Security Plus - Chapter 16 Flashcards
Corporate Governance
Ensures that the organization sets an appropriate strategic direction, develops a plan to implement that strategy, and then executes its strategic plan.
Corporate Structure (Public company):
Shareholders -> Board of Directors -> Chief Executive Officer -> Management Team
Information Security Governance
The CISO is appointed by the CEO or another C-level direct report to the CEO. The CISO then works with the senior management team to design and implement an information security framework that guides the activity of the information security program and ensures alignment with the organization’s information security strategy.
Types of Governance Structure
Centralized governance - A top-down approach where a central authority creates policies and standards, which are then enforced throughout the organization.
Decentralized governance - Uses a bottom-up approach, where individual business units are delegated the authority to achieve cybersecurity objectives and then may do so in the manner that they see fit.
Information Security Policy Framework
A series of documents designed to describe the organization's cybersecurity program. The scope and complexity of these documents vary widely, depending on the nature of the organization and its information resources.
Four types of documents:
Policies - High-level statements of management intent. Compliance with policies is mandatory. A policy usually contains broad statements about cybersecurity objectives:
- A statement of the importance of cybersecurity to the organization
- Requirements that all staff and contractors take measures to protect the confidentiality, integrity, and availability of information and systems
- Statement on the ownership of the information created and/or processed by the organization
- Designation of the CISO or other individual as the executive responsible for cybersecurity issues
- Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy
Specific policies to create:
- Information Security policy - Provides high-level authority and guidance for the cybersecurity program
- Incident Response policy - Describes how the organization will respond to a cybersecurity incident
- Acceptable Use policy - Provides network and system users with clear direction on permissible uses of information resources
- Business Continuity and Disaster Recovery policy - Outlines the procedures and strategies that ensure essential business functions continue to operate during and after a disaster, and that data assets are covered and protected.
- Software Development Lifecycle policy - Establishes the process and standards for developing and maintaining software, ensuring that security is considered and integrated at every stage of development
- Change management and control policy - Describes how the organization will review, approve, and implement proposed changes to information systems in a manner that manages both cybersecurity and operational risk.
Standards - Provide mandatory requirements describing how an organization will carry out its information security policies. May include specific configuration settings, the controls that must be put into place, or any other security objective.
Four types of standards:
- Password standard - Sets forth requirements for password length, complexity, reuse, and similar issues.
- Access control standard - Describes the account lifecycle from provisioning through active use and decommissioning.
- Physical security standard - Establishes guidelines for securing the physical premises and assets of the organization.
- Encryption standard - Specifies the requirements for encrypting data both in transit and at rest. Includes the selection of the algorithm, key management practices, and the conditions under which data must be encrypted to protect the confidentiality and integrity of information.
Procedures - Detailed step-by-step processes that individuals and organizations must follow in specific circumstances. They ensure a consistent process to achieve a security objective. Compliance with procedures is mandatory. Procedures to be included in policy frameworks:
- Change management procedures
- Onboarding and offboarding procedures
- Playbooks - Describe the actions that the organization’s incident response team will take when specific incidents occur.
Guidelines - Provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory.
Understand that these documents must take into account a few other concerns: the organization's business objectives, and external considerations that may impact the policies:
- Regulations
- Industry-specific considerations that may alter your approach
- Jurisdiction-specific considerations based on global, national, and/or local/regional issues in the areas the organization operates.
Exceptions and Compensating Controls
An organization should provide a mechanism for exceptions to the rules established by policies, standards, and procedures. The policy framework should include the specific requirements for receiving an exception and the individual or committee with the authority to approve it.
Exception processes usually require the use of compensating controls to mitigate the risk. Often these are temporary requests until a system is able to establish the proper control requirements. For example, the PCI-DSS exception requirements:
- The control must meet the intent and rigor of the original requirement
- The control must provide a similar level of defense as the original requirement, to offset the risk
- The control must be “above and beyond” other PCI-DSS requirements
- The control must address the additional risk imposed by not meeting the requirement
- The control must address the requirement currently and in the future.
Change Management Processes and Controls
Standard operating procedures for changes:
1. Request the change - Submit a request once it is known what updates or changes need to be made to a system.
2. Review the change - Experts within the organization review the change. This ensures that the change is reviewed by the staff members who are the experts for that system.
3. Approve/Reject the change - The experts then determine whether the change should be approved or rejected. The experts should sign off on the change control request with their response.
4. Test the change - Once approved, the change should be tested in a non-production environment. Ensure that a backout plan is established in case the change causes an unexpected impact to the system.
5. Document the change - Make sure that all documentation regarding the system is updated with the changed/updated information.
Common Compliance Requirements
HIPAA - Security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses.
PCI-DSS - Provides detailed rules regarding the storage, processing, and transmission of credit and debit card information.
Gramm-Leach-Bliley Act - GLBA - Covers US financial institutions, requiring them to have a formal security program and to designate an individual with overall responsibility for the program.
Sarbanes-Oxley - SOX - Applies to the financial records of publicly traded institutions and requires those companies to have a strong degree of assurance for the IT systems that store and process those records.
General Data Protection Regulation - GDPR - Implements security and privacy requirements for the personal information of European Union residents worldwide.
Family Educational Rights and Privacy Act - FERPA - Requires US educational institutions to implement security and privacy controls for student educational records.
Data breach notification laws are also established on a state-by-state basis.
Compliance Monitoring
Ensuring that organizations adhere to various laws, regulations, and contractual obligations.
Due Diligence - The process of continuously researching and understanding the legal and regulatory requirements that pertain to the organization.
Due care - Refers to the ongoing efforts to ensure that the implemented policies and controls are effective and continuously maintained.
Acknowledgement - Ensuring that employees and business partners state that they are aware of the compliance requirements.
Attestation - Ensures that employees and business partners validate or confirm that they are aware of these policies and controls.