Governance Management and Compliance (FedVTE transcript)

Table of Contents

Information Security Governance ................................................................................................... 2

The Business Case ........................................................................................................................... 3

Basics: The CIA Triad ....................................................................................................................... 6

IT Governance ................................................................................................................................. 7

Information Security ....................................................................................................................... 8

Due Diligence ................................................................................................................................ 11

ITGI Guidance -1 ............................................................................................................................ 14

ITGI Guidance -2 ............................................................................................................................ 16

Components to be Managed -1 .................................................................................................... 17

Components to be Managed -2 .................................................................................................... 19

Compliance Enforcement -1 ......................................................................................................... 21

Compliance Enforcement -2 ......................................................................................................... 22

Notices .......................................................................................................................................... 26

Page 1 of 26

Information Security Governance

**006 Ben Malisow: All right. Any questions before we get started? Let's get right into it.

Page 2 of 26

The Business Case

Strategic alignment: Ensuring that the security program supports and operates in concert with the organization’s goals, policies, and especially the organizational processes, including acquisitions, divestitures, and governance committees

Organizations need security professionals to run the security program because 100% security is impossible.

• Need a cost-effective approach
• Separate skill set

Senior management always makes the final decision, but needs input from security professionals.

**007 Business case. The two words that you're going to hear over and over again-- Gabriel's heard this in the CISA class-- over and over again: Strategic Alignment. You don't do system in absence of corporate policy. You don't do security independent of business. Security is supposed to go along with what your line of business is. That's the whole point of it. And that should be helpful for both how you do things and how the business does things. Certain things like evaluation of your assets, determining data ownership-- these things will help both the organization from a business standpoint and you do your job from a security standpoint.

It also explains why you are needed. And there's an old adage that says the first two things to go during budget cuts are security and training. Not so much anymore. Training, yes; security not so much. Security has taken kind of a new forefront among even the most hardened corporate hatchet masters. We have a unique skill set that allows business to remain in compliance with regulation, for one thing, now that there are a lot more regulations. HIPAA, in the healthcare field. Who did finance before? Gramm-Leach-Bliley and SOX. Are there other regulations for other industries? Anyone think of any?

Student: FERPA.

Ben Malisow: What?

Student: FERPA, the education version of HIPAA.

Ben Malisow: Oh. I wasn't even aware of this. What's it called?

Student: FERPA.

Student: FERPA.

Ben Malisow: FERPA. Okay.

Student: Federal Education Record-- I don't know.

Ben Malisow: Wow. When-- is that--?

Student: For colleges.

Ben Malisow: Okay, all right.

Student: Colleges, high schools.

Ben Malisow: What's that?

Student: Colleges, public schools, high schools, that kind of stuff.

Ben Malisow: Good. Good, good, good. Are there non-legislative regulations as well?

Student: PCI?

Ben Malisow: PCI. That's exactly what I was looking for too. Good. Payment Card Industry. Yeah. Visa started it, but by and large all the credit cards have jumped on board of the fact that if you want to use their capabilities, you're going to have to remain compliant with the regulations. Good. Does that mean that we're in charge? No. Senior management is always on the hook for making those decisions. But they're going to turn to us to find out what those decisions should be.


Basics: The CIA Triad

Confidentiality – Ensuring information is only available to those authorized to have access to the information

Integrity – Describes the wholeness and completeness of the information without any alteration except by authorized sources

Availability – The ability to use the information or resource when it is needed

[Figure: CIA triad diagram with the three legs Confidentiality, Integrity and Availability, labelled IT Security / IS Management]

**008 There's our old friend the triad. Don't make fun of my clip art. From a policy standpoint, it should address all of the areas, each of the legs of the triad.

IT Governance

“A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”

— IT Governance Institute (ITGI)

The ITGI has determined that IT security governance ought to be an element of IT governance.

**009 This is a great quote explaining what governance is from the ITGI.

Information Security

Objective: Protect the confidentiality, integrity and availability (CIA) of information

• Critical to achieving this objective: Develop, implement, and manage an effective IS program

Effective IS governance offers many benefits
• Demonstrates “due care” which can help to mitigate the potential for civil and legal liability
• Ensures policy compliance
• Lowers risks to defined and acceptable levels
• Improves customer trust
• Protects the organization’s reputation
• Provides accountability during critical business operations

**010 What is our objective? Maintain that triad. Makes sense. How do you do that? Put a good program in place. We're going to go over the elements of those programs. What are the benefits of having that program in place? Right here. Right here. The big one, due care, we're going to drill down in in just a second. But the other reason you have good governance is to make sure that everyone stays in compliance. We talked about this some yesterday. First of all, if you don't write it down it didn't happen. But second of all, if you don't publish it, people can't be held accountable to it. It's a way of ensuring that you have that stick in your hand as well. Helps bring your risk down to acceptable level. What's the acceptable level of risk in an organization? Trick question.

