Module 4 Governance Strategy Policy
IT Security Management
Governance, Strategy, Policy
and Planning
Learning Objectives
Governance is
• “The set of responsibilities and practices exercised by the
board and executive management with the goal of providing
strategic direction, ensuring that objectives are achieved,
ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used
responsibly”
Strategic planning and corporate responsibility are best
accomplished using an approach many call Governance, Risk
management, and Compliance (GRC)
Source: This information is derived from the Corporate Governance Task Force Report, “Information
Security Governance: A Call to Action,” April 2004, National Cyber Security Task Force.
Governance without strategy
Mission Statement:
• “Random Widget Co designs and manufactures quality widgets and associated
equipment and supplies for use in modern business environments”
Values Statement:
• “Random Widget Co values commitment, honesty, integrity and social responsibility
among its employees, and is committed to providing its services in harmony with its
corporate, social, legal and natural environments”
Vision Statement:
• “Random Widget Co will be the preferred manufacturer of choice for every business’s
widget equipment needs, with an RWW widget in every machine they use”
Some formal governance frameworks
Definition:
• a definite course of action adopted as expedient or
from other considerations: a business policy.1
Enterprise information security policy (EISP) is that high-level information security policy
that sets the strategic direction, scope, and tone for all of an organization’s security efforts.
• Provides an overview of the corporate philosophy on security
• Information on the structure of the InfoSec organization and individuals who fulfill the
InfoSec role
• Fully articulated responsibilities for security that are shared by all members of the
organization (employees, contractors, consultants, partners, and visitors)
• Fully articulated responsibilities for security that are unique to each role within the
organization
An EISP is also known as a security program policy, general security policy, IT security
policy, high-level InfoSec policy, or simply an InfoSec policy
• Electronic mail, IM and other communications apps
• Use of the Internet, the Web, and company networks
• Malware protection requirements
• Non-organizationally issued software or hardware on organization assets
• Organizational information on non-organizationally owned computers
• Prohibitions against hacking or testing security controls or attempting to modify or escalate
privileges
• Personal and/or home use of company equipment
• Removal of organizational equipment from organizational property
• Personal equipment on company networks
• Personal technology during work hours
• Organizational telecommunications technologies and networks
• Photocopying and scanning equipment
• Company information while outside company facilities
Access control credentials by users
• Include the user access lists, matrices, and capability tables that govern the
rights and privileges
• A capability table specifies which subjects and objects users or groups can
access
• These specifications are frequently complex matrices, rather than simple lists or
tables
• In general ACLs enable administrators to restrict access according to user,
computer, time, duration, or even a particular file.
In general ACLs regulate:
• Who can use the system
• What authorized users can access
• When authorized users can access the system
• Where authorized users can access the system from
• How authorized users can access the system
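The following Python code is an added illustration, not part of the lecture material, of the two points made above: the same access control matrix can be read as an ACL (one object, which subjects hold rights) or as a capability table (one subject, which objects it may reach), and an ACL check applies the who / what / when / where / how dimensions with default deny. The subjects, objects, networks and hours are constructed sample data.

```python
"""ACL vs capability-table views of one access matrix, plus a default-deny check
that applies who / what / when / where / how.  Constructed sample data only."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """One access control entry: who may do what to which object, and under
    which when / where / how constraints."""
    subject: str                                   # who
    obj: str                                       # what (the object)
    rights: set                                    # e.g. {"read", "write"}
    hours: tuple = (time.min, time.max)            # when: inclusive window
    networks: tuple = ("0.0.0.0/0",)               # where: permitted source CIDRs
    methods: tuple = ("console", "vpn", "web")     # how: permitted access paths


# Constructed rule set (hypothetical subjects and objects, not from the slides).
RULES = [
    Rule("alice", "payroll.db", {"read", "write"}, hours=(time(8), time(18)),
         networks=("10.0.0.0/8",), methods=("console", "vpn")),
    Rule("bob", "hr_policy.pdf", {"read"}),
    Rule("svc_backup", "payroll.db", {"read"}, hours=(time(1), time(3)),
         networks=("10.1.2.0/24",), methods=("console",)),
]


def access_matrix(rules=RULES):
    """Subject x object matrix of rights: the 'complex matrix' behind ACLs."""
    matrix = {}
    for r in rules:
        matrix.setdefault(r.subject, {}).setdefault(r.obj, set()).update(r.rights)
    return matrix


def acl_for(obj, rules=RULES):
    """ACL view: one column of the matrix -> {subject: rights} for this object."""
    return {s: objs[obj] for s, objs in access_matrix(rules).items() if obj in objs}


def capabilities_for(subject, rules=RULES):
    """Capability-table view: one row of the matrix -> {object: rights}."""
    return access_matrix(rules).get(subject, {})


def check_access(subject, obj, right, when_iso, src_ip, method, rules=RULES):
    """Return (allowed, reason).  Default deny: the request is allowed only if
    some rule for this subject/object satisfies all remaining dimensions."""
    when = datetime.fromisoformat(when_iso).time()
    ip = ip_address(src_ip)
    reason = "no matching entry (default deny)"
    for r in rules:
        if r.subject != subject or r.obj != obj:      # who / what
            continue
        if right not in r.rights:
            reason = "right not granted"
            continue
        start, end = r.hours                           # when
        if not (start <= when <= end):
            reason = "outside permitted hours"
            continue
        if not any(ip in ip_network(n) for n in r.networks):   # where
            reason = "source network not permitted"
            continue
        if method not in r.methods:                    # how
            reason = "access method not permitted"
            continue
        return True, "allowed"
    return False, reason


if __name__ == "__main__":
    print("ACL for payroll.db:", acl_for("payroll.db"))
    print("Capabilities of bob:", capabilities_for("bob"))
    print(check_access("alice", "payroll.db", "read", "2024-01-15T09:30", "10.2.3.4", "vpn"))
    print(check_access("alice", "payroll.db", "read", "2024-01-15T20:00", "10.2.3.4", "vpn"))
```

Because the check falls through to the next rule on a failed dimension and only returns "allowed" when every dimension matches, adding a second, looser rule for the same subject and object widens access only where that rule explicitly says so; the reported reason is that of the last rule tried.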
1. Exclusive: The Hairstyles Abercrombie Has Deemed "Unacceptable” (BuzzFeed / Maheshwari, 2013)
The Information Security Blueprint
Defense in depth
• Implementation of security in layers
• Requires that the organization establish multiple layers of security
controls and safeguards
Security perimeter
• Border of security protecting internal systems from outside
threats
• Does not protect against internal attacks from employee threats
or onsite physical threats
Design of Security Architecture - Spheres of Security
Design of Security Architecture - Defense in Depth
Security Perimeters
Security Education, Training & Awareness (SETA) Program
Test measure, by SETA component:
• Education: Essay (interpret learning)
• Training: Problem solving (apply learning)
• Awareness: True or False; Multiple choice (identify learning)
• Governance is the set of responsibilities and practices that are exercised by the board and
executives of an organisation
• Governance, Risk, Compliance are an often-quoted trio (GRC)
• Governance closely relates to strategy – it is the set of practices that will help an organisation
achieve its strategic goals
• Many information security governance frameworks already exist, you don’t need to reinvent
the wheel – just find one that’s appropriate to your needs
• Planning is an essential business process closely related to governance.
• Planning occurs at several levels: strategic, tactical and operational
• Policies are the tools used to turn plans into real-world instructions and rules
• Policies come in many flavours, from general business guidelines, to operational rules and
system-specific requirements
• Policy development is a very important process in managing IT security
Summary
• Policy development can follow similar phases to other products or services: Investigation;
Analysis; Design; Implementation; Maintenance
• Policies without compliance don’t achieve anything
• Policy compliance is generally sought through agreement, but...
• Consider how to achieve compliance when there is no agreement
• Policy enforcement can involve management directives “do this or else..”.
• Policies may also be enforced through technical means (turn off the Wi-Fi, force password
complexity)
• Information security education, training, and awareness (SETA) is a control measure that
reduces accidental security breaches and increases organizational resistance to many other
forms of attack
• Defense-in-depth requires that the organization establish multiple layers of security controls
and safeguards
• The security perimeter is the border of security protecting internal systems from outside
threats