CISSP ALL-IN-ONE-9e 1er examen.pdf
Document Details
Uploaded by Deleted User
Tags
Related
- CISM TEXT (2) (dragged) 4 PDF
- Chapter 06 - Information Systems Security_df46cbf5492578c4f90cbbbca0df820f (1).pdf
- CISSP ALL-IN-ONE-9e 1er examen.pdf
- L13 September 9, 2023 Meeting Recording - Governance, Risk & Compliance
- NIST Special Publication 800-100 PDF - Information Security Handbook
- CISSP All-in-One Exam Guide Chapter 1 Summary PDF
Full Transcript
Cybersecurity Governance CHAPTER 1 This chapter presents the following: Fundamental cybersecurity concepts...
Cybersecurity Governance CHAPTER 1 This chapter presents the following: Fundamental cybersecurity concepts Security governance principles Security policies, standards, procedures, and guidelines Personnel security policies and procedures Security awareness, education, and training The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then I have my doubts. —Eugene H. Spafford While some of us may revel in thinking about and implementing cybersecurity, the fact is that most organizations would much rather focus on many other things. Businesses exist to generate profits for their shareholders. Most nonprofit organizations are dedicated to furthering particular social causes such as charity, education, or religion. Apart from security service providers, organizations don’t exist specifically to deploy and maintain firewalls, intrusion detection systems, identity management technologies, and encryp- tion devices. No corporation really wants to develop hundreds of security policies, deploy antimalware products, maintain vulnerability management systems, constantly update its incident response capabilities, and have to comply with the myriad of security laws, regulations, and standards that exist worldwide. Business owners would like to be able to make their widgets, sell their widgets, and go home with a nice profit in their pockets. But things are not that simple. Organizations are increasingly faced with attackers who want to steal customer data to carry out identity theft and banking fraud. Company secrets are commonly being stolen by internal and external entities for economic espionage purposes. Systems are being hijacked and used within botnets to attack other organizations, mine cryptocurrencies, or spread spam. Company funds are being secretly siphoned off through complex and hard-to-identify digital methods, commonly by organized criminal rings in different countries. And organizations that find themselves in the crosshairs of attackers may come under constant attack that brings their systems and websites offline for hours or days. Companies are required to practice a wide range of security disciplines today to keep 3 CISSP All-in-One Exam Guide 4 their market share, protect their customers and bottom line, stay out of jail, and still sell their widgets. As we start our exploration of the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK) in this chapter, we will define what cybersecurity means and how it must be governed by, well, CISSPs. Each organization must develop an enterprise-wide security program that consists of technologies, procedures, and processes covered throughout this book. As you go along in your security career, you will find that most organizations have some (but rarely all) pieces to the puzzle of an “enterprise-wide security program” in place. Many of the security programs in place today can be thought of as lopsided or lumpy. The security programs excel within the disciplines that the team is most familiar with, and the other disciplines are found lacking. It is your responsibility to become as well rounded in security as possible so that you can identify these deficiencies in security programs and help improve upon them. This is why the CISSP exam covers a wide variety of technologies, methodologies, and processes—you must know and understand them holistically if you are going to help an organization carry out security holistically. Fundamental Cybersecurity Concepts and Terms As cybersecurity professionals, our efforts are ultimately focused on the protection of our information systems. These systems consist of people, processes, and technologies designed to operate on information. To protect them means to ensure the confidentiality, integrity, and availability (the CIA triad) of all assets in our information systems as well as the authenticity and nonrepudiation of tasks performed in them. Each asset will require different levels of these types of protection, as we will see in the following sections. Availability Security objectives Integrity Confidentiality Chapter 1: Cybersecurity Governance 5 Confidentiality Confidentiality means keeping unauthorized entities (be they people or processes) from PART I gaining access to information assets. It ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of secrecy should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Confidentiality can be provided by encrypting data as it is stored and transmitted, by enforcing strict access control and data classification, and by training personnel on the proper data protection procedures. Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing credentials, breaking encryption schemes, and social engineering. These topics will be addressed in more depth in later chapters, but briefly, shoulder surfing is when a person looks over another person’s shoulder and watches their keystrokes or views data as it appears on a computer screen. Social engineering is when one person tricks another person into sharing confidential information, for example, by posing as someone authorized to have access to that information. Social engineering can take many forms. Any one-to-one communication medium can be used to perform social engineering attacks. Users can intentionally or accidentally disclose sensitive information by not encrypting it before sending it to another person, by falling prey to a social engineering attack, by sharing a company’s trade secrets, or by not using extra care to protect confidential information when processing it. Integrity Integrity means that an asset is free from unauthorized alterations. Only authorized enti- ties should be able to modify an asset, and only in specific authorized ways. For example, if you are reviewing orders placed by customers on your online store, you should not be able to increase the price of any items in those orders after they have been purchased. It is your store, so you can clearly change prices as you wish. You just shouldn’t be able to do it after someone agrees to buy an item at a certain price and gives you authorization to charge their credit card. Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data. When an attacker inserts malware or a back door into a system, the system’s integrity is compromised. This can, in turn, harm the integrity of information held on the system by way of corruption, malicious modification, or the replacement of data with incorrect data. Strict access controls, intrusion detection, and hashing can combat these threats. Authorized users can also affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds). For example, a user with a full hard drive may unwittingly delete a configuration file under the mistaken assumption that deleting a file must be okay because the user doesn’t remember ever using it. Or a user may insert incorrect values into a data-processing application that ends up charging a customer $3,000 instead of $300. Incorrectly modifying data kept in databases is another common way users may accidentally corrupt data—a mistake that can have lasting effects. Security should streamline users’ capabilities and give them only certain choices and functionality, so errors become less common and less devastating. System-critical files CISSP All-in-One Exam Guide 6 should be restricted from viewing and access by users. Applications should provide mechanisms that check for valid and reasonable input values. Databases should let only authorized individuals modify data, and data in transit should be protected by encryption or other mechanisms. Availability Availability protection ensures reliable and timely access to data and resources to autho- rized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of perfor- mance. They should be able to recover from disruptions in a secure and quick fashion, so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components. Like many things in life, ensuring the availability of the necessary resources within an organization sounds easier to accomplish than it really is. Networks have many pieces that must stay up and running (routers, switches, proxies, firewalls, and so on). Software has many components that must be executing in a healthy manner (operating system, applications, antimalware software, and so forth). And an