Chapter 13 Legal Issues ISO/IEC 27004:2016 and Information Security
Questions and Answers

An organization utilizing ISO/IEC 27004:2016 primarily aims to:

  • Implement new information security policies without assessing existing controls.
  • Reduce the cost of security operations without regard to effectiveness or compliance.
  • Systematically review and improve their Information Security Management (ISM) system through measurement and analysis. (correct)
  • Focus solely on the visible aspects of day-to-day security operations, ignoring strategic improvements.

Which statement accurately differentiates Information Security Governance (ISG) from Information Security Management (ISM)?

  • ISG and ISM are interchangeable terms describing the same set of security activities.
  • ISG focuses on the daily operational security tasks, while ISM sets the overall security strategy.
  • ISM is primarily concerned with policy creation, while ISG handles the practical implementation of those policies.
  • ISG dictates the desired security posture, while ISM executes and maintains that posture. (correct)

What is the MOST critical function of Information Security Management (ISM) within an organization?

  • Developing marketing strategies to promote the organization's security posture.
  • Overseeing legal compliance without regard to daily security practices.
  • Defining the organization's long-term strategic goals for security.
  • Ensuring the practical implementation of Information Security Governance (ISG) policies. (correct)

An organization discovers a discrepancy between its Information Security Governance (ISG) policies and their actual implementation. According to best practices, what should be the FIRST step to address this?

Conduct a thorough review and analysis of the ISM processes to identify implementation gaps. (C)

In the context of maintaining an effective information security posture, why is continuous monitoring, measurement, analysis, and evaluation, as emphasized by ISO/IEC 27004:2016, considered essential?

It ensures that security measures remain aligned with evolving threats and organizational needs. (B)

What distinguishes Information Security Governance from Information Security Management?

Governance dictates policies and strategy; management implements them. (A)

Which role has ultimate compliance authority and oversight in Information Security Governance?

Board of Directors (BOD) (D)

Which of the following is NOT a direct responsibility of Information Security Management?

Creating security strategy (B)

According to FISMA, what is a crucial requirement for each federal agency to ensure data and IT resources are protected?

Developing and implementing an agency-wide information security program led by a designated CISO. (B)

Which action is LEAST likely to be a direct component of a federal agency's responsibilities under FISMA?

Lobbying Congress to weaken security legislation. (D)

Under FISMA, what is the primary responsibility of a federal agency's CISO?

To lead and oversee the agency's information security program. (D)

How does FISMA ensure the security of federal data and IT resources?

By requiring each federal agency to develop an information security program, assess risks, and provide security training. (B)

Which entity does a U.S. federal agency report to regarding FISMA compliance?

The president of the United States. (D)

What is the primary purpose of a high-level information security policy?

To delineate the organization's overarching information security expectations. (A)

Which of the following elements is typically included in the policy history section of a high-level information security policy?

Dates of policy revisions and reviews. (A)

Why is it important for high-level policies to be concise and easy to understand?

To ensure consistent interpretation and application across the organization. (B)

Which of the following is a characteristic of supporting documents (e.g., standards, guidelines, and procedures) in relation to a high-level information security policy?

They provide detailed explanations on how to meet the policy's expectations. (C)

What is the significance of listing 'related documents' within a high-level information security policy?

To indicate standards or procedures that support the policy. (B)

Why does the development and review process for policy documents tend to be lengthy and time-consuming?

Because policies are high-level governance documents with a broad scope, addressing the entire organization. (C)

In the context of information security policies, what role does the 'policy contact' serve?

To answer questions and provide clarifications about the policy. (D)

Which statement accurately reflects the relationship between high-level information security policies and detailed implementation procedures?

High-level policies define the organization's security expectations, while implementation procedures provide the specific details on how to meet those expectations. (B)

What fundamentally forms the basis of an organization's comprehensive information security program?

An organization's Information Security Governance (ISG) documents, detailing its commitment and framework. (C)

What is the primary focus of the Government Accountability Office (GAO) high-risk list concerning information systems and cyber infrastructure?

Identifying and mitigating vulnerabilities in national information systems susceptible to fraud, waste, abuse, or mismanagement. (A)

An organization's ISG documents are utilized to address a number of key areas; however, which of the choices is MOST applicable?

