Domain 1: Information Security Governance Flashcards
- Define Governance
- Steps
Governance - the rules that run the organization (policies, procedures, standards). Governance sets the direction and controls the organization’s activities.
Failure of governance = predominant reason for failure in security
- senior Mgmt determines requirements, outcomes, and level of acceptable risk
- Security manager sets control objectives to satisfy those requirements
- Security manager determines how to move from current state to desired state (gap analysis)
- Create road map to identify specifics needed to achieve objectives
- Identify resources needed to navigate road map and implement strategy. Identify constraints
ISO/IEC 27000
Requirements for managing an information security management system (ISMS)
- Policies
- Standards
- Business Case
- Examples of internal and external factors that may affect threats, vulnerabilities, and exposures
- Policies
- designed to mitigate risk
- usually developed in response to perceived threat
- state management intent and direction at high level
- support strategic objectives.
- Standards
- set boundaries for people, processes, procedures, and technologies
- maintain compliance with policies
- support achievement of organization’s goals and objectives
- combined with other controls to create security baselines
- Business Case
- captures the business reasoning for initiating project
- identifies the needs and business purpose
- encompasses benefits, total cost of ownership (TCO), and risk for the full cycle of the project
- Internal and External Factors
Internal - people, business activities, financial capacity to absorb loss
External - market changes, emerging threats, new technologies, new regulations, attackers
Importance of Metrics
- What cannot be measured cannot be managed.
- The most important requirement for good metrics is to identify what information is needed at the different organizational levels
- First step is to establish metrics that are meaningful to their recipients. Then communicate them to the appropriate personnel and continuously monitor
Benefits of prudent management
- address increased potential for civil or legal liability due to inaccurate information or absence of due care
- assurance of policy compliance
- increase predictability and reduce uncertainty of business operations by lowering risk to acceptable level
- provide framework to optimize allocations of limited security resources
- level of assurance that critical decisions are not based on faulty information
- firm foundation for efficient and effective risk mgmt, process improvement, rapid incident response and continuity mgmt
- greater confidence in interaction with trading partners
- trust in customer relationships
- protect organization’s reputation
- better ways to process electronic transactions
- safeguard information during critical business activities, such as mergers and acquisitions
- mgmt of resources
Six outcomes of Governance
ACRONYM: RRAPS-V
The objective of governance is to develop and manage security program that achieves these outcomes:
1. Strategic alignment - aligning security requirements with enterprise requirements; supports business objectives and strategy
2. Risk Management - managing risk to an acceptable level
3. Value Delivery - security investments should be managed to optimize support of business objectives and deliver clear value to the organization; there should be clear standards and practices in place, baselines, and continuous improvement to the program
4. Resource Optimization - document security processes and architectures. Security architectures should be developed to define and use infrastructures to achieve security objectives efficiently. This promotes recognition of the resource needs.
5. Performance Measurement - monitoring and reporting to ensure objectives are achieved, i.e. metrics
6. Assurance process integration - integrating all assurance functions with security
Relationship of Governance Elements
- Risk Capacity
- Risk Appetite
- Risk Acceptance vs risk appetite and risk capacity
- Residual Risk
- Risk Tolerance
- Risk Exposure
- Risk Register
- Inherent Risk
- Risk Transfer and at what impact and likelihood levels is this likely done?
- Risk Capacity - amount of loss an enterprise can tolerate without continued existence being called into question
- Risk Appetite - amount of risk an enterprise is willing to accept in pursuit of its mission
- Risk Acceptance vs risk appetite and risk capacity - Risk acceptance should not exceed risk appetite or risk capacity
- Residual Risk - Residual risk is the remaining risk after all mitigation efforts have occurred
- Risk Tolerance - the acceptable level of variation an organization is willing to allow for a risk
- Risk Exposure - the potential losses
- Risk Register - documentation of information discovered through risk analysis
- Inherent Risk - the risk that exists before any mitigation is applied (contrast with residual risk)
- Risk Transfer - process of assigning risk to another organization through purchase of insurance or outsourcing; commonly done with low-likelihood, high-impact risks such as floods
- Information Security
- IT Security
- Cybersecurity
- Information Security Governance
- Information Security - deals with all aspects of information (written, spoken, electronic) regardless of whether it is being created, transported, stored, or destroyed.
