Information Security
Governance Simplified
From the Boardroom to the Keyboard
TODD FITZGERALD, CISSP, CISA, CISM
Foreword by Tom Peltier
CRC Press, Taylor & Francis Group, Boca Raton, London, New York
CRC Press is an imprint of the
Taylor & Francis Group, an Informa business
AN AUERBACH BOOK
Contents
Foreword xvii
Acknowledgments xxi
Introduction xxiii
About the Author xxvii
Chapter 1 Getting Information Security Right: Top to Bottom 1
Information Security Governance 2
Tone at the Top 5
Tone at the Bottom 5
Governance, Risk, and Compliance (GRC) 6
The Compliance Dilemma 7
Suggested Reading 10
Chapter 2 Developing Information Security Strategy 11
Evolution of Information Security 15
Organization Historical Perspective 16
Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt 16
Understand the External Environment 17
Regulatory 17
Competition 18
Emerging Threats 19
Technology Cost Changes 19
External Independent Research 20
The Internal Company Culture 20
Risk Appetite 21
Speed 22
VII
VIII CONTENTS
Collaborative versus Authoritative 22
Trust Level 23
Growth Seeker or Cost Cutter 24
Company Size 25
Outsourcing Posture 25
Prior Security Incidents, Audits 26
Security Strategy Development Techniques 28
Mind Mapping 28
SWOT Analysis 30
Balanced Scorecard 32
Face-to-Face Interviews 32
Security Planning 34
Strategic 34
Tactical 35
Operational/Project Plans 35
Suggested Reading 36
Chapter 3 Defining the Security Management Organization 37
History of the Security Leadership Role Is Relevant 37
The New Security Officer Mandate 40
Day 1: Hey, I Got the Job! 41
Security Leader Titles 42
Techie versus Leader 43
The Security Leaders Library 44
Security Leadership Defined 45
Security Leader Soft Skills 46
Seven Competencies for Effective Security Leadership 46
Security Functions 52
Learning from Leading Organizations 52
Assess Risk and Determine Needs 53
Implement Policies and Controls 54
Promote Awareness 56
Monitor and Evaluate 56
Central Management 56
What Functions Should the Security Officer Be Responsible For? 57
Assessing Risk and Determining Needs Functions 58
Risk Assessment/Analysis 58
Systems Security Plan Development 59
External Penetration Testing 60
Implement Policies and Control Functions 61
Security Policy Development 61
Security Architecture 61
Security Control Assessment 62
Identity and Access Management 62
Business Continuity and Disaster Recovery 63
Promote Awareness Functions 64
End User Security Awareness Training 64
Intranet Site and Policy Publication 65
Targeted Awareness 65
Monitor and Evaluate Functions 65
Security Baseline Configuration Review 66
Logging and Monitoring 67
Vulnerability Assessment 67
Internet Monitoring/Management of Managed Services 68
Incident Response 68
Forensic Investigations 69
Central Management Functions 69
Reporting Model 70
Business Relationships 71
Reporting to the CEO 71
Reporting to the Information Systems Department 72
Reporting to Corporate Security 72
Reporting to the Administrative Services Department 73
Reporting to the Insurance and Risk Management Department 73
Reporting to the Internal Audit Department 74
Reporting to the Legal Department 74
Determining the Best Fit 75
Suggested Reading 75
Chapter 4 Interacting with the C-Suite 77
Communication between the CEO, CIO, Other Executives, and CISO 78
13 "Lucky" Questions to Ask One Another 80
The CEO, Ultimate Decision Maker 81
The CEO Needs to Know Why 87
The CIO, Where Technology Meets the Business 87
CIO's Commitment to Security Is Important 94
The Security Officer, Protecting the Business 95
The CEO, CIO, and CISO Are Business Partners 100
Building Grassroots Support through an Information Security Council 101
Establishing the Security Council 101
Oversight of Security Program 103
Decide on Project Initiatives 103
Prioritize Information Security Efforts 103
Review and Recommend Security Policies 103
Champion Organizational Security Efforts 104
Recommend Areas Requiring Investment 104
Appropriate Security Council Representation 104
