SECURITY ORGANISATION AND POLICIES
7CCSMSEM Security Management Dr. Jose M. Such
Learning Outcomes
• Security Culture
• Security Roles
• What is a Policy? Standard? Procedure? Guideline?
• Policy examples and what to include in them
• What to consider when writing a policy
Security Culture
• Information security is more than just technical countermeasures.
• It is as much about people as it is about anything else.
• People have to be educated, motivated and appropriately regulated.
Security Culture
Don’t just pin to the board or website
It must be clear within the organisation that information assurance is important!
Why?
A significant number of information assurance incidents are simply human errors, mistakes or carelessness!
Security Culture
“Cyber incidents” is the only row that isn’t due to human error.
Everything else is due to human error / mistakes!
Remember, companies avoid reporting incidents when possible, so the figures are likely significantly worse.
https://ico.org.uk/action-weve-taken/data-security-incident-trends/
Security Culture
The culture’s focus isn’t just confidentiality, but integrity and availability too.
CEO of TSB “stepped down” as banking services were not available.
Video
SECURITY ROLES
CISO
Chief Information Security Officer (CISO)
• The top Information security manager in an organisation.
• Responsible for protecting their organization’s computers, networks and data against threats, such as security breaches, computer viruses or attacks by cyber-criminals.
CISO
Deloitte Reveals the Four Faces of the CISO
The CISO role requires a balanced focus across four faces that enables the enterprise security function to maximize the value delivered to the organization.
STRATEGIST
Drive business and cyber risk strategy alignment, innovate and instigate transitional change to manage risk through valued investments
CISO
ADVISOR
Integrate with the business to educate, advise and influence activities with cyber risk implications
GUARDIAN
Protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program
TECHNOLOGIST
Assess and implement security technologies and standards to build organizational capabilities
[Figure: Deloitte survey of current versus desired CISO time allocation across the four faces (Strategist, Advisor, Guardian, Technologist), under the heading “Secure. Vigilant. Resilient.”; the individual percentages are not recoverable from the extracted text.]
Copyright © 2015 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited
CISO – Focus
• What risks may the enterprise face?
• Where may the enterprise be vulnerable to attack?
• What controls are in place?
CISO – Responsibilities
• Managing Information Security:
1. Coordinating information security activities across the enterprise
2. Reporting effectiveness of security policy to senior management
3. Coordinating the production of security policy
• Supporting the Enterprise:
1. Understanding the enterprise’s risk appetite and profile and how it may be evolving
2. Providing expert advice on information security matters to the enterprise
3. Creating a culture of good information exchange and security practices
CISO – who am I?
Who is the CISO?
Where am I within the organisational structure?
How do I get the authority to enforce good information assurance? Why do people listen to me?
CISO – who am I?
Senior role, ideally a board member
Demonstrate from the “higher ups” a commitment to real information assurance
Why is this important?
High up in the organisation’s hierarchy
CISO
Why a C-level Executive?
• Authority within Organisation
• A director or board member has the necessary status to ensure appropriate focus is placed on information security.
• Sarbanes-Oxley (USA) and The Companies Act (UK) also require this level of accountability/responsibility.
• External Incentive
• There is a responsibility to ensure adequate service continuity requirements are in place. If there is a major problem, the company won’t go out of operation.
• If measures are not properly implemented, the accountable person can face a custodial sentence.
Video
One person can’t do everything. What about the team?
Security Forum
• Generally it should involve stakeholders who require good information assurance and those who are going to arrange it.
• This may include:
• Line of business managers
• Departmental heads
• Representatives from vested interest parties (e.g. IT, internal audit, HR, physical security)
Security Forum
• What should the forum do?
• Ensure information security is included in the planning of all activities for the enterprise
• Approve and prioritise security activities
• Review performance of security activities and assess whether the risk profile of the enterprise has altered (i.e. are there new threats?)
• Approve policies, standards and procedures in relation to information security
What other InfoSec Roles??
• System Administrator
• A person who manages the operation of a computer system or particular electronic communication service.
• Security Auditor
• A person who works with a company to provide an audit of the security systems used by that company.
• System User
• A person who interacts with a system, typically through an interface, to extract some functional benefit.
• Incident Response Member
• A person who is part of the incident response team. They are responsible for resolving incidents as they arise.
• Security Champion
• A person who is appointed to oversee that a security policy within their group is enforced and to report incidents to management.
• Security Officer/Guard
• A person employed by the organisation to protect the assets from a variety of hazards by enforcing preventative measures.
But can the team manage security independently from outside requirements?
Externally Imposed Requirements
• Statutory requirements
• legal requirements that must be fulfilled.
• For instance, law enforcement agencies must be contacted should certain laws be broken, or be suspected of having been broken – e.g. the downloading of child pornography.
• may influence how an enterprise’s incident reporting procedures are organised.
• For example how, when and by whom should the authorities be contacted? Privacy legislation such as the Data Protection Act (UK) will influence how information is stored and managed within the enterprise and how resources are deployed to ensure that it complies with this legislation.
Externally Imposed Requirements
Criminal activities (including data breaches) should be reported to the police! https://www.telegraph.co.uk/business/2018/09/06/british-airways-hacked-380000-sets-payment-details-stolen/
Externally Imposed Requirements
The Information Commissioner’s Office must be notified if the breach violates the Data Protection Act 2018 (which complements the EU General Data Protection Regulation (GDPR)).
They also influence how information should be stored within an organisation and impose hefty fines if a company fails to comply.
Externally Imposed Requirements
Two levels of fines for GDPR
Up to €10 million / 2% of annual turnover
Up to €20 million / 4% of annual turnover
Externally Imposed Requirements
• Regulatory requirements
• often imposed by trade bodies, and they specify how an enterprise should operate to conform to certain standards.
• Although they are not legal obligations, regulatory bodies have extensive powers, and failure to comply could lead to possible fines or, in extreme cases, exclusion from trading in a particular environment.
• The finance sector is a good example of this as it maintains strict controls to prevent financial malpractices such as fraud or money laundering.
Externally Imposed Requirements
• Advisory requirements
• may arise from government agencies or utility companies and may provide advice as to what arrangements should be put into place to help cope with instances such as fires, natural disasters and acts of terrorism.
• These requirements are not legally binding and are generally issued to help encourage best practice.
Externally Imposed Requirements
Important to Remember
Threats, vulnerabilities, risks and the external requirements for an enterprise are always changing!
No single person in a big organisation will know everything.
It is important to seek advice (training, accreditations) and external services (penetration testing).
SECURITY POLICIES
What is a Policy?
• A high-level statement of an organisation’s values, goals and objectives in a specific area.
• Example: Each user is responsible for creating and maintaining their system passwords.
• A policy doesn’t say how it should be implemented, but it states the end-goal.
What is a Standard?
• More prescriptive than policy. It quantifies what needs to be done and provides consistency in controls that can be measured.
• Example: Passwords must contain a minimum of eight characters, be a mix of numbers and letters and be changed every 30 days.
• Designed to support policy, stating what “must” be done and how it should be achieved.
• p.s. While this is a widespread standard, it is a really bad standard to implement!
What is a Procedure?
• A set of detailed working instructions that describe what, when, how and by whom something should be done.
Our password standard must be reviewed every six months based on the new advice provided by regulatory organisations. This will be completed by Jose Such.
Signed, Ms Rachel Jackson (Chairperson of GANT)
What is a Guideline?
• They provide advice, direction and best practice in instances where it is often difficult to regulate how something should be done.
• For example: A code of conduct or working practice when out of the office.
2. Usefulness: Our products, features, and services should make Google more useful for all our users. We have many different types of users, from individuals to large businesses, but one guiding principle: “Is what we are offering useful?”
https://abc.xyz/investor/other/google-code-of-conduct.html
Documentation for Information Security
A high-level information security policy
• All organisations should set out their commitment to information security and what they expect to be done to protect their information assets. It should contain:
• Manage Security:
• How the enterprise will manage its information security
• Protect Assets:
• How the information assets are protected according to their criticality.
• Compliance:
• Comply with legal and regulatory obligations
• Awareness:
• How users will be made aware of information security issues
• Breaches:
• How to deal with breaches of policy and weaknesses of information security
• Support:
• The policy is fully supported by senior management
An Information Security Implementation Programme
• A high level view of how the organisation will address its security needs (and help focus on implementing controls that address the risks that matter most). It includes:
Impact of Programme
How the programme will address risks within the enterprise and reduce them to an acceptable level
Security Controls
What controls need to be implemented to achieve reduced risk?
Level of Effort
Who is involved in implementing the program and how much time is required?
Accountability
Who is responsible for each part of the programme?
Costs and Timescales
Is it cost effective? And what is the timeline to complete each goal?
Tracking Progress
How will progress be tracked?
Security Strategy / Security Architecture
A plan on how to improve an existing assurance function within an organisation.
• How the risk profile of the enterprise will likely change (due to business working practices and objectives)
• Trends in threats/vulnerabilities to potential type of incidents
• Expected developments in software and hardware
• Legal, Compliance and Audit Requirement changes
Higher, non-technical and less detailed level than an implementation programme
Timescale: 3-5 Year Period.
Translates organisational requirements for assurance into a set of controls to protect information assets.
• Consistent framework for global assurance controls and arrangements
• Focuses on technology, policies, processes, procedures, and user behaviour
• Set of “principles” to express the type of controls to be implemented.
• Auditing and monitoring controls, which ensure the organisation complies with security policies and legal obligations.
Support moving from a high-level conception view of controls to a detailed specification and design.
End-user code of practice
Designed to define the standards for use of organisational information and communication systems by employees.
• Protect Credentials:
• Users’ passwords and PINs are protected
• Do not write them on a piece of paper!
• Access Control:
• Users only access information that they have authorisation to see
• Users should report if they can access information that they do not need to know
• Physical Security:
• Logging off workstations when unattended
• It doesn’t matter if this interrupts a YouTube video!
• Culture at the workplace:
• May include expected behaviour towards other employees (and clients)
• Personal devices:
• Can be used or not for work
• Can be brought into the workplace or not (e.g. GCHQ employees cannot bring their phones into work)
• Social Engineering:
• Avoid passing amusing e-mails around (the attachment might contain viruses)
• Employees may not be allowed to be given “gifts”
Contract of employment
Employees should be contractually obliged to follow the security policies!
• Acceptance of Standards
• Behaviour & conduct
• Use of company assets
• Duty of care to organisation and other staff
• Intellectual Property
• Who owns it?
• Non-disclosure / confidentiality of information
• Applicable Laws and Regulations
• Employee is legally accountable for their actions
• Clearly states the legal framework for their role
• Disciplinary proceedings and process
• Accountability for the employee
• Risk of suspension
Summary of Policy Examples
• A high-level information security policy
• A commitment to information assurance and how the organisation plans to protect its assets.
• An Information Security Implementation Programme
• A high-level view of how the organisation will address its assurance needs (and help focus on implementing controls that address the risks that matter most)
• Security Strategy and Architecture
• Strategy: A plan on how to improve an existing assurance function within an organisation.
• Architecture: Translates organisational requirements for assurance into a set of controls to protect information assets.
• End-user code of practice
• Designed to define the standards for use of organisational information and communication systems by employees.
• Contract of Employment
• Employees should be contractually obliged to follow the security policies!
What to consider when writing these documents??
A policy must strike a balance
It must consider the financial cost and impact on working conditions if the policy is enforced.
$1 million security control to protect assets valued at $10k?
Does it make financial sense?
Expiring a user’s password every 10 days.
Can this prevent workers from working?
Segregation of duties and avoiding dependence
One person may not perform the duties for more than one role where there can be a conflict of interest. The requirement for segregation of duties has two functions:
Limit Scope
If one individual has all the passwords, access rights and privileges for the entire organisation…..
…. They can destroy all data with little to no risk of discovery.
System Admin, System User, and System Auditor
Limit Dependence
If an organisation relies on one individual…
…What if they resign (or get hit by a bus?)
Good documentation, more than one person, etc.
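The two functions of segregation of duties described above, as an added example (not code from the slides): a small check over role assignments that flags people holding conflicting roles (Limit Scope) and roles held by only one person (Limit Dependence). The conflict pairs and the sample assignments are constructed assumptions built on the slide’s System Admin / System User / Security Auditor example.

```python
from collections import defaultdict
from itertools import combinations

# Role pairs one person must not hold at once (assumed conflicts for illustration:
# whoever changes a system, or uses it day to day, should not also be its auditor).
CONFLICTS = {
    frozenset({"system_admin", "security_auditor"}),
    frozenset({"system_user", "security_auditor"}),
}


def sod_violations(assignments):
    """Limit Scope: return {person: [conflicting role pairs]} for anyone whose
    roles include a pair listed in CONFLICTS."""
    found = {}
    for person, roles in assignments.items():
        pairs = [tuple(sorted(p))
                 for p in combinations(sorted(set(roles)), 2)
                 if frozenset(p) in CONFLICTS]
        if pairs:
            found[person] = pairs
    return found


def single_points_of_dependence(assignments):
    """Limit Dependence: return the roles held by exactly one person, i.e. the
    roles that stop being covered if that person resigns."""
    holders = defaultdict(set)
    for person, roles in assignments.items():
        for role in roles:
            holders[role].add(person)
    return sorted(role for role, people in holders.items() if len(people) == 1)


# Constructed sample: who currently holds which roles.
SAMPLE = {
    "alice": ["system_admin", "system_user"],
    "bob": ["system_admin", "security_auditor"],  # audits his own admin work
    "carol": ["system_user"],
    "dave": ["incident_responder"],               # nobody else covers this role
}

if __name__ == "__main__":
    for person, pairs in sod_violations(SAMPLE).items():
        print(f"SoD conflict: {person} holds {pairs}")
    for role in single_points_of_dependence(SAMPLE):
        print(f"Dependence risk: only one person holds {role}")
```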
What if a third-party requires access to assets
Policies, Standards and Procedures should be extended to third parties:
• Must be a written and signed agreement with the third party before access to information is permitted
• A Non-Disclosure Agreement (NDA) might be required to protect assets and intellectual property.
• Assets should NOT be transferred until the organisation is confident that the third party can adequately protect its confidentiality (and possibly integrity).
What to include in third-party agreement
What is included in an agreement with third party?
• How to notify and investigate assurance incidents
• Right to audit/monitor arrangements by the third party
• How to manage changes to the application or service
• All policies extend to the third party and their subcontractors
• Background checks on personnel recruited (GCHQ-like)
What if lack of compliance
What if a user doesn’t comply with policy?
The consequence for not complying must be clearly stated in the policy!
• Breach may have to be reported to law enforcement
• Lead to an employee disciplinary process
• Termination of a supplier contract
Tips for writing documents
Try and write your document such that:
● It is clear and to the point
● Little to no jargon
● Positive rather than negative
○ Avoid “do nots”
● Scope should be clear
○ To all GANT employees in the UK
Realistic Policies
Aspiration: Employee must keep laptops with them at all times
Reality: Laptops should not be left unattended in public places.
Enforceable Policies
Not enforceable: All customer records should be kept without their consent.
Enforceable: A customer’s consent must first be obtained before storing their data.