

Information Security

Governance Simplified

From the Boardroom to the Keyboard

TODD FITZGERALD, cissp; cisa, cism

Foreword by Tom Peltier

CRC Press, Taylor & Francis Group, Boca Raton London New York

CRC Press is an imprint of the

Taylor & Francis Group, an Informa business

AN AUERBACH BOOK


Contents

Foreword xvii

Acknowledgments xxi

Introduction xxiii

About the Author xxvii

Chapter 1 Getting Information Security Right: Top to Bottom 1

Information Security Governance 2

Tone at the Top 5

Tone at the Bottom 5

Governance, Risk, and Compliance (GRC) 6

The Compliance Dilemma 7

Suggested Reading 10

Chapter 2 Developing Information Security Strategy 11

Evolution of Information Security 15

Organization Historical Perspective 16

Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt 16

Understand the External Environment 17

Regulatory 17

Competition 18

Emerging Threats 19

Technology Cost Changes 19

External Independent Research 20

The Internal Company Culture 20

Risk Appetite 21

Speed 22


Collaborative versus Authoritative 22

Trust Level 23

Growth Seeker or Cost Cutter 24

Company Size 25

Outsourcing Posture 25

Prior Security Incidents, Audits 26

Security Strategy Development Techniques 28

Mind Mapping 28

SWOT Analysis 30

Balanced Scorecard 32

Face-to-Face Interviews 32

Security Planning 34

Strategic 34

Tactical 35

Operational/Project Plans 35

Suggested Reading 36

Chapter 3 Defining the Security Management Organization 37

History of the Security Leadership Role Is Relevant 37

The New Security Officer Mandate 40

Day 1: Hey, I Got the Job! 41

Security Leader Titles 42

Techie versus Leader 43

The Security Leader's Library 44

Security Leadership Defined 45

Security Leader Soft Skills 46

Seven Competencies for Effective Security Leadership 46

Security Functions 52

Learning from Leading Organizations 52

Assess Risk and Determine Needs 53

Implement Policies and Controls 54

Promote Awareness 56

Monitor and Evaluate 56

Central Management 56

What Functions Should the Security Officer Be Responsible For? 57

Assessing Risk and Determining Needs Functions 58

Risk Assessment/Analysis 58

Systems Security Plan Development 59

External Penetration Testing 60

Implement Policies and Control Functions 61

Security Policy Development 61

Security Architecture 61

Security Control Assessment 62


Identity and Access Management 62

Business Continuity and Disaster Recovery 63

Promote Awareness Functions 64

End User Security Awareness Training 64

Intranet Site and Policy Publication 65

Targeted Awareness 65

Monitor and Evaluate Functions 65

Security Baseline Configuration Review 66

Logging and Monitoring 67

Vulnerability Assessment 67

Internet Monitoring/Management of Managed Services 68

Incident Response 68

Forensic Investigations 69

Central Management Functions 69

Reporting Model 70

Business Relationships 71

Reporting to the CEO 71

Reporting to the Information Systems Department 72

Reporting to Corporate Security 72

Reporting to the Administrative Services Department 73

Reporting to the Insurance and Risk Management Department 73

Reporting to the Internal Audit Department 74

Reporting to the Legal Department 74

Determining the Best Fit 75

Suggested Reading 75

Chapter 4 Interacting with the C-Suite 77

Communication between the CEO, CIO, Other Executives, and CISO 78