organization’s operations can potentially be negatively affected by environmental aspects (such as fire, flood, HVAC issues, or electrical problems), natural disasters, and physical theft or attacks. An organization must fully understand its operational environment and its availability weaknesses so that it can put in place the proper countermeasures. Authenticity One of the curious features of the modern Internet is that sometimes we are unsure of who is putting out the things we read and download. Does that patch really come from Microsoft? Did your boss really send you that e-mail asking you to buy $10,000 worth of gift cards? Authenticity protections ensure we can trust that something comes from its claimed source. This concept is at the heart of authentication, which establishes that an entity trying to log into a system is really who it claims to be. Authenticity in information systems is almost always provided through cryptographic means. As an example, when you connect to your bank’s website, the connection should be encrypted using Transport Layer Security (TLS), which in turn uses your bank’s digital certificate to authenticate to your browser that it truly is that bank on the other end and not an impostor. When you log in, the bank takes a cryptographic hash of the credentials you provide and compares them to the hash the bank has in your records to ensure it really is you on the other end. Nonrepudiation While authenticity establishes that an entity is who it claims to be at a particular point in time, it doesn’t really provide historical proof of what that entity did or agreed to. For example, suppose Bob logs into his bank and then applies for a loan. He doesn’t read the fine print until later, at which point he decides he doesn’t like the terms of the transaction, Chapter 1: Cybersecurity Governance 7 so he calls up the bank to say he never signed the contract and to please make it go away. Although the session was authenticated, Bob could claim that he walked away from his PART I computer while logged into the bank’s website, that his cat walked over the keyboard and stepped on , executing the transaction, and that Bob never intended to sign the loan application. It was the cat. Sadly, his claim could hold up in court. Nonrepudiation, which is closely related to authenticity, means that someone cannot disavow being the source of a given action. For example, suppose Bob’s bank had implemented a procedure for loan applications that required him to “sign” the application by entering his personal identification number (PIN). Now the whole cat defense falls apart unless Bob could prove he trained his cat to enter PINs. Most commonly, nonrepudiation is provided through the use of digital signatures. Just like your physical signature on a piece of paper certifies that you either authored it or agree to whatever is written on it (e.g., a contract), the digital version attests to your sending an e-mail, writing software, or agreeing to a contract. We’ll discuss digital signatures later in this book, but for now it will be helpful to remember that they are cryptographic products that, just like an old-fashioned physical signature, can be used for a variety of purposes. EXAM TIP A good way to differentiate authenticity and nonrepudiation is that authenticity proves to you that you’re talking to a given person at a given point in time. Nonrepudiation proves to anyone that a given person did or said something in the past. Balanced Security In reality, when information security is considered, it is commonly only through the lens of keeping secrets secret (confidentiality). The integrity and availability threats tend to be overlooked and only dealt with after they are properly compromised. Some assets have a critical confidentiality requirement (e.g., company trade secrets), some have critical integrity requirements (e.g., financial transaction values), and some have critical avail- ability requirements (e.g., e-commerce web servers). Many people understand the con- cepts of the CIA triad, but may not fully appreciate the complexity of implementing the necessary controls to provide all the protection these concepts cover. The following provides a short list of some of these controls and how they map to the components of the CIA triad. Availability: Redundant array of independent disks (RAID) Clustering Load balancing Redundant data and power lines Software and data backups CISSP All-in-One Exam Guide 8 Disk shadowing Co-location and offsite facilities Rollback functions Failover configurations Integrity: Hashing (data integrity) Configuration management (system integrity) Change control (process integrity) Access control (physical and technical) Software digital signing Transmission cyclic redundancy check (CRC) functions Confidentiality: Encryption for data at rest (whole disk, database encryption) Encryption for data in transit (IPSec, TLS, PPTP, SSH, described in Chapter 4) Access control (physical and technical) All of these control types will be covered in this book. What is important to realize at this point is that while the concept of the CIA triad may seem simplistic, meeting its requirements is commonly more challenging. Other Security Terms The words “vulnerability,” “threat,” “risk,” and “exposure” are often interchanged, even though they have different meanings. It is important to understand each word’s defini- tion and the relationships between the concepts they represent. A vulnerability is a weakness in a system that allows a threat source to compromise its security. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations. A threat is any potential danger that is associated with the exploitation of a vulnerability. If the threat is that someone will identify a specific vulnerability and use it against the organization or individual, then the entity that takes advantage of a vulnerability is referred to as a threat agent (or threat actor). A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, or an employee circumventing controls in order to copy files to a medium that could expose confidential information. Chapter 1: Cybersecurity Governance 9 A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an PART I intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact. An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the organization is exposed to the possibility of having users’ passwords compromised and used in an unauthorized manner. If an organization does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires. A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security awareness training. NOTE The terms “control,” “countermeasure,” and “safeguard” are interchangeable terms. They are mechanisms put into place to reduce risk. If an organization has antimalware software but does not keep the signatures up to date, this is a vulnerability. The organization is vulnerable to more recent malware attacks. The threat is that a threat agent will insert malware into the environment and disrupt productivity. The risk is the likelihood of a threat agent using malware in the environment and the resulting potential damage. If this happens, then a vulnerability has been exploited and the organization is exposed to loss. The countermeasures in this situation are to update the signatures and install the antimalware software on all computers. The relationships among risks, vulnerabilities, threats, and countermeasures are shown in Figure 1-1. Applying the right countermeasure can eliminate the vulnerability and exposure, and thus reduce the risk. The organization cannot eliminate the threat agent, but it can protect itself and prevent this threat agent from exploiting vulnerabilities within the environment. Many people gloss over these basic terms with the idea that they are not as important as the sexier things in information security. But you will find that unless a security team has an agreed-upon language in place, confusion will quickly take over. These terms embrace the core concepts of security, and if they are confused in any manner, then the activities that are rolled out to enforce security are commonly confused. CISSP All-in-One Exam Guide 10 Gives rise to Figure 1-1 The relationships Exploits Threat among the agent Leads to different security Threat concepts Vulnerability Risk Directly affects Asset Can damage Exposure And causes an Safeguard Can be countermeasured by a Security Governance Principles Now that we have established a shared vocabulary for the fundamental cybersecurity concepts and understand how they relate to each other, let’s turn our attention to how we can prioritize, assess, and continuously improve the security of our organizations. This is where security governance comes into play. Security governance is a framework that supports the security goals of an organization