Governance Simplified

Transcription

1 Information Security Governance Simplified From the Boardroom to the Keyboard TODD FITZGERALD, cissp; cisa, cism Foreword by Tom Peltier CRC Press Taylor & Francis Croup Boca Raton London NewYork CRC Press is an imprint of the Taylor & Francis Croup, an Informs business AN AUERBACH BOOK

2 Contents Foreword Acknowledgments Introduction About the Author xvii xxi xxiii xxvii Chapter 1 Getting Information Security Right:Top to Bottom 1 Information Security Governance 2 Tone at the Top 5 Tone at the Bottom 5 Governance, Risk, and Compliance (GRC) 6 The Compliance Dilemma 7 Suggested Reading 10 Chapter 2 Developing Information Security Strategy 11 Evolution ofinformation Security Organization Historical Perspective 16 Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt 16 Understand the External Environment 17 Regulatory 17 Competition 18 Emerging Threats 19 Technology Cost Changes 19 External Independent Research 20 The Internal Company Culture 20 Risk Appetite 21 Speed 22 IS VII

3 VIII CONTENTS Collaborative versus Authoritative 22 Trust Level 23 Growth Seeker or Cost Cutter 24 Company Size 25 Outsourcing Posture 25 Prior Security Incidents, Audits 26 Security Strategy Development Techniques 28 Mind Mapping 28 SWOT Analysis 30 Balanced Scorecard 32 Face-to-Face Interviews 32 Security Planning 34 Strategic 34 Tactical 35 Operational/Project Plans 35 Suggested Reading 36 Chapter 3 Defining the Security Management Organization 37 History of the Security Leadership Role Is Relevant 37 The New Security Officer Mandate 40 Day 1: Hey, I Got the Job! 41 Security Leader Titles 42 Techie versus Leader 43 The Security Leaders Library 44 Security Leadership Defined 45 Security Leader Soft Skills 46 Seven Competencies for Effective Security Leadership 46 Security Functions 52 Learning from Leading Organizations 52 Assess Risk and Determine Needs 53 Implement Policies and Controls 54 Promote Awareness 56 Monitor and Evaluate 56 Central Management 56 What Functions Should the Security Officer Be Responsible For? 57 Assessing Risk and Determining Needs Functions 58 Risk Assessment/Analysis 58 Systems Security Plan Development 59 External Penetration Testing 60 Implement Policies and Control Functions 61 Security Policy Development 61 Security Architecture 61 Security Control Assessment 62

4 CONTENTS IX Identity and Access Management 62 Business Continuity and Disaster Recovery 63 Promote Awareness Functions 64 End User Security Awareness Training 64 Intranet Site and Policy Publication 65 Targeted Awareness 65 Monitor and Evaluate Functions 65 Security Baseline Configuration Review 66 Logging and Monitoring 67 Vulnerability Assessment 67 Internet Monitoring/Management of Managed Services 68 Incident Response 68 Forensic Investigations 69 Central Management Functions 69 Reporting Model 70 Business Relationships 71 Reporting to the CEO 71 Reporting to the Information Systems Department 72 Reporting to Corporate Security 72 Reporting to the Administrative Services Department 73 Reporting to the Insurance and Risk Management Department 73 Reporting to the Internal Audit Department 74 Reporting to the Legal Department 74 Determining the Best Fit 75 Suggested Reading 75 Chapter 4 Interacting with the C-Suite 77 Communication between the CEO, CIO, Other Executives, and CI SO "Lucky" Questions to Ask One Another 80 The CEO, Ultimate Decision Maker 81 The CEO Needs to KnowWhy 87 The CIO, Where Technology Meets the Business 87 CIO's Commitment to Security Is Important 94 The Security Officer, Protecting the Business 95 The CEO, CIO, and CISO Are Business Partners 100 Building Grassroots Support through an Information Security Council 101 Establishing the Security Council 101 Oversight of Security Program 103 Decide on Project Initiatives 103 Prioritize Information Security Efforts 103 Review and Recommend Security Policies 103 Champion Organizational Security Efforts 104 Recommend Areas Requiring Investment 104