13 "Lucky" Questions to Ask One Another 80

The CEO, Ultimate Decision Maker 81

The CEO Needs to Know Why 87

The CIO, Where Technology Meets the Business 87

CIO's Commitment to Security Is Important 94

The Security Officer, Protecting the Business 95

The CEO, CIO, and CISO Are Business Partners 100

Building Grassroots Support through an Information Security Council 101

Establishing the Security Council 101

Oversight of Security Program 103

Decide on Project Initiatives 103

Prioritize Information Security Efforts 103

Review and Recommend Security Policies 103

Champion Organizational Security Efforts 104

Recommend Areas Requiring Investment 104


Appropriate Security Council Representation 104

"-Ing" the Council: Forming, Storming, Norming, and Performing 107

Forming 107

Storming 108

Norming 108

Performing 109

Integration with Other Committees 109

Establish Early, Incremental Success 111

Let Go of Perfectionism 112

Sustaining the Security Council 113

End User Awareness 114

Security Council Commitment 116

Suggested Reading 117

Chapter 5 Managing Risk to an Acceptable Level 119

Risk in Our Daily Lives 120

Accepting Organizational Risk 121

Just Another Set of Risks 122

Management Owns the Risk Decision 122

Qualitative versus Quantitative Risk Analysis 123

Risk Management Process 124

Risk Analysis Involvement 124

Step 1: Categorize the System 125

Step 2: Identify Potential Dangers (Threats) 128

Human Threats 128

Environmental/Physical Threats 128

Technical Threats 129

Step 3: Identify Vulnerabilities That Could Be Exploited 129

Step 4: Identify Existing Controls 130

Step 5: Determine Exploitation Likelihood Given Existing Controls 131

Step 6: Determine Impact Severity 132

Step 7: Determine Risk Level 134

Step 8: Determine Additional Controls 135

Risk Mitigation Options 135

Risk Assumption 135

Risk Avoidance 136

Risk Limitation 136

Risk Planning 136

Risk Research 136

Risk Transference 137

Conclusion 137

Suggested Reading 137


Chapter 6 Creating Effective Information Security Policies 139

Why Information Security Policies Are Important 139

Avoiding Shelfware 140

Electronic Policy Distribution 141

Canned Security Policies 142

Policies, Standards, Guidelines Definitions 143

Policies Are Written at a High Level 143

Policies 145

Security Policy Best Practices 145

Types of Security Policies 147

Standards 149

Procedures 150

Baselines 151

Guidelines 152

Combination of Policies, Standards, Baselines, Procedures, and Guidelines 153

Policy Analogy 153

An Approach for Developing Information Security Policies 154

Utilizing the Security Council for Policies 155

The Policy Review Process 156

Information Security Policy Process 161

Suggested Reading 161

Chapter 7 Security Compliance Using Control Frameworks 163

Security Control Frameworks Defined 163

Security Control Frameworks and Standards Examples 164

Health Insurance Portability and Accountability Act (HIPAA) 164

Federal Information Security Management Act of 2002 (FISMA) 164

National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) 164

Federal Information System Controls Audit Manual (FISCAM) 165

ISO/IEC 27001:2005 Information Security Management Systems—Requirements 165

ISO/IEC 27002:2005 Information Technology—Security Techniques—Code of Practice for Information Security Management 166

