Security Governance Through Principles and Policies

Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
Security management planning ensures proper creation, implementation, and enforcement of a security policy.
Security management is a responsibility of upper management, not of the IT staff, and is considered an issue of business operations rather than IT administration.
Security management planning produces three kinds of plan:
- Strategic Plan: a long-term plan (roughly five years) that is fairly stable and defines the organization's overall security purpose.
- Tactical Plan: a midterm plan (about a year) developed to provide more details on accomplishing the goals set forth in the strategic plan, or crafted ad hoc in response to unpredicted events.
- Operational Plan: a short-term, highly detailed plan (updated monthly or quarterly) based on the strategic and tactical plans.
Source: ISC2 CISSP Study Guide, 8th edition.

Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
- Sensitivity: Sensitivity refers to the quality of information that could cause harm or damage if disclosed. Maintaining the confidentiality of sensitive information helps to prevent that harm or damage.
- Discretion: Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
- Criticality: The level to which information is mission-critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization.
- Concealment: Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy. While security through obscurity is typically not considered a valid security measure, it may still have value in some cases.
- Secrecy: Secrecy is the act of keeping something a secret or preventing the disclosure of information.
- Privacy: Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
- Seclusion: Seclusion involves storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforcement of confidentiality protections.
- Isolation: Isolation is the act of keeping something separated from others. Isolation can be used to prevent commingling of information or disclosure of information.
Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data.
Integrity can be examined from three perspectives:
- Preventing unauthorized subjects from making modifications
- Preventing authorized subjects from making unauthorized modifications, such as mistakes
- Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable
Integrity is dependent on confidentiality and access control: without control over which subjects can access an object, its integrity cannot be maintained. Other concepts, conditions, and aspects of integrity include the following:
- Accuracy: Being correct and precise
- Truthfulness: Being a true reflection of reality
- Authenticity: Being authentic or genuine
- Validity: Being factually or logically sound
- Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
- Accountability: Being responsible or obligated for actions and results
- Responsibility: Being in charge or having control over something or someone
- Completeness: Having all needed and necessary components or parts
- Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
The third principle of the CIA Triad is availability, which means authorized subjects are granted timely and uninterrupted access to objects. Availability depends on both integrity and confidentiality. Related concepts include:
- Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject
- Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
- Timeliness: Being prompt, on time, within a reasonable time frame, or providing a low-latency response
AAA services

- Identification: Claiming to be an identity when attempting to access a secured area or system
- Authentication: Proving that you are that identity
- Authorization: Defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity
- Auditing: Recording a log of the events and activities related to the system and subjects
- Accounting (aka accountability): Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
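The five services above as one runnable model, added here as an illustration and not taken from the study guide. The identity store, passwords, ACL entries and log events are constructed for the example, and PBKDF2 is used only as a stand-in password hash; the point is to see where identification, authentication, authorization, auditing and accounting (accountability review) each occur.

```python
"""Added illustration of the five AAA services (not from the study guide).
The identity store, ACL and events below are constructed for this example."""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _enroll(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed identity store: username -> (salt, password hash).
USERS = {
    "alice": _enroll("correct horse battery staple"),
    "bob": _enroll("hunter2"),
}

# Authorization data: explicit grants per (identity, object); anything absent is denied.
ACL = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
}

# Auditing: an append-only record of events. In production this goes to a
# write-once or remote log store so that subjects cannot erase their own trail.
AUDIT_LOG = []  # list of event dicts

# Fixed dummy salt so that a lookup of an unknown user still costs one hash.
_DUMMY_SALT = b"\x00" * 16


def _audit(**event) -> None:
    event["ts"] = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(event)


def authenticate(claimed_identity: str, password: str) -> bool:
    """Identification is the claim (the username); authentication proves it."""
    record = USERS.get(claimed_identity)
    if record is None:
        # Unknown identity: do the same work and log the same way so that the
        # response does not reveal which usernames exist.
        _hash_password(password, _DUMMY_SALT)
        _audit(event="auth", subject=claimed_identity, result="fail")
        return False
    salt, stored = record
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    _audit(event="auth", subject=claimed_identity, result="ok" if ok else "fail")
    return ok


def authorize(subject: str, obj: str, action: str) -> bool:
    """Authorization: does this authenticated identity hold this permission?"""
    allowed = action in ACL.get((subject, obj), set())
    _audit(event="access", subject=subject, object=obj, action=action,
           result="allow" if allowed else "deny")
    return allowed


def access(subject: str, password: str, obj: str, action: str) -> bool:
    """The full chain: identify, authenticate, then authorize; every step is audited."""
    if not authenticate(subject, password):
        return False
    return authorize(subject, obj, action)


def account(log: list[dict]) -> dict[str, list[str]]:
    """Accounting (accountability): review the audit trail and attribute each
    failed authentication and denied access to the subject that caused it."""
    findings: dict[str, list[str]] = {}
    for ev in log:
        if ev["result"] == "fail":
            findings.setdefault(ev["subject"], []).append("authentication failure")
        elif ev["result"] == "deny":
            findings.setdefault(ev["subject"], []).append(
                f"denied {ev['action']} on {ev['object']}")
    return findings


if __name__ == "__main__":
    access("alice", "correct horse battery staple", "payroll.db", "write")
    access("bob", "hunter2", "payroll.db", "write")   # authenticated, not authorized
    access("mallory", "guess", "payroll.db", "read")  # unknown identity
    for subject, issues in account(AUDIT_LOG).items():
        print(subject, issues)
```

Note that auditing and accounting are distinct: `_audit` only records, and nobody is held accountable until `account` reviews the trail. Bob's denied write shows that a successful authentication does not imply authorization, and the unknown user Mallory produces the same "fail" event as a wrong password for a real user.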
Security Infrastructure
- Protection Mechanisms: common characteristics of security controls include
  - Multiple layers or levels of access
  - Employing abstraction
  - Hiding data
  - Using encryption
- Layering or Defence in Depth
  - Layering is the use of multiple controls in series, so that a subject must pass each control in turn and the failure of any one control does not expose the whole environment. Networks comprise numerous separate entities, each with its own unique security controls and vulnerabilities; in an effective security solution there is a synergy between all networked systems that creates a single security front, and using separate security systems creates a layered security solution.
- Abstraction
  - Abstraction is used for efficiency: similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions collectively.
  - The concept of abstraction is used when classifying objects or assigning roles to subjects.
  - Abstraction is used to define what types of data an object can contain, what types of functions can be performed on or by that object, and what capabilities that object has. It simplifies security by enabling you to assign security controls to a group of objects collected by type or function.
- Data Hiding: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is neither accessible to nor visible to the subject.
- Encryption: the art and science of hiding the meaning or intent of a communication from unintended recipients.
Organizational Processes
Security governance needs to address every aspect of an organization.
- Change Control/Management
- Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities.
- Change management aims to ensure that any change does not lead to reduced or compromised security.
- The change control process (part of configuration or change management) has several goals or requirements:
- Implement changes in a monitored and orderly manner. Changes are always controlled.
- A formalized testing process is included to verify that a change produces expected results.
- All changes can be reversed (also known as backout or rollback plans/procedures).
- Users are informed of changes before they occur to prevent loss of productivity.
- The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
- The negative impact of changes on capabilities, functionality, and performance is minimized.
- Changes are reviewed and approved by a Change Advisory Board (CAB).
- Data classification
- Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality.
- The following are benefits of using a data classification scheme:
- It demonstrates an organization’s commitment to protecting valuable resources and assets.
- It assists in identifying those assets that are most critical or valuable to the organization.
- It lends credence to the selection of protection mechanisms.
- It is often required for regulatory compliance or legal restrictions.
- It helps define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable.
- It helps with data lifecycle management, which is the storage length (retention), usage, and destruction of the data.
- Criteria commonly used to determine the classification of a resource:
- The usefulness of the data
- Timeliness of the data
- Value or cost of the data
- Maturity or age of the data
- The lifetime of the data (or when it expires)
- Association with personnel
- Data disclosure damage assessment (that is, how the disclosure of the data would affect the organization)
- Data modification damage assessment (that is, how the modification of the data would affect the organization)
- National security implications of the data
- Authorized access to the data (that is, who has access to the data)
- Restriction from the data (that is, who is restricted from the data)
- Maintenance and monitoring of the data (that is, who should maintain and monitor the data)
- Storage of the data
To implement a classification scheme, you must perform seven major steps, or phases:
- Identify the custodian, and define their responsibilities.
- Specify the evaluation criteria of how the information will be classified and labeled.
- Classify and label each resource. (The owner conducts this step, but a supervisor should review it.)
- Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
- Select the security controls that will be applied to each classification level to provide the necessary level of protection.
- Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity.
- Create an enterprise-wide awareness program to instruct all personnel about the classification system.

Security documentation forms a hierarchy: the security policy at the top, then standards, baselines, and guidelines, and finally procedures.
A security policy is a document that defines the scope of security needed by the organization, discusses the assets that require protection, and states the extent to which security solutions should go to provide the necessary protection. It is an overview or generalization of an organization's security needs: it defines the main security objectives and outlines the security framework of the organization.
Standards define compulsory requirements for the homogeneous use of hardware, software, technology, and security controls.
A baseline defines a minimum level of security that every system throughout the organization must meet.
A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Guidelines are flexible and not compulsory.
A procedure or standard operating procedure (SOP) is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.