CISSP Security Governance
The term governance refers to the process that defines how decisions are made within an organization. Within a security context, governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.
Governance – how an organization is managed.
Security Governance – how security is managed, through policies, roles, and processes used to make security decisions.
Note:
- Security must align with organizational goals (not dominate or drive them).
- Security is optional (it’s a support function).
- Remember that security and its budget can be “done away” with at any time.
- Security practitioners must align with organizational goals.
- This helps keep costs down.
- It also helps the security program serve the organization properly.
Security Control Frameworks
Security Control Frameworks (SCF) are publications that an organization uses to outline or develop a security strategy. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational and tactical levels.
Organizational roles:
- Governance Committee: The Governance Committee consists of personnel who determine how decisions should be made within an organization.
- Senior Management (Also called C-level): These include the CEO, CFO, COO, CIO…
- Security Manager: Responsible for advising senior management on security matters.
CISSP – Security Governance vs. Management
Security Governance and Management are different and are performed at different levels within the organisation. Governance is the job of the governing body, such as a committee or board, to provide direction, leadership and control. Management is typically the job of a management or executive team, led by a co-ordinator or chief executive and his/her staff and volunteers. The governing body’s role is to oversee management, not to manage.
When exercising CISSP security governance practices, it is important for the security manager to consider, and distinguish between, two important concepts:
- Due Care: A legal liability concept that defines the minimum level of information protection a business must achieve. Sometimes called the Prudent Man Rule, which requires that an organization engage in business practices that a prudent, right-thinking person would consider appropriate. Businesses should align themselves with best practices appropriate to their industry, as today’s best practices may become the minimum required by the standard of due care.
- Due Diligence: Making sure that the right thing was done, for example by performing audits and investigations. It is the effort to maintain due care, and practicing it is a defense against negligence. Due diligence is a formal process that requires an organization to continually scrutinize its own practices in order to meet or exceed requirements for the protection of assets and stakeholders.
Basically, due care refers to the habits, policies, and procedures we use to keep safe and out of trouble; due diligence means taking the necessary actions to follow those policies and procedures. For example, we perform due diligence when investigating a potential problem that has been detected.
Also note:
- Gross negligence – the opposite of due care. If you cannot demonstrate due care, you are grossly negligent.
Information Security Goals and Planning
A security model has different layers, but it also has different types of goals to accomplish in different time frames.
- Strategic goals (long term)
- Tactical goals (six months to one year)
- Operational goals (short term, measured in months or less)
Information security goals should be based on the security objectives derived from the business security objectives, also called DUE CARE objectives.
Subject and Object.
A subject is something that can manipulate an object; an object is something that can be manipulated by a subject.
A subject is usually a human user or process running in memory.
An object is any resource that exists anywhere a subject can access it (in memory, on disk, across a communications channel, in “the cloud”, etc.).
Subjects are active and objects are passive.
- Subject – (Active) Most often users but can also be programs – Subject manipulates Object.
- Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
- Some entities can be both at different times: a running program is a subject; when it is closed, the program’s data can be an object.
Processes
- Acquisitions – state of IT integration can be difficult to determine.
- Divestitures – how to split IT services, especially user management.
- Governance committees – governing vendors, projects, state of IT, architecture, and more.
Security Document Development
Senior management must make decisions on what should be protected, how it should be protected, and to what extent it should be protected. These findings should be crafted into written documents.
There are 5 levels of security documents:
- Policies – high-level mandatory directives (e.g. an acceptable use policy)
- Standards – mandatory specifications for the use of technology
- Procedures – detailed, in-depth, step-by-step documents
- Baselines – minimum levels
- Guidelines – recommendations
Policies
- Policy – High-level management directives that are mandatory and do not delve into specifics
- Components of a program policy:
- Purpose – Describes the need of the policy; typically to provide CIA of protected data
- Scope – Describes what systems, people, facilities, and organizations are covered by the policy
- Responsibilities – Responsibilities of the information security staff, policy and management teams, as well as responsibilities of all members of the organization
- Compliance – Describes how to judge effectiveness of policy and what happens when policy is violated.
- Policy types – NIST: program policy (organization security program), issue-specific policy (email policy, email privacy policy), and system specific policy (file server policy, webserver policy)
Procedures
Low level step-by-step guide for accomplishing a task that are mandatory. Example: Steps to follow when creating a new user.
Standards
Describes the specific use of technology often applied to hardware and software which are mandatory. Example: standard issue of laptop hardware and software
Guidelines
Guidelines are recommendations and are discretionary. Example: advice to take the first letter of every word in a sentence to form a strong password. You can create a strong password without following this guideline.
Baselines
A baseline is a minimum level of security that a system, network, or device must adhere to.
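An added example (not from the original notes) that turns the mandatory/discretionary distinction between the five document types into a host configuration audit: a missed standard or baseline is a violation, a missed guideline is only advisory, and a setting with no evidence is flagged because due care cannot be demonstrated. The requirement names and sample settings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Policies, standards, procedures and baselines are mandatory; guidelines are not.
MANDATORY = {"policy", "standard", "procedure", "baseline"}

@dataclass(frozen=True)
class Requirement:
    doc_type: str                  # which of the five document types it comes from
    setting: str                   # configuration key the requirement governs
    check: Callable[[Any], bool]   # True when the value satisfies the requirement
    text: str                      # human-readable requirement

# Constructed requirements for illustration, not taken from any real standard.
REQUIREMENTS = [
    Requirement("baseline", "min_password_length", lambda v: v >= 12,
                "baseline: minimum password length 12"),
    Requirement("standard", "disk_encryption", lambda v: v is True,
                "standard: full-disk encryption enabled on laptops"),
    Requirement("baseline", "ssh_root_login", lambda v: v == "no",
                "baseline: remote root login disabled"),
    Requirement("guideline", "passphrase_training", lambda v: v is True,
                "guideline: users trained on first-letter passphrases"),
]

def audit(config: dict) -> dict:
    """Sort every unmet requirement by how the governing document treats it."""
    findings = {"violation": [], "advisory": [], "missing": []}
    for req in REQUIREMENTS:
        if req.setting not in config:
            # No evidence either way: due care cannot be demonstrated, so flag it.
            findings["missing"].append(req.text)
        elif not req.check(config[req.setting]):
            bucket = "violation" if req.doc_type in MANDATORY else "advisory"
            findings[bucket].append(req.text)
    return findings

def is_compliant(config: dict) -> bool:
    """Mandatory documents decide compliance; a guideline miss is advisory only."""
    f = audit(config)
    return not f["violation"] and not f["missing"]

# Constructed sample laptop configuration.
SAMPLE_LAPTOP = {
    "min_password_length": 8,      # below the baseline -> violation
    "disk_encryption": True,
    "ssh_root_login": "no",
    "passphrase_training": False,  # guideline only -> advisory
}
```

Raising the sample's password length to meet the baseline makes the host compliant even though the guideline finding remains.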
Security Frameworks
The following industry standards provide frameworks that can be reviewed when creating security baselines to achieve CISSP security governance.
- BS 7799, ISO 17799, and 27000 Series
- COBIT and COSO
- OCTAVE
- ITIL
Some common frameworks are:
ISO/IEC 27000 Series
- Security program development standard on developing and maintaining an Information Security Management System (ISMS)
- 27000:2018 – Overview of ISMSs and vocabulary
- 27001:2013 – ISMS Requirements
- 27002:2013 – Code of Practice for IS controls
- 27003:2017 – Guidance on the requirements for an ISMS
- 27004:2016 – ISMS monitoring, measurement, analysis, and evaluation guidelines
COBIT – a framework aimed at documenting Organizational IT Security. If you take the first three letters of Cobit (Cob) and reverse them, it spells “Doc” (we know it’s a “b”, but just go with it), and the O and IT you can remember as “Organizational” and “IT”
ITIL – how IT can serve business functions – remember it by thinking “I TILt it this way, or that way” for the business.
NIST Special Publications (risk management frameworks), such as 800-53, which is a set of security controls, and 800-37, which is the Risk Management Framework.
CSA STAR is from the Cloud Security Alliance, which publishes standards for cloud security. Of interest are its tiers:
- Tier 1, in which participants self-assess by filling out a questionnaire,
- Tier 2 is a third party assessment, and
- Tier 3 is continuous monitoring by a certified independent organization.