests, approvals, and implementation of changes.
- Onboarding Procedures: Grant new hires access following least privilege; provide accounts and resources as needed.
- Offboarding Procedures: Remove access, disable accounts, collect equipment, and retrieve security badges/cards.
Security Guidelines
Optional best practices to help employees meet security requirements effectively.
- Example: Guidelines may suggest the best methods for laptop encryption within policy requirements.
Governance Structures
- Boards: Elected by shareholders to set strategy, policies, and key decisions.
- Committees: Board subgroups focusing on specific areas.
- Government Entities: Set laws and regulations for compliance, especially in public sectors.
Centralized vs. Decentralized Structures:
- Centralized
- Decentralized
Policies
- Acceptable Use Policy (AUP): Outlines do’s and don’ts for users, protecting the organization from legal and security risks.
- Information Security Policies: Define how to protect information assets through data classification, access control, encryption, and physical security. Ensure confidentiality, integrity, and availability (CIA).
Business Continuity: How an organization sustains critical operations during and after disruptions, minimizing impact and enabling quick recovery.
- Tabletop Exercises: Discussion-based walkthroughs held in a conference-room setting.
- Simulations: Hands-on exercises in a simulated environment.
- Parallel Processing: Activates the disaster recovery site to run alongside the primary site.
- Failover Tests: Shuts down the primary site to verify that the failover site functions.
- Disaster Recovery: Focuses on recovering IT systems and data, including backup, restoration, and alternative locations. May be part of the BCP or a separate document.
- Incident Response: Covers detection, reporting, response, and prevention of security incidents.
- SDLC
- Change Management: Manages IT changes to minimize disruptions through request, approval, implementation, and review processes.
Standards
Framework for implementing security measures, ensuring a complete security posture.
- Password Standards: Define password complexity, length, changes, reuse rules, and emphasize hashing and salting.
- Access Control Standards: Enforce least privilege and separation of duties; manage resource access using access control models (see the separate card).
- Physical Security Standards
- Encryption Standards: Keep data secure with algorithms like AES or RSA, balancing security and performance.
Procedures
A structured approach that ensures consistency, efficiency, and compliance with standards.
- Change Management: Handles organizational changes smoothly.
- Onboarding and Offboarding Procedures:
- Playbooks: Detailed guides with step-by-step instructions for specific tasks. Used for processes like cybersecurity response or customer complaint handling.
Governance Considerations
- Regulatory Considerations: The need for organizations to comply with all relevant laws and regulations that apply to their operations.
- Legal Considerations: Includes contract law, intellectual property, and employment law.
- Industry Considerations: Industry-specific standards and ethical practices influence customer expectations. Non-adoption can harm competitiveness and reputation.
Geographical Considerations:
- Local: Zoning laws, city ordinances.
- Regional: CCPA (California).
- National: ADA (US-wide).
- Global: GDPR (applies to EU data worldwide). Even if a company is based outside of the EU, if it collects or processes the data of EU citizens, it must comply with the GDPR.
- Handling conflicting laws requires legal expertise and governance flexibility.