5 X CONTENTS Appropriate Security Council Representation 104 "-Ingmg" the Council: Forming, Storming, Norming, and Performing 107 Forming 107 Storming 108 Norming 108 Performing 109 Integration with Other Committees 109 Establish Early, Incremental Success 111 Let Go of Perfectionism 112 Sustaining the Security Council 113 End User Awareness 114 Security Council Commitment 116 Suggested Reading 117 Chapter 5 Managing Risk to an Acceptable Level 119 Risk in Our Daily Lives 120 Accepting Organizational Risk 121 JustAnother Set of Risks 122 Management Owns the Risk Decision 122 Qualitative versus Quantitative Risk Analysis 123 Risk Management Process 124 Risk Analysis Involvement 124 Step 1: Categorize the System 125 Step 2: Identify Potential Dangers (Threats) 128 Human Threats 128 Environmental/Physical Threats 128 Technical Threats 129 Step 3: Identify Vulnerabilities That Could Be Exploited 129 Step 4: Identify Existing Controls 130 Step 5: Determine Exploitation Likelihood Given Existing Controls 131 Step 6: Determine Impact Severity 132 Step 7: Determine Risk Level 134 Step 8: Determine Additional Controls 135 Risk Mitigation Options 135 Risk Assumption 135 Risk Avoidance 136 Risk Limitation 136 Risk Planning 136 Risk Research 136 Risk Transference 137 Conclusion 137 Suggested Reading 137

6 CONTENTS XI Chapter 6 Chapter 7 Creating Effective Information Security Policies 139 Why Information Security Policies Are Important 139 Avoiding Shelfware 140 Electronic Policy Distribution 141 Canned Security Policies 142 Policies, Standards, Guidelines Definitions 143 Policies Are Written at a High Level 143 Policies 145 Security Policy Best Practices 145 Types of Security Policies 147 Standards 149 Procedures 150 Baselines 151 Guidelines 152 Combination of Policies, Standards, Baselines, Procedures, and Guidelines 153 Policy Analogy 153 An Approach for Developing Information Security Policies 154 Utilizing the Security The Policy Review Process 156 Information Security Policy Process 161 Suggested Reading 161 Council for Policies 155 Security Compliance Using Control Frameworks 163 Security Control Frameworks Defined 163 Security Control Frameworks and Standards Examples 164 Heath Insurance Portability and Accountability Act (HIPAA) 164 Federal Information Security Management Act of 2002 (FISMA) 164 National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) 164 Federal Information System Controls Audit Manual (FISCAM) 165 ISO/IEC 27001:2005 Information Security Management Systems Requirements 165 ISO/IEC 27002:2005 Information Technology- Security Techniques Code of Practice for Information Security Management 166 Control Objectives for Information and Related Technology (COBIT) 167 Payment Card Industry Data Security Standard (PCI DSS) 167

7 XII CONTENTS Information Technology Infrastructure Library (ITIL) 168 Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides 168 Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook 169 The World on Operates Standards 169 Standards Are Dynamic 171 The How Is Typically Left Up to Us 171 Key Question: Why Does the Standard Exist? 173 Compliance Is Not Security, But It Is a Good Start 173 Integration of Standards and Control Frameworks 174 Auditing Compliance 175 Adoption Rate of Various Standards 175 ISO 27001/2 Certification 176 NIST Certification 177 Control Framework Convergence 177 The 11-Factor Compliance Assurance Manifesto 178 The Standards/Framework Value Proposition 183 Suggested Reading 183 Chapter 8 Chapter 9 Managerial Controls: Practical Security Considerations 185 Security Control Convergence 185 Security Control Methodology 188 Security Assessment and Authorization Controls 188 Planning Controls 189 Risk Assessment Controls 190 System and Services Acquisition Controls 191 Program Management Controls 193 Suggested Reading 211 Technical Controls: Practical Security Considerations 213 Access Control Controls 213 Audit and Accountability Controls 214 Identification and Authentication 215 System and Communications Protections 215 Suggested Reading 238 Chapter 10 Operational Controls: Practical Security Considerations 239 Awareness and Training Controls 239 Configuration Management Controls 240 Contingency Planning Controls 240 Incident Response Controls 241 Maintenance Controls 241 Media Protection Controls 242 Physical and Environmental Protection Controls 243