being set and expressed by senior management, communicated throughout the different levels of the organization, and consistently applied and assessed. Security governance grants power to the entities who need to implement and enforce security and provides a way to verify the performance of these necessary security activities. Senior management not only needs to set the direction of security but also needs a way to be able to view and understand how their directives are being met or not being met. If a board of directors and CEO demand that security be integrated properly at all levels of the organization, how do they know it is really happening? Oversight mechanisms must be developed and integrated so that the people who are ultimately responsible for an organization are constantly and consistently updated on the overall health and security posture of the organization. This happens through properly defined communication channels, standardized reporting methods, and performance-based metrics. Let’s compare two companies. Company A has an effective security governance program in place and Company B does not. Now, to the untrained eye it would seem Chapter 1: Cybersecurity Governance 11 as though Companies A and B are equal in their security practices because they both have security policies, procedures, and standards in place, the same security technology PART I controls (firewalls, endpoint detection, identity management, and so on), defined security roles, and security awareness training. You may think, “These two companies are on the ball and quite evolved in their security programs.” But if you look closer, you will see some critical differences (listed in Table 1-1). Does the organization you work for look like Company A or Company B? Most organizations today have many of the pieces and parts to a security program (policies, standards, firewalls, security team, IDS, and so on), but management may not be Company A Company B Board members understand that information Board members do not understand that security is critical to the company and information security is in their realm of demand to be updated quarterly on security responsibility and focus solely on corporate performance and breaches. governance and profits. The chief executive officer (CEO), chief The CEO, CFO, and business unit managers financial officer (CFO), chief information officer feel as though information security is (CIO), chief information security officer (CISO), the responsibility of the CIO, CISO, and IT and business unit managers participate in a department and do not get involved. risk management committee that meets each month, and information security is always one topic on the agenda to review. Executive management sets an acceptable The CISO copied some boilerplate security risk level that is the basis for the company’s policies, inserted his company’s name, and security policies and all security activities. had the CEO sign them. Executive management holds business unit All security activity takes place within the managers responsible for carrying out risk security department; thus, security works management activities for their specific within a silo and is not integrated throughout business units. the organization. Critical business processes are documented Business processes are not documented and along with the risks that are inherent at the not analyzed for potential risks that can affect different steps within the business processes. operations, productivity, and profitability. Employees are held accountable for any Policies and standards are developed, but no security breaches they participate in, either enforcement or accountability practices have maliciously or accidentally. been envisioned or deployed. Security products, managed services, and Security products, managed services, and consulting services are purchased and consulting services are purchased and deployed in an informed manner. They are deployed without any real research or also constantly reviewed to ensure they are performance metrics to determine the return cost-effective. on investment or effectiveness. The organization is continuing to review its The organization does not analyze its processes, including security, with the goal of performance for improvement, but continually continued improvement. marches forward and makes similar mistakes over and over again. Table 1-1 Security Governance Program: A Comparison of Two Companies CISSP All-in-One Exam Guide 12 truly involved, and security has not permeated throughout the organization. Some organizations rely just on technology and isolate all security responsibilities within the IT group. If security were just a technology issue, then this security team could properly install, configure, and maintain the products, and the company would get a gold star and pass the audit with flying colors. But that is not how information security works. It is much more than just technological solutions. Security must be driven throughout the organization, and having several points of responsibility and accountability is critical. At this point, you may be asking, “So, what does security governance actually look like in the real world?” Security governance is typically implemented as a formal cybersecurity program or an information security management system (ISMS). Whichever of these names you call it, it is a collection of policies, procedures, baselines, and standards that an organization puts in place to make sure that its security efforts are aligned with business needs, streamlined, and effective, and that no security controls are missing. Figure 1-2 illustrates many of the elements that go into a complete security program. Governance Regulations model Development of metrics Vulnerability Common and threat Vulnerability threats management and threat Laws Policy management development System Policy life cycle compliance security Process Auditing management Common threats Company Incident assets response Security Physical program Data security Use of classification metrics Personnel security Network Business Communication continuity security security Risk analysis Process and management Operational development management and monitoring Risk analysis Tactical management Organizational and management security Strategic management Figure 1-2 A complete security program contains many items. Chapter 1: Cybersecurity Governance 13 Aligning Security to Business Strategy An enterprise security architecture is a subset of an enterprise architecture (discussed in PART I depth in Chapter 4) and implements an information security strategy. It consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic ISMS. The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease of use, standardization, and governance. How do you know if an organization does not have an enterprise security architecture in place? If the answer is “yes” to most of the following questions, this type of architecture is not in place: Does security take place in silos throughout the organization? Is there a continual disconnect between senior management and the security staff? Are redundant products purchased for different departments for overlapping security needs? Is the security program made up of mainly policies without actual implementation and enforcement? When a user’s access requirements increase because of business needs, does the network administrator just modify the access controls without the user manager’s documented approval? When a new product is being rolled out, do unexpected interoperability issues pop up that require more time and money to fix? Do many “one-off ” efforts take place instead of following standardized procedures when security issues arise? Are the business unit managers unaware of their security responsibilities and how their responsibilities map to legal and regulatory requirements? Is “sensitive data” defined in a policy, but the necessary controls are not fully implemented and monitored? Are stovepipe (point) solutions implemented instead of enterprise-wide solutions? Are the same expensive mistakes continuing to take place? Is security governance currently unavailable because the enterprise is not viewed or monitored in a standardized and holistic manner? Are business decisions being made without taking security into account? Are security personnel usually putting out fires with no real time to look at and develop strategic approaches? Are some business units engaged in security efforts that other business units know nothing about? CISSP All-in-One Exam Guide 14 If many of these answers are “yes,” no useful architecture is in place. Now, the following is something very interesting the authors have seen over several years. Most organizations have multiple problems in the preceding list and yet they focus on each item as if it