Defining the organization's information security goals, data protection strategies, legal compliance, employee responsibilities, and consequences for non-compliance. (B)

How might an organization demonstrate its commitment to compliance with legal and regulatory requirements through its Information Security Governance (ISG) documents?

By outlining specific procedures for adhering to relevant laws and regulations, such as GDPR or HIPAA. (B)

In the context of information security, what distinguishes 'standards' from 'guidelines' within an organization's security program?

Standards provide specific, mandatory requirements, while guidelines offer flexible recommendations. (B)

What is the MOST LIKELY consequence for an employee failing to meet their information security responsibilities, as defined in an organization's ISG documents?

Disciplinary actions, legal penalties, or damage to the organization's reputation. (A)

What critical aspect does the inclusion of 'employee information security responsibilities' within an organization's ISG documents primarily address?

Establishing a clear understanding among employees regarding their roles and duties in safeguarding organizational information assets. (B)

An organization decides to implement a new information security policy. Which action would be LEAST effective in ensuring employee adherence and understanding?

Distributing the policy document via email without providing additional context or training. (A)

What is the primary difference between a standard statement and a procedural statement in the context of information security governance?

Standard statements define 'what' is expected, while procedural statements detail 'how' to meet those expectations. (B)

An employee requires a multifactor authentication token but cannot visit the technology center during the stated hours. What aspect of the provided policy creates this potential conflict?

The policy lacks a provision for remote access or alternative arrangements for obtaining the token. (B)

Which of the following scenarios best illustrates the application of a guideline in information security?

Recommending employees regularly update passwords and avoid using personal information in them. (A)

An organization observes a rise in phishing attacks targeting its employees. How can the organization effectively leverage guidelines to mitigate this threat?

By providing guidelines that educate employees on how to identify and report phishing attempts. (D)

What inherent limitation exists when relying solely on guidelines to enforce information security practices?

Guidelines lack the authority to ensure consistent compliance across the organization. (C)

How do guidelines complement standard and procedural statements within an organization's information security framework?

Guidelines provide context and encourage proactive security behaviors beyond mandatory requirements outlined in standards and procedures. (B)

Consider an organization with strict policies against using personal devices for work. How might guidelines be used to address the 'gray area' of employees occasionally checking work email on their personal phones?

The organization can provide guidelines that educate employees on the risks of using personal devices and recommend security measures like strong passwords and device encryption. (B)

An employee disregards guidelines on password complexity, rationalizing that remembering a simple password improves their productivity. What critical aspect of security awareness is the employee failing to appreciate?

The balance between usability and security, prioritizing security to protect sensitive information. (D)

What is the primary advantage of employing a formal process for policy creation within an organization?

It ensures diverse stakeholder input and facilitates regular reviews, enhancing policy relevance and acceptance across the organization. (D)

Why might an organization choose to maintain the use of legalese in its high-level policies despite the trend towards plain language?

High-level policies require a level of precision that only legalese can provide, minimizing potential legal challenges. (B)

What is the most significant challenge associated with using legalese in organizational policies?

It often obscures simple concepts, leading to frustration and potential misunderstandings among those who need to adhere to the policies. (A)

What is the most important goal of the plain language movement within the legal profession?

To enhance the comprehensibility of legal documents for the general public, ensuring clarity and minimizing misinterpretations. (C)

In what context is the use of legalese MOST appropriate, considering its drawbacks?

When creating high-level governance documents where precise legal interpretation is paramount. (D)

An organization is revising its employee handbook. Which approach would be most effective for ensuring the policies are well-understood and followed?

Engage legal counsel to translate the existing policies into plain language, while using a formal review process for feedback. (C)

What is the most significant risk of unilaterally adopting a policy written in plain language without consulting legal counsel?

It might introduce ambiguities that lead to legal challenges or unintended interpretations and create loopholes. (C)

How can organizations balance the benefits of plain language with the perceived necessity of legalese in formal documents?

By reserving legalese for only the most critical sections of the document with severe financial or legal implications, while using plain language elsewhere. (D)

Flashcards

ISO/IEC 27004:2016

A standard (ISO/IEC 27004:2016) for reviewing an Information Security Management (ISM) system.

