5.1 Summarize elements of effective security governance

  • Policies, standards, and procedures are fundamental components of an organization's security program.
      - Policies: High-level, authoritative documents that define the organization's commitment to security.
      - Standards: More specific than policies, they specify methods to implement technical and procedural requirements.
      - Procedures: Detailed, step-by-step instructions for completing specific tasks while aligning with standards.
      - Procedures ensure clear directions for individuals to perform their job duties consistently, securely, and efficiently.

Organizational Policies

  • Organizational policies are critical for effective governance and compliance.
      - Framework for Operations: They provide the framework for operations, decision-making, and behavior within the organization.
      - Governance Definition: Governance refers to processes used to direct and control an organization, including decision-making and risk management.
      - Outputs of Governance: Policies are the outputs of governance, establishing rules for decision-making processes, risk mitigation, fairness, and transparency.
      - Expectations for Performance: Policies set performance expectations, align the organization, prevent misconduct, and eliminate inefficiencies.
      - Compliance: Refers to how well an organization adheres to relevant regulations, policies, standards, and laws.
      - Policies integrate legal and regulatory requirements into operations, defining rules and procedures for compliance and consequences of non-compliance.
      - Example: A data privacy policy detailing practices for maintaining compliance with laws protecting customer data.

Common Organizational Policies

  • Acceptable Use Policy (AUP): Outlines acceptable behavior by users of network and computer systems.
      - Addresses browsing behavior, content, software downloads, and handling sensitive information.
      - Ensures user activities do not harm the organization or resources.
      - Details consequences for non-compliance and requires user acknowledgment of the policy.

  • Information Security Policies: Ensure that all IT users comply with the requirements for securing information under the organization's authority.

  • Business Continuity & Continuity of Operations Plans (COOP): Focus on essential processes during and after disruptions (e.g., natural disasters, cyber-attacks).

  • Disaster Recovery Policies: Outline steps to recover from catastrophic events (e.g., natural disasters, hardware failures, security breaches) aiming to restore operations efficiently.

  • Incident Response Policy: Details procedures to follow after a security breach or cyberattack, including steps for investigating and mitigating impacts.

  • Software Development Life Cycle (SDLC) Policies: Govern software development, detailing stages from requirement analysis to maintenance post-deployment, ensuring compliance with efficiency, reliability, and security standards.

  • Change Management Policies: Define processes for requesting, reviewing, approving, and implementing changes to IT systems.

Guidelines

  • Guidelines provide recommendations that steer actions within specific roles or departments, offering flexibility compared to policies.
      - They represent best practices and suggestions for achieving goals effectively.
      - Example of a guideline: Help desk support procedures related to email responses.
      - Differences: Policies are mandatory, while guidelines offer recommendations allowing discretion.

  • Regular reviews of guidelines are essential to ensure they remain practical and relevant.

Procedures

  • Procedures translate policies and standards into specific tasks, providing checklists for compliance.

Personnel Management

Identity and Access Management (IAM)
  • IAM encompasses both IT/security procedures and HR policies across three phases:
      - Recruitment: Finding and selecting candidates, including security screening and background checks.
      - Operation: HR communicates policy and training to employees, emphasizing security training.
      - Termination: Managing the exit process, including security implications for departing employees.

Background Checks
  • Background checks verify identity and check for potential risks (criminal activity, bankruptcy).
      - Higher scrutiny for positions with access to confidential information or requiring security clearance.

Onboarding

  • Onboarding processes involve welcoming new employees and may include similar processes for contractors.
      - Joint efforts from IT and HR to create user accounts and assign appropriate privileges while preventing configuration vulnerabilities.

  • Tasks involved in onboarding include:
      - Secure Transmission of Credentials: Issuing passwords or smart cards securely to avoid exploitation.
      - Asset Allocation: Providing users with computers or mobile devices in a securely configured state.
      - Training/Policies: Scheduling security awareness training and assessments.

  • IAM automation can streamline onboarding processes by automating user account provisioning and management, improving security.

