ISACA CISM – Domain 03 – Information Security Program Development Part 4

28. Elements of the Roadmap Part4

So as I mentioned, a general control has kind of a wider scope. The general controls are just activities that support your entire organization in a centralized fashion. If part of my security solution or my security program might be the use of ID badges and magnetic key locks to be able to gain entry into a facility, that certainly is going to affect the entire organization. Everybody that has to use that facility. Not just my information technology part of it, but everyone that comes in, from the CEO all the way down to contractors coming in there. So the term general is used to describe controls that are over the infrastructure and operate, or should operate in a shared environment.

Now, these controls can be managed by different groups other than the security manager as well, but the security manager is the one who must identify what those roles and responsibilities are going to be and assign them appropriately. So again, if you think about my example of the magnetic key locks, there may be a contingent that you have that is responsible for the physical security of the facilities. And so that’s certainly not something the It department is going to deal with, but it’s going to be something that you would assign to those facilities managers for them to be able to take care of those types of issues of that control.

29. Elements of the Roadmap Part5

Now, if you use the constraints of roles and responsibilities, the Information Security Manager should be able to help identify the key technology elements that facilitate the achievement of your control objectives. And if it’s used centrally throughout the organization, it should become a part of the overall security architecture.

30. Gap Analysis

After the roles and responsibilities have been properly established. The next step is to have an inventory. It should be taken of the required versus existing technology and processes. What we’re doing here is we’re basically creating a gap analysis. Now, the inventory and analysis can help identify where the control objectives are not adequately supported by the controls and that information can be helpful in the progress being made towards achieving the security program goals. In other words, we now know where we’re deficient and we can then make our road map to see what it takes to get that particular control or whichever ones that we’re reviewing and analyzing to the desired state of security.

31. Lesson 5: Information Security Management Framework

So now, on this lesson, we’re going to talk about the information security management framework, which means we’ll talk a little bit about what that framework is supposed to be about. And then we’ll take a look at some examples of frameworks, such as the COBIT Five or the ISO IEC 270. Zero, one.

32. Security Management Framework

So when we talk about a security management framework or anything that has the title framework, it’s important to remember that it is a conceptual representation of a management structure. So it’s kind of a goal to try to achieve. Part of what we have to do, of course, in any framework is have some definitions of what we’re trying to accomplish. So we’ll often see that it’s going to define, as it says here, technical, operational, administrative and managerial components of a program, of a security program. Again being a little bit vague about which specific program. But that’s the nice thing about a framework is we can use it as a template to put it on top of whatever that security objective is going to be. It should also define the organizational units involved and the leadership, right, those who are the decision makers.

Now some of the other outcomes that we want from effective security management framework should focus on some of the short or shorter term needs. As an example, one of the things we should have is, as we talked about with the organizational units or the leaders, is who the decision makers, they really need to have an awareness of what the risk is, what your mitigation options are. Because when you think about it, if we’re going to still look at that top down, we want the management staff to do what we call buy in to this program. And if you’re the one that’s trying to sell this program and let’s say you’re the Is manager, you want to be able to craft some options for the outcomes. You want to basically try to sell this program, but more than just sell it, I mean, you also need this as the outline so that we basically are going forward in a direction that works to meet whatever the security needs are going to be.

So you have to be able to at least somehow list and again, this is back in documentation, the tactical and strategic value add to the organization. In other words, more than likely there’s going to be some money involved. And so we want to be able to say what is the value add? The value add is hey, you’re going to be in compliance with regulatory laws. That sounds like a good value add to an organization. Or if after a risk analysis, we decided that something very important to us, like a database of customers is at higher risk because of how the security attacks have changed over time. Sounds like another value add. But we also want to make sure that we’re not just throwing money away. We want efficient operation with regards to cost.

