CNIT 160: Ch 2a: Introduction to Information Security Governance
0 likes342 views
The document discusses the foundational aspects of information security governance, including its importance, activities, roles, and responsibilities within organizations. It emphasizes alignment with business objectives, risk management, monitoring, and compliance to ensure effective security practices are in place. Key roles such as the Chief Information Security Officer (CISO) and various IT staff are defined along with their contributions to maintaining a secure information environment.
CNIT 160: Ch 2a: Introduction to Information Security Governance
- 1. CNIT 160: Cybersecurity Responsibilities 2. Information Security Governance Part 1 Pages 16 - 55
- 2. Topics in Part 1 • Introduction to Information Security Governance • Reason for Security Governance • Security Governance Activities and Results • Business Alignment • Roles and Responsibilities
- 3. Topics in Part 1 (continued) • Introduction to Information Security Governance (continued) • Monitoring Responsibilities • Information Security Governance Metrics • The Security Balanced Scorecard • Business Model for Information Security
- 4. Topics in Part 2 • Security Strategy Development • Strategy Objectives • Control Frameworks • Risk Objectives • Strategy Resources • Strategy Development • Strategy Constraints
- 5. Governance • A process whereby senior management exerts strategic control over business functions • Through policies, objectives, delegation of authority, and monitoring • Ensures that business processes effectively meet vision and objectives
- 6. Information Security Governance • Focuses on key processes • Personnel management • Sourcing • Risk management • Configuration management • Change management • Access management
- 7. Information Security Governance • Focuses on key processes (continued) • Vulnerability management • Incident management • Business continuity planning • Establishment of an effective organization structure and clear statements of roles and responsibilities
- 8. Information Security Governance • Monitor processes with scorecard or metrics • Continuous improvement changes processes to keep them effective and support ongoing business needs
- 13. Reason for Security Governance • Organizations are dependent on information systems • Must understand priority of • Confidentiality • Integrity • Availability
- 14. Security Governance Activities and Results • Risk management • Risk assessments and follow-up actions to reduce risks • Process improvement • Event identification • Security events and incidents • Incident response
- 15. Security Governance Activities and Results • Improved compliance • With laws, regulations, and standards • Business continuity and disaster recovery planning • Metrics management • Measure key security events, such as incidents, policy changes, violations, audits, and training
- 16. Security Governance Activities and Results • Resource management • Allocation of manpower, budget, and resources • Improved IT governance • Increased trust • From customers, suppliers and partners • Improved reputation
- 17. Business Alignment • Security program must align with guiding principles • Mission • Why the organization exists • Goals and objectives • What achievements it wants to accomplish • Strategy • Activities needed to fulfill goals and objectives
- 18. Organization's Characteristics • Culture • Asset value • Risk tolerance • Legal obligations • Market conditions
- 19. Dr. No • Security that prevents necessary business practices • Leads to "Shadow IT" • Departments setting up uncontrolled IT assets
- 20. Organization's Characteristics • Goals and objectives • Risk appetite • Risk-averse organizations have a formal system of accountability for risk decisions
- 22. Roles and Responsibilities • Role describes expected activities
- 23. Ranks • In order of increasing seniority
- 25. RACI Charts
- 26. RACI Charts
- 27. Considerations • When assigning roles in a RACI chart • Skills • Segregation of duties • Conflict of interest
- 28. Ch 2a-1
- 29. Board of Directors • Fiduciary duty • Accountable to shareholders to act in the best interests of the organization • Selected for • Investor representation • Business experience • Access to resources • Appoints the CEO
- 30. Five Principles • From National Association of Corporate Directors
- 31. Executive Management • Carries out directives from the board of directors
- 32. • Ratifies corporate security policy • Publicly supporting it • Leads by example • Has ultimate responsibility Executive Management
- 33. Security Steering Committee's Responsibilities • Risk treatment deliberation and recommendation • Discussion and coordination of IT and security projects • Review of recent risk assessments • Discussion of new laws, regulations, and requirements • Review of recent security incidents
- 34. Business Process and Business Asset Owners • Usually nontechnical personnel • Responsibilities: • Access grants, revocation, and reviews • Configuration • Function definition • Process definition • Physical location
- 35. Custodial Responsibilities • IT staff acts as a proxy for asset owners • Should implement decisions from the asset owner • But often the asset owner is uninvolved and uninformed, instead of periodically reviewing these decisions