Purpose of ISO 27004

The standard assists organizations in developing control measurements and analyzing them to determine if policy or control adjustments are needed.

Information Security Management (ISM)

The visible, day-to-day security operations of an organization that implement Information Security Governance (ISG) policies.

Information Security Governance (ISG)

Establishes the desired overall security stance or posture of an organization.

ISG vs. ISM

ISG defines the security posture, while ISM maintains it through practical application of policies.

Info Security Governance

Strategic and tactical approach to security.

Info Security Management

Tactical and operational implementation of security.

Governance Role

Creates security policies and strategy.

Management Role

Implements security policies and strategy.

Governance Authority

Ultimate authority and oversight.

Management Authority

Day-to-day management and authority.

Governance Personnel

BOD, CIO, CISO

Management Personnel

CISO and information security managers.

What is the GAO?

A U.S. government agency that provides auditing, evaluation, and investigative services for Congress.

GAO High-Risk List

A list published every two years by the GAO, highlighting areas vulnerable to fraud, waste, abuse, or mismanagement.

ISG Documents

Documents that are the foundation of an organization's approach to information security.

Information Security Goals

To specify what the organization wants to achieve regarding data protection.

Protecting Own Data

An organization must safeguard its own data from unauthorized access, use, disclosure, disruption, modification, or destruction.

Protecting Data of Others

An organization's duty to protect data received from customers, partners, or other entities.

Compliance

Adherence to laws, regulations, and industry standards related to information security.

Security Program Elements

Policies, standards, guidelines, and procedures used to structure an IS program.

Policy consequences

Details consequences for failing to follow the policy.

Related policy documents

Lists related documents that support or reference the policy.

Policy contact

Lists the person responsible for answering policy-related questions.

Policy history

Lists revision and review dates, showing the policy's history.

High-level policies

Concise documents stating organizational information security expectations.

Supporting documents

Provide detailed explanations on how to meet policy expectations.

Policy scope

High-level governance documents addressing the whole organization.

Policy authority

Policies are governance documents from executive management.

Multifactor Authentication

Using multiple methods to verify a user's identity before granting access to IT systems.

Authentication Solutions

A business-provided application on a mobile device or a physical token for authentication.

Obtaining Authentication Device

Visiting the specified location during business hours with required identification.

Required IDs

Employee ID and state-issued ID are needed.

Guidelines

Documents that encourage good security practices, educate about threats, and promote proactive action.

Purpose of Guidelines

To promote secure behaviors without strict mandates.

Information Security Advice

Providing employees with advice on securing their own devices and accounts.

Recommended Actions

Actions recommended to improve one's security habits.

Formal Policy Process

A structured method for gathering feedback on a policy from various departments and stakeholders, especially for organization-wide policies.

Policy Communication

Ensures that employees are informed about the final versions of policies.

Regular Policy Review

A way for organizations to systematically check and update policies.

Legalese

Legal writing with excessive legal phrases, Latin terms, long sentences, and complex structures, making it difficult to understand.

Plain Language

Writing in a clear, straightforward style using everyday language to enhance understanding.

Trend in Legal Writing

Formal documents are increasingly written in plain language to increase understanding, so people are less likely to misunderstand them.

Legalese in High-Level Policies

High-level policies are documents written by an organization's legal counsel.

Drawbacks of Legalese

Legalese obscures simple concepts, frustrating those who need to adhere to the policies.

Study Notes

Information Security Governance

  • This chapter discusses information security governance (ISG) and information security policies.
  • An organization's governance structure is crucial to its security program.
  • Governance focuses on protecting resources and data, and supports business needs while ensuring security.
  • Strong governance leads to successful security programs.
  • Organizations use policies, standards, guidelines, and procedures to build their security program.
  • Documentation helps guide employee behavior, define rules for securing IT resources, and protect against legal liability.

Chapter 13 Topics

  • Key topics covered include what information security governance is, what information security governance documents are, recommended information security policies, and case studies.

Chapter 13 Goals

  • Main goals are to describe key concepts and terms related to security governance, goals of security governance documents, and the different types of security policies.

What is ISG?

