Information security governance is information security at the organizational level; it includes senior management, policies, processes, and staffing. It is also the organizational priority set by senior leadership, which is required for a successful information security program.
Security Policy and Related Documents
Documents such as policies and procedures are a required part of any successful information security program. These documents should be grounded in reality; they are not idealistic documents that sit on shelves collecting dust. They should mirror the real world and provide guidance on the correct (and sometimes required) way of doing things.
Policies are high-level management directives. Policy is mandatory: for example, even if you don’t agree with your company’s sexual harassment policy, you still must follow it.
Policy is high level and does not delve into specifics. A server security policy would discuss protecting the confidentiality, integrity, and availability of the system, usually in those terms.
It may discuss software updates and patching. The policy would not use low-level terms like “Linux” or “Windows.”
In fact, if you converted your server from Windows to Linux, your server policy would not change. However, other documents, such as procedures, would change.
A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory.
Here is a simple example of a procedure for creating a new user:
1. Receive a new-user request form and verify its completeness.
2. Verify that the user’s manager has signed the form.
3. Verify that the user has read and agreed to the user account security policy.
4. Classify the user’s role by following role-assignment procedure NS-103.
5. Verify that the user has selected a secret word, such as his or her mother’s maiden name, and enter it into the help desk account profile.
6. Create the account and assign the proper role.
7. Assign the secret word as the initial password, and set “Force user to change password on next login” to “True.”
8. Email the new account document to the user and their manager.
The steps of this procedure are mandatory. Security administrators do not have the option of skipping Step 1, for example, and creating an account without a form.
Other safeguards depend on this procedure. For example, when a user calls the help desk as a result of a forgotten password, the help desk will follow their “forgotten password” procedure, which includes asking for the user’s secret word.
The help desk can’t do that unless Step 5 was completed; without that word, the help desk can’t securely reset the password.
This mitigates the risks of social engineering attacks, during which an imposter tries to trick the help desk into resetting a password for an account he or she is not authorized to access.
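As an added illustration (not part of the original text), the provisioning procedure above and the help desk dependency just described can be modelled in Python: each mandatory step is a check that blocks account creation when it fails, and the forgotten-password procedure refuses to proceed unless Step 5 recorded a secret word. The form fields, the NS-103 role table, and storing the word as a salted hash in the help desk profile are assumptions, not anything the text specifies.

```python
import hashlib, hmac, os
from dataclasses import dataclass
# Constructed lookup standing in for role-assignment procedure NS-103 (an assumption).
ROLE_ASSIGNMENT_NS103 = {"engineering": "developer", "finance": "analyst"}
ACCOUNTS = {}  # username -> Account; stands in for the directory and help desk database

@dataclass
class NewUserRequest:  # the new-user request form; its fields are assumed here
    username: str
    department: str
    manager_signed: bool
    policy_acknowledged: bool
    secret_word: str  # empty when the user has not selected one

@dataclass
class Account:
    username: str
    role: str
    must_change_password: bool
    secret_salt: bytes  # the help desk profile keeps a salted hash, never the word itself
    secret_hash: bytes

def _hash_secret(word: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", word.strip().lower().encode(), salt, 100_000)
def create_user(req: NewUserRequest) -> Account:
    """Steps 1-7 of the new-user procedure; every check is mandatory, none may be skipped."""
    if not req.username or not req.department:        # Step 1: form received and complete
        raise ValueError("incomplete request form")
    if not req.manager_signed:                        # Step 2: manager has signed
        raise ValueError("manager signature missing")
    if not req.policy_acknowledged:                   # Step 3: account security policy agreed
        raise ValueError("user has not agreed to the account security policy")
    role = ROLE_ASSIGNMENT_NS103.get(req.department)  # Step 4: classify role per NS-103
    if role is None:
        raise ValueError(f"NS-103 assigns no role to department {req.department!r}")
    if not req.secret_word.strip():                   # Step 5: secret word on file for help desk
        raise ValueError("secret word not selected")
    salt = os.urandom(16)                             # Steps 6-7: create, assign role, force change
    acct = Account(req.username, role, True, salt, _hash_secret(req.secret_word, salt))
    ACCOUNTS[req.username] = acct                     # Step 8 (notification e-mail) not modelled
    return acct

def help_desk_reset(username: str, spoken_word: str) -> bool:
    # Forgotten-password procedure: proceeds only if Step 5 left a matching secret word.
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct.secret_hash, _hash_secret(spoken_word, acct.secret_salt)):
        return False                                  # nothing on file, or the word does not match
    acct.must_change_password = True                  # temporary password must be rotated at login
    return True
```

A request that fails any step leaves no account behind, so a caller who tries to reset a password for a user that was never properly provisioned is refused as well.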
A standard describes the specific use of technology, often applied to hardware and software. “All employees will receive an ACME Nexus-6 laptop with 8 GB of memory, a 3.3 GHz quad-core central processing unit (CPU), and a 500-gigabyte disk” is an example of a hardware standard.
“The laptops will run Windows 10 Enterprise, 64-bit version” is an example of a software (operating system) standard.
Standards are mandatory. Not only do they lower the total cost of ownership (TCO) of a safeguard, but they also support disaster recovery.
Guidelines are discretionary recommendations. A guideline can be a useful piece of advice, such as “To create a strong password, take the first letter of every word in a sentence, and mix in some numbers and symbols. ‘I will pass the CISSP exam in six months!’ becomes ‘Iwptcei6m!’”
Baselines are uniform ways of implementing a standard. “Harden the system by applying the Center for Internet Security Linux benchmarks” is an example of a baseline (see https://benchmarks.cisecurity.org for the Security Benchmarks division of the Center for Internet Security, a great resource). The system must meet the baseline described by those benchmarks.
Baselines are discretionary. It is acceptable to harden the system without following the aforementioned benchmarks, as long as it is at least as secure as a system hardened using the benchmarks. Formal exceptions to baselines require senior management sign-off.
The table below summarizes the types of security documentation.

| Document | Example | Mandatory or Discretionary? |
| --- | --- | --- |
| Policy | Protect the CIA of PII by hardening the operating system. | Mandatory |
| Procedure | Step 1: Install prehardened OS image. Step 2: Download patches from update server. Step 3: … | Mandatory |
| Standard | Use Nexus-6 laptop hardware | Mandatory |
| Guideline | Patch installation may be automated via the use of an installer script | Discretionary |
| Baseline | Use the CIS Security Benchmarks Windows Benchmark | Discretionary |