Governance Management And Compliance - USALearning

Transcription

Governance Management and Compliance

Table of Contents

Information Security Governance .... 2
The Business Case .... 3
Basics: The CIA Triad .... 6
IT Governance .... 7
Information Security .... 8
Due Diligence .... 11
ITGI Guidance -1 .... 14
ITGI Guidance -2 .... 16
Components to be Managed -1 .... 17
Components to be Managed -2 .... 19
Compliance Enforcement -1 .... 21
Compliance Enforcement -2 .... 22
Notices .... 26

Page 1 of 26

Information Security Governance

Slide 6: Information Security Governance

**006 Ben Malisow: All right. Any questions before we get started? Let's get right into it.

The Business Case

Slide 7: The Business Case

Strategic alignment: Ensuring that the security program supports and operates in concert with the organization's goals, policies, and especially the organizational processes, including acquisitions, divestitures, and governance committees

Organizations need security professionals to run the security program because 100% security is impossible.
- Need a cost-effective approach
- Separate skill set

Senior management always makes the final decision, but needs input from security professionals.

**007 Ben Malisow: Business case. The two words that you're going to hear over and over again-- Gabriel's heard this in the CISA class-- over and over again: Strategic Alignment. You don't do systems in the absence of corporate policy. You don't do security independent of business. Security is supposed to go along with what your line of business is. That's the whole point of it. And that should be helpful for both how you do things and how the business does things. Certain things like evaluation of your assets, determining data ownership-- these things will help both the organization from a business standpoint and you do your job from a security standpoint.

It also explains why you are needed. And there's an old adage that says the first two things to go during budget cuts are security and training. Not so much anymore. Training, yes; security not so much. Security has taken kind of a new forefront among even the most hardened corporate hatchet masters.

We have a unique skill set that allows business to remain in compliance with regulation, for one thing, now that there are a lot more regulations. HIPAA, in the healthcare field. Who did finance before? Gramm-Leach-Bliley and SOX. Are there other regulations for other industries? Anyone think of any?

Student: FERPA.

Ben Malisow: What?

Student: FERPA, the education version of HIPAA.

Ben Malisow: Oh. I wasn't even aware of this. What's it called?

Student: FERPA.

Student: FERPA.

Ben Malisow: FERPA. Okay.

Student: Federal Education Record-- I don't know.

Ben Malisow: Wow. When-- is that--?

Student: For colleges.

Ben Malisow: Okay, all right.

Student: Colleges, high schools.

Ben Malisow: What's that?

Student: Colleges, public schools, high schools, that kind of stuff.

Ben Malisow: Good. Good, good, good. Are there non-legislative regulations as well?

Student: PCI?

Ben Malisow: PCI. That's exactly what I was looking for too. Good. Payment Card Industry. Yeah. Visa started it, but by and large all the credit cards have jumped on board of the fact that if you want to use their capabilities, you're going to have to remain compliant with the regulations. Good.

Does that mean that we're in charge? No. Senior management is always on the hook for making those decisions. But they're going to turn to us to find out what those decisions should be.

Basics: The CIA Triad

Slide 8: Basics: The CIA Triad

Confidentiality – Ensuring information is only available to those authorized to have access to the information
Integrity – Describes the wholeness and completeness of the information without any alteration except by authorized sources
Availability – The ability to use the information or resource when it is needed

[Figure: the CIA triad (Confidentiality, Integrity, Availability), labelled IS Management and IT Security]

**008 Ben Malisow: There's our old friend the triad. Don't make fun of my clip art. From a policy standpoint, it should address all of the areas, each of the legs of the triad.

IT Governance

Slide 9: IT Governance

"A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes."
—IT Governance Institute (ITGI)

The ITGI has determined that IT security governance ought to be an element of IT governance.

**009 Ben Malisow: This is a great quote explaining what governance is from the ITGI.

Information Security

Slide 10: Information Security

Objective: Protect the confidentiality, integrity and availability (CIA) of information
- Critical to achieving this objective: Develop, implement, and manage an effective IS program

Effective IS governance offers many benefits
- Demonstrates "due care" which can help to mitigate the potential for civil and legal liability
- Ensures policy compliance
- Lowers risks to defined and acceptable levels
- Improves customer trust
- Protects the organization's reputation
- Provides accountability during critical business operations

**010 Ben Malisow: What is our objective? Maintain that triad. Makes sense. How do you do that? Put a good program in place. We're going to go over the elements of those programs. What are the benefits of having that program in place? Right here. Right here.

The big one, due care, we're going to drill down on in just a second. But the other reason you have good governance is to make sure that everyone stays in compliance. We talked about this some yesterday. First of all, if you don't write it down it didn't happen. But second of all, if you don't publish it, people can't be held accountable to it. It's a way of ensuring that you have that stick in your hand as well.

