Chapter 0 - Why We Need Security Programs
WHAT DO WE MEAN WHEN WE SAY INFORMATION SECURITY?
Confidentiality, Integrity, and Availability Triad
Relating the CIA Triad to Security
UNDERSTANDING THE THREATS WE FACE
BENEFITS OF A FORMAL SECURITY PROGRAM
Ensure Security of Information Assets
Provide a Framework for Security
Codifies the Desired Security Level
Provides a Mechanism to Assess Risk
Helps Keep Program and Practices Up To Date
1 - Develop an Information Security Strategy
INFORMATION SECURITY STRATEGIC PLANNING PRINCIPLES
DEVELOP THE ORGANIZATIONAL VISION AND MISSION STATEMENTS
DESCRIBE THE INFORMATION SECURITY ENVIRONMENT
DELIVERING THE INFORMATION SECURITY STRATEGIC PLAN
INFORMATION SECURITY CAPABILITY ROAD MAP DEVELOPMENT
2 - Integrate Security Into the Organization
UNDERSTAND THE ORGANIZATIONAL SECURITY CULTURE
INTEGRATE INFORMATION SECURITY INTO BUSINESS PROCESSES
ESTABLISH INFORMATION SECURITY BUSINESS RELATIONSHIP MANAGEMENT
3 - Establish a Security Organization
KEY FACTORS IN DETERMINING THE ORGANIZATIONAL STRUCTURE
WHERE SHOULD SECURITY REPORT?
Governance, Risk, and Compliance
Ability to Support Security
RESPONSIBILITIES WITHIN SECURITY
Bigger Equals More Complex
CISO/CSO/CIO/CFO/CEO—Relationships and Roles
Information Security Committee
RELATIONSHIPS WITH EXTERNAL ORGANIZATIONS AND AUTHORITIES
Other Organizations in the Same Industry
Law Enforcement and Government
4 - Why Information Security Policies?
ALIGN INFORMATION SECURITY POLICIES TO THE ORGANIZATIONAL PROFILE
TYPES OF INFORMATION SECURITY POLICIES
INFORMATION SECURITY POLICY GOVERNANCE AND MANAGEMENT
Information Security Policy Governance
Information Security Policy Management
DEVELOP A RISK MANAGEMENT FRAMEWORK
Choosing an Existing Framework
National Institute for Science and Technology
International Organization for Standardization
Federal Information Processing Standard
Developing a Framework From Scratch
EVALUATE OBJECTIVES FOR RISK MANAGEMENT
Objectives Inherited From the Business
Security-Specific Objectives
RESPONDING TO THE RESULTS OF RISK ASSESSMENTS
Who Decides How to Respond?
COMMUNICATING RISK TO THE BUSINESS
Know Who the Stakeholders Are
Alerting for Issues or Changes
Communicating Responsibilities to Users
Receiving Communications From Users
RISK MANAGEMENT AND CONTROLS
What Security Controls Provide Us
Assurance That Requirements Are Met
Assurance That Risks Are Being Dealt With
Controls and Audit Findings
Auditing Against Frameworks
Audit Findings Centered on Controls
Auditing How Controls Are Applied
GAINING MANAGEMENT BUY-IN
Establish Business Relevancy
Discuss Objectives and How They Will Be Met
Data Sensitivity and Criticality
ACCESS CONTROL CONSIDERATIONS
PHYSICAL AND ENVIRONMENTAL SECURITY FOR FACILITIES
ZONES OF TRUST AND CONTROL
Limiting Zone Interface Points
ENSURING DATA CONFIDENTIALITY
MAKING USE OF TESTED TECHNOLOGIES
Why Developing Your Own Encryption Is a Bad Idea
7 - Manage the Security of Third Parties and Vendors
Information Security Agreement
Information Privacy Agreement
Auditing and Monitoring Agreement
Foreign Corrupt Practices Agreement
8 - Conduct Security Awareness and Training
PARTNERING WITH STAKEHOLDERS
Who Are the Stakeholders for Security Training?
TARGETING TRAINING NEEDS FOR THE AUDIENCE
Information Security Policies
Additional Training for Technical Staff
Information Technology Staff
Incident Reporting and Response
Secure Software Development
Software Development Life Cycle
Sensitive and Regulated Data
Enforcing Security Policy
TRAINING AND AWARENESS METHODS
EVALUATE THE EFFECTIVENESS OF TRAINING
Report on Training Effectiveness
9 - Security Compliance Management and Auditing
ESTABLISHING AN INFORMATION SECURITY COMPLIANCE MANAGEMENT PROGRAM
PUBLISHING AN INFORMATION SECURITY COMPLIANCE POLICY
DEPLOY AN INFORMATION SECURITY COMPLIANCE PROCESS
Step 1: Determine Applicable Security Policies, Laws, and Regulations
Step 2: Prepare the Information Security Compliance Management Plan
Step 3: Data Collection and Asset Identification
Step 4: Perform Risk Analysis
Step 5: Report Findings and Recommendations
Step 6: Execute the Implementation Plan
Step 7: Periodically Monitor, Test, Review, and Modify the Information Security Compliance Management Program
INFORMATION SECURITY COMPLIANCE MANAGEMENT IN MERGERS AND ACQUISITIONS
10 - Information Security Program Metrics
BUILDING THE SECURITY METRICS PROGRAM
Step 1: Identify the Stakeholders
Step 2: Define Metrics Program Goals and Objectives
Step 3: Decide Which Metrics to Report
ISO 27004:2009—Information Security Management—Measurement
NIST Special Publication 800-55 Revision 1—Performance Measurement Guide
Questions Relevant to Meaningfulness
Questions Relevant to Measurability
Questions Relevant to Correctness
Questions Relevant to Usefulness
Step 4: Establish Targets and Thresholds
Step 5: Develop Strategies for Collecting Metrics Data
Step 6: Determine How Metrics Will Be Reported
Step 7: Create a Remediation Action Plan
Step 8: Conduct a Formal Program Review Cycle
INFORMATION SECURITY METRICS AND KEY PERFORMANCE INDICATORS
Examples of Strategic KPIs
Examples of IT Risk Management KPIs
Examples of Operational Security KPIs
COMMON OBJECTIONS TO INFORMATION SECURITY METRICS PROGRAMS