Information Security Governance
Security Policy and related documents
- Policy – High-level management directives that are mandatory and do not delve into specifics
- Components of a program policy:
  - Purpose – Describes the need for the policy; typically to provide confidentiality, integrity and availability (CIA) of protected data
  - Scope – Describes what systems, people, facilities, and organizations are covered by the policy
  - Responsibilities – Responsibilities of the information security staff, policy and management teams, as well as responsibilities of all members of the organization
  - Compliance – Describes how to judge the effectiveness of the policy and what happens when the policy is violated
- Procedures – Low-level, mandatory step-by-step guides for accomplishing a task. Example: the steps to follow when creating a new user.
- Standards – Describe the specific use of technology, often applied to hardware and software, and are mandatory. Example: the standard issue of laptop hardware and software.
- Guidelines – Recommendations, which are discretionary. Example: advice to take the first letter of every word in a sentence to form a strong password. You can create a strong password without following this guideline.
- Baselines – Uniform ways of implementing a standard, which are discretionary. Example: performing a security baseline using the CIS benchmark. You can harden the system without following the benchmark as long as the result is at least as secure as one that follows it.
Security Awareness and Training
- Awareness – Changes user behaviour, e.g. reminding users never to share accounts or passwords
- Training – Provides a skill set, e.g. teaching the user how to perform a task, such as training network engineers to configure routers
Organizations should conduct thorough background checks before hiring. This includes checking criminal records, a financial investigation, and verifying education and certifications.
A fair, formal termination process includes a progressive discipline (ladder of discipline) process:
- Formal discussion
- Verbal warning meeting, with HR attendance
- Written warning meeting, with HR attendance
This is fair, and lowers the chance of a negative reaction. People tend to act more reasonably if they feel they have been treated fairly.
Vendor, Consultant and Contractor Security
They may have access to sensitive data, so they must be trained and made aware of the risks. Security policies, procedures and guidance should be applied to them. Policies regarding ownership of data and intellectual property should be developed, along with clear rules dictating where and when a third party may access or store data.
Outsourcing and offshoring
- Outsourcing – Use of a third party to provide IT services at lower cost
- Offshoring – Outsourcing to another country
Concerns about offshoring are the risks associated with privacy and regulatory issues; e.g. Australia has no HIPAA, SOX or GLBA.