Helps bring your risk down to acceptable level. What's the acceptable level of risk in an organization? Trick question.

Student: Five.

Ben Malisow: Good answer. These go to 11. The acceptable level of risk in an organization is whatever that organization decides to accept. It's different for every organization. It's fuzzy, and the rationale can be somewhat ambiguous. And it'll change from senior management to senior management every time there's a coup d'état or a change of power.

It improves customer trust. Is it important for your customers to think that their information is going to be held as valuable as you hold your own information? Absolutely. What happens if your customers start to think you're going to lose their data? They're not going to do business with you. Does that happen? Sure. Sure.

And, helps protect your reputation. Do you look silly if you are the entity known for losing people's information? Yes, you do. You look even sillier if your entire business model is based on holding onto personal information.

Who's heard of ChoicePoint? What was ChoicePoint?

Student: They sell information about people.

Ben Malisow: That's literally what they do. Anyone think of what kind of information they sell? Do you know an example of it?

One of the things that they do is they were the third-party provider for verifying driver's license information for rental car checks. When you call up the rental car company and say, "I want to reserve a car," they ask for your driver's license information. They take that number, they run it through the ChoicePoint database. The rental car company doesn't maintain that database; ChoicePoint does. And then ChoicePoint says whether or not you're wanted as a felon in Virginia for speeding.

ChoicePoint had a huge breach. Is that how you had heard of them?

Student: Mm-hmm.

Ben Malisow: Yeah. Do you know what caused that breach?

Student: No.

Ben Malisow: A couple of their employees. They were selling batches of this personal information-- people's driver's license information and other personally identifiable information-- for pretty low numbers I think it was. I think it was like two cents per. And they sold a whole bunch of them. Pay your people well, is one good way to do that. But yeah, they lost a lot of reputation in that. And if that's your entire business model is being able to hold onto information, losing it is not a good way to maintain your reputation.

And helps provide accountability. If you have good governance, you're pointing out who is responsible for doing what, and that's important too. Not just for blaming people, but for giving them credit where credit is due as well.

Due Diligence

Slide 11: Due Diligence

The standard of "due care"

Components include
- Senior management support
- Comprehensive policies, standards, and procedures
- Appropriate security education, training, and awareness
- Periodic risk assessments
- Effective backup and recovery processes
- Implementation of adequate security controls
- Effective monitoring and metrics
- Effective compliance
- Testing business continuity and disaster recovery plans
- Periodic independent reviews of the infrastructure

**011 Ben Malisow: All right: Drilling down on due care. What is the reasonable person rule? Has anyone heard of that before?

Student: It's a supposedly objective way of measuring something legally.

Ben Malisow: Good. Good. It's the legal standard for what you should be expected to do if you are in a position of responsibility or authority. Would a reasonable person in a similar situation have acted the way you did? And that can be-- as long as you can show that, that helps attenuate your liability. As long as-- "Well, there was a fire, so I thought it'd be great if I doused it with gasoline." The court's going to say, "No, that does not rise to the standard of due care. You have failed the reasonable person test there." Right?

You, from a security perspective, are held to maintaining due care. You have a fiduciary responsibility, you have a legal responsibility, you have a professional responsibility to be able to provide your organization with that level of reasonable person. To be able to get there, you need to have-- we talked about this yesterday too-- senior management support. Without buy-in from on high, your program isn't even going to get launched.

We're going to talk about policy, standards and procedures, the difference between those two, but your program needs to have that. Your organization needs to demonstrate that it's being reasonable.

Education, training and awareness. If you don't tell your people what the standards, policies and procedures are, they won't be held to them and they won't understand them. Plus, they won't act in accordance with them. We'll talk about why we do training in a little bit too.

Risk assessments. Make sure you know that the countermeasures you have in place are either working or therefore good cause; or, if they need to be changed, how to change them.

Backup and recovery, in case you lose your data.

Implementation of adequate controls. Again, if you don't show that you have acted in a manner in accordance with a reasonable person for maintaining security of those assets that you're being held-- or that you're holding-- you are being shown to be negligent. You're not providing due care.

Monitoring and metrics. Can you prove that you've been actually measuring what it is that you're doing? Is your compliance effective? Have you been auditing? Are you enforcing all of your policies and standards?

Testing. Independent reviews as well.

ITGI Guidance -1

Slide 12: ITGI Guidance -1

The board of directors should
- Be informed about Infosec
- Set direction to drive policy and strategy
- Provide resources to security efforts
- Assign management responsibilities
- Set priorities
- Support changes required
- Define cultural values related to risk assessment
- Obtain assurance from internal or external auditors
- Insist that security investments are made measurable and reported on for program effectiveness

**012 Ben Malisow: All of those go into due care. The ITGI gave us that definition of what good governance would be. These are a list of requirements that the ITGI suggests the board of directors take part in. And that's even beyond senior management. That's the director-level leadership of the organization.

