Module 4 Governance Strategy Policy


CSG3309

IT Security Management
Governance, Strategy, Policy
and Planning
Learning Objectives

• Understand governance and the role of governance in organisations
• Examine how top level strategies rely on good governance to fulfil their goals
• Review some established governance frameworks
• Do some planning
• Understand how strategies and operational plans translate to policies
• Examine different types of policies (broad enterprise information security policy vs. technical policies to enforce compliance)
• Examine the process for implementing IT security policies
• Discuss compliance with respect to IT security policies
• Review the relationship between governance, risk and compliance
• Understand the concept of Defence-in-Depth
• Review the Design of Architecture and understand how it relates to planning
• Introduce the SETA program and how it can be used to achieve business objectives
Governance and Strategy
Let’s try to define this beast

Governance is
• “The set of responsibilities and practices exercised by the
board and executive management with the goal of providing
strategic direction, ensuring that objectives are achieved,
ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used
responsibly”
Strategic planning and corporate responsibility are best
accomplished using an approach many call Governance, Risk
management, and Compliance (GRC)

Source: Management of Information Security, 5th Edition - © Cengage Learning


Governance structures and frameworks

Define the responsibility structure of an organisation, for example:

• A monarchy is a governance structure where the king/queen says, and people do.
• A democracy should be governed by fairly elected representatives.
• A hackers' collective might be a tightly controlled oligarchy, or it may be anarchical (a state of society without government or law1).
• IT security governance frameworks have been defined by standards organisations.
Different structures are suited to different communities and environments.

1. (Macquarie dictionary : Australia’s national dictionary online., 2003)


Roles of governance

Connect directors, shareholders, management, operational staff and other stakeholders through top-level organisational rules

Clearly define roles and responsibilities of senior executives with respect to delivering the outcomes defined in the strategic plan

Provide a framework for an organisation to develop and monitor plans based on the organisation's:
• goals
• legal obligations
• ethical aspirations
• shareholder responsibilities
• corporate responsibilities
• social responsibilities

Information Security Governance outcomes. Five goals are:
 Strategic alignment
 Risk management
 Resource management
 Performance measures
 Value delivery
Information security governance roles and
responsibilities

Source: This information is derived from the Corporate Governance Task Force Report, “Information
Security Governance: A Call to Action,” April 2004, National Cyber Security Task Force.
Governance without strategy

Would be a very strange concept...


• “Thank you, as the newly elected
president of this organisation I promise I
will do random stuff and hope things
work out.”
• “The board has no idea what it’s doing
or why it’s here, that’s why we’ve hired
a new CEO to implement our vision.”
Strategy – the first step in governance

...just a plan, but it’s a big plan.


• “a plan which is devised to achieve a particular
outcome.” (Macquarie dictionary : Australia’s national
dictionary online, 2003)
A bunch of goals and statements which provide a
direction or focus for an organisation.

Developed at senior levels within an organisation

Seeks to satisfy the needs of many influential stakeholders

Needs broad support from stakeholders to have a chance of success

Monty Python's Flying Circus - the 100 yards for people with no sense of direction.
Strategic Plan

First priority of management and the information security team is the creation of a strategic plan that will accomplish the information security objectives of the organization

Strategic plan sets the long-term direction to be taken


• Mission / vision
• Core values
• SWOT (strengths, weaknesses, opportunities, threats)
• Performance Measures / Funding
• Business Objectives / Strategies
South Australian Government Cyber Security Strategic Plan
Example strategic goals and statements

Australia’s Cyber Security Strategy “... Will invest $1.67 billion over 10 years to achieve our vision, a more secure online world for Australians, their businesses and the essential services upon which we all depend.” (Australian Government Department of Home Affairs)
“IBM's new strategy included a goal to eliminate 1,100,000
megawatt-hours (MWh) of energy consumption by year-
end 2012 through conservation and efficiency” (IBM,
2011)
ECU’s Strategic goals “...will enhance excellence in:
learning and teaching; research and knowledge translation;
internationalisation; and organisational sustainability.”
(Edith Cowan University, 2017)
Strategic Plan – Precursors to Planning

To implement effective planning, an organization’s leaders usually begin from previously developed positions that explicitly state the organization’s ethical, entrepreneurial, and philosophical perspectives

Mission Statement:
• “Random Widget Co designs and manufactures quality widgets and associated
equipment and supplies for use in modern business environments”
Values Statement:
• “Random Widget Co values commitment, honesty, integrity and social responsibility
among its employees, and is committed to providing its services in harmony with its
corporate, social, legal and natural environments”
Vision Statement:
• “Random Widget Co will be the preferred manufacturer of choice for every business’s
widget equipment needs, with an RWW widget in every machine they use”
Some formal governance frameworks

Don’t re-invent the wheel: many organisations have already published their guidelines and best practices for IT Security Governance:
• ITGI (Information Technology Governance Institute)
• NACD (National Association of Corporate Directors)
• CGTF/NCSP (Corporate Governance Task Force; National Cyber Security Partnership)
• ISO/IEC 27014 (International Organization for Standardization / International Electrotechnical Commission)

These can form the foundation of your organisation's governance approach


Governance Models and Frameworks

NCSP – Framework for Information Security Governance
• Develop plans and initiate actions to provide adequate InfoSec for networks, facilities, systems, and information
• Treat InfoSec as an integral part of the system life cycle
• Provide InfoSec awareness, training, and education to personnel
• Conduct periodic testing and evaluation of the effectiveness of InfoSec policies and procedures
• Create and execute a plan for remedial action to address any InfoSec deficiencies
• Develop and implement incident response procedures
• Establish plans, procedures, and tests to provide continuity of operations
• Use security best practices guidance, such as the ISO 27000 series, to measure InfoSec performance

ISO/IEC 27014 “Governance of Information Security”
The standard specifies six high-level “action-oriented” information security governance principles:
• Establish organization-wide information security
• Adopt a risk-based approach
• Set the direction of investment decisions
• Ensure conformance with internal and external requirements
• Foster a security-positive environment
• Review performance in relation to business outcomes
ISO/IEC 27014:2013 is the ISO 27000 series standard for Governance of Information Security
Policy
Information Security Policy, Standards & Practices

A quality information security program begins and ends with policy

Communities of interest must consider policies as the basis for all information security efforts
 Policies direct how issues should be addressed, and technologies used
 Policies should never contradict law
 Security policies are the least expensive controls to execute but most difficult to implement properly
 Shaping policy is difficult
What policy?

Definition:
• a definite course of action adopted as expedient or from other considerations: a business policy.1
• “a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government, or a political party” (Cambridge, n.d).

1. Macquarie dictionary : Australia’s national dictionary online. (2003)


What policy?

Tools for governing:

• Policies formally define rules, guidelines and procedures that must be followed.
• Document requirements for managing and controlling assets
• Document rights and responsibilities
• Help non-technical staff and users understand requirements and responsibilities
• Map high level strategies through to day-to-day operational requirements.
• Control IT and information related risks
• Allow organisations to measure compliance.
• Make end-users cranky because they just don’t understand why they can’t install whatever Barcode Reader app they want (hint, it’s to control malware).
Policy, standards, and practices

Policies define what you can do and not do, whereas the other documents (standards, procedures, guidelines) focus on the how.

For policies to be effective they must be:
• properly disseminated
• read
• understood
• agreed-to
• uniformly enforced
Source: Management of Information Security, 5th Edition - © Cengage Learning
Policies, Standards & Practices
Specific types of security policies

Policies differ depending on what they’re trying to achieve.
• Compliance with business procedures and strategic direction
• Compliance on procedures for handling specific issues (probably the most common?)
• Information about implementing and maintaining specific systems
• Guidelines for managing systems or technology
• Technical specifications to ensure configuration compliance.
Enterprise information security policy (EISP)

Enterprise information security policy (EISP) is that high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts. It:
• Provides an overview of the corporate philosophy on security
• Provides information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
• Fully articulates responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
• Fully articulates responsibilities for security that are unique to each role within the organization

An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy

Source: Management of Information Security, 5th Edition - © Cengage Learning


EISP Elements

Source: Management of Information Security, 5th Edition - © Cengage Learning


Issue-specific security policy (ISSP)

An Issue-specific security policy (ISSP) is:
• An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies

An issue-specific security policy (ISSP) is designed to regulate the use of some technology or resource issue within the organization
In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use

Source: Management of Information Security, 5th Edition - © Cengage Learning


Example issue-specific security policies

• Electronic mail, IM and other communications apps
• Use of the Internet, the Web, and company networks
• Malware protection requirements
• Non-organizationally issued software or hardware on organization assets
• Organizational information on non-organizationally owned computers
• Prohibitions against hacking or testing security controls or attempting to modify or escalate privileges
• Access control credentials by users
• Personal and/or home use of company equipment
• Removal of organizational equipment from organizational property
• Personal equipment on company networks
• Personal technology during work hours
• Organizational telecommunications technologies and networks
• Photocopying and scanning equipment
• Company information while outside company facilities

Source: Management of Information Security, 5th Edition - © Cengage Learning


Elements of the ISSP

Statement of Purpose
• Scope and Applicability
• Definition of Technology Addressed
• Responsibilities

Authorized Access and Usage of Equipment
• User Access
• Fair and Responsible Use
• Protection of Privacy

Prohibited Usage of Equipment
• Disruptive Use or Misuse
• Criminal Use
• Offensive or Harassing Materials
• Copyrighted, Licensed or other Intellectual Property
• Other Restrictions

Systems Management
• Management of Stored Materials
• Employer Monitoring
• Virus Protection
• Physical Security
• Encryption

Violations of Policy
• Procedures for Reporting Violations
• Penalties for Violations

Policy Review and Modification
• Scheduled Review of Policy and Procedures for Modification

Limitations of Liability
• Statements of Liability or Disclaimers

Source: Management of Information Security, 5th Edition - © Cengage Learning


Systems-Specific Security Policy

Systems-Specific Security Policies (SysSPs) sometimes have a different look and may seem more like procedures to some readers
They may often function as standards or procedures to be used when configuring or maintaining systems
SysSPs can be separated into:
• Managerial guidance
• Technical specifications
or
• combined in a single unified SysSP document

Source: Management of Information Security, 5th Edition - © Cengage Learning


Managerial guidance SysSPs

 Created by management to guide the implementation and configuration of technology
 Applies to any technology that affects the confidentiality, integrity or availability of information
 Informs technologists of management intent

Source: Management of Information Security, 5th Edition - © Cengage Learning


Technical specifications SysSPs

Directions to system administrators on implementing managerial policy.

Each type of equipment has its own type of policies

There are two general methods of implementing such technical controls:
• access control lists
• configuration rules

Source: Management of Information Security, 5th Edition - © Cengage Learning


Access Control Lists (ACLs)

Include the user access lists, matrices, and capability tables that govern the rights and privileges of users
A capability table specifies which subjects and objects users or groups can access
These specifications are frequently complex matrices, rather than simple lists or tables
In general ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file.
In general ACLs regulate:
• Who can use the system
• What authorized users can access
• When authorized users can access the system
• Where authorized users can access the system from
• How authorized users can access the system

Source: Management of Information Security, 5th Edition - © Cengage Learning
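The who/what/when/where/how list above is exactly the set of dimensions a capability table encodes. The following is an added example (not from the textbook or the course) of a small capability-table evaluator: each entry names a subject, an object, the permitted rights, a time-of-day window, the source networks and the access channel, and a request is permitted only if some entry grants every dimension. The organisation, users, networks and requests are constructed for illustration.

```python
"""Capability-table style ACL evaluator.

Added example (not from the textbook or the course): every entry, user, network
and request below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    """One row of the capability table: WHO may do WHAT to which object,
    WHEN (time of day), from WHERE (source networks) and HOW (access channel)."""
    subject: str                                   # user or group name
    obj: str                                       # system, share or file
    rights: frozenset                              # permitted operations
    start: time = time(0, 0)                       # earliest time of day
    end: time = time(23, 59, 59)                   # latest time of day
    sources: tuple = ("0.0.0.0/0",)                # permitted source networks (CIDR)
    methods: frozenset = frozenset({"console", "lan", "vpn"})


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    obj: str
    right: str
    when: datetime
    source_ip: str
    method: str


def entry_permits(entry: AclEntry, req: Request) -> bool:
    """True only when every dimension of the entry permits the request."""
    if entry.subject != req.user and entry.subject not in req.groups:
        return False                                            # who
    if entry.obj != req.obj or req.right not in entry.rights:
        return False                                            # what
    if not entry.start <= req.when.time() <= entry.end:
        return False                                            # when
    if not any(ip_address(req.source_ip) in ip_network(n) for n in entry.sources):
        return False                                            # where
    return req.method in entry.methods                          # how


def is_permitted(acl, req: Request) -> bool:
    """Default deny: a request succeeds only if some entry explicitly grants it."""
    return any(entry_permits(e, req) for e in acl)


# Constructed sample table for a hypothetical organisation.
ACL = [
    AclEntry("finance", "payroll-db", frozenset({"read"}),
             start=time(8, 0), end=time(18, 0),
             sources=("10.0.0.0/8",), methods=frozenset({"lan", "vpn"})),
    AclEntry("dba", "payroll-db", frozenset({"read", "write", "backup"})),
    AclEntry("alice", "hr-share", frozenset({"read", "write"}),
             sources=("10.20.0.0/16",), methods=frozenset({"lan"})),
]


def evaluate_samples():
    """Constructed requests against ACL; each key names the dimension it exercises."""
    fin = frozenset({"finance"})
    cases = {
        "finance_read_in_hours": Request("bob", fin, "payroll-db", "read",
                                         datetime(2024, 3, 4, 10, 30), "10.1.2.3", "vpn"),
        "finance_read_after_hours": Request("bob", fin, "payroll-db", "read",
                                            datetime(2024, 3, 4, 22, 0), "10.1.2.3", "vpn"),
        "finance_write_denied": Request("bob", fin, "payroll-db", "write",
                                        datetime(2024, 3, 4, 10, 30), "10.1.2.3", "vpn"),
        "finance_from_internet": Request("carol", fin, "payroll-db", "read",
                                         datetime(2024, 3, 4, 10, 30), "203.0.113.5", "vpn"),
        "alice_wrong_channel": Request("alice", frozenset(), "hr-share", "write",
                                       datetime(2024, 3, 4, 10, 30), "10.20.5.6", "vpn"),
        "dba_backup_at_night": Request("dave", frozenset({"dba"}), "payroll-db", "backup",
                                       datetime(2024, 3, 4, 3, 0), "192.0.2.1", "console"),
    }
    return {name: is_permitted(ACL, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:28s} {'PERMIT' if allowed else 'DENY'}")
```

Two design points carry over to real systems: the evaluator is default-deny (no entry, no access), and a single entry must satisfy all five dimensions at once, so a user cannot combine the time window of one entry with the network range of another.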


Configuration Rules

Configuration rules are instructional codes that guide the execution of the system when information is passing through it
Rule policies are more specific to the operation of a system than ACLs, and may or may not deal with users directly
Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

Source: Management of Information Security, 5th Edition - © Cengage Learning
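A packet filter is the classic case of a rule policy that acts on information passing through a system without referring to users at all. The following is an added example (not from the textbook, and not any real firewall's syntax) of a first-match rule engine with an implicit deny, plus a check for rules that can never fire. The point it adds to the slide is that rule order is itself policy: the constructed rule set places a broad allow above the specific deny the policy intended, so the BYOD segment reaches the intranet web server anyway. Rule set and packets are constructed for illustration.

```python
"""First-match rule engine in the style of a packet-filter configuration.

Added example (not from the textbook or any real firewall): the rule set and the
sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: str                  # source network, CIDR
    dst: str                  # destination network, CIDR
    dport: Optional[int]      # destination port, None = any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def decide(rules, pkt: Packet):
    """First matching rule wins; no match falls through to the implicit deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them.

    Simplified containment check (one rule fully inside an earlier one); it is
    enough to catch the common 'broad allow above a specific deny' mistake.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                shadowed.append(i)
                break
    return shadowed


# Constructed rule set with a deliberate ordering mistake: the broad allow in
# rule 0 is evaluated before the BYOD/guest deny in rule 1.
RULES = [
    Rule("allow", "tcp", "10.0.0.0/8",   "10.10.0.5/32",  443,  "intranet web for all internal ranges"),
    Rule("deny",  "any", "10.99.0.0/16", "10.10.0.0/24",  None, "BYOD/guest segment may not reach the server VLAN"),
    Rule("allow", "udp", "10.0.0.0/8",   "10.10.0.53/32", 53,   "internal DNS"),
    Rule("allow", "tcp", "10.99.0.0/16", "10.10.0.5/32",  443,  "redundant: shadowed by rule 0"),
]

# The same rules with the specific deny placed first, as the policy intends.
RULES_FIXED = [RULES[1], RULES[0], RULES[2]]


def evaluate_samples():
    """Constructed packets run through both orderings."""
    byod_web = Packet("tcp", "10.99.1.7", "10.10.0.5", 443)
    byod_ssh = Packet("tcp", "10.99.1.7", "10.10.0.5", 22)
    dns = Packet("udp", "10.5.5.5", "10.10.0.53", 53)
    external = Packet("tcp", "192.0.2.9", "10.10.0.5", 443)
    return {
        "byod_web_wrong_order": decide(RULES, byod_web),      # allowed by rule 0
        "byod_ssh": decide(RULES, byod_ssh),                  # denied by rule 1
        "dns": decide(RULES, dns),                            # allowed by rule 2
        "external_default": decide(RULES, external),          # implicit deny
        "byod_web_fixed_order": decide(RULES_FIXED, byod_web),  # denied by rule 0
        "shadowed": shadowed_rules(RULES),                    # rule 3 never fires
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:22s} {result}")
```

A shadow check like the one above belongs in the review step of any configuration-rule SysSP: a rule that can never match is either dead weight or, worse, evidence that the rule the policy actually required is being pre-empted.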


Combination SysSPs

Many organizations create a single document combining elements of both Management Guidance and Technical Specifications SysSPs

While this document can be somewhat confusing to the users of the policies, it is very practical to have the guidance from both perspectives in a single place
Such a document should carefully articulate the required actions for each procedure described

Source: Management of Information Security, 5th Edition - © Cengage Learning


Implementing Policy
Implementing policy

Like any major project, a policy development or redevelopment project should be well planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget
One way to accomplish this goal is to use a systems development life cycle (SDLC), a formal approach to problem solving based on a structured sequence of procedures

Source: Management of Information Security, 5th Edition - © Cengage Learning


Investigation phase

The policy development team should attain:

• Support from senior management
• Support and active involvement of IT management, specifically the CIO
• Clear articulation of goals
• Participation of the correct individuals from the communities of interest affected by the policies, including Legal, Human Resources and end-users
• A project champion with sufficient stature and prestige
• A capable project manager
• A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project

Source: Management of Information Security, 5th Edition - © Cengage Learning


Analysis phase

The Analysis phase should include the following activities:
• A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization
• The gathering of key reference materials, including any existing policies

Source: Management of Information Security, 5th Edition - © Cengage Learning


Design phase

The first task in the design phase is the drafting of the actual policy document
While this task can be done by a committee, it is most commonly done by a single author
• There are a number of references and resources available on the Web, through professional literature and from peers and consultants
Next, the development team or committee reviews the work of the primary author and makes recommendations about its revision
Once the committee approves the document, it goes to the approving manager or executive for sign-off

Source: Management of Information Security, 5th Edition - © Cengage Learning


Implementation phase

In the implementation phase, the team must create a plan to distribute and verify the distribution of the policies
Members of the organization must explicitly acknowledge that they have received and read the policy (compliance)
The simplest way to document acknowledgment of a written policy is to attach a cover sheet that states “I have received, read, understood, and agreed to this policy”
• The employee’s signature and date provide a paper trail of his or her receipt of the policy

Source: Management of Information Security, 5th Edition - © Cengage Learning


Maintenance phase

During the maintenance phase, the policy development team monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats
The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously
Periodic review should be built in to the process

Source: Management of Information Security, 5th Edition - © Cengage Learning


Policy compliance

“Policies must be agreed to by act or affirmation. Agreement by act occurs when the employee performs an action, which requires them to acknowledge understanding of the policy, prior to use of a technology or organizational resource”
What if an employee explicitly refuses to agree to comply with policy?
It seems clear that failure to agree to a policy is tantamount to refusing to work and thus may be grounds for termination

Source: Management of Information Security, 5th Edition - © Cengage Learning


Policy enforcement

The final component of the design and implementation of effective policies is uniform and impartial enforcement
As in law enforcement, policy enforcement must be able to withstand external scrutiny
Enforcement may also be achieved through technical controls:
• Don’t accept short passwords
• Restrict the BYOD Wi-Fi network from access to the corporate network.
• Disable users’ swipe card access to non-essential buildings

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning
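“Don’t accept short passwords” is the simplest case of a technical control enforcing a written rule: the ISSP states the credential requirements, a SysSP technical specification turns them into parameters, and the directory or application rejects anything that violates them. The following is an added example (not from the textbook) of such a check; POLICY is a hypothetical technical specification and the candidate passwords are constructed for illustration.

```python
"""Technical enforcement of a written password rule.

Added example (not from the textbook): POLICY is a hypothetical SysSP technical
specification and the candidate passwords below are constructed.
"""
import string

# Hypothetical technical specification derived from an ISSP on access credentials.
POLICY = {
    "min_length": 12,
    "min_classes": 3,                     # of: lower, upper, digit, symbol
    "banned_words": {"password", "welcome", "letmein", "qwerty"},
    "forbid_username": True,
}

_CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)


def character_classes(pw: str) -> set:
    """Which of the four character classes appear in pw."""
    return {name for name, chars in _CLASSES if any(c in chars for c in pw)}


def policy_violations(pw: str, username: str, policy: dict = POLICY) -> list:
    """Return the policy clauses the candidate violates (empty list = accepted).

    The control rejects; it never 'fixes' the password, and it reports every
    violated clause so the user can correct them in one attempt.
    """
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append("min_length")
    if len(character_classes(pw)) < policy["min_classes"]:
        violations.append("min_classes")
    lowered = pw.lower()
    if any(word in lowered for word in policy["banned_words"]):
        violations.append("banned_word")
    if policy["forbid_username"] and username.lower() in lowered:
        violations.append("contains_username")
    return violations


def accept_password(pw: str, username: str, policy: dict = POLICY) -> bool:
    """The enforcement decision a directory or application makes at change time."""
    return not policy_violations(pw, username, policy)


def evaluate_samples():
    """Constructed candidates, each targeting a different clause of POLICY."""
    return {
        "strong": policy_violations("Orbit-Kettle-9-Marble", "alice"),
        "short": policy_violations("Pa$$w0rd", "alice"),
        "two_classes": policy_violations("alice1234567890", "alice"),
        "banned": policy_violations("Welcome2024!!!", "alice"),
    }


if __name__ == "__main__":
    for name, violated in evaluate_samples().items():
        print(f"{name:12s} {'accepted' if not violated else 'rejected: ' + ', '.join(violated)}")
```

One caveat a practitioner would raise when this clause is drafted: NIST SP 800-63B (2017) recommends against mandatory composition rules and in favour of screening candidates against a blocklist of known-compromised and common passwords. The small banned-word set above stands in for such a blocklist; the composition clause is kept only because it is what the slide's example policy asks for.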


Other Approaches to Information Security
Policy Development

There are a number of other approaches to developing information security policy
• Information Security Policies Made Easy Approach (ready to go security policy template library)
• SANS Institute
• SP 800-18, Rev.1: Guide for Developing Security Plans for Federal Information Systems

Source: Management of Information Security, 5th Edition - © Cengage Learning


Policy in the context of governance

One word: compliance.

• Because policies define the rules of an organisation, good governance must ensure compliance.
• No point in having rules that people don’t follow.
Remember, it’s ALL about risk

Policies are risk management tools.

I’ll bet we can relate ANY policy back to risk:
• Password policy → defend against risk of accounts being compromised.
• Conflict of interest policy → defend against risks due to people not acting in the best interest of the organisation.
• Abercrombie & Fitch's hair style policy1 → defend against risks to the brand image (whether you like it or not it’s their image; obviously someone likes it).

1. Exclusive: The Hairstyles Abercrombie Has Deemed "Unacceptable” (BuzzFeed / Maheshwari, 2013)
The Information Security Blueprint
Information Security Blueprint

A framework or security model customised to an organisation, including implementation details.

Once an organisation has developed its information security policies and standards, the information security community can begin developing the blueprint for the information security program
Information Security Blueprint

 Basis for design, selection, and implementation of all security policies, education and training programs, and technological controls
 Detailed version of security framework (outline of overall information security strategy for organization)
 Specifies tasks and order in which they are to be accomplished
 Should also serve as a scalable, upgradeable, and comprehensive plan for the current and future information security needs
Design of Architecture
Design of Security Architecture 1/2

Spheres of security: foundation of the security framework

Levels of controls:
• Management controls set the direction and scope of the security processes and provide detailed instructions for their conduct.
• Operational controls address personnel and physical security and the protection of production inputs/outputs.
• Technical controls are the tactical and technical implementations related to designing and integrating security in the organization.
Recap – Week 1 POLC
Design of Security Architecture 2/2 – Key Terms

Defense in depth
• Implementation of security in layers
• Requires that the organization establish multiple layers of security controls and safeguards
Security perimeter
• Border of security protecting internal systems from outside threats
• Does not protect against internal attacks from employee threats or onsite physical threats
Design of Security Architecture - Spheres of Security
Design of Security Architecture - Defense in Depth
Design of Security Architecture - Security Perimeters
Security Education, Training & Awareness
(SETA) Program
Security Education, Training & Awareness (SETA)
Program

 Once general security policy exists, implement security education, training, and awareness (SETA) program.
 SETA is a control measure designed to reduce accidental security breaches.
 The SETA program consists of security education, security training, and security awareness.
 It enhances security by improving awareness, developing skills and knowledge, and building in-depth knowledge.
Comparative Framework of SETA

                  Education                   Training                     Awareness
Attribute         Why                         How                          What
Objective         Understanding               Skill                        Exposure
Teaching method   Theoretical instruction     Practical instruction        Media
                  • Discussion seminar        • Lecture                    • Videos
                  • Background reading        • Case study workshop        • Newsletters
                                              • Hands-on practice          • Posters
Test measure      Essay (interpret learning)  Problem solving (apply       • True or False
                                              learning)                    • Multiple choice
                                                                           (identify learning)
Impact timeframe  Long term                   Intermediate                 Short term

Source: NIST SP 800-12


Summary
Summary

• Governance is responsibilities and practices that are exercised by the board and executives of an organisation
• Governance, Risk, Compliance are an often-quoted trio (GRC)
• Governance closely relates to strategy – it is the set of practices that will help an organisation achieve its strategic goals
• Many information security governance frameworks already exist, you don’t need to reinvent the wheel – just find one that’s appropriate to your needs
• Planning is an essential business process closely related to governance.
• Planning occurs at several levels: strategic, tactical and operational
• Policies are the tools used to turn plans into real-world instructions and rules
• Policies come in many flavours, from general business guidelines, to operational rules and system specific requirements
• Policy development is a very important process in managing IT security
• Policy development can follow similar phases to other products or services: Investigation; Analysis; Design; Implementation; Maintenance
• Policies without compliance don’t achieve anything
• Policy compliance is generally sought through agreement, but...
• Consider how to achieve compliance when there’s no agreement
• Policy enforcement can involve management directives “do this or else..”.
• Policies may also be enforced through technical means (turn off the Wi-Fi, force password complexity)
• Information security education, training, and awareness (SETA) is a control measure that reduces accidental security breaches and increases organizational resistance to many other forms of attack
• Defense-in-depth requires that the organization establish multiple layers of security controls and safeguards
• The security perimeter is the border of security protecting internal systems from outside threats
