Cybersecurity Principles and Governance

Domain 1: Security Principles and Governance Elements

Introduction to Governance Elements

  • Leaders and management implement systems and structures to achieve organizational goals.

  • Governance is guided by the laws and regulations that enact public policy.

Relationship between Regulations, Standards, Policies, and Procedures

  • Regulations:

    • Issued in law, typically from government.

    • Non-compliance may result in financial penalties.

  • Standards:

    • Provide a framework to introduce policies and procedures supporting regulations.

  • Policies:

    • Established by governance (e.g., executive management).

    • Guide organizational activities to ensure compliance with industry standards and regulations.

  • Procedures:

    • Detailed steps necessary to complete tasks aligned with policies.

Governance and Organizational Purpose

  • All organizations exist to fulfill specific purposes. Examples include:

    • Providing raw materials.

    • Manufacturing equipment.

    • Developing software applications.

    • Constructing buildings.

    • Supplying goods and services.

  • Decisions must be made, rules defined, and policies in place to achieve organizational goals.

Examples of Regulations and Standards

  • Health Insurance Portability and Accountability Act (HIPAA) of 1996:

    • Regulates the use of Protected Health Information (PHI) in the U.S.

    • Violations can lead to fines and imprisonment.

  • International Organization for Standardization (ISO):

    • Develops international standards, including those for information systems and security.

    • Standards are available for purchase online.

  • General Data Protection Regulation (GDPR):

    • Enacted by the EU to regulate Personally Identifiable Information (PII) of its citizens.

    • Companies must comply even if they do not have a physical presence in the EU, affecting their operations internationally.

Multilevel Regulation Compliance

  • Organizations may face regulations at multiple levels:

    • National.

    • Regional.

    • Local.

  • Must ensure compliance with the most restrictive regulations relevant to their operations.

Role of Standards in Information Security

  • Standards serve both as compliance documents and as guides to best practice.

  • They help ensure that policies and procedures align with regulations.

Governance Policies

  • Policies are informed by applicable laws and define which standards to follow.

  • They establish context, strategic direction, and priorities for the organization.

  • Operate on multiple levels within the organization:

    • High-level Governance Policies: Shape decisions made by executives.

    • Functional Area Policies: Specific to areas like HR, finance, and security.

Implementation of Policies through Procedures

  • Policies are translated into procedures for operational execution.

  • Procedures detail the steps and criteria necessary to execute tasks.

    • Can address both one-time and regular activities.

    • Provide criteria for measuring whether tasks were completed effectively.

  • Proper documentation and training are essential for successful implementation.

Technical Standards in Organizations

  • National Institute of Standards and Technology (NIST):

    • A U.S. government agency that publishes technical standards for IT and cybersecurity.

    • NIST standards are often free to access and widely respected in both governmental and industrial settings.

  • Internet Engineering Task Force (IETF):

    • Sets standards for communication protocols to enable global computer communication across different languages.

  • Institute of Electrical and Electronics Engineers (IEEE):

    • Establishes standards for telecommunications and computer engineering.

Security Controls

Types of Security Controls

  • Physical Controls:

    • Use physical mechanisms (e.g., badge readers, facility architectural features) to manage access and movement within locations.

    • Protect entry to the organization’s premises and manage visitor access.

  • Technical Controls:

    • Implemented by computer systems/networks to protect against unauthorized access.

    • Include configuration settings or parameters, for example those managed through a graphical user interface.

  • Administrative Controls:

    • Directives and guidelines that tell people within the organization how to act in line with security policy.

    • Effective when integrated into daily operations and referenced during training.

Risk Identification

Concepts of Risk in Security

  • Risks must be identified at all organizational levels.

  • Employees have a role in identifying risks to protect the organization.

  • Risk identification is a continuous process, involving regular assessment of potential hazards.

Examples of Regulatory Impact on Operations

  • GDPR protects data of EU individuals regardless of their citizenship.

  • HIPAA guards patient medical information in the U.S. with strict compliance requirements.

Risk and Security Management Models

  • The concepts of assets, vulnerabilities, and threats are central to information security risk:

    • Assets: Things that need protection.

    • Vulnerabilities: Gaps or weaknesses in protection efforts.

    • Threats: Entities aiming to exploit vulnerabilities.

Assessing Risk Management Decisions

  • Organizations evaluate risk likelihood, impact, and tolerance.

  • Strategic decisions are typically made by top management regarding which risks to accept or ignore.

Decision Making Based on Risk Priorities

Operational Risk Management

  • Security professionals analyze operational risks and communicate findings to relevant stakeholders.

  • Risk data should be leveraged effectively in decision making.

Terminology Recap

  • Asset: Something that must be protected.

  • Vulnerability: A weakness in security measures.

  • Threat: An entity that exploits vulnerabilities.

Privacy and Security Regulations

Understanding Privacy

  • Privacy rights provide individuals control over their personal information.

  • Privacy laws vary by region (e.g., HIPAA and GDPR).

Role of Privacy in the Cybersecurity Context

  • Professionals must stay informed about privacy standards related to their operations globally.

The CIA Triad

Definition and Components

  • Confidentiality:

    • Ensuring that only authorized users can access information.

  • Integrity:

    • Maintaining the correctness and reliability of data.

  • Availability:

    • Ensuring access to systems/data when needed by users.

Importance of the CIA Triad

  • Helps communicate the purpose of information security clearly to management and users.

  • Establishes common terminology in the field of information security and risk management.