- 37. Chief Information Security Officer (CISO) • Highest-ranking security person • Develops security strategies • Similar titles • Chief Security Officer (CSO) • Chief Information Risk Officer (CIRO) • Chief Risk Officer (CRO)
- 38. Position of CISO • Reports to Chief Operating Officer (COO) or Chief Executive Officer (CEO) • Sometimes to CIO or legal or someone else • Many organizations lack a CISO but have a manager of information security lower on the org chart, weakening security posture • Small to medium-sized orgs may contract with a virtual CISO for strategy and planning
- 39. Rank Sets Tone and Gives Power
- 40. Chief Privacy Officer • For organization with large amounts of customer Personally Identifiable Information (PII) • Regulations like • Health Insurance Portability and Accountability Act (HIPAA) • Fair Credit Reporting Act (FRCA) • The Gramm-Leach-Bliley Act (GLBA)
- 41. Software Development • Systems architect • Systems analyst • Software engineer/developer • Software tester
- 42. Data Management • Data manager • Database architect • Big data architect • Database administrator (DBA) • Database analyst • Data scientist
- 43. Network Management • Network architect • Network engineer • Network administrator • Telecom engineer
- 44. Systems Management • Systems architect • Systems analyst • Storage engineer • Systems administrator
- 45. Operations • Operations manager • Operations analyst • Controls analyst • Systems operator • Data entry • Media manager
- 46. Security Operations • Security architect • Security engineer • Security analyst • Examines logs • Access administrator
- 47. Security Audit • Security audit manager • Security auditor
- 48. Service Desk • Service desk manager • Service desk analyst • Technical support analyst
- 49. Quality Assurance & Other Roles • QA manager • QC manager • Vendor manager • Project manager
- 51. Monitoring Responsibilities • Confirming that the correct jobs are being carried out in the correct way • Controls and internal audit • Metrics and reporting • Work measurement • Performance evaluation • 360 feedback -- from peers, subordinates, and management • Position benchmarking -- comparing job titles with other organizations
- 52. Information Security Governance Metrics • Technical metrics, counts of events from • Firewall, IDS, Anti-malware, DLP, etc. • Business-related metrics • Key Risk Indicators (KRIs) • Key Goal Indicators (KGIs) • Key Performance Indicators (KPIs)
- 53. Return on Security Investment • Difficult to quantify • Because breaches are rare • Other ways to justify security • Fiduciary responsibility • Regulation • Competitive differentiation
- 54. SMART Metrics
- 56. Ch 2a-1
- 57. Risk Management
- 59. Convergence Metrics • Large organizations with multiple business units or locations
- 63. Business Model for Information Security
- 64. Business Model for Information Security
- 65. BMIS Elements and Dynamic Interconnections • Elements • Organization • People • Process • Technology
- 66. BMIS Elements and Dynamic Interconnections • Dynamic Interconnections • Culture • Governing • Architecture • Emergence • Enabling and Support • Human Factors
- 67. Culture • "a pattern of behaviors, beliefs, assumptions, attitudes, and ways of doing things" • Critical to the success or failure of an information security program • Cannot be legislated or controlled directly
- 68. Steps to Create Favorable Security Culture
- 69. Governing
- 70. Architecture
- 71. Architecture
- 72. The Zachman Framework • The dominant architecture architecture standard
- 74. Emergence • People learning to do things better • Can lead to improvements, but also cause inconsistent results
- 75. Enabling and Support • Technology and business people don't understand one another • To fill this gap, create a requirements document • Charts listing required and desired functionality for new technologies
- 76. BMIS Enabling and Support Life Cycle
- 77. Human Factors • Also called Human-Computer Interaction (HCI) • Includes User Interface (UI)
- 78. • Consistency with other systems • Typing and data entry methods • Display and readability • Error recovery • Sound • Voice and biometric recognition • Ergonomics • Environment Human Factors
- 79. Example 1: Adverse Effects of a Policy Change • New policy regarding personal devices and company email • Affects organization and processes • Changed processes affect people and technology
- 80. • An outside security audit shows that servers are months behind in security patches • The company uses a vulnerability scanner to keep up-to date, for compliance • Why is it failing? Example 2: Causes for Process Weakness
- 81. • Possible causes: • Technology -- scanner is faulty Example 2: Causes for Process Weakness
- 82. • Possible causes: • Architecture-- scanner can't reach all systems in network • Human factors-- engineers not using scanner properly Example 2: Causes for Process Weakness
- 83. • Possible causes: • Enabling & Support-- Interview engineers about business processes • New networks have been added that are not included in scanner's configuration Example 2: Causes for Process Weakness
- 84. Ch 2a-1