This document discusses information security governance and risk management. It covers several topics: - The roles and responsibilities of various information security positions such as the security officer, system administrators, and end users. - Security policies, standards, procedures, and frameworks that organizations can implement to formalize security practices. - Compliance with regulations and how to map different compliance frameworks. - Managing risks from third parties, acquisitions, and other organizational changes. - Ensuring proper information security governance through activities like risk analysis, security awareness training, and oversight from executive management.

1. Domain 3: Information Security Governance
&
Risk Management
July 27, 2013
Tim Jensen
StaridLabs

2. ●Risk Analysis
●Data Classification
●Risk Assessment
●Security Awareness
Information Security Governance includes:

3. Risk Management
Minnimize loss of information assets through:
● Identification
● Measurement
● control

4. Security Management Lifecycle
Image Src: http://www.gao.gov/special.pubs/ai00033.pdf

5. IT Governance
● Governance must be informed about information
security
● Set direction to drive policy and strategy
● Provide resources to security efforts
● Assign management responsibilities
● Set priorities
● Support Changes required
● Insist that security investments are made
measurable and reported on for program
effectiveness

6. Impact from organizational changes
● Acquisitions and mergers
● Divestitures
● Spin-offs
● Governance Committees

7. Acquisitions and Mergers
● Friendly VS Hostile
● New staff and roles require new security
awareness and training
● Threats from former employees or threats that
the new company will face due to the merger
● Vulnerabilities when systems are merged
● New regulations/compliance
● External business partner review and
assessment

8. Divestitures and Spin-offs
● Data Loss/data leak due to employees
leaving
● System ports/protocols/connections left open
after systems were removed
● Loss of visibility into systems if both
organizations didn't keep security monitoring
tools
● New threats from laidoff employees
● Revision of policies, procedures, and
standards for new governance/compliance

9. Governance Committee Changes
● Ensure the committee understands at a
high level the importance of information
security and risk management
● Ensure someone on the committee has
security and risk aptitude
● Maintain working relationship with
committee and be aproachable

10. Security Roles & Responsibilities

11. End User
● End user is responsible for protecting
information assets on a daily bases through
adherence to the security policies
● End user compliance failures include:
● Downloading unauthorized software
● Opening attachments from unknown senders
● Visiting malicious websites
● End user can be turned into human security
sensors with proper training

12. Phishing Effectiveness
Img Src: 2013 Verizon Breach Report Pg 38

13. Executive Management
● EM maintains the overall responsibility for
protection of the information assets.
● EM must be aware of the risks they are
accepting on behalf of the organization
● Risk must be identified through risk
assessment so management can make
informed decisions

14. Security Officer
● Directs, coordinates, plans, and organizes
information security activities throughout the
organization
● Responsible for the design, implementation,
management, and review of the
organization's security policies, standards,
procedures, baselines, and guidelines

15. Information Systems Security
Professional
● Drafting of security policies, standards, and
supporting guidelines and procedures
● Baselines
● Guidance on technical security issues and
emerging threats
● Interpretation of regulations
● Analysis of vendor solutions

16. Data/Information/Business Owners
● Classify information assets
● Ensure business information is protected
● Review access rights
● Approve access to information
● Determine criticality, backups, and
safeguards for data

17. Data/Information
Custodian/Steward
● Individual or function who takes care of
information on behalf of the owner
● Makes sure information is available, backed
up, and consistent

18. Information Systems Auditor
● Verifies compliance with security policies,
procedures, standards, baselines, designs,
architectures, management direction, and
other requirements
● Provide independent assurance to
management on appropriateness of security
controls

19. Business Continuity Planner
● Develop contingency plans to prepare for
disasters
● Ensures business processes can continue
during and after:
● Earthquakes, tornadoes, hurricanes, blackouts,
political change, terrorist activities, fires, floods,
etc

20. IS/IT professionals
● Convert security controls into actionable
security on IT systems
● Test controls

21. Security Administrator
● Manages user access requests and
ensures privileges are provided to
authorized users
● Manages privileges needs over time
● Removes access upon user termination

22. Network/Systems Administrator
● Configures network and server
hardware/operating system to insure
information is available and accessible
● Manages patching and vulnerability
management

23. Physical Security
● Monitors physical locations with cameras,
alarms, card readers, etc.
● Verifies physical breaches do not occur and
mitigates damage if breach does occur

24. Administrative Assistant/Secretaries
● First line of defense at most companies:
● Greets visitors
● Signs for packages
● Screens phone calls for executives
● Very prone to social engineering attacks
● Friendly for a living

25. Help Desk Administrator
● Fields technical questions from users
● Likely going to hear about security issues before
anyone else
● Viruses
● Systems freezing
● Wierd popups**
● Help desk usually responsible for identifying threats
and notifying the incident response (CIRT) team