- IT Security - deals with the security of information within the boundaries of the technology domain, in a custodial capacity. IT is NOT the owner of the information; IT owns the machinery that processes it and functions as a custodian for the data owners.
- Cybersecurity - subdiscipline of information security. Includes both IT security and information security.
- Information Security Governance - scope and responsibilities should be clearly set in strategy and policies. It is essential that information security is supported by senior MGMT.
Governance, Risk Management, and Compliance (GRC)
- Governance - responsibility of senior MGMT and the board of directors. Focuses on creating mechanisms to ensure personnel follow established processes and policies
- Risk management - managing risk to an acceptable level. Identify potential risks and associated impacts. Prioritize mitigation based on business objectives. Develop and deploy internal controls to manage and mitigate risk throughout the organization
- Compliance - record and monitor the policies, procedures, and controls needed to ensure policies and standards are being followed
Effective integration of GRC requires that governance be in place before risk can be managed and before compliance can be enforced.
- Business Model for Information Security (BMIS)
- Systems Thinking
- Holistic approach
- Business Model for Information Security (BMIS) - uses systems thinking to clarify complex relationships within the enterprise in order to manage security more effectively. Made up of elements and dynamic interconnections, which form the basis of the model, establish the boundaries of an information security program, and model how the program functions and reacts to internal and external change (looks at complex environments, i.e. GRC, policies, people, etc., and their relationships).
- Systems Thinking - examine how systems interact and work, and why the whole is more than the sum of its parts
- Holistic approach - examine the system as a complete functioning unit rather than as a sum of its parts
BMIS 4 elements and 6 dynamic interconnections
***Elements
- Organization design and strategy - network of people, assets, and processes interacting with each other in defined roles and working towards common goal. The strategy specifies business goals and the objectives to be achieved. Sets the basic direction of the enterprise. The strategy should adapt to external and internal factors.
- People - defines who implements each part of the strategy. Internally, deals with recruitment, employee issues, termination. Externally, customers, suppliers, stakeholders have strong influence on enterprise
- Process - formal and informal mechanisms to get things done and a vital link to all dynamic interconnections. Identify, ensure, manage, and control risk, availability, confidentiality, integrity, and accountability. Ensure processes meet business requirements, align with policy, are well documented, communicated, and reviewed periodically
- Technology - tools, applications, and infrastructure
***Dynamic Interconnections - actions and behavior can force the model out of balance or bring it back to equilibrium
- Governance - sets limits within which an enterprise operates and is implemented within processes to monitor performance, describe activities, and achieve compliance while also providing adaptability to emergent conditions (organization > process)
- Culture - pattern of behaviors, beliefs, assumptions, attitudes, and ways of doing things. It is learned and creates sense of comfort. Culture exists at an organizational level (policies, expectations). What is information considered, how is it interpreted, and what will be done with it? (organization > people)
- Enablement and Support - make processes usable and easy, and be transparent, to ensure people comply with technical security measures. Policies, standards, and guidelines should eliminate conflicts of interest, be flexible enough to support changing business objectives, and be easy to follow (Process > Technology)
- Emergence - implies developing, growing, evolving, and refers to patterns in life of enterprise. Introduces possible solutions (i.e. Feedback loops, process improvement, change control) (Process > People)
- Human Factors - people may not understand how to use technology or refuse to embrace technology. Can cause internal threats such as data leakage, data theft. Important to train all users (People > Technology)
- Architecture - comprehensive and formal encapsulation of the people, processes, policies and technology that comprise an enterprise’s security practices. Ensures defense in depth. The design describes how security controls are positioned and how they relate to the overall enterprise architecture. Consistent and cost-effective
- Board of Directors
- Senior Management
- Business Process owners
- Steering Committee
- Chief Information Security Officer
- Board of Directors - it is essential that the Board is involved with and provides oversight of information security. A common concern for the Board is liability. The Board is protected by insurance; however, it must exercise due care. Neglecting to address risk is a failure of due care and therefore voids that protection. The US Sarbanes-Oxley Act mandates that every company listed on a stock exchange maintain an audit committee. The board often serves as the audit committee, monitoring internal controls, mainly financial controls.
- Senior Management - ensure organizational functions, resources, and infrastructure are available and properly utilized to fulfill directives of the board, regulatory compliance, etc.
