Governance Simplified




Transcription:

Information Security Governance Simplified: From the Boardroom to the Keyboard. TODD FITZGERALD, CISSP, CISA, CISM. Foreword by Tom Peltier. CRC Press, Taylor & Francis Group, Boca Raton London New York. CRC Press is an imprint of the Taylor & Francis Group, an Informa business. AN AUERBACH BOOK

Contents

Foreword xvii
Acknowledgments xxi
Introduction xxiii
About the Author xxvii

Chapter 1 Getting Information Security Right: Top to Bottom 1
  Information Security Governance 2
  Tone at the Top 5
  Tone at the Bottom 5
  Governance, Risk, and Compliance (GRC) 6
  The Compliance Dilemma 7
  Suggested Reading 10

Chapter 2 Developing Information Security Strategy 11
  Evolution of Information Security Organization Historical Perspective 16
  Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt 16
  Understand the External Environment 17
  Regulatory 17
  Competition 18
  Emerging Threats 19
  Technology Cost Changes 19
  External Independent Research 20
  The Internal Company Culture 20
  Risk Appetite 21
  Speed 22
  Collaborative versus Authoritative 22
  Trust Level 23
  Growth Seeker or Cost Cutter 24
  Company Size 25
  Outsourcing Posture 25
  Prior Security Incidents, Audits 26
  Security Strategy Development Techniques 28
  Mind Mapping 28
  SWOT Analysis 30
  Balanced Scorecard 32
  Face-to-Face Interviews 32
  Security Planning 34
  Strategic 34
  Tactical 35
  Operational/Project Plans 35
  Suggested Reading 36

Chapter 3 Defining the Security Management Organization 37
  History of the Security Leadership Role Is Relevant 37
  The New Security Officer Mandate 40
  Day 1: Hey, I Got the Job! 41
  Security Leader Titles 42
  Techie versus Leader 43
  The Security Leader's Library 44
  Security Leadership Defined 45
  Security Leader Soft Skills 46
  Seven Competencies for Effective Security Leadership 46
  Security Functions 52
  Learning from Leading Organizations 52
  Assess Risk and Determine Needs 53
  Implement Policies and Controls 54
  Promote Awareness 56
  Monitor and Evaluate 56
  Central Management 56
  What Functions Should the Security Officer Be Responsible For? 57
  Assessing Risk and Determining Needs Functions 58
  Risk Assessment/Analysis 58
  Systems Security Plan Development 59
  External Penetration Testing 60
  Implement Policies and Control Functions 61
  Security Policy Development 61
  Security Architecture 61
  Security Control Assessment 62
  Identity and Access Management 62
  Business Continuity and Disaster Recovery 63
  Promote Awareness Functions 64
  End User Security Awareness Training 64
  Intranet Site and Policy Publication 65
  Targeted Awareness 65
  Monitor and Evaluate Functions 65
  Security Baseline Configuration Review 66
  Logging and Monitoring 67
  Vulnerability Assessment 67
  Internet Monitoring/Management of Managed Services 68
  Incident Response 68
  Forensic Investigations 69
  Central Management Functions 69
  Reporting Model 70
  Business Relationships 71
  Reporting to the CEO 71
  Reporting to the Information Systems Department 72
  Reporting to Corporate Security 72
  Reporting to the Administrative Services Department 73
  Reporting to the Insurance and Risk Management Department 73
  Reporting to the Internal Audit Department 74
  Reporting to the Legal Department 74
  Determining the Best Fit 75
  Suggested Reading 75

Chapter 4 Interacting with the C-Suite 77
  Communication between the CEO, CIO, Other Executives, and CISO 78
  13 "Lucky" Questions to Ask One Another 80
  The CEO, Ultimate Decision Maker 81
  The CEO Needs to Know Why 87
  The CIO, Where Technology Meets the Business 87
  CIO's Commitment to Security Is Important 94
  The Security Officer, Protecting the Business 95
  The CEO, CIO, and CISO Are Business Partners 100
  Building Grassroots Support through an Information Security Council 101
  Establishing the Security Council 101
  Oversight of Security Program 103
  Decide on Project Initiatives 103
  Prioritize Information Security Efforts 103
  Review and Recommend Security Policies 103
  Champion Organizational Security Efforts 104
  Recommend Areas Requiring Investment 104
  Appropriate Security Council Representation 104
  "-Ing'ing" the Council: Forming, Storming, Norming, and Performing 107
  Forming 107
  Storming 108
  Norming 108
  Performing 109
  Integration with Other Committees 109
  Establish Early, Incremental Success 111
  Let Go of Perfectionism 112
  Sustaining the Security Council 113
  End User Awareness 114
  Security Council Commitment 116
  Suggested Reading 117