Student: Five.

Ben Malisow: Good answer. These go to 11. The acceptable level of risk in an organization is whatever that organization decides to accept. It's different for every organization. It's fuzzy, and the rationale can be somewhat ambiguous. And it'll change from senior management to senior management every time there's a coup d'état or a change of power. It improves customer trust. Is it important for your customers to think that their information is going to be held as valuable as you hold your own information? Absolutely. What happens if your customers start to think you're going to lose their data? They're not going to do business with you. Does that happen? Sure. Sure. And, helps protect your reputation. Do you look silly if you are the entity known for losing people's information? Yes, you do. You look even sillier if your entire business model is based on holding onto personal information. Who's heard of ChoicePoint? What was ChoicePoint?

Student: They sell information about people.

Ben Malisow: That's literally what they do. Anyone think of what kind of information they sell? Do you know an example of it? One of the things that they do is they were the third-party provider for verifying driver's license information for rental car checks. When you call up the rental car company and say, "I want to reserve a car," they ask for your driver's license information. They take that number, they run it through the ChoicePoint database. The rental car company doesn't maintain that database; ChoicePoint does. And then ChoicePoint says whether or not you're wanted as a felon in Virginia for speeding. ChoicePoint had a huge breach. Is that how you had heard of them?

Student: Mm-hmm.

Ben Malisow: Yeah. Do you know what caused that breach?

Student: No.

Ben Malisow: A couple of their employees. They were selling batches of this personal information-- people's driver's license information and other personally identifiable information-- for pretty low numbers I think it was. I think it was like two cents per. And they sold a whole bunch of them. Pay your people well, is one good way to do that. But yeah, they lost a lot of reputation in that. And if that's your entire business model is being able to hold onto information, losing it is not a good way to maintain your reputation. And helps provide accountability. If you have good governance, you're pointing out who is responsible for doing what, and that's important too. Not just for blaming people, but for giving them credit where credit is due as well.

Due Diligence

The standard of “due care”

Components include
• Senior management support
• Comprehensive policies, standards, and procedures
• Appropriate security education, training, and awareness
• Periodic risk assessments
• Effective backup and recovery processes
• Implementation of adequate security controls
• Effective monitoring and metrics
• Effective compliance
• Testing business continuity and disaster recovery plans
• Periodic independent reviews of the infrastructure

**011 All right: Drilling down on due care. What is the reasonable person rule? Has anyone heard of that before?

Student: It's a supposedly objective way of measuring something legally.

Ben Malisow: Good. Good. It's the legal standard for what you should be expected to do if you are in a position of responsibility or authority. Would a reasonable person in a similar situation have acted the way you did? And that can be-- as long as you can show that, that helps attenuate your liability. As long as-- "Well, there was a fire, so I thought it'd be great if I doused it with gasoline." The court's going to say, "No, that does not rise to the standard of due care. You have failed the reasonable person test there." Right? You, from a security perspective, are held to maintaining due care. You have a fiduciary responsibility, you have a legal responsibility, you have a professional responsibility to be able to provide your organization with that level of reasonable person. To be able to get there, you need to have-- we talked about this yesterday too-- senior management support. Without buy-in from on high, your program isn't even going to get launched. We're going to talk about policy standards and procedures, the difference between those two, but your program needs to have that. Your organization needs to have to demonstrate that it's being reasonable.

Education training and awareness. If you don't tell your people what the standards, policies and procedures are, they won't be held to them and they won't understand them. Plus, they won't act in accordance with them. We'll talk about why we do training in a little bit too. Risk assessments. Make sure you know that the countermeasures you have in place are either working or therefore good cause; or, if they need to be changed, how to change them. Backup and recovery, in case you lose your data. Implementation of adequate controls. Again, if you don't show that you have acted in a manner in accordance with a reasonable person for maintaining security of those assets that you're being held-- or that you're holding-- you are being shown to be negligent. You're not providing due care. Monitoring and metrics. Can you prove that you've been actually measuring what it is that you're doing? Is your compliance effective? Have you been auditing? Are you enforcing all of your policies and standards? Testing. Independent reviews as well.

