Chapter 5 - 02 Information Security Governance and Compliance PDF

Summary

This document discusses the information security governance and compliance program. It describes the framework used by enterprises to manage IT security, mitigate risks, and ensure compliance with regulations. It also touches on organizational structure, stakeholder interests, and business drivers.

Full Transcript


Certified Cybersecurity Technician, Network Security Controls — Administrative Controls, Exam 212-82

Module Flow: Discuss Various Regulatory Frameworks, Laws, and Acts; Learn to Design and Develop Security Policies; Understand Information Security Governance and Compliance Program; Learn to Conduct Different Types of Security and Awareness Training.

Understand Information Security Governance and Compliance Program

Information security governance is a framework created by members, partners, associates, and others, which can be used by enterprises to instruct, control, and manage IT security. The framework creates an organizational structure and provides clear visibility into risks that require mitigation. It also ensures that security programs or strategies comply with regulations and satisfy business objectives. This section discusses the essential concepts of an information security governance and compliance program.

Module 05 Page 540 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Define, Implement, Manage and Maintain an Information Security Governance Program

The corporate governance framework consists of explicit and implicit contracts between the company and its stakeholders for the distribution of responsibilities, rights, and rewards, and procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with their duties, privileges, and roles, as well as procedures for proper supervision (including control and information flows) that serve as a system of checks and balances. Reconciling the conflicting interests of stakeholders requires an understanding of the drivers that influence these interests. A business driver is a condition, process, requirement, or other concern that influences the way in which an organization directs or manages its activities. A close relationship exists between the drivers affecting an organization and the governance processes established to manage its activities.

At the highest levels of an organization, corporate governance defines how the organization will achieve its mission, vision, and objectives. The security professional must understand why an organization exists and how it conducts business before the process of developing information security governance can begin. Governance provides structure to support the delivery of results that satisfy the interests and objectives of stakeholders, whether those stakeholders are shareholders, investors, employees, suppliers, customers, or the community. The form of business organization, its hierarchical structure, the industry in which it operates, and its maturity all work together to influence the product of corporate governance in an organization.
Form of Business Organization

The structure of the organization within which information security exists creates key considerations when determining how to position the organization.
The form of business organization, its hierarchical structure, the industry in which it operates, and its maturity all work together to influence the product of corporate governance in an organization. Proprietorships, partnerships, and corporations are the three most common approaches to organizing a business. Each approach has a unique influence on the scope and complexity of governance within an organization. As an organization increases in size and complexity, the number of stakeholders and their competing interests grow as well. These factors work in combination to define the form of corporate governance that works best to support a particular organization.

Proprietorship

A proprietorship, the simplest form of ownership, exists when a single individual owns the organization, receives all the benefits of its operation, and assumes responsibility for all its liabilities. The proprietor defines the mission, vision, and purpose of the organization on the basis of his or her experience and priorities. The power to make decisions rests solely with this person.

Partnership

A partnership (similar to a proprietorship) is two or more individuals who share the benefits and the responsibility for liabilities related to the operations of the organization. Partnerships allow owners to pool their knowledge and experience. However, governance becomes more complex as the partnership works to address the perspectives and desires of more people.

Corporation

A corporation is the most complex form of business. Corporations exist as legal entities that are separate from their owners. Governance is direct because owners must establish the rules for running the corporation within the articles of incorporation.
Shareholder value is the primary force driving governance for corporations. That value can exist as a financial return or as a product or service delivered in the interests of the community: the greater good.

Industry

The industry in which an organization operates affects corporate governance. A limited set of industries is the subject of most discussions about governance: public, retail, information, and financial services. However, a broad variety of industries exist, each with its own concerns and industry-specific requirements that drive its governance decisions. The drivers applied in a particular industry rarely affect other industries in the same way. In fact, the unique business drivers affecting each industry require tailored approaches to address industry-specific concerns. For example, concerns such as protected health information (PHI), contracted providers, and data sharing in healthcare organizations are completely different from the concerns faced by organizations in retail, agriculture, manufacturing, or financial services, all of which have different operational models and business drivers.
Organizational Maturity

The maturity of an organization influences governance.
Maturity varies irrespective of the size of an organization or the structure established to manage its activities. The concept of maturity maps to capability maturity model integration (CMMI), which is a process model that defines what an organization should do to promote behaviors that facilitate improved performance.