Are they going to be in charge of InfoSec for the entity, for your business entity? No. No. They shouldn't be. They shouldn't be. That's too down in the weeds for them. Are they responsible overall? Yes. So they have to be informed, and the CISSP or the security officer should be prepared to brief them and bring them up to speed on what's going on, and be able to refrain from speaking geek long enough to be able to translate that into board of directors' talk, usually with PowerPoints and graphics.

They're going to set your direction for your policy. Again, without senior management buy-in, that program is not going to work. They're not going to administer that policy, but they're going to set the organizational culture for it.

They're going to give you the budget and the personnel. They're going to say who is responsible for it. They're going to pick the priorities for your organization. They're actually creating that culture, and they're going to make sure that it gets done within those constraints.

ITGI Guidance -2

Slide 13: ITGI Guidance -2

Management should
- Write security policies with business input
- Ensure that roles and responsibilities are defined and clearly understood
- Identify threats and vulnerabilities
- Develop and implement information security strategies
- Ensure policy is approved by the board
- Establish priorities and implement security projects in a timely manner
- Monitor breaches
- Assess the completeness and effectiveness of the security program
- Reinforce awareness education as critical
- Build security into the systems development life cycle
- Ensure legislative and regulatory compliance
- Ensure compliance with privacy requirements

**013 Ben Malisow: If the board of directors isn't running the program, is management running the program? Not necessarily, even though management's going to be responsible for the outcomes. Management's going to publish those policies. Management's going to-- you're probably going to write them and they're going to sign them, which is the way it should be. You are acting as the internal consultant to management for being security experts. All of these requirements fall on management's shoulders, but you have to support them in them.

Components to be Managed -1

Slide 14: Components to be Managed -1

Organizational processes
- Acquisitions
- Divestitures
- Governance committees
  - Enterprise-wide oversight committee
  - Oversight committee representation: HR, Legal, IT, Business Units, Compliance/Audit, Infosec
  - Mission statement

Iinformation lifecycle
- Classification
- Categorization
- Ownership

**014 Ben Malisow: What do you manage? What are the things that a security program is actually governing? This doesn't include just the devices or the personnel or the processes. Sometimes, in terms of what the organization is doing, it's growing itself. These things can be looked at from a device standpoint-- Are you buying new hardware? Are you buying new software?

But what else can they be looked at in? Buying new companies. Has anyone ever grown by acquisition? Has anyone ever been through the process of being purchased by a larger entity? This is an organizational challenge as well that the security person has to be on top of. If you get a whole new set of networks, if you get a whole new set of standards, if you get a whole new set of people, you have to mesh that and bring it up to either your standards or make the two work nicely together.

In terms of how this is addressed, there are different ways of assigning that responsibility too, in terms of who's in charge. In some organizations, there's an enterprise-wide oversight committee. Obviously the organization has to be a certain size to be able to support that kind of personnel. Most groups don't have people that they can assign to that sort of additional duty outside of operational functions until they get to a place where they can afford it.

Who should serve on that committee? All these people. They all serve a function and they all have particular insights to offer that committee.

The mission statement is something that's very popular in the guide. The book talks quite a bit about mission statements and how to write one. It has an example in there. Go ahead and look at it. I won't read it to you. Mission statement.

Sorry, there's a typo in there. That's Information Lifecycle, of course. We talked somewhat about that before. You got to classify the information according to its sensitivity and the value that you've assigned to that data. Categorize it based on what domain it falls into, and assign ownership. Who's going to be responsible for that data? Who controls that data? Who controls who gets access to it?

Components to be Managed -2

Slide 15: Components to be Managed -2

Third-party governance
- Obtaining services from outside providers does not relinquish the security responsibility of the organization, nor does it imply delegated responsibility
- Some common issues to be considered include:
  - Isolation of external party access to resources
  - Integrity and authenticity of data and transactions
  - Protection against malicious code and content
  - Privacy and confidentiality agreements and procedures
  - Security standards for transacting systems
  - Data transmission confidentiality
  - Identity and access management of the third party
  - Incident contact and escalation procedures

**015 Ben Malisow: But, in today's environment, not every organization wants to be in the IT or information business either. Some of them, it's not their core competency and they're not interested in doing it. So your governance program also has to look at outsourcing. Managed services. Anyone ever work in an environment where IT has been farmed out to another vendor? Andy, you're nodding.

Student: Mm-hmm.

Ben Malisow: How'd that work out? Was it good? Was the vendor good?

