Security Governance Primer - Eric Vanderburg - JURINNOV
Security Governance Primer
Dr. Eric Vanderburg
Director, Information Systems and Security
JURINNOV LTD
Ramana Gaddamanugu, CFE
Senior Manager, Risk and Compliance
JURINNOV LTD
Objectives
• Define the security policy cycle
• Explain risk identification
• Design a security policy
• Define types of security policies
• Define compliance monitoring and evaluation
Understanding the Security Policy Cycle
• First part of the cycle is risk identification
• Risk identification seeks to determine the risks that an organization faces against its information assets
• That information becomes the basis of developing a security policy
• A security policy is a document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure
Reviewing Risk Identification
• The first step in the security policy cycle is to identify risks
• It involves four steps:
  • Inventory the assets
  • Determine what threats exist against the assets and by which threat agents
  • Investigate whether vulnerabilities exist that can be exploited
  • Decide what to do about the risks
Asset Identification
• An asset is any item with a positive economic value
• There are many types of assets, classified as follows:
  • Physical assets
  • Data
  • Software
  • Hardware
  • Personnel
• Along with the assets, attributes of the assets need to be compiled
Asset Identification
• After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value
• Factors to be considered in determining the relative value
Threat Identification
• Threats are not limited to attackers; they also include natural events (acts of God) such as fire or severe weather
• Threat modeling constructs scenarios of the types of threats that assets can face
• The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur
Threat Identification
• A valuable tool used in threat modeling is the construction of an attack tree
• An attack tree provides a visual image of the attacks that may occur against an asset
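An attack tree is more than a picture: its root is the attacker's goal, OR nodes list alternative ways to reach a sub-goal, and AND nodes list steps that must all succeed. Scoring the leaves lets you ask which path is cheapest for the attacker and how a control changes that answer. The following is an added example, not code from the slides; the goal ("read customer database"), the steps and the effort costs are hypothetical figures chosen for illustration.

```python
"""Attack-tree evaluation: find the cheapest path to an attacker goal.

Added example, not code from the original slides. The goal, the attack
steps and the per-step costs (hypothetical "attacker effort" units) are
constructed to illustrate how OR/AND nodes are combined.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0         # effort for a leaf step; ignored for or/and nodes
    children: list[Node] = field(default_factory=list)


def cheapest(node: Node) -> tuple[float, list[str]]:
    """Return (total cost, leaf steps) of the cheapest way to achieve `node`.

    OR nodes take the minimum over their children; AND nodes sum their
    children, because every sub-goal must be achieved.
    """
    if node.kind == "leaf":
        return node.cost, [node.name]
    if not node.children:
        raise ValueError(f"{node.name}: {node.kind} node has no children")
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        return sum(r[0] for r in results), [step for r in results for step in r[1]]
    raise ValueError(f"{node.name}: unknown node kind {node.kind!r}")


def walk(node: Node) -> Iterator[Node]:
    yield node
    for child in node.children:
        yield from walk(child)


def apply_control(tree: Node, step: str, new_cost: float) -> Node:
    """Copy of `tree` in which leaf `step` now costs `new_cost` (a control made it harder)."""
    updated = copy.deepcopy(tree)
    for node in walk(updated):
        if node.kind == "leaf" and node.name == step:
            node.cost = new_cost
    return updated


def render(node: Node, depth: int = 0) -> str:
    """Indented text form of the tree (the 'visual image' of the attacks)."""
    label = node.name if node.kind == "leaf" else f"{node.name} [{node.kind.upper()}]"
    suffix = f" (cost {node.cost:g})" if node.kind == "leaf" else ""
    lines = ["  " * depth + label + suffix]
    lines += [render(child, depth + 1) for child in node.children]
    return "\n".join(lines)


def build_example_tree() -> Node:
    """Hypothetical tree for the asset 'customer database'; costs are illustrative."""
    return Node("Read customer database", "or", children=[
        Node("Obtain database credentials", "or", children=[
            Node("Phish the DBA", cost=20),
            Node("Find credentials in source repository", cost=5),
        ]),
        Node("Exploit the database server", "and", children=[
            Node("Reach the database network segment", cost=30),
            Node("Exploit an unpatched service", cost=40),
        ]),
        Node("Steal a backup", "and", children=[
            Node("Gain physical access to offsite storage", cost=60),
            Node("Decrypt the backup", cost=1000),  # backups are encrypted, so near-infeasible
        ]),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print(render(tree))
    print("cheapest:", cheapest(tree))
    hardened = apply_control(tree, "Find credentials in source repository", 200)
    print("after secret scanning and credential rotation:", cheapest(hardened))
```

With the figures above the cheapest path is the leaked repository credential (cost 5); raising that leaf to 200 by scanning repositories for secrets and rotating anything found moves the cheapest path to phishing the DBA (cost 20), which tells you which control to fund next. The same evaluation works with probability or required skill in place of cost, as long as the AND/OR combination rules are changed to match the quantity.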
Vulnerability Appraisal
• After assets have been inventoried and prioritized and the threats have been explored, the next question becomes, what current security weaknesses may expose the assets to these threats?
• Vulnerability appraisal takes a current snapshot of the security of the organization as it now stands
Vulnerability Appraisal
• To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners
• These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity
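The core of the comparison a scanner performs is: for each product and version found on a host, look up advisories whose affected version range contains that version, then rate each match by its score. The following is an added example of that matching logic, not code from the slides or from any real scanner; the host inventory, product names, identifiers (VDB-*), version ranges and scores are constructed for the example and are not real advisories.

```python
"""Version-based vulnerability matching, the core of a vulnerability scanner.

Added example, not code from the slides or from any real scanner product.
The host inventory and the vulnerability database below are constructed:
product names, version ranges, identifiers (VDB-*) and scores are
hypothetical, not real advisories.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str
    product: str
    fixed_in: str | None          # first version NOT affected; None = no fix released yet
    introduced: str = "0"         # first affected version
    score: float = 0.0            # CVSS-style base score, 0.0-10.0
    summary: str = ""


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    vid: str
    score: float
    severity: str
    summary: str


def version_key(version: str, width: int = 4) -> tuple[int, ...]:
    """Comparable form of a dotted version: '2.4.51' -> (2, 4, 51, 0).

    Only the leading digits of each component count ('51a' -> 51, 'rc1' -> 0),
    and short versions are zero-padded so '2.4' compares equal to '2.4.0'.
    """
    parts = []
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def is_affected(vuln: Vuln, product: str, version: str) -> bool:
    """True when the product matches and introduced <= version < fixed_in."""
    if product != vuln.product:
        return False
    v = version_key(version)
    if v < version_key(vuln.introduced):
        return False
    return vuln.fixed_in is None or v < version_key(vuln.fixed_in)


def severity(score: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def scan(inventory, vuln_db) -> list[Finding]:
    """Compare every (host, product, version) against the database; worst first."""
    findings = [
        Finding(host, product, version, v.vid, v.score, severity(v.score), v.summary)
        for host, product, version in inventory
        for v in vuln_db
        if is_affected(v, product, version)
    ]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample data (hypothetical products and advisories).
INVENTORY = [
    ("web01", "exampled", "2.4.49"),
    ("web02", "exampled", "2.4.51"),
    ("db01", "acmedb", "11.2"),
    ("db01", "libfoo", "1.0"),
]
VULN_DB = [
    Vuln("VDB-0001", "exampled", fixed_in="2.4.50", score=9.8, summary="remote code execution"),
    Vuln("VDB-0002", "exampled", fixed_in="2.4.52", introduced="2.4.0", score=5.3, summary="information disclosure"),
    Vuln("VDB-0003", "acmedb", fixed_in="11.1", introduced="11.0", score=7.5, summary="authentication bypass"),
    Vuln("VDB-0004", "libfoo", fixed_in=None, score=6.1, summary="denial of service, no fix yet"),
]


def discovery_report(inventory=INVENTORY, vuln_db=VULN_DB) -> list[Finding]:
    return scan(inventory, vuln_db)


if __name__ == "__main__":
    for f in discovery_report():
        print(f"{f.severity:8} {f.score:4} {f.host:6} {f.product} {f.version}  {f.vid}: {f.summary}")
```

Two caveats a practitioner should keep in mind when reading such a report: matching on version strings alone gives false positives where a vendor backports a fix without changing the version (common for Linux distribution packages), and it gives false negatives for anything the inventory step missed, which is why the asset inventory in the previous step has to be complete before the scan results mean much.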
Risk Assessment
• Final step in identifying risks is to perform a risk assessment
• Risk assessment involves determining the likelihood that each vulnerability will actually be exploited, and what the impact on the organization would be if it were
• Each vulnerability can then be ranked on a likelihood scale
• Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability
Risk Assessment
• Formulas commonly used to calculate expected losses are:
  • Single Loss Expectancy (SLE)
  • Annualized Loss Expectancy (ALE)
• An organization has three options when confronted with a risk:
  • Accept the risk
  • Diminish the risk
  • Transfer the risk
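The two formulas feed directly into the three-way decision: SLE is the asset value multiplied by the exposure factor (the fraction of the asset lost in one incident), ALE is SLE multiplied by the annualized rate of occurrence, and a control is worth buying only if the ALE it removes exceeds its own annual cost. The following is an added example, not from the slides; the risks, controls, costs and the insurance premium are hypothetical figures chosen so the three outcomes (diminish, transfer, accept) each appear once.

```python
"""Quantitative risk assessment: SLE, ALE and a cost-benefit decision.

Added example, not from the slides. The standard definitions are
SLE = asset value x exposure factor and ALE = SLE x annualized rate of
occurrence; the risks, controls, costs and insurance premium below are
hypothetical figures chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float        # AV: value of the asset in currency units
    exposure_factor: float    # EF: fraction of AV lost in a single incident, 0.0-1.0
    aro: float                # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: float | None = None   # EF after the control, if it reduces impact
    new_aro: float | None = None               # ARO after the control, if it reduces likelihood


def sle(risk: Risk) -> float:
    """Single loss expectancy: loss from one occurrence."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: expected loss per year."""
    return sle(risk) * risk.aro


def residual(risk: Risk, control: Control) -> Risk:
    """The risk as it stands after the control is applied."""
    return replace(
        risk,
        exposure_factor=risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor,
        aro=risk.aro if control.new_aro is None else control.new_aro,
    )


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus what the control costs per year; negative means it is not worth it."""
    return ale(risk) - ale(residual(risk, control)) - control.annual_cost


def recommend(risk: Risk, controls: list[Control], transfer_premium: float | None = None) -> tuple[str, str | None]:
    """Pick among the three options on the slide: diminish, transfer or accept.

    Diminish with the control that has the largest positive net benefit; otherwise
    transfer (for example, insure) if the premium is below the expected annual loss;
    otherwise accept the risk.
    """
    if controls:
        best = max(controls, key=lambda c: net_benefit(risk, c))
        if net_benefit(risk, best) > 0:
            return "diminish", best.name
    if transfer_premium is not None and transfer_premium < ale(risk):
        return "transfer", None
    return "accept", None


# Constructed figures (hypothetical).
RANSOMWARE = Risk("Ransomware on the file server", asset_value=500_000, exposure_factor=0.4, aro=0.5)
BACKUPS = Control("Offline backups and tested restores", annual_cost=15_000, new_exposure_factor=0.05)
REBUILD = Control("Rebuild all file servers as immutable images", annual_cost=120_000, new_aro=0.1)

FIRE = Risk("Data-centre fire", asset_value=2_000_000, exposure_factor=0.8, aro=0.02)
SUPPRESSION = Control("Fire suppression upgrade", annual_cost=40_000, new_exposure_factor=0.2)

PRINTER = Risk("Office printer outage", asset_value=4_000, exposure_factor=0.5, aro=1.0)
SPARE_PRINTER = Control("Keep a spare printer", annual_cost=2_500, new_aro=0.0)


if __name__ == "__main__":
    for risk, controls, premium in [
        (RANSOMWARE, [BACKUPS, REBUILD], None),
        (FIRE, [SUPPRESSION], 20_000),
        (PRINTER, [SPARE_PRINTER], None),
    ]:
        print(f"{risk.name}: SLE={sle(risk):,.0f} ALE={ale(risk):,.0f} -> {recommend(risk, controls, premium)}")
```

The ransomware case has an SLE of 200,000 and an ALE of 100,000; tested offline backups cut the ALE to 12,500 for 15,000 a year, so the organization diminishes the risk. The fire case has an ALE of 32,000, the suppression upgrade costs more than it saves, and an insurance premium of 20,000 is cheaper than the expected loss, so the risk is transferred. The printer outage is cheaper to live with than to prevent, so it is accepted. The EF and ARO inputs are estimates, and the decision should be re-run when they change.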
Designing the Security Policy
• Designing a security policy is the logical next step in the security policy cycle
• After risks are clearly identified, a policy is needed to mitigate what the organization decides are the most important risks
What Is a Security Policy?
• A policy is a document that outlines specific requirements or rules that must be met
• It is the correct vehicle for an organization to use when establishing information security
• A standard is a collection of requirements specific to the system or procedure that must be met by everyone
• A guideline is a collection of suggestions that should be implemented
Balancing Control and Trust
• To create an effective security policy, two elements must be carefully balanced: trust and control
• Three models of trust:
  • Trust everyone all of the time
  • Trust no one at any time
  • Trust some people some of the time
Designing a Policy
• When designing a security policy, you can consider a standard set of principles
• These can be divided into what a policy must do and what a policy should do
Designing a Policy
• Security policy design should be the work of a team and not one or two technicians
• The team should have these representatives:
  • Senior-level administrator
  • Member of management who can enforce the policy
  • Member of the legal staff
  • Representative from the user community
Elements of a Security Policy
• Because security policies are formal documents that outline acceptable and unacceptable employee behavior, legal elements are often included in these documents
• The three most common elements:
  • Due care
  • Separation of duties
  • Need to know
Due Care
• Term used frequently in legal and business settings
• Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them
Separation of Duties
• Key element in internal controls
• Means that one person’s work serves as a complementary check on another person’s
• No one person should have complete control over any action from initialization to completion
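Separation of duties is enforced in practice by deciding which permission pairs no single person may hold (entering an invoice and approving it, committing code and deploying it to production) and then checking role assignments against that list, both as a periodic audit and as a gate before a new role is granted. The following is an added example of both checks, not from the slides; the roles, permissions, users and conflict pairs are constructed for illustration.

```python
"""Separation-of-duties (SoD) check over role assignments.

Added example, not from the slides. The roles, permissions, users and the
list of conflicting permission pairs are constructed for illustration; a
real deployment would load them from the identity system and from the
control matrix agreed with audit.
"""
from __future__ import annotations

# Role -> permissions it grants (constructed).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "ap-clerk": {"vendor:create", "invoice:enter"},
    "ap-approver": {"invoice:approve"},
    "treasury": {"payment:release"},
    "developer": {"code:commit"},
    "release-manager": {"code:deploy-prod"},
    "auditor": {"ledger:read"},
}

# Permission pairs that no single person may hold: each pair is a workflow
# whose initiation and completion must be split between two people.
CONFLICTS: set[frozenset[str]] = {
    frozenset({"vendor:create", "payment:release"}),
    frozenset({"invoice:enter", "invoice:approve"}),
    frozenset({"invoice:approve", "payment:release"}),
    frozenset({"code:commit", "code:deploy-prod"}),
}

# User -> roles currently assigned (constructed).
USER_ROLES: dict[str, set[str]] = {
    "alice": {"ap-clerk"},
    "bob": {"ap-approver", "treasury"},
    "carol": {"developer", "release-manager"},
    "dave": {"developer", "auditor"},
}


def effective_permissions(roles: set[str], role_permissions=ROLE_PERMISSIONS) -> set[str]:
    """Union of the permissions granted by `roles`; an unknown role is an error, not silently empty."""
    perms: set[str] = set()
    for role in roles:
        if role not in role_permissions:
            raise ValueError(f"unknown role {role!r}")
        perms |= role_permissions[role]
    return perms


def conflicts_in(perms: set[str], conflicts=CONFLICTS) -> list[tuple[str, str]]:
    """Conflict pairs fully contained in `perms`, sorted for stable output."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                   conflicts=CONFLICTS) -> dict[str, list[tuple[str, str]]]:
    """Detective control: users whose current roles combine into a conflict."""
    report = {}
    for user, roles in user_roles.items():
        found = conflicts_in(effective_permissions(roles, role_permissions), conflicts)
        if found:
            report[user] = found
    return report


def can_grant(user: str, new_role: str, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
              conflicts=CONFLICTS) -> tuple[bool, list[tuple[str, str]]]:
    """Preventive control: would adding `new_role` to `user` create a conflict?"""
    roles = set(user_roles.get(user, set())) | {new_role}
    found = conflicts_in(effective_permissions(roles, role_permissions), conflicts)
    return (not found), found


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"{user}: {pairs}")
    print("grant ap-approver to alice:", can_grant("alice", "ap-approver"))
    print("grant ap-clerk to dave:", can_grant("dave", "ap-clerk"))
```

The check works on effective permissions rather than role names, so a conflict introduced by editing a role's permissions is caught the next time the audit runs, not only when a user is added. Unknown roles raise instead of contributing an empty permission set; failing open here would let a typo in a role name pass the preventive check.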
Need to Know
• One of the best methods to keep information confidential is to restrict who has access to that information
• Only employees whose job function requires the information are given access to it
Types of Security Policies
• "Security policy" is an umbrella term for all of the subpolicies included within it
• In this section, you examine some common security policies:
  • Acceptable use policy
  • Human resource policy
  • Password management policy
  • Privacy policy
  • Disposal and destruction policy
  • Service-level agreement
Acceptable Use Policy (AUP)
• Defines what actions users of a system may perform while using computing and networking equipment
• Should have an overview regarding what is covered by this policy
• Unacceptable use should also be outlined
Human Resource Policy
• Policies of the organization that address human resources
• Should include statements regarding how an employee’s information technology resources will be addressed
Password Management Policy
• Although passwords often form the weakest link in information security, they are still the most widely used
• A password management policy should clearly address how passwords are managed
• In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords
Privacy Policy
• Privacy is of growing concern among today’s consumers
• Organizations should have a privacy policy that outlines how the organization uses information it collects
Disposal and Destruction Policy
• A disposal and destruction policy that addresses the disposal of resources is considered essential
• The policy should cover how long records and data will be retained
• It should also cover how to dispose of them
Service-Level Agreement (SLA) Policy
• Contract between a vendor and an organization for services
• Typically contains…
Understanding Compliance Monitoring and Evaluation
• The final process in the security policy cycle is compliance monitoring and evaluation
• Some of the most valuable analysis occurs when an attack penetrates the security defenses
• A team must respond to the initial attack and reexamine the security policies that address the vulnerability to determine what changes need to be made to prevent its recurrence
Incident Response Policy
• Outlines actions to be performed when a security breach occurs
• Most policies outline the composition of an incident response team (IRT)
• The team should be composed of individuals from:
  • Senior management
  • IT personnel
  • Corporate counsel
  • Human resources
  • Public relations
Ethics Policy
• Professional bodies publish codes of ethics that encourage their members to adhere to strict ethical behavior within their profession
• Codes of ethics for IT professionals are available from the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM), among others
• Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to
Summary
• The security policy cycle defines the overall process for developing a security policy
• There are four steps in risk identification:
  • Inventory the assets and their attributes
  • Determine what threats exist against the assets and by which threat agents
  • Determine whether vulnerabilities exist that can be exploited by surveying the current security infrastructure
  • Make decisions regarding what to do about the risks
Summary
• A security policy development team should be formed to create the information security policy
• An incident response policy outlines actions to be performed when a security breach occurs
• A policy addressing ethics can also be formulated by an organization
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: [email protected]
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115