ITGI Guidance -1

The board of directors should
• Be informed about Infosec
• Set direction to drive policy and strategy
• Provide resources to security efforts
• Assign management responsibilities
• Set priorities
• Support changes required
• Define cultural values related to risk assessment
• Obtain assurance from internal or external auditors
• Insist that security investments are made measurable and reported on for program effectiveness

**012 All of those go into due care. The ITGI gave us that definition of what good governance would be. These are a list of requirements that the ITGI suggests the board of directors take part in. And that's even beyond senior management. That's the director-level leadership of the organization. Are they going to be in charge of InfoSec for the entity, for your business entity? No. No. They shouldn't be. They shouldn't be. That's too down in the weeds for them. Are they responsible overall? Yes. So they have to be informed, and the CISSP or the security officer should be prepared to brief them and bring them up to speed on what's going on, and be able to refrain from speaking geek long enough to be able to translate that into board of directors' talk, usually with PowerPoints and graphics. They're going to set your direction for your policy. Again, without senior management buy-in, that program is not going to work. They're not going to administer that policy, but they're going to set the organizational culture for it. They're going to give you the budget and the personnel. They're going to say who is responsible for it. They're going to pick the priorities for your organization. They're actually creating that culture, and they're going to make sure that it gets done within those constraints.

ITGI Guidance -2

Management should
• Write security policies with business input
• Ensure that roles and responsibilities are defined and clearly understood
• Identify threats and vulnerabilities
• Develop and implement information security strategies
• Ensure policy is approved by the board
• Establish priorities and implement security projects in a timely manner
• Monitor breaches
• Assess the completeness and effectiveness of the security program
• Reinforce awareness education as critical
• Build security into the systems development life cycle
• Ensure legislative and regulatory compliance
• Ensure compliance with privacy requirements

**013 If the board of directors isn't running the program, is management running the program? Not necessarily, even though management's going to be responsible for the outcomes. Management's going to publish those policies. Management's going to-- you're probably going to write them and they're going to sign them, which is the way it should be. You are acting as the internal consultant to management for being security experts. All of these requirements fall on management's shoulders, but you have to support them in them.

Components to be Managed -1

Organizational processes
• Acquisitions
• Divestitures
• Governance committees
  — Enterprise-wide oversight committee
  — Oversight committee representation
    o HR, Legal, IT, Business Units, Compliance/Audit, Infosec
  — Mission statement

Iinformation lifecycle
• Classification
• Categorization
• Ownership

**014 What do you manage? What are the things that a security program is actually governing? This doesn't include just the devices or the personnel or the processes. Sometimes, in terms of what the organization is doing, it's growing itself. These things can be looked at from a device standpoint-- Are you buying new hardware? Are you buying new software? But what else can they be looked at in? Buying new companies. Has anyone ever grown by acquisition? Has anyone ever been through the process of being purchased by a larger entity? This is an organizational challenge as well that the security person has to be on top of. If you get a whole new set of networks, if you get a whole new set of standards, if you get a whole new set of people, you have to mesh that and bring it up to either your standards or make the two work nicely together. In terms of how this is addressed, there are different ways of assigning that responsibility too, in terms of who's in charge. In some organizations, there's an enterprise-wide oversight committee. Obviously the organization has to be a certain size to be able to support that kind of personnel. Most groups don't have people that they can assign to that sort of additional duty outside of operational functions until they get to a place where they can afford it. Who should serve on that committee? All these people. They all serve a function and they all have particular insights to offer that committee. The mission statement is something that's very popular in the guide. The book talks quite a bit about mission statements and how to write one. It has an example in there. Go ahead and look at it. I won't read it to you. Mission statement. Sorry, there's a typo in there. That's Information Lifecycle, of course. We talked somewhat about that before. You got to classify the information according to its sensitivity and the value that you've assigned to that data. Categorize it based on what domain it falls into, and assign ownership. Who's going to be responsible for that data? Who controls that data? Who controls who gets access to it?

Components to be Managed -2

Third-party governance
• Obtaining services from outside providers does not relinquish the security responsibility of the organization, nor does it imply delegated responsibility
• Some common issues to be considered include:
  — Isolation of external party access to resources
  — Integrity and authenticity of data and transactions
  — Protection against malicious code and content
  — Privacy and confidentiality agreements and procedures
  — Security standards for transacting systems
  — Data transmission confidentiality
  — Identity and access management of the third party
  — Incident contact and escalation procedures

**015 But, in today's environment, not every organization wants to be in the IT or information business either. Some of them, it's not their core competency and they're not interested in doing it. So your governance program also has to look at outsourcing. Managed services. Anyone ever work in an environment where IT has been farmed out to another vendor? Andy, you're nodding.

