Information Security Governance

Governance

Policies

• High level, non-specific.

• They can contain “Patches, updates, strong encryption”

• They will not be specific to “OS, encryption type, vendor Technology”

Standards

• Describes a specific use of technology (All laptops are W10, 64bit, 8gig memory … )

Guidelines

• Recommendations, discretionary – Suggestions on how you would to do it.

Procedures

• Low level step-by-step guides, specific.

• They will contain “OS, encryption type, vendor Technology”

Baselines (Benchmarks)

• Benchmarks for server hardening, apps, network. Minimum requirement, we can implement stronger if needed.

Personnel Security

Awareness

• Change user behavior - this is what we want, we want them to change their behavior.

Training

• Provides users with a skillset - this is nice, but if they ignore the knowledge, it does nothing.

Hiring Practices

• We do background checks where we check: References, degrees, employment, criminal, credit history (less common, more costly). We have new staff sign a NDA (Non-Disclosure Agreement).

Employee Termination Practices

• We want to coach and train employees before firing them. They get warnings.

• When terminating employees, we coordinate with HR to shut off access at the right time.

Vendors, Consultants and Contractor Security

• When we use outside people in our environments, we need to ensure they are trained on how to handle data. Their systems need to be secure enough for our policies and standards.

Outsourcing and Offshoring

• Having someone else do part of your (IT in our case) work.

• This can lower cost, but a thorough and accurate Risk Analysis must be performed. Offshoring can also pose problems with them not having to comply with the same data protection standards.

SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats)

Internal factors

Strengths

• What we do well, skilled staff, assets, and advantages over competitors.

Weaknesses

• Things we are missing, resource limitations:

  • Human resources,

  • Physical resources,

  • Financials

  • Activities

  • Processes

  • Past experiences.

External factors

Opportunities

• Elements in the environment that the business or project could exploit to its advantage.

Threats

• Elements in the environment that could cause trouble for the business or project.

• Future trends, the economy, funding, our physical environment, legislation, national, or international events

GAP analysis process

Identify the existing process

What are we doing?

Identify the existing outcome

How well do we do it?

Identify the desired outcome

How well do we want to do?

Identify and document the gap

What is the difference between now and desired result?

Identify the process to achieve the desired outcome

How can we possibly get to the desired result?

Develop the means to fill the gap

Build the tool or processes to get the result.

Develop and prioritize Requirements to bridge the gap

Organizational finances

OPEX vs. CAPEX

• OPEX (Operating Expense) is the ongoing cost for running a product, business, or system. (Keeping the lights on).

• CAPEX (Capital Expenditure) is the money a company spends to buy, maintain, or improve its fixed assets, such as buildings, vehicles, equipment, or land.

Business plans, road-maps

• We build our organizational business plans based on the organizations mission statement and vision at the direction of senior leadership.

• We have 1-year, 3-year, and 5-year business plans and roadmaps.

Fiscal years (budget year)

• We plan our budgets according to our organizations fiscal year.

KGI’s, KPI’s, and KRI’s

• KGI (Key Goal Indicator):

• Define measures that tell management, after the fact—whether an IT process has achieved its business requirements.

• KPI (Key Performance Indicators):

• Define measures that determine how well the IT process is performing in enabling the goal to be reached.

KRI (Key Risk Indicators)

• Metrics that demonstrate the risks that an organization is facing or how risky an activity is.

• They are the mainstay of measuring adherence to and establishing enterprise risk appetite.

• Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.

• KRI give an early warning to identify potential event that may harm continuity of the activity/project.

Key Goal, Performance, Risk Indicators

KGI (Key Goal Indicator)

• Define measures that tell management, after the fact—whether an IT process has achieved its business requirements.

KPI (Key Performance Indicators)

• Define measures that determine how well the IT process is performing in enabling the goal to be reached.

KRI (Key Risk Indicators)

• Metrics that demonstrate the risks that an organization is facing or how risky an activity is.

• They are the mainstay of measuring adherence to and establishing enterprise risk appetite.

• Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.

• KRI give an early warning to identify potential event that may harm continuity of the activity/project.

Confidentiality, Integrity and Availability (CIA)

Confidentiality

Confidentiality this is what most people think IT Security is. Keep our data and secrets secret. To ensure no one unauthorized can access the data.

We use:

• Encryption for data at rest (for instance AES256), full disk encryption.

• Secure transport protocols for data in motion. (SSL, TLS or IPSEC).

• Best practices for data in use - clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving).

• Strong passwords, multi factor authentication, masking, access control, need-to-know, least privilege.

Threats:

• Attacks on your encryption (cryptanalysis).

• Social engineering.

• Key loggers (software/hardware), cameras, Steganography.

• IOT (Internet Of Things) – The growing number of connected devices we have pose a new threat, they can be a backdoor to other systems.

Integrity

Integrity: how we protect against modifications of the data and the systems. System integrity and Data integrity. To ensure the data has not been altered.

We use:

• Cryptography (again).

• Check sums (This could be CRC).

• Message Digests also known as a hash (This could be MD5, SHA1 or SHA2).

• Digital Signatures – nonrepudiation.

• Access control.

Threats:

• Alterations of our data.

• Code injections.

• Attacks on your encryption (cryptanalysis).

Availability

Availability: we ensure authorized people can access the data they need, when they need to. To guarantee system integrity and data availability.

We use:

• IPS/IDS.

• Patch Management.

• Redundancy on hardware power

• (Multiple power supplies/UPS’/generators), Disks (RAID), Traffic paths (Network design), HVAC, staff, HA (high availability) and much more.

• SLA’s – How high uptime to we want (99.9%?) – (ROI)

Threats:

• Malicious attacks (DDOS, physical, system compromise, staff).

• Application failures (errors in the code).

• Component failure (Hardware).

Finding the right mix

• The right mix of Confidentiality, Integrity and Availability is a balancing act.

• This is really the cornerstone of IT Security – finding the RIGHT mix for your organization.

  • Too much Confidentiality and the Availability can suffer.

  • Too much Integrity and the Availability can suffer.

  • Too much Availability and both the Confidentiality and Integrity can suffer.

Disclosure, Alteration and Destruction (DAD)

Disclosure

• Someone not authorized getting access to your information.

Alteration

• Your data has been changed.

Destruction

• Your data or systems have been destroyed or rendered inaccessible.