
Information Security and Governance

ISC2 Code of Ethics

  • Preamble: safety and welfare of society, duty to principals, duty to each other; adherence to the highest ethical standards; certification is conditioned on adherence to the Code.

  • Canons (four core duties):

    • Protect society, the common good, public trust, and infrastructure

    • Act honorably, honestly, justly, responsibly, and legally

    • Provide diligent and competent service to principals

    • Advance and protect the profession

Privacy in the Working Environment

  • Privacy governs how private information is handled; controls depend on jurisdiction.

  • US: HIPAA governs privacy of medical information.

  • EU: GDPR gives individuals control over personal data within EU borders; extraterritorial reach.

  • As a security professional, know privacy laws/regulations in all jurisdictions where your company operates; act accordingly.

Risk Management Terminology

  • Asset: something in need of protection

  • Vulnerability: gap or weakness in protection

  • Threat: something or someone that exploits a vulnerability to thwart protection

Decision Making Based on Risk Priorities

  • Decisions consider: likelihood, impact, and risk tolerance (organization-specific).

  • Example: an organization in Hawaii weighs volcanic risk, one in Chicago weighs blizzards; in each case executives set the risk tolerance at the top.

  • Ignoring/accepting risk can increase liability (e.g., exposure to asbestos).

  • Risk = Likelihood × Impact

Importance of Risk Management

  • Threat: potential event that can exploit a vulnerability to harm assets

  • Vulnerability: weakness in protection of assets (including information)

  • Asset: item to protect (e.g., IT components, power supply, information)

  • Risk treatment: evaluate likelihood and impact, then mitigate appropriately

  • Governance and compliance influence daily operations (laws/regulations, standards)

Regulations and Governance Elements

  • Regulations/Laws affect operations (e.g., GDPR, HIPAA)

  • Standards and published frameworks guide organizational policies

  • Policy vs governance: policy sets direction; governance guides decision making and compliance

  • Compliance can incur penalties for violations; regulations vary by region

Risk Identification

  • Risk identification is recurring: identify, characterize, and estimate disruption potential

  • Know organization’s strategic, tactical, and operational plans

  • How to identify risks: be vigilant in daily operations; move from observation to action

  • Takeaways:

    • Identify risk to communicate it clearly

    • Employees at all levels responsible for identifying risk

    • Identify risk to protect against it

  • Security professionals assist in system-level risk assessment (process, controls, monitoring, incident response, recovery)

What are Security Controls?

  • Physical controls: use physical hardware (badge readers, architectural features, staff actions) to control movement of people/equipment

  • Technical (logical) controls: automated protection, detection, and enforcement in systems/networks; implement access controls and data protection

  • Administrative controls: policies, directives, guidelines to shape human behavior; cover entire organization; can be highly effective when trained and practiced

Security Controls: Implementation & Integration

  • Technical controls involve configurations, GUI management, or hardware settings

  • Implement controls through in-context references and training so they become part of day-to-day activities

  • Integrate controls with identity management, access control, and secure systems into a seamless security posture

Governance Elements: Policy, Standards, Procedures

  • Governance: decisions, rules, and policies guiding the organization toward its goals

  • Policy: broad, strategic; informed by laws; sets standards and direction

  • Governance policies: direct decision-making and ensure compliance when needed

  • Other policies exist at various organizational levels; high-level policies guide behavior across the organization

  • Procedures: explicit, repeatable steps to perform tasks; include decision criteria and measurement criteria; require proper documentation and training

Standards and Regulation References

  • HIPAA (1996): governs PHI in the US; violations carry fines/imprisonment for individuals and organizations

  • ISO: international standards for information security and related topics

  • GDPR: EU regulation protecting PII (personally identifiable information); penalties for non-compliance; extraterritorial reach

  • Multinational organizations face multiple regulations; ensure compliance across regions

Standards, Regulations, and Programs Overview

  • Organizations use multiple standards to support compliance and best practices

  • Regulations can impose fines/penalties; apply at national, regional, and local levels; act according to the most restrictive region

  • NIST (US): publishes technical standards; many are required for US government agencies; widely used; free to download

  • IETF (Internet Engineering Task Force): standards for Internet protocols enabling global interoperability

  • IEEE: standards for telecommunications, computer engineering, and related fields

Policy, Standards, and Procedures in Practice

  • Policy is informed by law; establishes context and strategic direction

  • Standards and procedures translate policy into actionable guidance

  • Procedures provide step-by-step instructions and measurement criteria; support consistent task performance

  • Documentation and training maximize benefits of procedures