1.3 Evaluate and apply security governance principles

  • Alignment of security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks
  • Due care/due diligence

Security costs money.  If the security is so inefficient or expensive that the organization can’t function, then security is useless.  Security governance is the set of policies that protect the organization.

The security policies

  • Must align with the goals of the business.  What does the organization want to protect?  How valuable is the information?  What is the cost of the security process vs the value of the benefit?

  • Must be established in accordance with the organization’s governance.  That means that they must be created, reviewed, and approved by the executives who are responsible for managing the organization.

  • Roles and responsibilities of the employees who enforce and monitor the policies must be defined.

Under the CISSP approach, security governance is not just the responsibility of the IT department.  It is something that executive management and business leaders must oversee.  The people who oversee security must understand security.  They must have diverse backgrounds because security is complicated and has many aspects.

We can create our own security framework or use a standard government framework and modify it for our needs.

A business case is an argument for why an action makes financial sense.  Remember that security costs money.  For us to implement a security policy, we must explain to our business leaders how that security policy will benefit the organization.  Business leaders don’t want details about how the technology will work.  They want to know how it will make them money (or how it will stop them from losing money).  Most security policies don’t make money, but they do save the organization money: the cost of not having security and then suffering a data leak, a lawsuit, a criminal investigation, etc. can be very high.

We might define our business case through a mission statement.  A mission statement tells people what we do and what we stand for.  A goal is something that we expect to achieve.  We might set goals using SMART:

  • Specific – what are we doing?

  • Measurable – how can we determine whether we are successful?

  • Achievable – is the goal realistic?

  • Relevant – does the goal align with the strategy?

  • Time-Bound – is there a specific deadline for achieving the goal?

If management does not care about security, then

  • Security policies won’t be enforced.  Users who violate security policies won’t be punished.

  • Security projects and technology won’t be funded.

  • The organization won’t make efforts to protect its data.

Senior management should set security goals for the entire organization.  They should delegate responsibilities for turning those goals into policies to middle management.  We call this the top-down approach.  In a large organization, information security is covered by the Information Security Team, or InfoSec Team.  It may also be covered by a governance committee.

The InfoSec Team is headed by the Chief Information Security Officer (CISO), Chief Security Officer (CSO), or Information Security Officer (ISO).  The InfoSec Team may report directly to the CEO.

The organization will make three plans

  • Strategic Plan – this is a long-term plan for the organization.  How does security meet the goals for the organization?  What risks does the organization face and how can they be mitigated?  We update this plan every year.

  • Tactical Plan – this is a mid-term plan that outlines the tasks required to meet the goals in the strategic plan.  What security projects do we need to implement?  Which security vendors do we need to recruit?  How much money do we need?

  • Operational Plan – this is a short-term plan that provides details about complying with the tactical plan.  We might have many different operational plans for each aspect of the security governance.  Who will perform which tasks and when?  What is the schedule?  How do we train employees?

No plan ever failed on paper.  But a plan must be specific and must be followed.  It must also be updated when the environment changes.

When one organization purchases another organization, this is called an acquisition.  A merger is when two organizations become one.  When we acquire another company or merge with a company, we have to understand that

  • The other company’s IT systems will have been managed differently.  They may be more secure or less secure, but always different.  If we are bringing in IT personnel from the other organization, then there will likely be a conflict about the best way to do things.  We have to find a standard operating procedure that covers all of the systems.

  • We are increasing the quantity of security holes that are present, simply because we are increasing the attack surface.  There are more pieces of equipment, more makes and models of hardware, and more vendors.  If we use Cisco switches and the other organization uses Juniper switches, we are now exposed to both Cisco’s security risks and Juniper’s security risks.

  • Mergers and acquisitions put a strain on IT resources.  This gives them less time to detect and respond to existing issues and security threats.

Before completing the merger or acquisition, we need to ask the following questions

  • What are the policies in place at the other organization?

  • What assets are we acquiring?  How do we fit them into our own structure?

  • What software does the other organization use, and are they properly licensed?

  • What regulations is the other organization subject to?

A divestiture is when an organization spins off part of itself to form a second separate organization, or when it sells part of itself.  When we engage in an acquisition, merger, or divestiture, we risk losing data.

We might be engaged in negotiations with the owners of the business that we want to purchase and accidentally give them too much information.  When we divest part of our business, we need to ensure the portion we sold does not keep any confidential information belonging to the parent company.  Employees who leave with the divestiture must not continue to have access to the resources and information belonging to the parent company.

Data Classification is the process of categorizing data by the level of secrecy it requires.  Security is expensive.  We might not be able to afford to protect all data at the same level.  Therefore, the most sensitive data is given the most protection – according to the harm that will result if the data is leaked.  Some data might be publicly available and does not require protection.

How can we classify data?  We should ask the following questions

  • How important is it to the organization?

  • What is the data worth to the organization?

  • What is it worth to a third party?

  • How old is the data?

  • Is the data valid forever or does it expire?

  • What damage will result if the data is leaked or modified?

  • Who has access to the data?

  • Who does not have access to the data?

  • Where is the data stored?

When implementing a classification policy

  • We create a set of classification levels (for example, Confidential, Secret, Top Secret) or we might only have one classification level.

  • We apply a classification to each data object according to its sensitivity and other factors.  We might create policies for how objects are classified.  The policy should be clear so that a user can unambiguously classify any data object.

    We also specify when data can be declassified.  Most data objects should not remain classified forever – when the data expires or is no longer able to cause harm if leaked, it might not need to be classified, or its classification level might be reduced.  Storing irrelevant data is expensive.  This is known as declassification.

  • We choose a custodian for each data object, set of data objects, or objects with a specific classification level.  The custodian is responsible for protecting the data and providing access to the data.

  • We choose the type of security controls that apply to each classification level.

In the US federal government, there are many classifications.  Different departments can create different classifications.

  • Top Secret – a leak of this data can cause harm to national security.  Top Secret data includes nuclear technology and military technology.  A user must have a need to know in order to access the data (just because a user has a Top Secret clearance does not mean that they are automatically entitled to access the data).

  • Secret – a leak of the data can cause some harm.

  • Confidential – the data is proprietary.

  • Sensitive but Unclassified – this data is not classified but should not be disclosed.

  • Unclassified – this information is available to the public.

  • For Official Use Only/Law Enforcement Sensitive – this is data that has no official classification under the law but must still be protected.  Its disclosure might compromise law enforcement informant identities, investigative techniques, or ongoing investigations.

In the Canadian federal government

  • Top Secret – a leak of this data can cause harm to national security.  Top Secret data includes nuclear technology and military technology.  A user must have a need to know in order to access the data (just because a user has a Top Secret clearance does not mean that they are automatically entitled to access the data).

  • Secret – a leak of the data can cause serious harm to the government

  • Confidential – a leak of the data can cause some harm to the government.

  • Protected – this data is not classified, but contains sensitive information such as personal information, healthcare information, or trade secrets.  The government has a legal obligation to protect this data.  Protected data comes in three levels – Protected A, Protected B, and Protected C.  The lowest level is Protected A, and the highest level is Protected C.

  • Unclassified – this information is available to the public.

The government has specific policies for how each classification of data is handled and stored.  If we are storing or processing data on behalf of the government, then we will have to use their classification procedure and follow the same policies for storing and handling the data.
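The classification steps listed above (a set of levels, a label on each data object, declassification when the data expires, a custodian per object, and controls chosen per level), together with the need-to-know rule from the government lists, as an added example that is not part of the original notes.  The level names come from the business example on this page; the control names, the custodian and review-date fields, the access check, and the sample objects are assumptions constructed for this illustration.

```python
"""Toy data-classification registry: ordered levels, per-level controls,
a custodian per object, declassification on expiry, and an access check
that requires both a dominating clearance and (for the top level) an
explicit need to know.  Added illustration; control names are assumptions."""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Level(IntEnum):
    """Business classification levels, least to most sensitive."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Assumed controls introduced at each level; a higher level inherits
# everything required by the levels below it.
CONTROLS = {
    Level.PUBLIC: {"integrity-check"},
    Level.SENSITIVE: {"authenticated-access"},
    Level.PRIVATE: {"encryption-at-rest", "audit-logging"},
    Level.CONFIDENTIAL: {"need-to-know", "dlp-monitoring"},
}


@dataclass
class DataObject:
    name: str
    level: Level
    custodian: str          # person responsible for protecting and granting access
    review_date: str        # ISO date on which the label expires and is reviewed
    declassify_to: Level = Level.PUBLIC      # label assigned after review_date
    need_to_know: frozenset = frozenset()    # subjects explicitly granted access


def _as_level(level) -> Level:
    """Accept either a Level or its name ("PRIVATE")."""
    return level if isinstance(level, Level) else Level[level]


def controls_for(level) -> set:
    """Controls required at a level: its own plus every lower level's."""
    level = _as_level(level)
    return set().union(*(CONTROLS[lower] for lower in Level if lower <= level))


def declassify_expired(objects, today_iso: str) -> list:
    """Lower the label of every object whose review date has passed.
    Returns the names of the objects whose label changed (idempotent)."""
    today = date.fromisoformat(today_iso)
    changed = []
    for obj in objects:
        expired = date.fromisoformat(obj.review_date) <= today
        if expired and obj.level > obj.declassify_to:
            obj.level = obj.declassify_to
            changed.append(obj.name)
    return changed


def can_access(obj: DataObject, subject: str, clearance) -> bool:
    """Clearance must dominate the label; for CONFIDENTIAL the subject must
    also be on the object's need-to-know list (clearance alone is not enough)."""
    if _as_level(clearance) < obj.level:
        return False
    if obj.level == Level.CONFIDENTIAL:
        return subject in obj.need_to_know
    return True


def level_name(objects, name: str) -> str:
    """Current label of the named object, as a string."""
    return next(o for o in objects if o.name == name).level.name


def sample_registry() -> list:
    """Constructed sample objects; names, dates and people are made up."""
    return [
        DataObject("recipe.pdf", Level.CONFIDENTIAL, "r.lee", "2099-01-01",
                   need_to_know=frozenset({"alice"})),
        DataObject("customers.csv", Level.PRIVATE, "m.ng", "2099-01-01"),
        DataObject("q1-forecast.xlsx", Level.SENSITIVE, "m.ng", "2024-04-01"),
    ]


if __name__ == "__main__":
    registry = sample_registry()
    print("declassified:", declassify_expired(registry, "2024-06-01"))
    for obj in registry:
        print(obj.name, obj.level.name, obj.custodian,
              sorted(controls_for(obj.level)))
    print(can_access(registry[0], "bob", "CONFIDENTIAL"))  # cleared, no need to know
```

Running the declassification step on a schedule and logging the names it returns gives the custodian a record of which labels were reduced and when; the access check shows why a Top Secret or Confidential clearance by itself is not an entitlement to every object at that level.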

In a business, we might have the following classification levels

  • Confidential – this is the highest level of data protection, which includes trade secrets, like the recipe for Coke for example.  We also call this proprietary data.

  • Private – a high level of protection like Confidential, but applied to data about third parties such as customers.  Others will be harmed if this data is leaked.

  • Sensitive – sensitive data is data that is not public but also not confidential.  If leaked, it could cause embarrassment to the company.

  • Public – data that is available to the public.

Who owns what?  A file is usually owned by the person who created it.  But the organization can impose its own rules on its employees – it can own the data created by the employees.

What security roles do people play?

  • Senior Manager – the person who is responsible for the assets and their protection.  This person approves/disapproves security policies and sets the direction of the organization.  We always need approval from a senior manager who accepts responsibility for the security of the data.  If the security process fails, the senior manager is the one who is blamed.

    The senior manager decides

    • What are we going to protect?

    • How important is the data?

    • How much money should we spend to protect the data?

    • What laws do we have to comply with?

  • Security Professional – this is the person who implements the security policy.  The professional takes guidance from the senior manager and makes it happen.

    • What kinds of technologies do we need to secure the data at the budget that we have?

    • Who will install the technology?

    • How can we verify that the technology is working?

  • Data Owner – this is the person who classifies the data.

  • Data Custodian – this is the person who protects the data and ensures that the organization’s data meets its confidentiality, integrity, and availability requirements.  The Data Owner may delegate these responsibilities to the Data Custodian.

  • End Users – the end users perform tasks as designated by the organization.  They will have access to the organization’s data and are required to follow the policies set by the organization.

  • Auditor – the auditor verifies that the policies created by management are working properly.  The auditor may work for the organization, a third party, or the government.  The auditor may verify that the organization’s security policies are in compliance with the law.

The Security Control Framework is the structure of the organization’s security policies.  The most important ones are

  • ISO 27001

    • Developed by the International Standards Organization

    • 114 different types of controls in the following categories

      • Information Security Policies

      • Organization of Information Security

      • Human Resource Security

      • Asset Management

      • Access Control

      • Cryptography

      • Physical and Environmental Security

      • Operations Security

      • Communications Security

      • System Acquisition, Development, and Maintenance

      • Vendors

      • Information Security Incident Management

      • Business Continuity

      • Compliance

  • ISO 27002

    • An extension of ISO 27001

    • Provides best practices to comply with ISO 27001

    • An organization can select the best of best practices based on their own needs and situation

  • NIST 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations

    • Developed by the National Institute of Standards and Technology

    • Over 600 controls in the following categories

      • Access Control

      • Awareness and Training

      • Audit and Accountability

      • Security Assessment and Authorization

      • Configuration Management

      • Contingency Planning

      • Identification and Authentication

      • Incident Response

      • Maintenance

      • Media Protection

      • Physical and Environmental Protection

      • Planning

      • Personnel Security

      • Risk Assessment

      • System and Services Acquisition

      • System and Communications Protection

      • System and Information Integrity

      • Program Management

  • NIST Cybersecurity Framework

    • Provides best practices to implement NIST 800-53

    • There are five domains

      • Identify – create a plan to manage cybersecurity risk

      • Protect – implement controls to avoid incidents

      • Detect – detect an incident

      • Respond – respond to a detected incident

      • Recover – restore systems that were affected by an incident

  • CIS Critical Security Controls

    • 20 Controls for Cybersecurity Risk Management

      • Inventory and Control of Hardware Assets

      • Inventory and Control of Software Assets

      • Continuous Vulnerability Management

      • Controlled Use of Administrative Privileges

      • Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

      • Maintenance, Monitoring, and Analysis of Audit Logs

      • Email and Web Browser Protection

      • Malware Defenses

      • Limitation and Control of Network Ports, Protocols, and Services

      • Data Recovery Capabilities

      • Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

      • Boundary Defense

      • Data Protection

      • Controlled Access Based on the Need to Know

      • Wireless Access Control

      • Account Monitoring and Control

      • Implement a Security Awareness and Training Program

      • Application Software Security

      • Incident Response and Management

      • Penetration Tests and Red Team Exercises

Due Care means using reasonable care to protect the organization and its assets.  Due Diligence means engaging in activities that support the Due Care.  Due Care means developing security policies.  Due diligence means applying those policies.  By applying due diligence, you can avoid accusations of negligence if data is leaked – you can argue that you did everything reasonable to protect the data.  The amount of due diligence you must exercise depends on the value of the data.

Strict liability is a legal concept that means you are liable no matter what.  Due diligence means that you are liable only if you acted unreasonably.  For example, having customer data stored on an unencrypted, unsecured server is not due diligence and you would be liable if the information were leaked.  An employee using pirated software could make the company liable under copyright law.  Copyright law in general is strict liability – that means that we are liable for copyright infringement no matter what our intention was.