8 CONTENTS XIII Personnel Security Controls 244 System and Information Integrity Controls 245 Suggested Reading 276 Chapter 11 The Auditors Have Arrived, Now What? 277 Anatomy of an Audit 278 Audit Planning Phase 279 Preparation of Document Request List 280 Gather Audit Artifacts 284 Provide Information to Auditors 285 On-Site Arrival Phase 287 Internet Access 287 Reserve Conference Rooms 288 Physical Access 289 Conference Phones 290 Schedule Entrance, Exit, Status Meetings 290 Set Up Interviews 291 Audit Execution Phase 292 Additional Audit Meetings 293 Establish Auditor Communication Protocol 293 Establish Internal Company Protocol 294 Media Handling 296 Audit Coordinator Quality Review 298 The Interview Itself 298 Entrance, Exit, and Status Conferences 299 Entrance Meeting 299 Exit Meeting 301 Status Meetings 301 Report Issuance and Finding Remediation Phase 302 Suggested Reading 304 Chapter 12 Effective Security Communications 305 Why a Chapter Dedicated to Security Communications? 305 End User Security Awareness Training 306 Awareness Definition 307 Delivering the Message 308 Step 1: SecurityAwareness Needs Assessment 308 New or Changed Policies 308 Past Security Incidents 309 Systems Security Plans 309 Audit Findings and Recommendations 309 Event Analysis IndustryTrends 310 Management Concerns 310 Organizational Changes 311 Step 2: Program Design 311 Target Audience Frequency of Sessions 311

9 XIV CONTENTS Number of Users 312 Method of Delivery 312 Resources Required 312 Step 3: Develop Scope 312 Determine Participants Needing Training 312 Business Units 313 Select Theme 313 Step 4: Content Development 314 Step 5: Communication and Logistics Plan 315 Step 6: Awareness Delivery 316 Step 7: Evaluation/Feedback Loops 317 Security Awareness Training Does Not Have to Be Boring 317 Targeted Security Training 317 Continuous Security Reminders 319 Utilize Multiple SecurityAwareness Vehicles 319 Security Officer Communication Skills 320 Talking versus Listening 320 Roadblocks to Effective Listening 321 Generating a Clear Message 323 Influencing and Negotiating Skills 323 Written Communication Skills 324 Presentation Skills 325 Applying Personality Type to Security Communications 326 The Four Myers-Briggs Type Indicator (MBTI) Preference Scales 326 Extraversion versus Introversion Scale 327 versus Sensing Intuition Scale 327 Thinking versus Feeling Scale 328 Judging versus Perceiving Scale 328 Determining Individual MBTI Personality 329 Summing Up the MBTI for Security 334 Suggested Reading 334 Chapter 13 The Law and Information Security 337 Civil Law versus Criminal Law 339 Electronic Communications Privacy Act of 1986 (ECPA) 340 The Computer Security Act of The Privacy Act of Sarbanes-Oxley Act of2002 (SOX) 342 Gramm-Leach-Bliley Act (GLBA) 344 Health Insurance Portability and Accountability Act of Health Information Technology for Economic and Clinical Health (HITECH) Act 348 Federal Information Security Management Act of 2002 (FISMA) 348 Summary 350 Suggested Reading 350

10 CONTENTS XV Chapter 14 Learning from Information Security Incidents 353 Recent Security Incidents 355 Texas State Comptroller 355 Sony PlayStation Network 356 Student Loan Social Security Numbers Stolen 358 Social Security Numbers Printed on Outside of Envelopes 359 Valid Addresses Exposed 360 Office Copier Hard Disk Contained Confidential Information 362 Advanced Persistent Threat Targets Security Token 362 Who Will Be Next? 364 Every Control Could Result in an Incident 365 Suggested Reading 366 Chapter Ways to Dismantle Information Security Governance Efforts 369 Final Thoughts 379 Suggested Reading 381 Index 383