In other words, I might look at it, if you’re looking for specific hardware, that’s where the vendors are going to come in and those vendors are going to give you all of these pox proof of concepts about their product and hopefully the data sheets that go with that product. And you can use that to compare it against what the goals are and be able to find the equipment that’s going to work for you. Efficient operation. You might decide, hey, it’s time to buy this new firewall from a vendor we’ve never used. But look at what it does. Okay, maybe it does work very well. What does that do to cost? And I’m just throwing this out as examples, but often then you have the cost of testing the equipment, you have the cost of installing it, of training the people in your organization to know how to use it if it’s something that’s new and it’s not a part of their existing skill set.

So it just kind of continues on from there. Now, your vendors, I’m going to just warn you, they’re going to talk about operational costs. Some will say they’re greener than others. You won’t pay as much of a power bill. But that’s again, parts of what you hopefully are going to take a look at as you’re putting this together. All right, so again, and as you’re going through this, the next part here is you’re going to look at what is the information security drivers, the activities, the benefits, the needs. I guess that kind of goes back to where I talked about looking at the proof of concepts, the data sheets about what’s happening. So when you consider the types of options that the information Security Manager is going to try to produce or the type of information they’re going to craft, the options, like I said, have to deliver, as I said here, and I’ll underline it again, something that’s a value add.

It could be questions like whether this program is going to add a tactical or strategic value to the organization or if the program is being operated efficiently with cost issues. As I’ve talked about, if the program is going to foster cooperation and goodwill between those organizational units, which is again, a part of, hopefully any plan is getting everybody involved. So that’s really kind of what we’re looking at as a framework. And now we’re going to take a look at some of the existing frameworks that you might choose to use in coming up with this program.

33. COBIT 5

So the first one is COBIT, in this case COBIT Five. COBIT stands for the Control objectives for informationrelated Technology, used to sand for something different. But it is a comprehensive framework that can help if you use it to meet your objectives. And it really consists of five different principles that we’re going to take a look at and talk about as we go through it. Certainly I’m not going to talk about in great detail of everything that is represented in COBIT. If you were to look it up, start using this as a way of developing your framework, then you’re going to see that there’s a lot more to it, obviously. But our goal here is to at least know that it does exist and that we should learn about it in more detail if you are involved in creating some of these programs.

But the simple goal of this set up with COVID is to try to create an optimal value from It by basically having a balance between getting the benefits and optimizing the risk levels and your resource use. And so it’s kind of a holistic set up. The first principle in COVID here is meeting the stakeholder needs. So if you think about It, stakeholders, as I talked about, is anybody who has an interest in this company succeeding. That also includes users or not users, the employees, I should say. I guess they could be the users, but the employees would certainly like, I’m certain, to continue to work and have their jobs. So again, that’s where we’re trying to create that balance and trying to make sure that the stakeholders understand that we’re meeting their needs both in the security realm and trying to giving them, I guess, the maximum benefits, optimizing the risk that we can and still being good with the effective cost.

So what are we doing? We’re balancing the risk, basically the needs of the company and trying to balance the costs. Principle two here is covering the enterprise from end to end. So basically the idea is that we’re trying to integrate the governance of the enterprise It into the enterprise governance itself. And again, governance is well, we’ve talked about that in the other domains, but if you noticed, I said governance of It versus the company itself, right? And that’s kind of going from end to end, if you could think about it. So our goal there is to make sure we cover all the functions and processes within the enterprise. And COVID doesn’t do just it right. It is about the It and the company. So as I said, it’s trying to basically treat information related technologies as an asset that needs to be dealt with like any other asset.

And it’s trying to consider all of the It related governance and management enablers from the enterprise end to end. The third principle here is applying a single integrated framework. All right? Now in the world of It, there are going to be many standards that we might have to deal with. Some people might call them best practices, whatever words you like to use with that. And each of those basically are on a subset, right? So if I were talking about firewall security as an example, they would talk about how we should limit traffic, what we should be looking for, what should be allowed. But that’s focusing on a best practice of a firewall. If it was a server, we might talk about best practices in hardening that server and turning off services we don’t need and a lot of different best practices.