Chapter 5 Managing Risk to an Acceptable Level 119
  Risk in Our Daily Lives 120
  Accepting Organizational Risk 121
  Just Another Set of Risks 122
  Management Owns the Risk Decision 122
  Qualitative versus Quantitative Risk Analysis 123
  Risk Management Process 124
  Risk Analysis Involvement 124
  Step 1: Categorize the System 125
  Step 2: Identify Potential Dangers (Threats) 128
  Human Threats 128
  Environmental/Physical Threats 128
  Technical Threats 129
  Step 3: Identify Vulnerabilities That Could Be Exploited 129
  Step 4: Identify Existing Controls 130
  Step 5: Determine Exploitation Likelihood Given Existing Controls 131
  Step 6: Determine Impact Severity 132
  Step 7: Determine Risk Level 134
  Step 8: Determine Additional Controls 135
  Risk Mitigation Options 135
  Risk Assumption 135
  Risk Avoidance 136
  Risk Limitation 136
  Risk Planning 136
  Risk Research 136
  Risk Transference 137
  Conclusion 137
  Suggested Reading 137

Chapter 6 Creating Effective Information Security Policies 139
  Why Information Security Policies Are Important 139
  Avoiding Shelfware 140
  Electronic Policy Distribution 141
  Canned Security Policies 142
  Policies, Standards, Guidelines Definitions 143
  Policies Are Written at a High Level 143
  Policies 145
  Security Policy Best Practices 145
  Types of Security Policies 147
  Standards 149
  Procedures 150
  Baselines 151
  Guidelines 152
  Combination of Policies, Standards, Baselines, Procedures, and Guidelines 153
  Policy Analogy 153
  An Approach for Developing Information Security Policies 154
  Utilizing the Security Council for Policies 155
  The Policy Review Process 156
  Information Security Policy Process 161
  Suggested Reading 161

Chapter 7 Security Compliance Using Control Frameworks 163
  Security Control Frameworks Defined 163
  Security Control Frameworks and Standards Examples 164
  Health Insurance Portability and Accountability Act (HIPAA) 164
  Federal Information Security Management Act of 2002 (FISMA) 164
  National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) 164
  Federal Information System Controls Audit Manual (FISCAM) 165
  ISO/IEC 27001:2005 Information Security Management Systems Requirements 165
  ISO/IEC 27002:2005 Information Technology Security Techniques Code of Practice for Information Security Management 166
  Control Objectives for Information and Related Technology (COBIT) 167
  Payment Card Industry Data Security Standard (PCI DSS) 167
  Information Technology Infrastructure Library (ITIL) 168
  Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides 168
  Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook 169
  The World Operates on Standards 169
  Standards Are Dynamic 171
  The How Is Typically Left Up to Us 171
  Key Question: Why Does the Standard Exist? 173
  Compliance Is Not Security, But It Is a Good Start 173
  Integration of Standards and Control Frameworks 174
  Auditing Compliance 175
  Adoption Rate of Various Standards 175
  ISO 27001/2 Certification 176
  NIST Certification 177
  Control Framework Convergence 177
  The 11-Factor Compliance Assurance Manifesto 178
  The Standards/Framework Value Proposition 183
  Suggested Reading 183

Chapter 8 Managerial Controls: Practical Security Considerations 185
  Security Control Convergence 185
  Security Control Methodology 188
  Security Assessment and Authorization Controls 188
  Planning Controls 189
  Risk Assessment Controls 190
  System and Services Acquisition Controls 191
  Program Management Controls 193
  Suggested Reading 211

Chapter 9 Technical Controls: Practical Security Considerations 213
  Access Control Controls 213
  Audit and Accountability Controls 214
  Identification and Authentication 215
  System and Communications Protections 215
  Suggested Reading 238