"-Ing"ing the Council: Forming, Storming, Norming, and Performing 107
Forming 107
Storming 108
Norming 108
Performing 109
Integration with Other Committees 109
Establish Early, Incremental Success 111
Let Go of Perfectionism 112
Sustaining the Security Council 113
End User Awareness 114
Security Council Commitment 116
Suggested Reading 117
Chapter 5 Managing Risk to an Acceptable Level 119
Risk in Our Daily Lives 120
Accepting Organizational Risk 121
Just Another Set of Risks 122
Management Owns the Risk Decision 122
Qualitative versus Quantitative Risk Analysis 123
Risk Management Process 124
Risk Analysis Involvement 124
Step 1: Categorize the System 125
Step 2: Identify Potential Dangers (Threats) 128
Human Threats 128
Environmental/Physical Threats 128
Technical Threats 129
Step 3: Identify Vulnerabilities That Could Be Exploited 129
Step 4: Identify Existing Controls 130
Step 5: Determine Exploitation Likelihood Given Existing Controls 131
Step 6: Determine Impact Severity 132
Step 7: Determine Risk Level 134
Step 8: Determine Additional Controls 135
Risk Mitigation Options 135
Risk Assumption 135
Risk Avoidance 136
Risk Limitation 136
Risk Planning 136
Risk Research 136
Risk Transference 137
Conclusion 137
Suggested Reading 137
Chapter 6 Creating Effective Information Security Policies 139
Why Information Security Policies Are Important 139
Avoiding Shelfware 140
Electronic Policy Distribution 141
Canned Security Policies 142
Policies, Standards, Guidelines Definitions 143
Policies Are Written at a High Level 143
Policies 145
Security Policy Best Practices 145
Types of Security Policies 147
Standards 149
Procedures 150
Baselines 151
Guidelines 152
Combination of Policies, Standards, Baselines, Procedures, and Guidelines 153
Policy Analogy 153
An Approach for Developing Information Security Policies 154
Utilizing the Security Council for Policies 155
The Policy Review Process 156
Information Security Policy Process 161
Suggested Reading 161
Chapter 7 Security Compliance Using Control Frameworks 163
Security Control Frameworks Defined 163
Security Control Frameworks and Standards Examples 164
Health Insurance Portability and Accountability Act (HIPAA) 164
Federal Information Security Management Act of 2002 (FISMA) 164
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) 164
Federal Information System Controls Audit Manual (FISCAM) 165
ISO/IEC 27001:2005 Information Security Management Systems—Requirements 165
ISO/IEC 27002:2005 Information Technology—Security Techniques—Code of Practice for Information Security Management 166
Control Objectives for Information and Related Technology (COBIT) 167
Payment Card Industry Data Security Standard (PCI DSS) 167
Information Technology Infrastructure Library (ITIL) 168
Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides 168
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook 169
The World Operates on Standards 169
Standards Are Dynamic 171
The How Is Typically Left Up to Us 171
Key Question: Why Does the Standard Exist? 173
Compliance Is Not Security, But It Is a Good Start 173
Integration of Standards and Control Frameworks 174
Auditing Compliance 175
Adoption Rate of Various Standards 175
ISO 27001/2 Certification 176
NIST Certification 177
Control Framework Convergence 177
The 11-Factor Compliance Assurance Manifesto 178
The Standards/Framework Value Proposition 183
Suggested Reading 183
Chapter 8 Managerial Controls: Practical Security Considerations 185
Security Control Convergence 185
Security Control Methodology 188
Security Assessment and Authorization Controls 188
Planning Controls 189
Risk Assessment Controls 190
System and Services Acquisition Controls 191
Program Management Controls 193
Suggested Reading 211
Chapter 9 Technical Controls: Practical Security Considerations 213
Access Control Controls 213
Audit and Accountability Controls 214
Identification and Authentication 215
System and Communications Protections 215