Student: Mm-hmm.

Ben Malisow: How'd that work out? Was it good? Was the vendor good?

Student: What kind of response time are you willing to deal with is kind of the issue.

Ben Malisow: Good. Good, good, good. Yeah, absolutely. And that's some of the things that you have to make sure that you're putting in the contract, that's in your SLIs, right? Because you're contracting it out, does that mean your organization is no longer responsible for the security of the data?

Student: No.

Ben Malisow: No. Not at all. Not at all. You still retain that accountability. You're still stuck with that owner-- that onus-- right? These are all aspects of the things that you have to be responsible for. They should be in the contract with the provider; you should be auditing them internally; there should be provision for an external audit as well. All of the things that you would do internally for security, you still have to do even though you've subbed out the IT function. Does that make sense? Yeah.

Compliance Enforcement -1

Policy establishes the basis for accountability for information security responsibilities.

Policies have no value if not communicated and enforced.

Policies can and should create a security culture or mindset within the organization; without enforcement, they will not be taken seriously.

**016 All right, so how do you enforce this? You have your governance in place and now you want to make sure that everybody's toeing the line. Policy is the number one way of doing it. Again, if you don't publish it, people can't be held to it. It's the tool that says you can be held accountable for this. If you lock your policies up in a safe and don't let anyone read them, they don't do you any good. And if they're written well and if you disseminate them well, they can actually help. They can be a good training aid. They can be part of your education. They can be a good part of your security program.

Compliance Enforcement -2

Enforcement of compliance has several aspects
• Regulatory compliance
• Privacy requirements compliance
• Internal policies, standards, and procedures compliance

Compliance methods
• Policy review
• Audit
• Vulnerability and penetration testing

**017 Talked about a little bit about regulations. Are you responsible for knowing what all the laws are? Yeah. Yeah. Ignorance of the law isn't going to be any defense under your due care standards. So you have to know what they are. You have to know how to abide by them. Anyone familiar with SOX? Anyone done SOX compliance in their environment? You've done HIPAA compliance in your--?

Student: I haven't done it personally.

Ben Malisow: Anyone done any of the federal compliance stuff, any of the FIPS standards, run certification, accreditation? How'd it go, Dan?

Student: It's painful.

Ben Malisow: Very detailed and very thorough, isn't it?

Student: Yeah.

Ben Malisow: Was it worth it when you were all done?

Student: Yeah.

Ben Malisow: Yeah.

Student: I think so.

Ben Malisow: Yeah. It's a pretty good procedure, actually, and they have really good checklists lined out. I mean, it's not as if they just said, "Here's the policy. Go for it."

Student: Yeah, and it's a really nice stick to use to get people to actually consider security in the organization.

Ben Malisow: 'Cause they hooked it to the budget. Yeah.

Student: We're just--

Ben Malisow: FISMA was really good too. Yeah.

Student: Yeah. Just the threat of being in trouble with the auditors.

Ben Malisow: Yes. Yeah. HIPAA-- there was a problem with that, because initially the law came out, way before there was any guidance on how to implement it. All that it was was a giant stick with absolutely no roadmap of how to comply with it. Were you still going to be held to that standard? Yeah, but nobody understood what the standard was. That can be tricky. That can be tricky, especially as new legislation is constantly coming out. Also, you have to be responsible for privacy data, which can be just as tricky nowadays. Are there federal privacy standards? There's some argument about that. It depends. If you look at the Fair Credit Reporting Act, there's some suggestion that there is. If you look at SOX, there's some suggestion that there is, but that's limited to publicly-traded organizations. Do states publish their own privacy requirements?

Student: Yeah.

Ben Malisow: Oh, heck yeah. Come to California sometime. They have a whole state agency that all they do is enforce that kind of stuff. It is very tricky. If your organization operates in several states, how many different forms of regulation do you have to comply with?

Student: All of them.

Ben Malisow: All of them. Yeah. Even the ones that disagree with each other, right? Yeah. They can be really tricky.

And you've got your own internal policies, standards and procedures. We're going to define the difference between policies, standards and procedures in a little bit too. How do you do that? Go over the policy. Why are you reviewing the policy if you just published the policy and it tells you what you're supposed to do? Why are you reviewing it? Why should you review your policy on an annual basis?

Student: You might need to adjust it.

Ben Malisow: Absolutely. Things change, don't they? Technology, people, our culture, the regulation itself. Audit, of course, is a huge tool. Like Dan said, all you do is you have to use that as a threat sometimes and you get compliance to go along with that. And, our favorite, the vulnerability testing and penetration testing.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.