Figure 5.2: CMMI Model
Level 1, Initial: processes are unpredictable, poorly controlled, and reactive
Level 2, Managed: processes are characterized for projects, but are often reactive
Level 3, Defined: processes are characterized throughout the organization and are proactive
Level 4, Quantitatively Managed: processes are measured and controlled
Level 5, Optimizing: focuses on process improvement and enhancing existing processes

Whether a proprietorship, a partnership, or a corporation, most organizations begin as immature and reactive. Here, processes are unpredictable, poorly controlled, and oversensitive. As they mature, organizations begin to define processes and move toward increasingly proactive and formalized policies, procedures, and processes that improve performance across individual business practices or for the entire enterprise. The effectiveness of governance varies as organizations move from immaturity to maturity along the CMMI model. Definition of formal processes is difficult at Level 1 and Level 2, where methods are unpredictable or reactive. Organizations cannot begin to realize the benefits of mapping processes to organizational standards and achieving consistency across the enterprise until CMMI Level 3.
Achieving this level of maturity is important for information security leadership because the security professional cannot begin to establish formal standards for information security governance until the classification of processes exists throughout the organization.

Table 5.8: Reactive versus Proactive Approaches
Attribute | Reactive | Proactive
Focus | Making money and short-term shareholder returns | Long-term returns and strategic directions
Priorities | Reacting to immediate problems | Taking a preemptive approach
Control | Control is centralized | Control is localized
Analysis | Reliance on instinct or the experience of one or more people | Focus on data to improve processes
Personnel | People counted as a cost | People valued as an asset
Training | Training is a benefit or perk | Training is essential to success
Leadership | Distrust between management and employees | Leaders and personnel collaborate and work together

Some organizations take the steps necessary to achieve the highest level of maturity defined by CMMI, Level 5; however, achieving and maintaining this degree of maturity is both difficult and rare. Most organizations are satisfied with maturity Level 3 or Level 4 and focus on maintaining operations at this level because the cost and effort required to maintain CMMI Level 5 may not be worth the benefit.

Maturity affects an organization at the macro level; it also influences the micro level, where a mix of maturity exists in different departments and business units across the organization. For example, HR and accounting have higher levels of maturity because of the established processes and procedures inherent in these professions.
Similarly, IT programs that follow the IT governance and service delivery models offered by Control Objectives for Information and Related Technologies (COBIT) and the Information Technology Infrastructure Library (ITIL), respectively, are more likely to operate with higher maturity than organizations that do not use formal standards to manage IT governance and IT service delivery.

Information Security Drivers

Business drivers affect the decisions made in an organization. Information security drivers are also worth consideration because of their effect on the management and operation of an organization. Alignment with the business, compliance, and privacy are among the most important information security drivers an organization must address.
Corporate governance influences the programs and activities created to support information security governance. Priorities defined at the corporate governance level provide the foundation for most information security decisions. They often influence, and sometimes outweigh, information security priorities. Business and operational priorities of the organization affect not only the strategy for information security governance, but also the resources dedicated to accomplishing security goals and objectives.

Organizational alignment is one of the most important drivers for information security governance. The security professional can achieve harmony and alignment between the business and security by mapping information security governance to the foundations provided by corporate governance. Success and effectiveness for this approach rely on understanding the influence of corporate governance and then incorporating corporate governance principles into the security program. The efforts to achieve this balance reinforce the importance of executive buy-in and corporate communication. They also highlight the value of relationships between the security professional and other organizational leaders. Optimally, information security governance should flow naturally from the highest levels of leadership and permeate, top-down, throughout the rest of the organization.

The approach used to achieve alignment with the business varies on the basis of the size, industry, and complexity of the organization. For example, larger corporations operating in regulated environments often dedicate more resources to a more comprehensive security program.
Smaller organizations with fewer resources tend to focus on key components of the security program, dedicating organizational resources to the most important aspects of security and outsourcing other components of the security program to vendors and managed service providers. The security professional must understand the organization before alignment can occur. Because competitive forces produce different reactions to business drivers, the security professional must understand the objectives of the business, the business processes created to support those objectives, the information and technology supporting these processes, and the threats that could disrupt those processes.

Managing an Enterprise Information Security Compliance Program

Driving the information security program requires compliance with various laws, regulations, standards, and frameworks. The practical mechanism for enabling this activity is the creation of an information security management program. Today's information security management programs encompass more than just firewalls and passwords.
They are organization-wide programs that are designed to enable the business to operate in a state of reduced risk. The effective management of information security in an organization or enterprise encompasses all organizational and operational processes and participants relevant to information security. Information security should be an ongoing process, which, when fully developed, will position an organization to address the right security issues so that the business fulfills its objectives. The information security management framework is a combination of well-defined policies, processes, procedures, standards, and guidelines for establishing the required level of information security. The figure below shows how all of the pieces of a comprehensive information security management system fit together.

Figure 5.3: Information Security Management System/Framework (components shown: Governance, Security Management and Operations, Business Continuity Management, Security Metrics, Information Security Management System)