Control Objectives for Information and Related Technology (COBIT) 167

Payment Card Industry Data Security Standard (PCI DSS) 167


Information Technology Infrastructure Library (ITIL) 168

Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides 168

Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook 169

The World Operates on Standards 169

Standards Are Dynamic 171

The How Is Typically Left Up to Us 171

Key Question: Why Does the Standard Exist? 173

Compliance Is Not Security, But It Is a Good Start 173

Integration of Standards and Control Frameworks 174

Auditing Compliance 175

Adoption Rate of Various Standards 175

ISO 27001/2 Certification 176

NIST Certification 177

Control Framework Convergence 177

The 11-Factor Compliance Assurance Manifesto 178

The Standards/Framework Value Proposition 183

Suggested Reading 183

Chapter 8 Managerial Controls: Practical Security Considerations 185

Security Control Convergence 185

Security Control Methodology 188

Security Assessment and Authorization Controls 188

Planning Controls 189

Risk Assessment Controls 190

System and Services Acquisition Controls 191

Program Management Controls 193

Suggested Reading 211

Chapter 9 Technical Controls: Practical Security Considerations 213

Access Control Controls 213

Audit and Accountability Controls 214

Identification and Authentication 215

System and Communications Protections 215

Suggested Reading 238

Chapter 10 Operational Controls: Practical Security Considerations 239

Awareness and Training Controls 239

Configuration Management Controls 240

Contingency Planning Controls 240

Incident Response Controls 241

Maintenance Controls 241

Media Protection Controls 242

Physical and Environmental Protection Controls 243


Personnel Security Controls 244

System and Information Integrity Controls 245

Suggested Reading 276

Chapter 11 The Auditors Have Arrived, Now What? 277

Anatomy of an Audit 278

Audit Planning Phase 279

Preparation of Document Request List 280

Gather Audit Artifacts 284

Provide Information to Auditors 285

On-Site Arrival Phase 287

Internet Access 287

Reserve Conference Rooms 288

Physical Access 289

Conference Phones 290

Schedule Entrance, Exit, Status Meetings 290

Set Up Interviews 291

Audit Execution Phase 292

Additional Audit Meetings 293

Establish Auditor Communication Protocol 293

Establish Internal Company Protocol 294

Media Handling 296

Audit Coordinator Quality Review 298

The Interview Itself 298

Entrance, Exit, and Status Conferences 299

Entrance Meeting 299

Exit Meeting 301

Status Meetings 301

Report Issuance and Finding Remediation Phase 302

Suggested Reading 304

Chapter 12 Effective Security Communications 305

Why a Chapter Dedicated to Security Communications? 305

End User Security Awareness Training 306

Awareness Definition 307

Delivering the Message 308

Step 1: Security Awareness Needs Assessment 308

New or Changed Policies 308

Past Security Incidents 309

Systems Security Plans 309

Audit Findings and Recommendations 309

Event Analysis 310

Industry Trends 310

Management Concerns 310

Organizational Changes 311

Step 2: Program Design 311

Target Audience 311

Frequency of Sessions 311


Number of Users 312

Method of Delivery 312

Resources Required 312

Step 3: Develop Scope 312

Determine Participants Needing Training 312

Business Units 313

Select Theme 313

Step 4: Content Development 314

Step 5: Communication and Logistics Plan 315

Step 6: Awareness Delivery 316

Step 7: Evaluation/Feedback Loops 317

Security Awareness Training Does Not Have to Be Boring 317

Targeted Security Training 317

Continuous Security Reminders 319

Utilize Multiple Security Awareness Vehicles 319

Security Officer Communication Skills 320

Talking versus Listening 320

Roadblocks to Effective Listening 321

Generating a Clear Message 323

Influencing and Negotiating Skills 323

Written Communication Skills 324

Presentation Skills 325

Applying Personality Type to Security Communications 326

The Four Myers-Briggs Type Indicator (MBTI) Preference Scales 326

Extraversion versus Introversion Scale 327

Sensing versus Intuition Scale 327

Thinking versus Feeling Scale 328

Judging versus Perceiving Scale 328

Determining Individual MBTI Personality 329

Summing Up the MBTI for Security 334

Suggested Reading 334

Chapter 13 The Law and Information Security 337

Civil Law versus Criminal Law 339

Electronic Communications Privacy Act of 1986 (ECPA) 340

The Computer Security Act of 1987 341

The Privacy Act of 1974 342

Sarbanes-Oxley Act of 2002 (SOX) 342

Gramm-Leach-Bliley Act (GLBA) 344

Health Insurance Portability and Accountability Act of 1996 345

Health Information Technology for Economic and Clinical Health (HITECH) Act 348

Federal Information Security Management Act of 2002 (FISMA) 348

Summary 350

Suggested Reading 350


Chapter 14 Learning from Information Security Incidents 353

Recent Security Incidents 355

Texas State Comptroller 355

Sony PlayStation Network 356

Student Loan Social Security Numbers Stolen 358

Social Security Numbers Printed on Outside of Envelopes 359

Valid E-Mail Addresses Exposed 360

Office Copier Hard Disk Contained Confidential Information 362

Advanced Persistent Threat Targets Security Token 362

Who Will Be Next? 364

Every Control Could Result in an Incident 365

Suggested Reading 366

Chapter 15 17 Ways to Dismantle Information Security Governance Efforts 369

Final Thoughts 379

Suggested Reading 381

Index 383