26. Purposes for roles
● Increased efficiency by reducing confusion on who does
what
● Lowers risk to company reputation/brand
● Personal accountability
● Support of disciplinary actions for security violations
● Demonstratable compliance with applicable laws and
regulations
● Shielding of management from liability and negligence
● Roadmap for auditors
● Segregation by role is useful for determining the level of
security training required

27. Legal Negligence
● A failure to behave with the level of care
that someone of ordinary prudence would
have exercised under the same
circumstances. The behavior usually
consists of actions, but can also consist of
omissions when there is some duty to act

28. Gross Negligence
● carelessness which is in reckless disregard for
the safety or lives of others, and is so great it
appears to be a conscious violation of other
people's rights to safety. It is more than simple
inadvertence, but it is just shy of being
intentionally evil. If one has borrowed or
contracted to take care of another's property,
then gross negligence is the failure to actively
take the care one would of his/her own property.
If gross negligence is found by the trier of fact
(judge or jury), it can result in the award of
punitive damages on top of general and special
damages.

29. Legislative and Regulatory
Compliance
● As a general rule, laws and regulations represent a “moral
minimum” which must be adhered to and should never be
considered wholly adequate.
● Regulations often offer specific actions which must be met
for compliance.
● Some have a “Safe Harbor” provision which is a set of
“good faith” conditions which if met may temporarily or
indefinitely protect the organization from penalties of a new
law or regulation.

30. Compliance Examples
● FISMA
● PCI
● DISA STIGS
● NIST 800-53
● ISO 27001

31. Privacy Requirements
● Personally identifiable information (PII) is a
valuable commodity for marketers and
attackers
● Storing the data can become a liability.
Certain data falls under privacy regulations
which if not followed come with steep fines or
jail time.
● International exposure increases the risk. US
privacy laws are much less strict compared to
European laws (See the EDPD regulations)

32. Security and privacy control
frameworks
● Must be:
● Consistent – if approach and application is not consistent
then stakeholders will become confused and loose faith in
the program
● Measurable – Must be able to determine progress and
set goals.
● Standardized – Departments/companies must be able to
be compared against each other
● Comprehensive – Must cover regulatory requirements of
the organization and be able to accommodate new
requirements or organizational mandates
● Modular – Must be adaptable and able to withstand
organizational changes

33. NIST SP 800-53
● Over 300 controls in 17 families and 3 classes
● Government agencies build Acceptable Risk Standard
(ARS) documents based on FISMA requirements
which are based on NIST 800-53.
● An update to the underlying layers propagates up
through several security departments and agencies
before being implemented across all federal systems
● Federal system owners are expected to re mediate
before being mandated based on risk so long as the
remediation does not conflict with current regulations
(without approval)

34. ISO 27001
● Designed to work with organizations of all
sizes and types (vs just federal systems)

35. Compliance Mapping
● Different compliance frameworks can be
mapped together for ease of identifying
additional controls or conflicting controls
● If a control conflicts the organization
generally sides on the most restrictive control
for high security or does a risk assessment to
identify the risk to production stability vs risk
of breach

36. Information Security Governance
&
Risk Management Part 2
July 27, 2013
Jem Jensen
StaridLabs

37. Due Care
● Legal Definition
● The conduct that a reasonable man or woman will
exercise in a particular situation, in looking out for
the safety of others
● What is your legal obligation in a situation?
● Depends on laws
● Depends on who is defining “reasonable”
● Check the laws and precedence to measure your legal
exposure

38. Due Diligence
● Pre-emptive cousin of Due Care
● Attempts to avoid situations which can lead to
harm/require due care to be exercised
● Examples:
● Background checks
● Credit checks
● Pen tests

39. Confidentiality
● Definitions reminders
● Least Privilege: The level of access an
individual has is just what's necessary to do
their job
● Need-To-Know
● Data classification

40. Integrity
● Definitions reminders
● Info is protected from unauthorized or
accidental changes
● Segregation of duties
● Approval checkpoints
● Testing

41. Availability
● Definitions reminders
● Info is available and accessible to users when
needed
● Denial of Service
● Loss of Service (due to disaster, etc)
●

42. Security Policy Introduction
● Life without policy
● Employees has no guidance so they act based
on their view of what is right or wrong for the
company
● Might use past decisions and try to stick to the
status quo
● Many small companies operate this way
because it's cheap and easy. But it's dangerous

43. Security Policy Introduction
● Procedures
● Step-By-Step instructions
● Standards
● Specific Hardware and Software
● Baselines
● Consistent Level of Security
● Guidelines
● Recommendations

44. Security Policy Introduction
● Security policy is implemented with
Standards, Procedures, Baselines, and
Guidelines
● Without this implementation, the policy can't
be enforced
● Both policy and the implementation are
usually crafted by Security Officers

45. Security Policy Introduction
● The policy crafting process should be collaborative
and include
● HR
● Legal
● Compliance
● Various IT areas
● Business representatives
● When everyone is involved, it's easier to catch
everything and get buy-in from everyone

46. Security Policy Introduction
● Once policy is documented, it's important to
make it readily available to everyone
● Share documents, either on paper or in shared
folders
● Make and distribute forms & checklists
● Training

47. Security Policy Defined
● In essence, a security policy formalizes
what a company expects from employees
● Defines roles and responsibilities
● Assigns authority for security/compliance
● Policy-making is old. Therefore, the path to
making them is well-traveled. Lots of
guidelines!!!