Student: What kind of response time are you willing to deal with is kind of the issue.

Ben Malisow: Good. Good, good, good. Yeah, absolutely. And that's some of the things that you have to make sure that you're putting in the contract, that's in your SLIs, right? Because you're contracting it out, does that mean your organization is no longer responsible for the security of the data?

Student: No.

Ben Malisow: No. Not at all. Not at all. You still retain that accountability. You're still stuck with that owner-- that onus-- right? These are all aspects of the things that you have to be responsible for. They should be in the contract with the provider; you should be auditing them internally; there should be provision for an external audit as well. All of the things that you would do internally for security, you still have to do even though you've subbed out the IT function. Does that make sense? Yeah.

Compliance Enforcement -1

Slide 16: Compliance Enforcement -1

Policy establishes the basis for accountability for information security responsibilities.
Policies have no value if not communicated and enforced.
Policies can and should create a security culture or mindset within the organization; without enforcement, they will not be taken seriously.

**016 Ben Malisow: All right, so how do you enforce this? You have your governance in place and now you want to make sure that everybody's toeing the line. Policy is the number one way of doing it. Again, if you don't publish it, people can't be held to it. It's the tool that says you can be held accountable for this. If you lock your policies up in a safe and don't let anyone read them, they don't do you any good. And if they're written well and if you disseminate them well, they can actually help. They can be a good training aid. They can be part of your education. They can be a good part of your security program.

Compliance Enforcement -2

Slide 17: Compliance Enforcement -2

Enforcement of compliance has several aspects
- Regulatory compliance
- Privacy requirements compliance
- Internal policies, standards, and procedures compliance

Compliance methods
- Policy review
- Audit
- Vulnerability and penetration testing

**017 Ben Malisow: We talked a little bit about regulations. Are you responsible for knowing what all the laws are? Yeah. Yeah. Ignorance of the law isn't going to be any defense under your due care standards. So you have to know what they are. You have to know how to abide by them. Anyone familiar with SOX? Anyone done SOX compliance in their environment? You've done HIPAA compliance in your--?

Student: I haven't done it personally.

Ben Malisow: Anyone done any of the federal compliance stuff, any of the FIPS standards, run certification, accreditation? How'd it go, Dan?

Student: It's painful.

Ben Malisow: Very detailed and very thorough, isn't it?

Student: Yeah.

Ben Malisow: Was it worth it when you were all done?

Student: Yeah.

Ben Malisow: Yeah.

Student: I think so.

Ben Malisow: Yeah. It's a pretty good procedure, actually, and they have really good checklists lined out. I mean, it's not as if they just said, "Here's the policy. Go for it."

Student: Yeah, and it's a really nice stick to use to get people to actually consider security in the organization.

Ben Malisow: 'Cause they hooked it to the budget. Yeah.

Student: We're just--

Ben Malisow: FISMA was really good too. Yeah.

Student: Yeah. Just the threat of being in trouble with the auditors.

Ben Malisow: Yes. Yeah. HIPAA-- there was a problem with that, because initially the law came out way before there was any guidance on how to implement it. All that it was was a giant stick with absolutely no roadmap of how to comply with it. Were you still going to be held to that standard? Yeah, but nobody understood what the standard was. That can be tricky. That can be tricky, especially as new legislation is constantly coming out.

Also, you have to be responsible for privacy data, which can be just as tricky nowadays. Are there federal privacy standards? There's some argument about that. It depends. If you look at the Fair Credit Reporting Act, there's some suggestion that there is. If you look at SOX, there's some suggestion that there is, but that's limited to publicly-traded organizations.

Do states publish their own privacy requirements?

Student: Yeah.

Ben Malisow: Oh, heck yeah. Come to California sometime. They have a whole state agency that all they do is enforce that kind of stuff. It is very tricky. If your organization operates in several states, how many different forms of regulation do you have to comply with?

Student: All of them.

Ben Malisow: All of them. Yeah. Even the ones that disagree with each other, right? Yeah. They can be really tricky.

And you've got your own internal policies, standards and procedures. We're going to define the difference between policies, standards and procedures in a little bit too.

How do you do that? Go over the policy. Why are you reviewing the policy if you just published the policy and it tells you what you're supposed to do? Why are you reviewing it? Why should you review your policy on an annual basis?

Student: You might need to adjust it.

Ben Malisow: Absolutely. Things change, don't they? Technology, people, our culture, the regulation itself.

Audit, of course, is a huge tool. Like Dan said, all you do is you have to use that as a threat sometimes and you get compliance to go along with that. And, our favorite, the vulnerability testing and penetration testing.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below.

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN "AS IS" BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT is a registered mark of Carnegie Mellon University.