is unconnected to the other problems. What the CSO, CISO, and/or security administrator does not always understand is that these are just symptoms of a treatable disease. The “treatment” is to put one person in charge of a team that develops a phased-approach enterprise security architecture rollout plan. The goals are to integrate technology- oriented and business-centric security processes; link administrative, technical, and physical controls to properly manage risk; and integrate these processes into the IT infrastructure, business processes, and the organization’s culture. A helpful tool for aligning an organization’s security architecture with its business strategy is the Sherwood Applied Business Security Architecture (SABSA), which is shown in Table 1-2. It is a layered framework, with its first layer describing the business context within which the security architecture must exist. Each layer of the framework decreases in abstraction and increases in detail, so it builds upon the others and moves from policy to practical implementation of technology and solutions. The idea is to provide a chain of traceability through the contextual, conceptual, logical, physical, component, and operational levels. Assets Motivation Process People Location Time (What) (Why) (How) (Who) (Where) (When) Contextual The Business risk Business Business Business Business time business model process organization geography dependencies model and relationships Conceptual Business Control Security Security Security Security- attributes objectives strategies and entity model domain related profile architectural and trust model lifetimes and layering framework deadlines Logical Business Security Security Entity schema Security Security information policies services and privilege domain processing model profiles definitions and cycle associations Physical Business Security rules, Security Users, Platform Control data model practices, and mechanisms applications, and network structure procedures and user infrastructure execution interface Component Detailed Security Security Identities, Processes, Security step data standards products and functions, nodes, timing and structures tools actions, and addresses, sequencing ACLs and protocols Operational Assurance Operation risk Security Application Security Security of operation management service and user of sites, operations continuity management management networks, and schedule and support and support platforms Table 1-2 SABSA Architecture Framework Chapter 1: Cybersecurity Governance 15 The following outlines the questions that are to be asked and answered at each level of the framework: PART I What are you trying to do at this layer? The assets to be protected by your security architecture. Why are you doing it? The motivation for wanting to apply security, expressed in the terms of this layer. How are you trying to do it? The functions needed to achieve security at this layer. Who is involved? The people and organizational aspects of security at this layer. Where are you doing it? The locations where you apply your security, relevant to this layer. When are you doing it? The time-related aspects of security relevant to this layer. SABSA is a framework and methodology for enterprise security architecture and service management. Since it is a framework, this means it provides a structure for individual architectures to be built from. Since it is a methodology also, this means it provides the processes to follow to build and maintain this architecture. SABSA provides a life-cycle model so that the architecture can be constantly monitored and improved upon over time. EXAM TIP You do not need to memorize the SABSA framework, but you do need to understand how security programs align with business strategies. For an enterprise security architecture to be successful in its development and implementation, the following items must be understood and followed: strategic alignment, business enablement, process enhancement, and security effectiveness. We’ll cover the first three of these in the following sections but will cover security effectiveness in Chapter 18 when we discuss security assessments. Strategic Alignment Strategic alignment means the business drivers and the regulatory and legal requirements are being met by the enterprise security architecture. Security efforts must provide and support an environment that allows an organization to not only survive, but thrive. The security industry has grown up from the technical and engineering world, not the business world. In many organizations, while the IT security personnel and business personnel might be located physically close to each other, they are commonly worlds apart in how they see the same organization they work in. Technology is only a tool that supports a business; it is not the business itself. The IT environment is analogous to the circulatory system within a human body; it is there to support the body—the body does not exist to support the circulatory system. And security is analogous to the immune system of the body—it is there to protect the overall environment. If these critical systems (business, IT, security) CISSP All-in-One Exam Guide 16 do not work together in a concerted effort, there will be deficiencies and imbalances. While deficiencies and imbalances lead to disease in the body, deficiencies and imbalances within an organization can lead to risk and security compromises. Business Enablement When looking at the business enablement requirement of the enterprise security architec- ture, we need to remind ourselves that each organization exists for one or more specific business purposes. Publicly traded companies are in the business of increasing share- holder value. Nonprofit organizations are in the business of furthering a specific set of causes. Government organizations are in the business of providing services to their citizens. Companies and organizations do not exist for the sole purpose of being secure. Security cannot stand in the way of business processes, but should be implemented to better enable them. Business enablement means the core business processes are integrated into the security operating model—they are standards based and follow a risk tolerance criteria. What does this mean in the real world? Let’s say a company’s accountants have figured out that if they allow the customer service and support staff to work from home, the company would save a lot of money on office rent, utilities, and overhead—plus, the company’s insurance would be cheaper. The company could move into this new model with the use of virtual private networks (VPNs), firewalls, content filtering, and so on. Security enables the company to move to this different working model by providing the necessary protection mechanisms. If a financial institution wants to enable its customers to view bank account information and carry out money transfers online, it can offer this service if the correct security mechanisms are put in place (access control, authentication, secure connections, etc.). Security should help the organization thrive by providing the mechanisms to do new things safely. Process Enhancement Process enhancement can be quite beneficial to an organization if it takes advantage of this capability when it is presented to it. An organization that is serious about securing its environment will have to take a close look at many of the business processes that take place on an ongoing basis. Many times, these processes are viewed through the eye- glasses of security, because that’s the reason for the activity, but this is a perfect chance to enhance and improve upon the same processes to increase productivity. When you look at many business processes taking place in all types of organizations, you commonly find a duplication of efforts, manual steps that can be easily automated, or ways to streamline and reduce time and effort that are involved in certain tasks. This is commonly referred to as process reengineering. When an organization is developing its security enterprise components, those components must be integrated into the business processes to be effective. This can allow for process management to be refined and calibrated. This, in turn, allows for security to be integrated in system life cycles and day-to-day operations. So, while business enablement means “we can do new stuff,” process enhancement means “we can do stuff better.” Chapter 1: Cybersecurity Governance 17 Organizational Processes PART I The processes we just covered are regular day-to-day ones. There are other processes that happen less frequently but may have a much more significant impact on the security posture of the organization. Let’s dig a bit deeper into some of these key organizational processes and how our security efforts align with, enable, and