48. Security Policy Guidelines
● Guidelines
● Formally define a process for making and
maintaining new policy
● Policies should survive for 2-3 years
– Should be reviewed annually, eventually rewritten
● Policies shouldn't be too specific
– Technology, personnel, and markets change
● Use forceful, directive wording

49. Security Policy Guidelines
● Guidelines
● Leave out technical implementation details
– Policy must be independent of tech
● Keep as short as possible (2-3 pages)
● Provide references to supporting documents
● Thoroughly review before publishing
● Management review/sign-off
● Employee acknowledgement

50. Security Policy Guidelines
● Guidelines
● Do not use tech jargon
– Nontechnical people won't understand if you do
● Adjust policy based on incidents
– Regular reviews of incidents
● Review policy periodically
● Define exemption rules
● Develop sanctions for noncompliance
– Disciplinary actions/punishment/termination

51. Security Policy Types
● Organizational or Program Policy
● Issued by senior management
● Scoped to entire org or division
● High-level authority to define sanctions
● Example:
● “If a computer is unplugged, leave it alone”

52. Security Policy Types
● Functional or Issue-Specific Policy
● Scoped to particular technology or domain
● Example:
● Acceptable Use Policy for company internet

53. Security Policy Types
● System-specific Policy
● Targeted for specific application/platform
● Greater control for specific area
● Example:
● “Only Accounting and HR can input information
into the check-writing application”

54. Standards
● Policy defines what an org needs
● Standards define the requirements
● Lay out the hardware & software mechanisms
● Provide consistency of implementation
● Permit interoperability
● Can save money and time
● Standard is to use Windows desktops – don't have to
support and train for OSX or Linux
● May be external – NIST, ANSI, IEEE, ISO, NSA

55. Baselines
● Baselines describe how to best implement
standards, especially in software
● More technical and specific
● Example:
● “Disable the Telnet service on all servers”
● Also can be external – DISA STIGS, CIS

56. Procedures
● Step-by-step instructions
● By documenting procedures, a company can more easily
assure that they are implementing policy consistently
● Ensures nothing gets left out
● Minimizes liability
● Documenting procedures can help break down
interdepartmental walls and assumptions
● Easier to see duplicate work or missing work

57. Guidelines
● Optional recommendations to help
employees make judgment calls
● Suggested steps for doing work
● How to best implement a baseline

58. Documentation
● Do not combine policies with other
documentation!
● Documentation can be edited by employees
whereas only management should change
policies
● Also a good idea to keep standards separate

59. Analogy Time!
● Hammer Policy...
● “All boards must be nailed
together using company-issued
hammers to ensure end-product
consistency and worker safety”
● Policy is flexible – allows
company to define hammer
types and change the hammers
if a safer hammer emerges

60. Analogy Time!
● Hammer Standard
● “Eleven-inch fiberglass hammers will be used.
Only hardened-steel nails will be used with the
hammers. Automatic hammers are to be used
for repetitive jobs only that are > 1 hour.”
● Clearer, more specific

61. Analogy Time!
● Hammer Guidelines
● “To avoid splitting the wood, a pilot hole may be
drilled first.”
● Optional suggestion. May not apply in all cases,
depending on the wood being hammered

62. Analogy Time!
● Hammer Procedure
● “Position nail in upright position on board. Strike
nail with full swing of hammer. Repeat until nail
is flush with board.”
● Process for using the hammer and nail to get
the best results

63. Manage the Information Life Cycle
● When information is created, someone must
be responsible for it
● Determine impact
● Understand info replacement costs
● Determine who in and outside of the org needs
the info/when it should be released
● Know when the info is inaccurate/unneeded
and should be destroyed

64. Manage the Information Life Cycle
● Data classification can make the job easier
● Everyone knows how to treat it
● Data categorization too
● Helps define impact of loss and exposure
● A data retention schedule can help
● Mandate destruction of info after a certain date,
period, or period of inactivity

65. Third-Party Governance
● Types of third-parties
● IaaS – Infrastructure as a Service
– Provides “bare metal” hardware resources
– Example: Co-Lo servers
● PaaS – Platform as a Service
– Provides OS or DB
– Example: Amazon EC2
● SaaS – Software as a Service
– Provides full tool, company just provides the data

66. Third-Party Governance
● SLA – Service Level Agreement
● Defines levels of performance and
compensation/penalties between providers and customers
● Due Diligence
● On-site inspections
● Third-party policy reviews
● Document exchanges
● Independent inspections
● Legal review – legal exposure, international concerns

67. To Be Continued, next week...
Check the Syllabus! It's been updated!