Information Security Governance Simplified

From the Boardroom to the Keyboard

Specifications
Hardcover, 431 pp. | English
Taylor & Francis | 2011 edition
ISBN13: 9781439811634
Classification
Main category: Computers and information technology

Summary

Security practitioners must be able to build cost-effective security programs while also complying with government regulations. Information Security Governance Simplified: From the Boardroom to the Keyboard lays out these regulations in simple terms and explains how to use control frameworks to build an air-tight information security (IS) program and governance structure.

Defining the leadership skills required by IS officers, the book examines the pros and cons of different reporting structures and highlights the various control frameworks available. It details the functions of the security department and considers the control areas, including physical, network, application, business continuity/disaster recovery, and identity management.

Todd Fitzgerald explains how to establish a solid foundation for building your security program and shares time-tested insights about what works and what doesn’t when building an IS program. Highlighting security considerations for managerial, technical, and operational controls, it provides helpful tips for selling your program to management. It also includes tools to help you create a workable IS charter and your own IS policies. Based on proven experience rather than theory, the book gives you the tools and real-world insight needed to secure your information while ensuring compliance with government regulations.

Specifications

ISBN13: 9781439811634
Keywords: governance, boardroom
Language: English
Binding: hardcover
Number of pages: 431
Publication date: 20-12-2011

Table of Contents

Getting Information Security Right: Top to Bottom
Information Security Governance
Tone at the Top
Tone at the Bottom
Governance, Risk, and Compliance (GRC)
The Compliance Dilemma
Suggested Reading

Developing Information Security Strategy
Evolution of Information Security
Organization Historical Perspective
     Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt
Understand the External Environment 
     Regulatory 
     Competition 
     Emerging Threats 
     Technology Cost Changes 
     External Independent Research
The Internal Company Culture 
     Risk Appetite 
     Speed
     Collaborative versus Authoritative
     Trust Level 
     Growth Seeker or Cost Cutter 
     Company Size 
     Outsourcing Posture
Prior Security Incidents, Audits
Security Strategy Development Techniques 
     Mind Mapping
     SWOT Analysis 
     Balanced Scorecard 
     Face-to-Face Interviews
Security Planning 
     Strategic 
     Tactical 
     Operational/Project Plans
Suggested Reading

Defining the Security Management Organization
History of the Security Leadership Role Is Relevant
The New Security Officer Mandate
Day 1: Hey, I Got the Job!
Security Leader Titles
Techie versus Leader
The Security Leaders Library
Security Leadership Defined
Security Leader Soft Skills
Seven Competencies for Effective Security Leadership
Security Functions 
     Learning from Leading Organizations
What Functions Should the Security Officer Be Responsible For?
Assessing Risk and Determining Needs Functions
Implement Policies and Control Functions
Promote Awareness Functions
Monitor and Evaluate Functions
Reporting Model
Suggested Reading

Interacting with the C-Suite
Communication between the CEO, CIO, Other Executives, and CISO
13 "Lucky" Questions to Ask One Another
     The CEO, Ultimate Decision Maker 
     The CEO Needs to Know Why 
     The CIO, Where Technology Meets the Business 
     CIO’s Commitment to Security Important 
     The Security Officer, Protecting the Business 
     The CEO, CIO, and CISO Are Business Partners
Building Grassroots Support through an Information Security Council 
     Establishing the Security Council
     Appropriate Security Council Representation 
     "-Inging" the Council: Forming, Storming, Norming, and Performing
Integration with Other Committees
Establish Early, Incremental Success
Let Go of Perfectionism
Sustaining the Security Council
End User Awareness
Security Council Commitment
Suggested Reading

Managing Risk to an Acceptable Level
Risk in Our Daily Lives
Accepting Organizational Risk
Just Another Set of Risks
Management Owns the Risk Decision
Qualitative versus Quantitative Risk Analysis
Risk Management Process
     Risk Analysis Involvement 
     Step 1: Categorize the System 
     Step 2: Identify Potential Dangers (Threats)
     Step 3: Identify Vulnerabilities That Could Be Exploited 
     Step 4: Identify Existing Controls 
     Step 5: Determine Exploitation Likelihood Given Existing Controls
     Step 6: Determine Impact Severity 
     Step 7: Determine Risk Level 
     Step 8: Determine Additional Controls
Risk Mitigation Options
     Risk Assumption
     Risk Avoidance 
     Risk Limitation 
     Risk Planning 
     Risk Research 
     Risk Transference
Conclusion
Suggested Reading

Creating Effective Information Security Policies
Why Information Security Policies Are Important
Avoiding Shelfware
Electronic Policy Distribution
Canned Security Policies
Policies, Standards, Guidelines Definitions
     Policies Are Written at a High Level 
     Policies 
     Security Policy Best Practices 
     Types of Security Policies 
     Standards 
     Procedures 
     Baselines 
     Guidelines 
     Combination of Policies, Standards, Baselines, Procedures, and Guidelines
An Approach for Developing Information Security Policies
Utilizing the Security Council for Policies
The Policy Review Process 
     Information Security Policy Process
Suggested Reading