enhance them. Mergers and Acquisitions As companies grow, they often acquire new capabilities (e.g., markets, products, and intellectual property) by merging with another company or outright acquiring it. Merg- ers and acquisitions (M&A) always take place for business reasons, but they almost always have significant cybersecurity implications. Think of it this way: your company didn’t acquire only the business assets of that other company it just purchased; it also acquired its security program and all the baggage that may come with it. Suppose that during the M&A process you discover that the company that your company is acquiring has a significant but previously unknown data breach. This is exactly what happened in 2017 when Verizon acquired Yahoo! and discovered that the latter had experienced two mas- sive security breaches. The acquisition went forward, but at a price that was $350 million lower than originally agreed. One of the ways in which companies protect themselves during a merger or acquisition is by conducting extensive audits of the company they are about to merge with or acquire. There are many service providers who now offer compromise assessments, which are in-depth technical examinations of a company’s information systems to determine whether an undocumented compromise is ongoing or has happened in the past. It’s sort of like exploratory surgery; let’s open up the patient and see what we find. Another approach is to conduct an audit of the ISMS, which is more focused on policies, procedures, and controls. Divestitures A divestiture, on the other hand, is when your company sells off (or otherwise gets rid of ) a part of itself. There are many reasons why a company may want to divest itself of a business asset, such as having a business unit that is not profitable or no longer well aligned with the overarching strategy. If the divestiture involves a sale or transfer of an asset to another company, that company is going to audit that asset. In other words, for us cybersecurity professionals, a divestiture is when we have to answer tough questions from the buyer, and an M&A is when we are the ones asking the tough questions of someone else. They are two sides to the same coin. If your company is divesting assets for whose security you are responsible, you will probably work closely with the business and legal teams to identify any problem areas that might reduce the value of the assets being sold. For example, if there are any significant vulnerabilities in those assets, you may want to apply controls to mitigate the related risks. If you discover a compromise, you want to eradicate it and recover from it aggressively. A less obvious cybersecurity implication of divestiture is the need to segment the part or parts of the ISMS that involve the asset(s) in question. If your company is selling a CISSP All-in-One Exam Guide 18 business unit, it undoubtedly has security policies, procedures, and controls that apply to it but may also apply to other business areas. Whoever is acquiring the assets will want to know what those are, and maybe even test them at a technical level. You need to be prepared to be audited without revealing any proprietary or confidential information in the process. Be sure to keep your legal team close to ensure you are responsive to what is required of you, but nothing else. Governance Committees The organizational processes we’ve described so far (M&A and divestitures) are trig- gered by a business decision to either acquire or get rid of some set of assets. There is another key process that is ongoing in many organizations with mature cybersecurity practices. A governance committee is a standing body whose purpose is to review the structures and practices of the organization and report its findings to the board of directors. While it may sound a bit scary to have such a committee watching over everything you do, they can actually be your allies by shining a light on the tough issues that you cannot solve by yourself without help from the board. It is important for you to know who is who in your organization and who can help get what you need to ensure a secure environment. Organizational Roles and Responsibilities Senior management and other levels of management understand the vision of the orga- nization, the business goals, and the objectives. The next layer down is the functional management, whose members understand how their individual departments work, what roles individuals play within the organization, and how security affects their department directly. The next layers are operational managers and staff. These layers are closer to the actual operations of the organization. They know detailed information about the technical and procedural requirements, the systems, and how the systems are used. The employees at these layers understand how security mechanisms integrate into systems, how to configure them, and how they affect daily productivity. Every layer offers differ- ent insight into what type of role security plays within an organization, and each should have input into the best security practices, procedures, and chosen controls to ensure the agreed-upon security level provides the necessary amount of protection without nega- tively affecting the company’s productivity. EXAM TIP Senior management always carries the ultimate responsibility for the organization. Although each layer is important to the overall security of an organization, some specific roles must be clearly defined. Individuals who work in smaller environments (where everyone must wear several hats) may get overwhelmed with the number of roles presented next. Many commercial businesses do not have this level of structure in their security teams, but many large companies, government agencies, and military units do. What you need to understand are the responsibilities that must be assigned and whether Chapter 1: Cybersecurity Governance 19 they are assigned to just a few people or to a large security team. These roles include the executive management, security officer, data owner, data custodian, system owner, PART I security administrator, supervisor (user manager), change control analyst, data analyst, user, auditor, and the guy who gets everyone coffee. Executive Management The individuals designated as executive management typically are those whose titles start with “chief,” and collectively they are often referred to as the “C-suite.” Executive leaders are ultimately responsible for everything that happens in their organizations, and as such are considered the ultimate business and function owners. This has been evidenced time and again (as we will see shortly) in high-profile cases wherein executives have been fired, sued, or even prosecuted for organizational failures or fraud that occurred under their leadership. Let’s start at the top of a corporate entity, the CEO. Chief Executive Officer The chief executive officer (CEO) has the day-to-day management responsibilities of an organization. This person is often the chairperson of the board of directors and is the highest-ranking officer in the company. This role is for the person who oversees the company’s finances, strategic planning, and operations from a high level. The CEO is usually seen as the visionary for the company and is responsible for developing and modifying the company’s business plan. The CEO sets budgets; forms partnerships; and decides on what markets to enter, what product lines to develop, how the company will differentiate itself, and so on. This role’s overall responsibility is to ensure that the company grows and thrives. NOTE The CEO can delegate tasks, but not necessarily responsibility. More and more regulations dealing with information security are holding the CEO accountable for ensuring the organization practices due care and due diligence with respect to information security, which is why security departments across the land are receiving more funding. Personal liability for the decision makers and purse-string holders has loosened those purse strings, and companies are now able to spend more money on security than before. (Due care and due diligence are described in detail in Chapter 3.) Chief Financial Officer The chief financial officer (CFO) is responsible for the corporation’s accounting and financial activities and the overall financial structure of the organization. This person is responsible for determining what the company’s financial needs will be and how to finance those needs. The CFO must create and maintain the company’s capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting financial statements to the regulators and stakeholders. Chief Information Officer The chief information officer (CIO) may report to either the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in CISSP All-in-One Exam Guide 