Playbooks

  • Essential for documenting standardized operational procedures and guiding personnel, enhancing consistency and quality.
      - Promote knowledge sharing and continuity within the organization.

  • Important in incident response and crisis management, aiding personnel in making swift decisions under pressure.

  • Best practices and frameworks (like MITRE ATT&CK and NIST SP 800-61) assist in developing effective playbooks.

Change Management

  • Changes in systems should be planned with careful consideration of their impacts.

  • Significant changes should be trialed, and changes must come with a rollback plan for unforeseen consequences.

Offboarding

  • Offboarding processes are crucial for ensuring a secure exit.
      - Account Management: Disabling user accounts and revoking access to company information.
      - Company Assets Retrieval: Collecting all company devices and confirming no retained copies of sensitive information.
      - Personal Asset Wiping: Ensuring corporate data is removed from employee-owned devices.

Standards

  • Standards define expected outcomes for tasks and are influenced by regulatory requirements, business needs, risk management strategies, and industry practices.

Common Regulatory Standards
  • ISO/IEC 27001: Information security management system (ISMS) framework ensuring security controls are proportionate.

  • ISO/IEC 27002: Companion standard with guidance on controls for ISMS.

  • ISO/IEC 27017: Addresses cloud services within ISO/IEC 27001 scope.

  • ISO/IEC 27018: Focuses on protecting personally identifiable information (PII) in clouds.

  • NIST SP 800-63: Guidelines for digital identity, including password controls.

  • PCI DSS: Security standards for organizations handling credit card transactions.

  • FIPS: Guidelines developed by NIST for federal systems, specifying cryptographic requirements.

Internal Standards
  • Organizations create internal standards to manage operations and protect resources.
      - Standards differ from policies, focusing on implementation over business practices.
      - Example of password standards:
        - Hashing Algorithms: Requirements for secure password storage.
        - Secure Password Transmission: Secure methods for transmitting passwords.

Access Control Standards
  • Ensure only authorized individuals can access necessary information, preventing unauthorized changes.
      - Include models like role-based access control (RBAC) and methods for user identity verification.

Physical Security Standards
  • Protect physical aspects of IT environments (data centers, hardware).
      - Standards encompass building security, workstation security, and visitor management.

Encryption Standards
  • Define acceptable encryption methods to protect data.
      - Address algorithms, key lengths, and key management procedures.

Legal Environment

  • Governance committees ensure compliance with cybersecurity laws to mitigate legal liabilities.
      - Must address risks like regulatory compliance, contractual obligations, privacy laws, and public disclosure laws.

Key Cybersecurity Laws
  • GDPR: Governs personal data collection, requiring informed consent and privacy rights.

  • CCPA: Grants California residents the right to access and delete personal data collected.

  • FISMA: Promotes security for federal data management.

  • Various other national and regional laws enforce specific cybersecurity practices across industries, such as HIPAA, GLBA, and others relevant to healthcare and finance.

Governance Practices

  • Organizations must regularly monitor, evaluate, and update their cybersecurity policies and legal compliance measures.
      - Collaboration is essential for reviewing and updating policies.

Governance Boards and Committees

  • Governance boards provide strategic direction for cybersecurity governance, involving executives and stakeholders.
      - Committees aid in complex decision-making, offering analysis and recommendations.
      - Hybrid governance balances centralized and decentralized approaches for flexibility and standardization.

Government Entities

  • Specialized agencies (e.g., regulatory, intelligence, and law enforcement bodies) enforce security standards and provide the regulatory framework for security governance across various sectors.

Data Governance Roles

  • Key roles include:
      - Owner: Responsible for data protection strategy and access decision-making.
      - Controller: Ensures that data is processed lawfully and in compliance with data protection regulations.
      - Processor: Manages data processing on behalf of the controller, maintaining security measures.
      - Custodian: Implements security controls and safeguards data integrity.

  • Effective security governance relies on close coordination among these roles to maintain compliance and security.