CISSPills DOMAIN 3: Information Security Governance and Risk Management # 3.06

Upload: pierluigi-falcone-cissp-cism-ccsk-sabsa-foundation

Post on 19-Jan-2017



Table of Contents

- Security Governance
- Security Roles and Responsibilities
- Personnel Security
- Screening and Background Checks
- Employment Agreements
- Employment Termination
- Security-Awareness Training


Security Governance

Security Governance is the collection of practices related to supporting, defining and directing the security efforts of an organisation. It is a coherent system of integrated processes that helps to ensure consistent oversight, accountability and compliance.

Security Governance is closely related to, and intertwined with, Corporate and IT Governance; ultimately it represents the implementation of a security solution and a management method that are tightly interconnected.

Security is not only an IT issue, as it affects every aspect of an organisation. The term 'governance' emphasises this by indicating that security needs to be managed and governed across the entire organisation, not just within the IT department.


Security Governance (cont’d)

Security Governance ensures that the appropriate security activities are being performed to:

- handle risk adequately;
- ensure security investments are cost-effective;
- make sure management has visibility on the effectiveness of the security program.


Security Roles and Responsibilities

It is important to build an organisational structure that contains the necessary roles and maps the correct responsibilities to them. Clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities support accountability and help everyone understand who does what in every circumstance.


Security Roles and Responsibilities (cont'd)

Security Steering Committee: responsible for making decisions on strategic and tactical security issues within the enterprise as a whole. The group should be made up of people from different areas, so that it can assess risks and the effects of security decisions on individual departments and on the organisation as a whole;

Senior Manager: this role is assigned to the people ultimately responsible for the security maintained by an organisation and most concerned with the protection of its assets. The senior manager must sign off on all policy issues (see CISSPills #3.05). The senior managers' endorsement of the security policy indicates accepted ownership of the security implemented within the organisation. Senior managers are responsible for exercising due care and due diligence in establishing security for an organisation;

Security Professional: this role is assigned to trained and experienced individuals responsible for following the directives mandated by senior management. They have the functional responsibility for security, including writing and implementing the security policy. Security professionals are implementers rather than decision-makers; decisions must be left to senior management;

Data Owner: the person responsible for classifying information for placement and protection. This is usually a high-level manager who is accountable for data protection but who delegates the actual data management tasks to a Data Custodian.


Security Roles and Responsibilities (cont'd)

Data Custodian: this role is assigned to the user who is responsible for implementing the protection prescribed by the security policy and by senior management. The Data Custodian performs all the activities necessary to provide adequate protection of the data and to fulfil the requirements and responsibilities delegated by upper management (e.g. deploying security solutions, performing back-ups, managing data storage, etc.);

User: any person who has access to the systems. Their access should be tied to their work and limited so that they have only enough access to perform their tasks (least privilege principle). Users are responsible for understanding and upholding the security policy of an organisation by following the prescribed operational procedures and operating within the defined security boundaries;

Auditor: this role is responsible for reviewing and verifying that the security policy is properly implemented and that the derived security solutions are adequate. The auditor produces compliance and effectiveness reports that are reviewed by the senior managers. Issues discovered through these reports are transformed into new directives, assigned by the senior managers to security professionals or data custodians.


Personnel Security

People are the weakest link and, although their future actions cannot be predicted, it is possible to minimise the risks by implementing preventive measures. These include:

- hiring qualified individuals;
- performing background checks;
- using detailed job descriptions;
- providing the necessary training;
- enforcing strict access control;
- terminating employees in a way that protects all the parties involved.


Screening and Background Checks

Employment candidate screening is based on the sensitivity and classification defined by the job description. In turn, sensitivity and classification depend on the harm that accidental or intentional violations of security by a person in that position could cause. The thoroughness of the screening should reflect the sensitivity of the position to be filled, as this process is essential to validate a candidate's suitability, qualifications and trustworthiness.


Employment Agreements

When a new employee is hired, they should sign an employment agreement which outlines the rules and restrictions of the organisation, the security policy, the acceptable use and activities policies, etc. These may be separate documents, in which case the agreement is used to verify that the employee has read and understood them. Additionally, one common document also signed by the employee is the NDA (Nondisclosure Agreement), which is used to prevent confidential information of the organisation from being disclosed by a current or former employee.


Employment Termination

A company should have a specific set of procedures to follow with every termination; this is essential to maintaining a secure environment when an employee must be removed from an organisation. For example:

- the employee must be escorted off the premises and not allowed to return without an escort for any reason;
- the employee must surrender any identification badge or key;
- the employee must complete an exit interview and return company supplies;
- the employee's accounts and passwords must be disabled or changed immediately.
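The last step is the one that can be verified with data rather than with a checklist. The following Python script is an added example, not part of the original slides or of any tool the author describes: it joins a (constructed) HR termination roster against a (constructed) directory export and a list of shared accounts, and flags every account of a leaver that is still enabled, was used after the termination day, or is a shared credential the leaver knew that was never rotated. Field names such as `enabled`, `last_logon` and `pwd_last_set` are assumptions about what such an export contains, and "end of the termination day" is an assumed cut-off for "immediately".

```python
"""Offboarding reconciliation (added example, not from the original slides).

Cross-checks an HR termination roster against a directory export so that the
"disable accounts and change passwords immediately" step of the termination
procedure can be verified rather than assumed. All data below is constructed;
the field names are an assumption about what a directory export might contain.
"""
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed HR roster: employee id -> date the employee was terminated.
TERMINATIONS = {
    "e1001": date(2017, 1, 10),
    "e1002": date(2017, 1, 12),
}

# Constructed directory export: one row per account. last_logon may be None.
DIRECTORY = [
    # Properly offboarded: disabled, no activity after the termination day.
    {"account": "jdoe", "employee_id": "e1001", "enabled": False,
     "last_logon": datetime(2017, 1, 10, 16, 30)},
    # Missed: still enabled and used the day after leaving.
    {"account": "asmith", "employee_id": "e1002", "enabled": True,
     "last_logon": datetime(2017, 1, 13, 8, 5)},
    # Disabled eventually, but a logon happened after the termination day.
    {"account": "asmith-adm", "employee_id": "e1002", "enabled": False,
     "last_logon": datetime(2017, 1, 13, 3, 0)},
    # Current employee: must not be flagged.
    {"account": "kpark", "employee_id": "e1003", "enabled": True,
     "last_logon": datetime(2017, 1, 18, 9, 0)},
]

# Constructed shared accounts: who knew the password and when it was last changed.
SHARED_ACCOUNTS = [
    {"account": "backup-svc", "known_to": {"e1001", "e1003"},
     "pwd_last_set": datetime(2017, 1, 11, 10, 0)},   # rotated after e1001 left
    {"account": "fw-admin", "known_to": {"e1002", "e1003"},
     "pwd_last_set": datetime(2016, 9, 1, 12, 0)},    # not rotated since e1002 left
]


@dataclass(frozen=True)
class Finding:
    account: str
    employee_id: str
    reason: str


def _deadline(term_date):
    """Latest acceptable moment for access: end of the termination day (assumption)."""
    return datetime.combine(term_date, time.max)


def check_accounts(terminations, directory):
    """Flag accounts of terminated employees that are still enabled or were used afterwards."""
    findings = []
    for row in directory:
        term = terminations.get(row["employee_id"])
        if term is None:
            continue  # still employed, nothing to check
        if row["enabled"]:
            findings.append(Finding(row["account"], row["employee_id"], "still enabled"))
        last = row.get("last_logon")
        if last is not None and last > _deadline(term):
            findings.append(Finding(row["account"], row["employee_id"], "logon after termination"))
    return findings


def check_shared_credentials(terminations, shared_accounts):
    """Flag shared credentials known to a leaver and not rotated after their termination."""
    findings = []
    for acct in shared_accounts:
        for emp in sorted(acct["known_to"]):
            term = terminations.get(emp)
            if term is None:
                continue
            rotated = acct.get("pwd_last_set")
            if rotated is None or rotated <= _deadline(term):
                findings.append(Finding(acct["account"], emp, "shared password not rotated"))
    return findings


def offboarding_report(terminations=TERMINATIONS, directory=DIRECTORY,
                       shared_accounts=SHARED_ACCOUNTS):
    """Return every finding as a sorted list of (account, employee_id, reason) tuples."""
    findings = (check_accounts(terminations, directory)
                + check_shared_credentials(terminations, shared_accounts))
    return sorted((f.account, f.employee_id, f.reason) for f in findings)


if __name__ == "__main__":
    for account, emp, reason in offboarding_report():
        print(f"{account:12} {emp}  {reason}")
```

Run against the constructed data, the report flags `asmith` twice (still enabled, and a logon after the termination day), `asmith-adm` once (disabled now, but used after termination, which shows the disable step was too slow) and `fw-admin` once (a shared password that `e1002` knew and that was never changed); `jdoe`, `kpark` and `backup-svc` produce no findings. In practice the roster and export would come from the HR system and the directory rather than being embedded in the script.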


Security-Awareness Training

The successful implementation of a security solution requires changes in user behaviour. Security training is performed to modify employees' behaviour and attitude towards security. The goal of creating awareness is to bring security to the forefront and make it a recognised concern for users; it establishes a common baseline of security understanding across the organisation and focuses on the key topics and issues related to security that each employee must comprehend and put into practice. All personnel should be aware of their security responsibilities and liabilities, and they should be trained to know what to do and what not to do. The repercussions of noncompliance must also be specified and enforced. Training must be tailored to the audience to ensure everyone can understand it. It is usually best to have each employee sign a document acknowledging that they have understood all the topics discussed as part of the training. This reinforces the importance of the policies and also provides evidence should the employee later claim they were never informed about them.


That's all Folks! We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them. For comments, typos, complaints or whatever you want, drop me an e-mail at:

cisspills <at> outlook <dot> com

More resources: stay tuned for the next issues; join "CISSP Study Group Italia" if you are preparing for your exam.

Brought to you by Pierluigi Falcone. More info about me on

Contact Details