Suggested Reading 238
Chapter 10 Operational Controls: Practical Security Considerations 239
Awareness and Training Controls 239
Configuration Management Controls 240
Contingency Planning Controls 240
Incident Response Controls 241
Maintenance Controls 241
Media Protection Controls 242
Physical and Environmental Protection Controls 243
Personnel Security Controls 244
System and Information Integrity Controls 245
Suggested Reading 276
Chapter 11 The Auditors Have Arrived, Now What? 277
Anatomy of an Audit 278
Audit Planning Phase 279
Preparation of Document Request List 280
Gather Audit Artifacts 284
Provide Information to Auditors 285
On-Site Arrival Phase 287
Internet Access 287
Reserve Conference Rooms 288
Physical Access 289
Conference Phones 290
Schedule Entrance, Exit, Status Meetings 290
Set Up Interviews 291
Audit Execution Phase 292
Additional Audit Meetings 293
Establish Auditor Communication Protocol 293
Establish Internal Company Protocol 294
Media Handling 296
Audit Coordinator Quality Review 298
The Interview Itself 298
Entrance, Exit, and Status Conferences 299
Entrance Meeting 299
Exit Meeting 301
Status Meetings 301
Report Issuance and Finding Remediation Phase 302
Suggested Reading 304
Chapter 12 Effective Security Communications 305
Why a Chapter Dedicated to Security Communications? 305
End User Security Awareness Training 306
Awareness Definition 307
Delivering the Message 308
Step 1: Security Awareness Needs Assessment 308
New or Changed Policies 308
Past Security Incidents 309
Systems Security Plans 309
Audit Findings and Recommendations 309
Event Analysis 310
Industry Trends 310
Management Concerns 310
Organizational Changes 311
Step 2: Program Design 311
Target Audience 311
Frequency of Sessions 311
Number of Users 312
Method of Delivery 312
Resources Required 312
Step 3: Develop Scope 312
Determine Participants Needing Training 312
Business Units 313
Select Theme 313
Step 4: Content Development 314
Step 5: Communication and Logistics Plan 315
Step 6: Awareness Delivery 316
Step 7: Evaluation/Feedback Loops 317
Security Awareness Training Does Not Have to Be Boring 317
Targeted Security Training 317
Continuous Security Reminders 319
Utilize Multiple Security Awareness Vehicles 319
Security Officer Communication Skills 320
Talking versus Listening 320
Roadblocks to Effective Listening 321
Generating a Clear Message 323
Influencing and Negotiating Skills 323
Written Communication Skills 324
Presentation Skills 325
Applying Personality Type to Security Communications 326
The Four Myers-Briggs Type Indicator (MBTI) Preference Scales 326
Extraversion versus Introversion Scale 327
Sensing versus Intuition Scale 327
Thinking versus Feeling Scale 328
Judging versus Perceiving Scale 328
Determining Individual MBTI Personality 329
Summing Up the MBTI for Security 334
Suggested Reading 334
Chapter 13 The Law and Information Security 337
Civil Law versus Criminal Law 339
Electronic Communications Privacy Act of 1986 (ECPA) 340
The Computer Security Act of 1987 341
The Privacy Act of 1974 342
Sarbanes-Oxley Act of 2002 (SOX) 342
Gramm-Leach-Bliley Act (GLBA) 344
Health Insurance Portability and Accountability Act of 1996 345
Health Information Technology for Economic and Clinical Health (HITECH) Act 348
Federal Information Security Management Act of 2002 (FISMA) 348
Summary 350
Suggested Reading 350
Chapter 14 Learning from Information Security Incidents 353
Recent Security Incidents 355
Texas State Comptroller 355
Sony PlayStation Network 356
Student Loan Social Security Numbers Stolen 358
Social Security Numbers Printed on Outside of Envelopes 359
Valid E-Mail Addresses Exposed 360
Office Copier Hard Disk Contained Confidential Information 362
Advanced Persistent Threat Targets Security Token 362
Who Will Be Next? 364
Every Control Could Result in an Incident 365
Suggested Reading 366
Chapter 15 17 Ways to Dismantle Information Security Governance Efforts 369
Final Thoughts 379
Suggested Reading 381
Index 383