20 Executives and Incarcerations and Fines, Oh My! The CFO and CEO are responsible for informing stakeholders (creditors, analysts, employees, management, investors) of the firm’s financial condition and health. After the corporate debacles at Enron and WorldCom uncovered in 2001–2002, the U.S. government enacted the Sarbanes-Oxley Act (SOX), which prescribes to the CEO and CFO financial reporting responsibilities and includes penalties and potential personal liability for failure to comply. SOX gave the Securities Exchange Commis- sion (SEC) more authority to create regulations that ensure these officers cannot simply pass along fines to the corporation for personal financial misconduct. Under SOX, they can personally be fined millions of dollars and/or go to jail. The follow- ing list provides a sampling of some of the cases in the past decade in which C-suite executives have been held accountable for cybersecurity issues under various laws: August 2020 Joseph Sullivan, former chief information security officer at Uber, was charged with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber. July 2019 Facebook agreed to pay $100M in fines for making misleading disclosures concerning the risks to user data after becoming aware that Cambridge Analytica had improperly collected and misused PII on nearly 30M Facebook users in 2014 and 2015. The company neither admitted nor denied the SEC allegations as part of this agreement. March 2019 Jun Ying, a former chief information officer for Equifax, pled guilty and was subsequently convicted to four months in prison on charges of insider trading for allegedly selling his stock in the company after discovering a massive data breach. He suspected (correctly) that the stock would lose value once the breach became known. March 2018 Martin Shkreli, a notorious pharmaceutical executive, was sentenced to seven years in prison after being convicted of securities fraud stemming from his alleged use of funds from new companies to pay down debts previously incurred by financially troubled companies. December 2017 KIT Digital’s former CEO Kaleil Isaza Tuzman was found guilty of market manipulation and fraud charges. His former CFO, Robin Smyth, had previously pled guilty and turned government witness against Tuzman. As of this writing, Tuzman is still awaiting sentencing. June 2015 Joe White, the former CFO of Shelby Regional Medical Center, was sentenced to 23 months in federal prison after making false claims to receive payments under the Medicare Electronic Health Record Incentive Program. These are only some of the big cases that made it into the headlines. Other executives have also received punishments for “creative accounting” and fraudulent activities. Chapter 1: Cybersecurity Governance 21 many organizations. CIOs oversee and are responsible for the day-in, day-out technology operations of a company, but because organizations are so dependent upon technology, PART I CIOs are being asked to sit at the corporate table more and more. CIO responsibilities have extended to working with the CEO (and other management) on business-process management, revenue generation, and how business strategy can be accomplished with the company’s underlying technology. This person usually should have one foot in techno-land and one foot in business-land to be effective because she is bridging two very different worlds. The CIO sets the stage for the protection of company assets and is ultimately responsible for the success of the company’s security program. Direction should be coming down from the CEO, and there should be clear lines of communication between the board of directors, the C-level staff, and mid-management. Chief Privacy Officer The chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data is kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is often an attorney with privacy law experience and is directly involved with setting policies on how data is collected, protected, and given out to third parties. The CPO often reports to the chief security officer. It is important that the CPO understand the privacy, legal, and regulatory requirements the organization must comply with. With this knowledge, the CPO can then develop the organization’s policies, standards, procedures, controls, and contract agreements to ensure that privacy requirements are being properly met. Remember also that organizations are responsible for knowing how their suppliers, partners, and other third parties are protecting this sensitive information. The CPO may be responsible for reviewing the data security and privacy practices of these other parties. Some companies have carried out risk assessments without considering the penalties and ramifications they would be forced to deal with if they do not properly protect the information they are responsible for. Without considering these liabilities, risk cannot be properly assessed. Privacy Privacy is different from security. Privacy indicates the amount of control an indi- vidual should be able to have and expect to have as it relates to the release of their own sensitive information. Security refers to the mechanisms that can be put into place to provide this level of control. It is becoming more critical (and more difficult) to protect personally identifiable information (PII) because of the increase of identity theft and financial fraud threats. PII is a combination of identification elements (name, address, phone number, account number, etc.). Organizations must have privacy policies and controls in place to protect their employee and customer PII. Chapter 3 discusses PII in depth. CISSP All-in-One Exam Guide 22 CSO vs. CISO The CSO and CISO may have similar or very different responsibilities, depending on the individual organization. In fact, an organization may choose to have both, either, or neither of these roles. It is up to an organization that has either or both of these roles to define their responsibilities. By and large, the CSO role usually has a further-reaching list of responsibilities compared to the CISO role. The CISO is usually focused more on technology and has an IT background. The CSO usually is required to understand a wider range of business risks, including physical security, not just technological risks. The CSO is usually more of a businessperson and typically is present in larger organizations. If a company has both roles, the CISO reports directly to the CSO. The CSO is commonly responsible for ensuring convergence, which is the formal cooperation between previously disjointed security functions. This mainly pertains to physical and IT security working in a more concerted manner instead of working in silos within the organization. Issues such as loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, and insurance all have physical security and IT security aspects and requirements. So one individual (CSO) overseeing and intertwining these different security disciplines allows for a more holistic and comprehensive security program. The organization should document how privacy data is collected, used, disclosed, archived, and destroyed. Employees should be held accountable for not following the organization’s standards on how to handle this type of information. Chief Security Officer The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations. The creation of this role is a mark in the “win” column for the security industry because it means security is finally being seen as a business issue. Previously, security was relegated to the IT department and was viewed solely as a technology issue. As organizations began to recognize the need to integrate security requirements and business needs, creating a position for security in the executive management team became more of a necessity. The CSO’s job is to ensure that business is not disrupted in any way due to security issues. This extends beyond IT and reaches into business processes, legal issues, operational issues, revenue generation, and reputation protection. Data Owner The data owner (information owner) is usually a member of management who is in charge of a specific business unit and who is ultimately responsible for the protection Chapter 1: Cybersecurity Governance 23 and use of a specific subset of information. The data owner has due-care responsibilities and thus will be held responsible for any negligent act that results in the corruption or PART I disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining secu- rity requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access cri- teria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protec- tion mechanisms to the data custodian. NOTE Data ownership takes on a different meaning when outsourcing data storage requirements. You may want to ensure that the service contract includes a clause to the effect that