  • Data is a valuable asset for organizations.
  • Over 50% of large corporations do not treat data as a business asset.
  • Organizations must balance using data for business goals with protecting it.
  • Failing to balance data use and protection can harm organizational goals.
  • Executive management is responsible for governing the organization and its information security.
  • ISG ensures the executive team protects information assets by making it a business decision.
  • ISG aligns security objectives with business needs, moving security beyond technical concerns to strategic importance.
  • Security goals of confidentiality, integrity, and availability are known as the C-I-A triad or the A-I-C triad.
  • Organizations use ISG to improve their business.
  • ISG ensures that information security concepts are applied in a way that helps meet business goals.
  • ISG ensures accountability and oversight.

Information Security Governance Planning

  • ISG is executive management's responsibility for strategic direction, oversight, and accountability in securing data and IT resources.
  • The main task is ensuring the information security strategy supports business goals, including profitability.
  • Strategic planning is long-term, focusing on new approaches, products, technologies, and processes.
  • Tactical planning has a short- to medium-term outlook, enabling organizations to respond to market conditions and unexpected opportunities, typically within six months.
  • Operational planning focuses on daily operations and immediate issues.

Information Security Needs

  • Organizations determine how data meets business goals and how security can support this.
  • Organizations must know their regulatory landscape, especially data protection laws.
  • Organizations must adopt a risk management approach, identifying and prioritizing security risks.
  • Organizations must consider the impact of security failures such as breaches, malware, or unavailable data, which can lead to lawsuits, costs, and loss of customers.
  • A 2019 survey revealed the average cost of a data breach in the U.S. is almost $4 million.

ISG Strategic Roles

  • ISG roles include board of directors, chief information officer, chief information security officer, and information security managers.
  • The board of directors (BOD) is the top governance group, required by law to act with due care and in the organization's best interests.
  • The BOD plans strategic direction, decides business goals, makes sure resources are used effectively, ensures legal compliance, determines how to reduce information security risk, issues high-level security policies, and delegates tactical activities.
  • The chief information officer (CIO) is the senior IT official focusing on strategic IT issues and defining the IT mission.
  • The CIO advises the BOD on IT issues, is strategic and tactical in nature, and delegates information security management (ISM) to a CISO.
  • The CIO focuses on internal IT systems, while the chief technology officer (CTO) focuses on externally-geared technology products.
  • The chief information security officer (CISO) is the senior information security official, responsible for information security strategy and tactical planning.
  • The CISO ensures the CIO and BOD understand security threats, suggests security policy, determines security safeguards, and delegates operational tasks.
  • Information security managers handle the functional management of the security program, implement controls set by the CISO, create security standards and guidelines, participate in risk assessments, and manage security infrastructure.
  • Higher-level roles are for governance decisions while lower-level roles handle ISM and operational tasks.

ISG vs ISM

  • ISG and ISM, though often used interchangeably, have a subtle distinction.
  • Many organizations use one or both terms to refer to all governance and management activities.
  • ISG, handled by the BOD, CIO, and CISO, ensures security supports business goals, offers oversight and accountability, and directs security activities.
  • ISM refers to day-to-day security operations and implements ISG policies, maintaining the organization's security posture.

Creating an ISG program

  • The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) offer guidance for creating an ISG program.
  • The standard uses the term ISM system to refer to both ISG and ISM activities.
  • The standard creates a risk-based ISM system, reviewing how to operate, monitor, review, maintain, and improve it, outlining processes at each step, and can be used by organizations of all sizes.
  • The ISO/IEC 27002:2013 standard, known as “Information Technology-Security Techniques—Code of Practice for Information Security Controls,” works with the standard.
  • Organizations regularly review their ISM systems measuring their effectiveness, which is guided in "ISO/IEC 27004:2016 Information Technology-Security Techniques—Information Security Management—Monitoring, Measurement, Analysis, and Evaluation."
  • ISM, the organization's day-to-day security operations, is the visible part of ISG and ensures ISG policies are put into practice.

The Federal Government's ISG

  • Congress created the Federal Information Security Modernization Act (FISMA) to protect federal data and IT resources.
  • Federal agencies must comply with FISMA, developing an information security program, naming a CISO, assessing security risk, reducing risk, providing security training, and reporting compliance to the Government Accountability Office (GAO).
  • Since 1997, the GAO has designated protecting national information systems and cyber infrastructure vulnerable to fraud, waste, abuse, or mismanagement as “high risk”, updating the list every 2 years.