Chapter 10 Operational Controls: Practical Security Considerations 239
  Awareness and Training Controls 239
  Configuration Management Controls 240
  Contingency Planning Controls 240
  Incident Response Controls 241
  Maintenance Controls 241
  Media Protection Controls 242
  Physical and Environmental Protection Controls 243
  Personnel Security Controls 244
  System and Information Integrity Controls 245
  Suggested Reading 276

Chapter 11 The Auditors Have Arrived, Now What? 277
  Anatomy of an Audit 278
  Audit Planning Phase 279
  Preparation of Document Request List 280
  Gather Audit Artifacts 284
  Provide Information to Auditors 285
  On-Site Arrival Phase 287
  Internet Access 287
  Reserve Conference Rooms 288
  Physical Access 289
  Conference Phones 290
  Schedule Entrance, Exit, Status Meetings 290
  Set Up Interviews 291
  Audit Execution Phase 292
  Additional Audit Meetings 293
  Establish Auditor Communication Protocol 293
  Establish Internal Company Protocol 294
  Media Handling 296
  Audit Coordinator Quality Review 298
  The Interview Itself 298
  Entrance, Exit, and Status Conferences 299
  Entrance Meeting 299
  Exit Meeting 301
  Status Meetings 301
  Report Issuance and Finding Remediation Phase 302
  Suggested Reading 304

Chapter 12 Effective Security Communications 305
  Why a Chapter Dedicated to Security Communications? 305
  End User Security Awareness Training 306
  Awareness Definition 307
  Delivering the Message 308
  Step 1: Security Awareness Needs Assessment 308
  New or Changed Policies 308
  Past Security Incidents 309
  Systems Security Plans 309
  Audit Findings and Recommendations 309
  Event Analysis 310
  Industry Trends 310
  Management Concerns 310
  Organizational Changes 311
  Step 2: Program Design 311
  Target Audience 311
  Frequency of Sessions 311
  Number of Users 312
  Method of Delivery 312
  Resources Required 312
  Step 3: Develop Scope 312
  Determine Participants Needing Training 312
  Business Units 313
  Select Theme 313
  Step 4: Content Development 314
  Step 5: Communication and Logistics Plan 315
  Step 6: Awareness Delivery 316
  Step 7: Evaluation/Feedback Loops 317
  Security Awareness Training Does Not Have to Be Boring 317
  Targeted Security Training 317
  Continuous Security Reminders 319
  Utilize Multiple Security Awareness Vehicles 319
  Security Officer Communication Skills 320
  Talking versus Listening 320
  Roadblocks to Effective Listening 321
  Generating a Clear Message 323
  Influencing and Negotiating Skills 323
  Written Communication Skills 324
  Presentation Skills 325
  Applying Personality Type to Security Communications 326
  The Four Myers-Briggs Type Indicator (MBTI) Preference Scales 326
  Extraversion versus Introversion Scale 327
  Sensing versus Intuition Scale 327
  Thinking versus Feeling Scale 328
  Judging versus Perceiving Scale 328
  Determining Individual MBTI Personality 329
  Summing Up the MBTI for Security 334
  Suggested Reading 334

Chapter 13 The Law and Information Security 337
  Civil Law versus Criminal Law 339
  Electronic Communications Privacy Act of 1986 (ECPA) 340
  The Computer Security Act of 1987 341
  The Privacy Act of 1974 342
  Sarbanes-Oxley Act of 2002 (SOX) 342
  Gramm-Leach-Bliley Act (GLBA) 344
  Health Insurance Portability and Accountability Act of 1996 345
  Health Information Technology for Economic and Clinical Health (HITECH) Act 348
  Federal Information Security Management Act of 2002 (FISMA) 348
  Summary 350
  Suggested Reading 350

Chapter 14 Learning from Information Security Incidents 353
  Recent Security Incidents 355
  Texas State Comptroller 355
  Sony PlayStation Network 356
  Student Loan Social Security Numbers Stolen 358
  Social Security Numbers Printed on Outside of Envelopes 359
  Valid E-Mail Addresses Exposed 360
  Office Copier Hard Disk Contained Confidential Information 362
  Advanced Persistent Threat Targets Security Token 362
  Who Will Be Next? 364
  Every Control Could Result in an Incident 365
  Suggested Reading 366

Chapter 15 17 Ways to Dismantle Information Security Governance Efforts 369
  Final Thoughts 379
  Suggested Reading 381

Index 383