Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
Page 1
Information Security Governance and Risk
Chapter 2, Part 3
Pages 100 to 141
Page 2
Security Documents
• Policies
• Procedures
• Standards
• Guidelines
• Baselines
Page 3
Security Policy
• General statement produced by senior management
• Needs to be technology and solution independent
• Written in broad terms
• Outlines goals, not specific ways of accomplishing them
Page 4
Organizational Security Policy
• Addresses laws, regulations and liability issues
• Describes the scope of the program and the level of risk management is willing to accept
• Business objectives should drive policy
• Easily understood by employees
• Defines the process for dealing with those who do not comply
Page 5
Issue-Specific Policies
• Example: email usage
• Employees should confirm they have read and understand the policy
Page 6
Issue-Specific Policies
• Acceptable use policy
• Data protection policy
• Business continuity policy
• See pages 103-4
Page 7
System-Specific Policies
• Specific to actual computers, networks, applications
• How a database containing sensitive information should be protected and who can have access.
Page 8
Standards
• Mandatory actions or rules
• Specific products or technologies to be used
• “Employees are required to wear identification badges at all times”
• “Confidential information must be protected with AES-256 at rest and in transit”
Page 9
Baselines
• When risks have been mitigated and security put into place, a baseline is agreed upon.
• Reference point to compare against when new software is installed or when changes are made
• Are we still providing the baseline protection?
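The baseline question on this slide ("are we still providing the baseline protection?") is answered in practice by re-collecting the host's settings after a change and diffing them against the agreed reference point. The following is an added example written for this page, not code from the slides or the textbook; the setting names, the baseline values and the "after install" snapshot are constructed assumptions, and nothing is read from a real host.

```python
"""Baseline drift check: added example for this page, not code from the slides.

A baseline is the agreed reference point. After new software is installed or
a change is made, the live settings are collected again and compared to it.
All settings and snapshots below are constructed sample data; nothing is read
from a real host, and the setting names are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Constructed baseline: the protection level agreed upon after risks were mitigated.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "tls.min_version": "1.2",
    "disk.encryption": "aes-256-xts",
    "listening_ports": {22, 443},
}

# Constructed snapshot taken after a package install: the installer re-enabled
# password logins for SSH and started a service on port 8080.
AFTER_INSTALL = {
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "no",
    "tls.min_version": "1.2",
    "disk.encryption": "aes-256-xts",
    "listening_ports": {22, 443, 8080},
}


@dataclass
class DriftReport:
    changed: dict = field(default_factory=dict)     # setting -> (baseline, current)
    missing: list = field(default_factory=list)     # settings absent from the snapshot
    extra_ports: set = field(default_factory=set)   # listeners the baseline does not allow
    closed_ports: set = field(default_factory=set)  # baseline listeners that disappeared

    def ok(self) -> bool:
        """True only if the host still provides exactly the baseline protection."""
        return not (self.changed or self.missing or self.extra_ports or self.closed_ports)


def compare_to_baseline(current: dict, baseline: dict = BASELINE) -> DriftReport:
    """Diff a collected snapshot against the baseline and return every deviation."""
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in current:
            # A setting the collector could not read is a finding, not a pass:
            # unknown state is treated as not meeting the baseline.
            report.missing.append(key)
            continue
        actual = current[key]
        if key == "listening_ports":
            # New listeners are the usual sign that installed software changed exposure.
            report.extra_ports = set(actual) - set(expected)
            report.closed_ports = set(expected) - set(actual)
        elif actual != expected:
            report.changed[key] = (expected, actual)
    return report


if __name__ == "__main__":
    r = compare_to_baseline(AFTER_INSTALL)
    print("baseline met" if r.ok() else f"drift: {r}")
```

The check deliberately reports a setting the collector could not read as a finding rather than silently passing it; a baseline comparison that only flags values it happens to see will miss the case where the change removed the setting entirely.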
Page 10
Guidelines
• Suggested actions and best practices; recommended rather than mandatory
Page 11
Procedures
• Detailed step-by-step tasks that should be followed
• How policies, standards, and guidelines will be implemented in an operating environment
• Example: setting up a new user account
Page 12
Implementation
• Policies, standards, procedures and baselines are often written for auditors
• Awareness training
• Companies that do not do awareness training can be held liable in the eyes of the law
• It must be clear that management supports these policies
Page 13
Information Classification
• Table 2-11 on pages 110-111
Page 14
Information Classification
• Assign value to different kinds of information
• After identifying all important information, it should be properly classified
• Determine how to allocate funds to protect information in a cost-effective manner
• Each classification should have separate handling requirements and procedures for how that data is accessed, used and destroyed
Page 15
Data Classification Procedures
• Page 114
Page 16
Board of Directors
• Goal – Shareholders’ interests are protected and the corporation is run properly
• Corporate accounting scandals of 2001–2002 – Enron
• U.S. Government & SEC – Sarbanes-Oxley Act (SOX), 2002
– Board of Directors can be held personally responsible (fined or jailed) for fraud
Page 17
Executive Management
• CEO – Day-to-day management
• CFO – Corporate financial activities
• 2002 financial scandals – Under SOX, the CEO and CFO are personally responsible for the accuracy of financial reports
– Can be fined or go to jail
Page 18
Executive Management
• CIO – Strategic use and management of information systems
• Chief Privacy Officer – Ensures customer, company, and employee data is kept safe
– Usually an attorney who understands privacy, legal and regulatory requirements
Page 19
Privacy
• The amount of control an individual should have over their sensitive information
• Personally identifiable information (PII) – Its exposure enables identity theft and financial fraud
Page 20
Executive Management
• Chief Security Officer (CSO)
– Understands the risks the company faces and mitigates them to an acceptable level
– Understands the business drivers and creates and maintains a program that facilitates them
– Ensures security compliance with regulations
Page 21
Data Owner
• Usually in charge of a business unit
• Responsible for the protection and use of a specific subset of information
• Classifies this data
• Ensures security controls are in place, backup requirements are defined and proper access rights are granted
Page 22
Data Custodian
• Responsible for maintaining and protecting the data as specified by the data owner
Page 23
User
• Must have the necessary level of access to the data to perform their duties (least privilege)
• Is responsible for following security procedures
Page 24
Personnel Security
• In security, people are often the weakest link
• Accidentally, through mistakes or lack of training
• Intentionally, through fraud and malicious intent
Page 25
Preventative Measures
• Separation of duties
– No one individual can complete a critical task by herself
– Example: supervisor’s written approval
– Forces collusion: two or more people must conspire to commit destruction or fraud
Page 26
Preventative Measures
• Rotation of duties
– No person should stay in one position for a long time
• Mandatory vacations
– While the employee is on vacation, the fill-in can often detect fraud
• Key Terms – page 127
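Separation of duties, as described on the two preventative-measures slides above, is usually enforced in an approval workflow rather than left to policy text. The following is an added example written for this page (not code from the slides or the textbook) showing the checks such a workflow must make: the requester can never approve their own request, each approval must come from a distinct person holding the approver role, and high-value tasks require two approvers so that fraud needs collusion. The user names, roles, task name and the two-person threshold are constructed assumptions.

```python
"""Separation-of-duties check: added example for this page, not code from the slides.

The rule enforced: the person who requests a critical task can never approve
it, every approval must come from a distinct person who holds the approver
role, and high-value tasks need two such approvers, so fraud requires
collusion. The roles, names and threshold are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed role assignments; in practice these come from the directory / HR system.
ROLES = {
    "alice": {"payments_clerk"},
    "bob": {"payments_supervisor"},
    "carol": {"payments_supervisor"},
    "dave": {"payments_clerk", "payments_supervisor"},  # holds both roles
}

TWO_PERSON_THRESHOLD = 10_000  # assumed amount at or above which two supervisors must approve


@dataclass
class Request:
    task: str
    requester: str
    amount: int
    approvals: list = field(default_factory=list)  # usernames that approved, in order


def required_approvals(req: Request) -> int:
    """One supervisor normally; two distinct supervisors for high-value tasks."""
    return 2 if req.amount >= TWO_PERSON_THRESHOLD else 1


def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Any violation of the rule denies the whole request."""
    if "payments_clerk" not in ROLES.get(req.requester, set()):
        return False, f"{req.requester} may not initiate {req.task}"
    seen = set()
    for approver in req.approvals:
        if approver == req.requester:
            # Even a user who holds both roles (dave) cannot approve their own request.
            return False, f"{approver} cannot approve their own request"
        if approver in seen:
            # Approving twice is still one person; it does not count as a second approver.
            return False, f"duplicate approval from {approver}"
        if "payments_supervisor" not in ROLES.get(approver, set()):
            return False, f"{approver} is not an approver for {req.task}"
        seen.add(approver)
    need = required_approvals(req)
    if len(seen) < need:
        return False, f"{req.task} needs {need} distinct supervisor approval(s), has {len(seen)}"
    return True, "authorized"


if __name__ == "__main__":
    print(authorize(Request("wire", "alice", 50_000, ["bob", "carol"])))
    print(authorize(Request("wire", "dave", 500, ["dave"])))
```

The case to watch is `dave`, who legitimately holds both the clerk and supervisor roles: role checks alone would let him approve his own transfer, so the self-approval test must compare identities, not roles. Rejecting a duplicate approval outright (rather than de-duplicating it) makes a replayed approval visible in the audit trail instead of silently counting once.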
Page 27
Hiring Practices
• Nondisclosure agreements signed by new employees
• References checked
• Education verified
• Detailed background check
Page 28
Termination
• Employee escorted out of facility
• Surrender identification badges and keys
• Exit interview
• User’s accounts disabled immediately
• Too many companies have been hurt by vengeful or disgruntled employees
Page 29
Security-Awareness Training
• Communicate security to employees
• Supported by senior management
• Management must allocate resources for training
• Training must be simple to understand
• Acceptable behaviors
• Noncompliance repercussions
• During hiring and annually thereafter
Page 30
Security Governance
• Table 2-13 Company A on page 133
Page 31
Metrics
• “You can’t manage something that you can’t measure.”
• Quantifiable, performance-based data
• Continuously gathered and compared so that improvements or drops in performance can be identified
• ISO/IEC 27004 gives guidance on how to measure a security program
Page 32
Quick Tips
• Pages 138 to 141