Information Security Governance Documents

  • ISG documents establish the foundation for the security program.
  • Documents address information security goals, how the organization protects its data and the data of others, compliance with regulations, employee responsibilities, and consequences for failing to meet responsibilities.
  • Organizations use policies, standards, guidelines, and procedures to create their security program to support information security goals.
  • A formal policy is the highest-level document, followed by standards, procedures, and guidelines.
  • Guidelines provide security advice and move from broad policies to specific procedures.
  • The term "policies" is often used in a generic way to describe the entire suite of ISG documents.
  • ISG documents are administrative safeguards.

Policy Statements

  • A formal policy is executive management's high-level statement of security direction and goals.
  • High-level governance documents help minimize risk by establishing the organization's security strategy and are approved by an organization’s BOD.
  • The BOD uses policies to establish security goals and compliance expectations.
  • Organizations develop policies by assessing their regulatory landscape, size, complexity, IT systems, and how security can meet business goals.
  • Policies should include a policy statement, exclusions, rationale, definitions, affected parties, responsible parties, compliance language, related documents, contact information, and history.
  • High-level policies should be clear, concise, and understandable by all, focusing on expectations rather than detailed instructions.

Understanding Standards

  • Standards support high-level policies by detailing the activities and actions needed to meet policy goals.
  • Standards are below policies in the ISG document hierarchy.
  • Standards are more specific than policies and may require specific actions or behaviors to comply with a policy; this minimum required level is referred to as a baseline.
  • Standards are technology neutral: they refer to the safeguards and controls organizations need to protect data and IT resources, not to specific technologies.
  • Created at the CIO/CISO level with input from security managers.

Understanding Procedures and Guidelines

  • Procedures are the lowest ISG level documents.
  • Procedures provide step-by-step checklists on how to meet security goals or conduct security-related activities and are tailored to specific technologies or departments.
  • Guidelines are the most flexible ISG document issued to encourage good security practices, educate, and promote action.
  • Organizations might create a guideline to help employees learn how to avoid social engineering attacks.

Characteristics of Information Security Policies

  • Each type of ISG document has a different role and focus, with each directed at different audiences.
  • All must be easy to understand, have a clear scope, be regularly reviewed, and be communicated to all employees.
  • An organization should create a structured ISG document development process, potentially with a "policy on policies".
  • The formal process allows units, departments, and stakeholders an opportunity to comment on policies.

Policy Development

  • The ISG development process includes development, stakeholder review, management approval, employee communication, compliance documentation, awareness activities, and maintenance/review.
  • Legal counsel, risk management, and audit teams must ensure the document meets regulatory needs and protects the organization.
  • The BOD must sign high-level policies, while executives with the appropriate authority sign lower-level documents.
  • Effective communication is required so that employees can find the resources needed to follow policy; this can be achieved through newsletters, memos, or company-wide emails.
  • Organizations must measure policy compliance by documenting approval, communication, departmental actions, and deviations with formal policy exception review processes.

Enacting Corrective Action

  • Policy exception requests weaken an organization's overall security posture.
  • They are granted only when the policy negatively affects business objectives or the cost of compliance exceeds the cost of noncompliance.
  • The development process requires ongoing employee education, security training, and regular ISG document reviews to reflect current business and security goals.
  • A BOD demonstrates reasonable care when it regularly reviews its policies.
  • Security policies vary among organizations due to different goals, needs, and cultures.
  • Organizations should address acceptable use, anti-harassment, workplace privacy/monitoring, data retention/destruction, intellectual property, authentication/password, and security awareness/training.
  • These policies address IT resource use and data, often involving collaboration between information security and HR departments.

Acceptable Use Policy (AUP)

  • Companies use AUPs to tell employees how to properly use organizational IT resources.
  • AUPs are important because IT resources are expensive and contain data that is valuable to the organization.
  • AUPs can prevent costly issues, such as information security compromises, malware on IT systems, or unintentional loss of data.
  • AUP is a code of conduct that states permitted uses of IT resources, prohibited actions, and consequences for violations.
  • Legal departments use AUPs to meet regulatory responsibilities and limit legal liability.
  • Information security departments use AUPs to make employees aware of the consequences of improper use of IT services, such as consuming network bandwidth, consuming network storage space, or introducing malware onto IT systems.