all data is and shall remain the sole and exclusive property of your organization. Data Custodian The data custodian (information custodian) is responsible for maintaining and protect- ing the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the com- pany’s security policy, standards, and guidelines that pertain to information security and data protection. System Owner The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrat- ing security considerations into application and system purchasing decisions and devel- opment projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. This role must ensure that the systems are Data Owner Issues Each business unit should have a data owner who protects the unit’s most criti- cal information. The company’s policies must give the data owners the necessary authority to carry out their tasks. This is not a technical role, but rather a business role that must understand the relationship between the unit’s success and the protection of this critical asset. Not all businesspeople understand this role, so they should be given the necessary training. CISSP All-in-One Exam Guide 24 properly assessed for vulnerabilities and must report any that are discovered to the inci- dent response team and data owner. Security Administrator The security administrator is responsible for implementing and maintaining specific secu- rity network devices and software in the enterprise. These controls commonly include firewalls, an intrusion detection system (IDS), intrusion prevention system (IPS), anti- malware, security proxies, data loss prevention, etc. It is common for a delineation to exist between the security administrator’s responsibilities and the network administrator’s responsibilities. The security administrator has the main focus of keeping the network secure, and the network administrator has the focus of keeping things up and running. A security administrator’s tasks commonly also include creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords. The security administrator must make sure access rights given to users support the policies and data owner directives. Supervisor The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees under- stand their responsibilities with respect to security; making sure the employees’ account information is up to date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee’s role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately. Change Control Analyst Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Data Analyst Having proper data structures, definitions, and organization is very important to a com- pany. The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it. For example, payroll information should not be mixed with inventory information; the purchasing department needs to have a lot of its values in monetary terms; and the inventory system must follow a standardized naming scheme. The data analyst may be responsible for architecting a new system that will hold company information or advis- ing in the purchase of a product that will do so. The data analyst works with the data owners to help ensure that the structures set up coincide with and support the company’s business objectives. Chapter 1: Cybersecurity Governance 25 User The user is any individual who routinely uses the data for work-related tasks. The user PART I must have the necessary level of access to the data to perform the duties within their posi- tion and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others. Auditor The function of the auditor is to periodically check that everyone is doing what they are supposed to be doing and to ensure the correct controls are in place and are being main- tained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have missed and help you understand how to fix the problems. Why So Many Roles? Most organizations will not have all the roles previously listed, but what is important is to build an organizational structure that contains the necessary roles and map the correct security responsibilities to them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations. Security Policies, Standards, Procedures, and Guidelines Computers and the information processed on them usually have a direct relationship with a company’s critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible. A com- prehensive management approach must be developed to accomplish these goals success- fully. This is because everyone within an organization may have a different set of personal values and experiences they bring to the environment with regard to security. It is impor- tant to make sure everyone is consistent regarding security at a level that meets the needs of the organization. For a company’s security plan to be successful, it must start at the top level and be useful and functional at every single level within the organization. Senior management needs to define the scope of security and identify and decide what must be protected and to what extent. Management must understand the business needs and compliance requirements (regulations, laws, and liability issues) for which it is responsible regarding security and ensure that the company as a whole fulfills its obligations. Senior management also must determine what is expected from employees and what the consequences of CISSP All-in-One Exam Guide 26 noncompliance will be. These decisions should be made by the individuals who will be held ultimately responsible if something goes wrong. But it is a common practice to bring in the expertise of the security officers to collaborate in ensuring that sufficient policies and controls are being implemented to achieve the goals being set and determined by senior management. A security program contains all the pieces necessary to provide overall protection to an organization and lays out a long-term security strategy. A security program’s documentation should be made up of security policies, procedures, standards, guidelines, and baselines. The human resources and legal departments must be involved in the development and enforcement of rules and requirements laid out in these documents. ISMS vs. Enterprise Security Architecture What is the difference between an ISMS and an enterprise security architecture? An ISMS outlines the controls that need to be put into place (risk management, vulnerability management, business continuity planning, data protection, auditing, configuration management, physical security, etc.) and provides direction on how those controls should be managed throughout their life cycle. The ISMS specifies the pieces and parts that need to be put into place to provide a holistic security program for the organization overall and how to properly take care of those pieces and parts. The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment. The security components of the ISMS have to be interwoven throughout the business environment and not siloed within individual company departments. For example, the ISMS will dictate that risk management needs to be put in place, and the enterprise security architecture will chop up the risk management components and illustrate how risk management needs to take place at the strategic, tactical, and operational levels. As another example, the ISMS could dictate that data protection needs to be put into place. The security architecture can show how this happens at the infrastructure, application, component, and business level. At the infrastructure level we can implement data loss protection technology to detect how sensitive data is traversing the network. Applications that maintain sensitive data must have the necessary access controls and cryptographic functionality. The components within the applications can implement the specific cryptographic functions. And protecting sensitive company information can be tied to business drivers, which is illustrated at the business level of the architecture. The ISO/IEC 27000 series (which outlines the ISMS and is covered in detail in Chapter 4) is very policy oriented and outlines the necessary components of a security program. This means that the ISO standards are general in nature, which is not a defect—they were created that way so that they could be applied to various types of businesses, companies, and organizations. But since these standards are general, it can be difficult to know how to implement them and map them to your company’s infrastructure and business needs. This is where the enterprise security architecture comes into play. The architecture is a tool used to ensure that what is outlined in the security standards is implemented throughout the different layers of an organization. Chapter 1: Cybersecurity Governance 27 The language, level of detail, formality of the documents, and supporting mechanisms should be examined by the policy