- Business Process owners - responsible for aligning security activities to support business objectives
- Steering Committee - composed of senior representatives of the stakeholders/groups that are affected by security considerations. The security manager should ensure roles, responsibilities, activities, and scope are clearly defined for those on the steering committee. Material should be reviewed and solutions discussed prior to full committee meetings. Subcommittees are encouraged. Main purpose is to reach consensus on priorities, objectives, and trade-offs, balance culture, and provide an effective communication channel
- Chief Information Security Officer - usually a C-level role; typically reports to the CIO, CEO, or CTO
NIST 800-30 Rev 1
Guide for conducting risk assessments describes the key roles of personnel who must support risk management process
- CIO
- CISO
- ISM
- SO/IO
- Business/Functional Managers
- IT Security Practitioners
- Security Awareness Trainers / SMEs
- CIO - responsible for IT planning, budgeting, performance and components under CISO/information security manager
- CISO - generally performs same functions as information security manager, but holds officer/executive status; reports to CEO, chief operating officer (COO) or board of directors (BOD)
- ISM - responsible for security program, including risk management; act as major consultants in support of senior management
- SO/IO - ensures control implementation, policy compliance, approve changes
- Business and Functional Managers - responsible for business operations, and IT procurement, authority for trade-off decisions
- IT Security Practitioners - network, system, application, and database admins, computer specialists, security analysts, security consultants
- Security Awareness Trainers - must understand organization’s objectives and process to develop training materials and incorporate requirements into training programs for end users
How ISM obtains senior management commitment to information security program
Once ISM has developed security strategy, senior management must approve the strategy/program.
- Educate senior management on how critical IT systems and information are to continued operation of the enterprise
- Be clear on what an appropriate level of support from senior mgmt includes
- clear approval of policies, monitoring performance, supporting SAT, adequate resources and sufficient authority, treating information security as critical, high level oversight and control, addressing issues at senior mgmt/BOD meetings
Developing and presenting the Business Case
- Business Case
- Feasibility Study
- Stage Gates or Kill Points
- Formal presentations
- 6 elements of Feasibility Study (PCR-AER)
- Business case - provides the information required for organization to decide whether a project should proceed. The essential consideration is the value proposition or the cost-benefit analysis of moving forward with the project. Usually the first step or precursor to commencement of project
- Feasibility study - the initial business case derives from the feasibility study. This is an early study of a problem to assess whether a solution is practical and meets schedule and budget requirements.
- Stage Gates/Kill Points - a well-planned project will have decision points where the business case is formally reviewed to ensure it is still relevant. If the business case changes throughout the project, it should be reapproved
- Formal presentations - the ISM conducts formal presentations for senior mgmt highlighting the following: aligning security and business objectives; consequences of failing to achieve security objectives; budget items; total cost of ownership (TCO) / ROI; defined monitoring and auditing measures
- Project scope - defines the problem and/or opportunity
- Current analysis - define and establish an understanding of the current system, process, or product. Strength and weaknesses of current product are identified
- Requirements - these are based on stakeholder needs; constraints may be due to contractual and regulatory processes, end-user functional needs, etc.
- Approach - the recommended software and/or system to satisfy the requirements. This step also identifies alternatives and rationale for why the preferred solution was selected
- Evaluation - addresses the cost-effectiveness or value proposition of the approach selected. The final report should include the estimated total cost along with the cost of alternatives (including man-hours, material and facility costs, vendor/contractor costs, project schedule, etc.)
- Review - formal review of report with ALL stakeholders. Renders decision to approve or reject the project
Governance of Third-Party Relationships
- challenges
- ISM responsibility
- Challenges - cultural differences, technology incompatibilities, incident response process, business continuity, disaster recovery
- ISM responsibility - clearly document the potential risks and possible impact of third-party relationships
- security metric vs technical metric
- Risk assessments vs Metrics
- metric - quantifiable entity that allows measurement of achievement of a process goal
- security metric - degree of safety relative to a reference point
- technical metrics - tactical operational mgmt of technical security systems (IDSes, firewalls, servers, etc.). These metrics are of little value to mgmt because they say nothing about how well risk is being managed, policy compliance, etc.