AUP Terminology

  • General terms found in organizational AUPs include: IT resources are for business use only, employees shouldn't tamper with IT resources, no personal use of organizational IT resources, and IT resources will be monitored for employee compliance.
  • Many AUPs include terminology and guidance for email, internet, and mobile device use.

AUP Enforcement

  • Enforcement of the AUP may include suspension of access to IT resources, employee reprimand, employment suspension, and referral to law enforcement.

Anti-Harassment Policies

  • Harassment includes unwanted verbal/physical conduct that demeans or threatens a person.
  • Workplace harassment can violate federal law, specifically Title VII of the 1964 Civil Rights Act, which prohibits discrimination based on race, sex, religion, disability, and ethnicity.
  • Anti-harassment policies are used to limit liability for workplace harassment and typically include defining harassment, reporting procedures, investigation protocols, and retaliation prohibitions.
  • The law allows victims to recover damages from their harassers who were not stopped by their employer.

Workplace Privacy and Monitoring Policies

  • Workplace privacy is a controversial issue, because employees do not want to have their activities monitored, which creates distrust in the workplace.
  • U.S. employees have few privacy rights when using an organization's IT resources.
  • The law allows an organization to monitor email if there is a legitimate business reason for it, which can include: assessing employee productivity, monitoring operational use of IT resources, and monitoring the use of an organization's intellectual property.

Combining Workplace Privacy and Monitoring Policies

  • Informs employees that IS services are not private and may be monitored, even if the organization does not actively do so.

Data Retention and Destruction Policies

  • Organizations use data retention policies to state how data is controlled throughout its life cycle. Laws, organizational policies, and data destruction requirements determine retention parameters.
  • An organization must have policies for how to handle storing data, what to do with it when it is no longer needed, and how to back up primary storage systems.
  • Data destruction involves destroying data in a way that it cannot be recovered, which means the organization must use employee awareness efforts to make employees aware of the requirements and to properly file and maintain data.

Data Retention Policies

  • Data retention policies help manage competing concerns from business purposes, product marketing, data disasters, and legal and fiscal concerns.
  • A cross-functional team helps review and determine the requirements, such as what types of data must be retained and where they may legally be stored.

Data Destruction Policies

  • Data destruction policies ensure that the appropriate data is destroyed and address identification of data for destruction, destruction methods for that data, and validation procedures for the destruction.
  • Legal requirements influence data destruction; for example, the Gramm-Leach-Bliley Act (GLBA) states that paper documents holding customer information must be destroyed, and federal regulations require electronic data to be destroyed as well.

State Law Data Destruction Requirements

  • Some states require some form of data destruction; for example, the State of Indiana requires information to be disposed of, through specific methods, in a way that makes it unusable.

Intellectual Property Policies

  • Intellectual property laws protect people's or organizations' ownership rights in their creative ideas.
  • Intellectual property policies protect an organization's assets, such as the company's electronic proprietary and trade secret data.
  • An organization also must take precautions to not violate others' copyrights.

Authentication and Password Policies

  • Authentication controls, such as usernames and passwords, are among the most basic types of information security controls that should be implemented to protect IT resources.
  • Multifactor authentication can also be used, in which employees use two or more different types of credentials to access IT resources.
  • Other common password policies include: ensuring passwords aren't written down, that they meet complexity requirements, and that they expire after a certain amount of time.

Security Awareness and Training

  • 88% of employees surveyed in 2016 did not know about security policies.
  • This means training and awareness are important, because employees have a large role to play in meeting information security goals.
  • A high-level awareness and training policy or statement ensures that employees know that the BOD supports information security education; these are often stand-alone policies.

Components of an IS Awareness and Training Program

  • IS awareness programs should include components that discuss why security awareness and training are important, who has overall responsibility for the policy, who can provide training and awareness, and how often training should take place.

Acceptable Use Case Study

  • Employee handbooks provided by Autoliv stated general rules of conduct and anti-harassment policies for its employees working at Autoliv.