developers. Security policies, standards, guidelines, PART I procedures, and baselines must be developed with a realistic view to be most effective. Highly structured organizations usually follow documentation in a more uniform way. Less structured organizations may need more explanation and emphasis to promote compliance. The more detailed the rules are, the easier it is to know when one has been violated. However, overly detailed documentation and rules can prove to be more burdensome than helpful. The business type, its culture, and its goals must be evaluated to make sure the proper language is used when writing security documentation. There are a lot of legal liability issues surrounding security documentation. If your organization has a policy outlining how it is supposed to be protecting sensitive information and it is found out that your organization is not practicing what it is preaching, criminal charges and civil suits could be filed and successfully executed. It is important that an organization’s security does not just look good on paper, but in action also. Security Policy A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address applicable laws, regulations, and liability issues and how they are to be satisfied. The organizational security policy provides scope and direc- tion for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept. The organizational security policy has several important characteristics that must be understood and implemented: Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives. It should be an easily understood document that is used as a reference point for all employees and management. It should be developed and used to integrate security into all business functions and processes. It should be derived from and support all legislation and regulations applicable to the company. It should be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership. Each iteration of the policy should be dated and under version control. The units and individuals who are governed by the policy must have easy access to it. Policies are commonly posted on portals on an intranet. CISSP All-in-One Exam Guide 28 It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise. The level of professionalism in the presentation of the policies reinforces their importance, as well as the need to adhere to them. It should not contain language that isn’t readily understood by everyone. Use clear and declarative statements that are easy to understand and adopt. It should be reviewed on a regular basis and adapted to correct incidents that have occurred since the last review and revision of the policies. A process for dealing with those who choose not to comply with the security policies must be developed and enforced so there is a structured method of response to noncompliance. This establishes a process that others can understand and thus recognize not only what is expected of them but also what they can expect as a response to their noncompliance. Organizational security policies are also referred to as master security policies. An organization will have many policies, and they should be set up in a hierarchical manner. The organizational (master) security policy is at the highest level, with policies underneath it that address security issues specifically. These are referred to as issue-specific policies. An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues. As a more specific example, an e-mail policy might state that management can read any employee’s e-mail messages that reside on the mail server, but not when they reside on the user’s workstation. The e-mail policy might also state that employees cannot use e-mail to share confidential information or pass inappropriate material and that they may be subject to monitoring of these actions. Before they use their e-mail clients, employees should be asked to confirm that they have read and understand the e-mail policy, either by signing a confirmation document or clicking Yes in a confirmation dialog box. The policy provides direction and structure for the staff by indicating what they can and cannot do. It informs the users of the expectations of their actions, and it provides liability protection in case an employee cries “foul” for any reason dealing with e-mail use. EXAM TIP A policy needs to be technology and solution independent. It must outline the goals and missions, but not tie the organization to specific ways of accomplishing them. Chapter 1: Cybersecurity Governance 29 A common hierarchy of security policies is outlined here, which illustrates the relationship between the master policy and the issue-specific policies that support it: PART I Organizational policy: Acceptable use policy Risk management policy Vulnerability management policy Data protection policy Access control policy Business continuity policy Log aggregation and auditing policy Personnel security policy Physical security policy Secure application development policy Change control policy E-mail policy Incident response policy A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications. An organization may have a system- specific policy outlining how a database containing sensitive information should be protected, who can have access, and how auditing should take place. It may also have a system-specific policy outlining how laptops should be locked down and managed. This policy type is directed to one or a group of similar systems and outlines how they should be protected. Policies are written in broad terms to cover many subjects in a general fashion. Much more granularity is needed to actually support the policy, and this happens with the use of procedures, standards, guidelines, and baselines. The policy provides the foundation. The procedures, standards, guidelines, and baselines provide the security framework. And the necessary security controls (administrative, technical, and physical) are used to fill in the framework to provide a full security program. Standards Standards refer to mandatory activities, actions, or rules. Standards describe specific requirements that allow us to meet our policy goals. They are unambiguous, detailed, and measurable. There should be no question as to whether a specific asset or action complies with a given standard. Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a CISSP All-in-One Exam Guide 30 Types of Policies Policies generally fall into one of the following categories: Regulatory This type of policy ensures that the organization is following standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI DSS, etc.; see Chapter 3). It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries. Advisory This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical or financial information. Informative This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations. means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform (standardized) manner across the organization. Organizational standards may require that all employees use a specific smart card as their access control token, that its certificate expire after 12 months, and that it be locked after three unsuccessful attempts to enter a personal identification number (PIN). These rules are compulsory within a company, and if they are going to be effective, they must be enforced. An organization may have an issue-specific data classification policy that states “All confidential data must be properly protected.” It would need a supporting data protection standard outlining how this protection should be implemented and followed, as in “Confidential information must be protected with AES256 at rest and in transit.” Tactical and strategic goals are different. A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps necessary to achieve it. As shown in Figure 1-3, standards, guidelines, and procedures are the tactical tools used to achieve and support the directives in the security policy, which is considered the strategic goal. EXAM TIP The term standard has more than one meaning in our industry. Internal documentation that lays out rules that must be followed is a standard. But sometimes, best practices, as in the ISO/IEC 27000 series, are referred to as standards because they were developed by a standards body. And as we will see later, we have specific technologic standards, as in IEEE 802.11. You need to understand the context of how this term is used. The CISSP exam will not try and trick you on this word; just know that the industry uses it in several different ways. Chapter 1: Cybersecurity Governance 31 Figure 1-3 Policy Policies are PART I implemented through standards, Standards Mandatory procedures, and guidelines. Procedures Guidelines Recommended but optional Baselines The term baseline refers to a point in time that is used as a comparison for future changes. On