But those are, again, focused kind of as a subset. And so what we’re trying to do here with applying a single integrated framework is we’re trying to take all of that into account so that we have basically an overarching framework for the governance and management of your it. The next principle there is enabling a Holistic approach. Again, the idea, if you’re seeing what it is, is we’re grouping everything together. We’re trying to basically have effective governance and management, and we want to take into account the different interacting components. So if I were just to draw a network diagram coming from the Internet world, often we would say, okay, well, we’re going to have a firewall.

We might have intrusion prevention, then we might have a core switch that traffic goes through and that’s going to break down into different parts of the organization. Maybe I’ve got a server farm that we’re trying to protect. And so Holistically, we’re not looking at just the subsets, right? We want to look at all of it together as we’re working with this framework. And then the next principle is separating governance from management. And in the COBIT framework, they do make a clear distinction between governance and management, two different disciplines with different activities. And so that means we would have different types of organizational units that are working on this.

But again, the idea here is that with governance, right, when we talk about that, that we’re trying to make sure that the stakeholder needs, conditions and options are evaluated to give us that balance that we talked about before. And then with the management, that’s where we’re doing the plans, the building and running and monitoring. And so we’re still going to have the separation of the two. But still, if we go back to the Holistic approach, just like I did with the network equipment, we should still have the ability to work with this from end to end. So the idea for COVID then, is not tell you this is step one, step two, step three, but it’s focused there, as you can see, is on providing guidance for all of the professionals that are involved.

34. ISO/IEC 27001

The next one we’ll look at is the ISO 270 zero one. It is a security standard for information security management systems. Sometimes they call it the Isms. And basically what it does, besides, as I said, having a standard, it also has the accompanying code of practice. In fact, the accompanying code of practice, this is ISO 270 zero two. And when this came out, the standards were again, kind of a high level comprehensive requirement for information security. Some of it was based on the British standard and slightly expanded. And they have, as you can see, a number of little areas that they’re going to talk about. One would be security policy. So that’s trying to give and I’m going to abbreviate management direction and as well as support for information security to make sure that again, that it’s going with the business requirements as well as relevant laws and regulations.

The next control area is the organization of assets and resources. And hopefully that seems pretty straightforward. Remember that assets are even some of the controls that we are using as well as what we’re trying to protect. And the resources can be the people and the networks and everything else. Asset classification and controls measures that we use to identify the assets and make sure that we have the appropriate protection and handling measures. Again, remember, controls often thought of as countermeasures or personnel security, making sure your employees, contractors, third parties know what their responsibilities are and especially when you consider that everybody is going to be in different parts of the organization.

Let me finish that word out there. And by defining what those responsibilities are, everybody knows what their jobs are supposed to be, something that’s kind of suitable for roles. And by doing that, everybody knows what their job is. The goal is to try to lower the risk of human error, especially if everybody knows how they’re working together. So the next one is the communications and operations management. It’s a way of having measures that can ensure the correct and secure operation of your information processing facilities. The next one is access control. Again, measures that we use to prevent unauthorized access notice. Again, these are high level, right? Information systems acquisition. And let me just back up. High level.

They’re not telling you step by step how to do this, but if you use it as a checklist you can make sure that you have met each of these different elements to be able to show that you’re trying to be in conformance with these frameworks. Anyway, the information systems acquisition, we could actually say acquisition or development and maintenance is, again, if you add all of that in there. So what else did I just tell you about the development of information systems and of course maintenance. All of those should be a part of what we’re looking at. And that’s all it’s trying to do is make sure that we actually have in place a plan on dealing with how we may add or further develop or configure or maintain these security controls.

Business continuity management is how we try to mitigate, minimize interruptions or the impact from interruptions. That’s what it’s always been about. So if I just said impact and give you a down arrow, right? We’re trying to lower the impact. Compliance is a way of measuring and it’s a measure that we use to prevent breaches of any criminal or civil laws or statutory, regulatory or contractual obligations. And then we should also have, as a part of this set up for incident management, the processes and capabilities that we use. And we’re going to talk a lot more about that in a different domain. But one of the big features here is going to be something like early detection, right? The earlier you detect an incident, the quicker you’re going to be able to respond and hopefully contain and lower the impact to your business.

• Category: Uncategorized