Security Compliance Using Control Frameworks
Security Control Frameworks Defined
Security Control Frameworks and Standards Examples 
     Health Insurance Portability and Accountability Act (HIPAA)
     Federal Information Security Management Act of 2002 (FISMA) 
     National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53)
     Federal Information System Controls Audit Manual (FISCAM) 
     ISO/IEC 27001:2005 Information Security Management Systems—Requirements 
     ISO/IEC 27002:2005 Information technology—Security Techniques—Code of Practice for Information Security Management 
     Control Objectives for Information and Related Technology (COBIT) 
     Payment Card Industry Data Security Standard (PCI DSS)
     Information Technology Infrastructure Library (ITIL) 
     Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides 
     Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
The World Operates on Standards
Standards Are Dynamic
The How Is Typically Left Up to Us
Key Question: Why Does the Standard Exist?
Compliance Is Not Security, But It Is a Good Start
Integration of Standards and Control Frameworks
Auditing Compliance
Adoption Rate of Various Standards 
     ISO 27001/2 Certification
     NIST Certification
Control Framework Convergence
The 11-Factor Compliance Assurance Manifesto
The Standards/Framework Value Proposition
Suggested Reading

Managerial Controls: Practical Security Considerations
Security Control Convergence
Security Control Methodology
Security Assessment and Authorization Controls
Planning Controls
Risk Assessment Controls
System and Services Acquisition Controls
Program Management Controls
Suggested Reading

Technical Controls: Practical Security Considerations
Access Control Controls
Audit and Accountability Controls
Identification and Authentication
System and Communications Protections
Suggested Reading

Operational Controls: Practical Security Considerations
Awareness and Training Controls
Configuration Management Controls
Contingency Planning Controls
Incident Response Controls
Maintenance Controls
Media Protection Controls
Physical and Environmental Protection Controls
Personnel Security Controls
System and Information Integrity Controls
Suggested Reading

The Auditors Have Arrived, Now What?
Anatomy of an Audit
Audit Planning Phase 
     Preparation of Document Request List
     Gather Audit Artifacts 
     Provide Information to Auditors
On-Site Arrival Phase 
     Internet Access 
     Reserve Conference Rooms 
     Physical Access 
     Conference Phones 
     Schedule Entrance, Exit, Status Meetings 
     Set Up Interviews
Audit Execution Phase 
     Additional Audit Meetings 
     Establish Auditor Communication Protocol 
     Establish Internal Company Protocol 
     Media Handling
     Audit Coordinator Quality Review 
     The Interview Itself 
Entrance, Exit, and Status Conferences 
     Entrance Meeting 
     Exit Meeting 
     Status Meetings
Report Issuance and Finding Remediation Phase
Suggested Reading

Effective Security Communications
Why a Chapter Dedicated to Security Communications?
End User Security Awareness Training 
     Awareness Definition
Delivering the Message 
     Step 1: Security Awareness Needs Assessment
     Step 2: Program Design
     Step 3: Develop Scope
     Step 4: Content Development 
     Step 5: Communication and Logistics Plan
     Step 6: Awareness Delivery 
     Step 7: Evaluation/Feedback Loops
Security Awareness Training Does Not Have to Be Boring 
     Targeted Security Training 
     Continuous Security Reminders
     Utilize Multiple Security Awareness Vehicles
Security Officer Communication Skills 
     Talking versus Listening 
     Roadblocks to Effective Listening 
     Generating a Clear Message 
     Influencing and Negotiating Skills 
     Written Communication Skills 
     Presentation Skills
Applying Personality Type to Security Communications 
     The Four Myers–Briggs Type Indicator (MBTI) Preference Scales
     Determining Individual MBTI Personality
     Summing Up the MBTI for Security
Suggested Reading

The Law and Information Security
Civil Law versus Criminal Law
Electronic Communications Privacy Act of 1986 (ECPA)
The Computer Security Act of 1987
The Privacy Act of 1974
Sarbanes–Oxley Act of 2002 (SOX)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act of 1996
Health Information Technology for Economic and Clinical Health (HITECH) Act
Federal Information Security Management Act of 2002 (FISMA)
Summary
Suggested Reading

Learning from Information Security Incidents
Recent Security Incidents 
     Texas State Comptroller
     Sony PlayStation Network 
     Student Loan Social Security Numbers Stolen 
     Social Security Numbers Printed on Outside of Envelopes 
     Valid E-Mail Addresses Exposed 
     Office Copier Hard Disk Contained Confidential Information 
     Advanced Persistent Threat Targets Security Token
Who Will Be Next?
Every Control Could Result in an Incident
Suggested Reading

Ways to Dismantle Information Security Governance Efforts
Final Thoughts
Suggested Reading
Index