- Full audits and risk assessments provide a snapshot of security whereas metrics are able to provide up to date information as requested
Good metrics are SMART and MAC-RAP
- specific - based on a clear goal
- measurable
- attainable
- relevant
- timely
additional considerations - MAC-RAP
- meaningful
- accurate
- cost-effective
- repeatable
- actionable
- predictable
- Value at Risk (VAR)
- Return on Security Investment (ROI)
- Annual Loss Expectancy (ALE)
- Key Goal Indicator (KGI)
- Key Performance Indicator (KPI)
- Litmus Test
- Value at Risk (VAR) - computes the maximum probable loss in a defined period (day, week, year) at a 95-99% confidence level, using Monte Carlo simulation, which runs thousands of calculations over historical data to predict possible losses
- Return on Security Investment (ROI) - calculated from the reduction in losses resulting from a security control compared to the cost of the control: ROI = ((amount gained or loss avoided - cost of control) / cost of control) x 100
- Annual Loss Expectancy (ALE) - annualized loss based on the probable frequency and magnitude of a security compromise
- Key Goal Indicator (KGI) - indicates whether goal has been met
- Key Performance Indicator (KPI) - indicates how well process is performing to meet the goal
- Litmus Test - reverse-order evaluation to see whether a specific control can be traced back to a specific business requirement. Controls that cannot be traced back should be re-evaluated and possibly eliminated
Common Pitfalls of flawed decision making (12)
- overconfidence
- optimism
- anchoring
- status quo
- mental accounting
- the herding instinct/faddism
- False Consensus
- Confirmation Bias
- Selective recall
- biased assimilation
- biased evaluation
- groupthink
Common Pitfalls of flawed decision making
- overconfidence
- optimism
- anchoring - once a number has been presented to someone, that person will rely on that first value
- status quo - sticking with familiar or known approaches
- mental accounting - treating money differently depending on where it comes from, where it is kept, and how it is spent (i.e. imposing cost caps on the core business while spending freely on a startup)
- the herding instinct/faddism - seek validation from others
- False Consensus - overestimate the extent that others share their views
- Confirmation Bias - seeking opinions that support one’s own beliefs
- Selective recall - remembering certain facts
- biased assimilation - accepting only facts that support current position
- biased evaluation - easy acceptance of evidence that supports one’s hypotheses while rejecting other evidence
- groupthink - pressure for agreement in team based cultures
COBIT 5
- 5 principles (Mc-AES)
- 7 enablers (PPOC-ISP)
- COBIT - a comprehensive framework for the governance and management of enterprise IT and extensively addresses IT security, governance, risk, and information security.
- Based on 5 principles (Mc-AES)
- Meeting Stakeholder Needs - enterprises exist to create value for stakeholders by maintaining balance between benefit and risks
- Covering the Enterprise End-to-End - this framework will benefit all functions and processes within the enterprise
- Applying a Single, Integrated Framework - this framework aligns with many other frameworks
- Enabling a Holistic Approach - taking into account several interacting components. This framework defines 7 categories of enablers below (PPOC-ISP)
- Separating Governance from Management - Governance ensures stakeholder needs are evaluated to determine agreed-on enterprise objectives to be achieved, sets direction through prioritization and decision making, and monitors performance and compliance. Usually the responsibility of the BOD. Management plans, builds, runs, and monitors activities in alignment with the objectives determined by the BOD. Responsibility of senior MGMT under the leadership of the CEO.
7 Categories of Enablers below:
- Principles, Policies, and Frameworks - vehicle to translate the desired behavior into practical guidance for day to day mgmt.
- Processes - describe an organized set of practices and activities to achieve certain objectives to produce outputs in support of achieving goals
- Organizational structures - decision making entities in organization
- Culture, ethics, and behaviors - this is underestimated as a factor in an organization’s success
- Information
- Services, infrastructure, and applications
- People, skills, and competencies
- COBIT 5 Process Assessment Model (PAM) Maturity Levels
- Capability Maturity Model Integration (CMMI)
- COBIT 5 Process Assessment Model (PAM) - a tool used to assess the current state and define a future desired state; conforms to ISO/IEC 15504-2 (conducting a process assessment of each COBIT 5 process, resulting in a maturity level from 0 to 5)
- Capability Maturity Model Integration (CMMI) - a framework that provides guidance to elevate performance. There are 5 levels:
- Initial - processes are unpredictable, poorly controlled, and reactive
- Managed - processes are characterized for projects and are often reactive
- Defined - processes are characterized for the organization and are proactive
- Quantitatively Managed - Processes measured and controlled
- Optimizing - Focus on process improvement