Chapter 19. Business Unit Interaction

This chapter covers the following topics:

This chapter covers CAS-003 objective 5.3.

In every enterprise, security professionals must facilitate interaction across diverse business units to achieve security goals. The security goals must be written so that the different personnel in the business units are able to understand them. It is a security practitioner’s job to ensure that all the personnel within the business units understand the importance of enterprise security. This includes interpreting security requirements and goals to communicate with stakeholders from other disciplines, providing objective guidance and impartial recommendations to staff and senior management on security and controls, and establishing effective collaboration within teams to implement security solutions. The governance, risk, and compliance committee should work together to develop the security, governance, risk, and compliance goals for the organization.

Interpreting Security Requirements and Goals to Communicate with Stakeholders from Other Disciplines

Security requirements are often written by individuals with broad experience in security. This often means that the requirements are written in such a way that personnel in the organization’s business units are unable to understand how the security requirements relate to their day-to-day duties. Security practitioners must ensure that stakeholders in other disciplines understand the security requirements and why they are important. It may be necessary for a security practitioner to develop security policies for the different disciplines within the organization, including sales staff, programmers, database administrators, network administrators, management/executive management, financial, human resources, the emergency response team, the facilities manager, the physical security manager, and legal counsel.

Sales Staff

Sales staff are rarely concerned with organizational security and, due to the nature of their jobs, often have unique security issues. For many organizations, sales staff often spend days on the road, connecting to the enterprise from wherever they find themselves, including public Wi-Fi, hotel networks, partner networks, and so on. While sales staff simply need a convenient solution, it is often not in the best interest of the organization for sales staff to use any available public network. Because of the sensitive nature of the information that sales staff transmit, their devices are often targeted by attackers. Some of the security solutions that an organization should consider for sales staff include the following:

  • Create a virtual private network (VPN) to allow remote sales staff to connect to the organization’s network.

  • Implement full disk encryption on all mobile devices issued to sales staff.

  • Implement geolocation/Global Positioning System (GPS) location tracking for all mobile devices issued to sales staff.

  • Implement remote lock and remote wipe for all mobile devices issued to sales staff.

Security practitioners should ensure that sales staff periodically attend security awareness training focused on issues that the sales staff will encounter, including password protection, social engineering attacks, VPN usage, and lost device reporting.

Programmer

Programmers are responsible for developing software that the organization uses and must understand secure software development. For this reason, programmers should obtain periodic training on the latest secure coding techniques. Programmers should adhere to design specifications for all software developed, and security practitioners should ensure that the design specifications include security requirements. Secure software development should always be a priority for programmers.

A code audit analyzes source code in a program with the intention of discovering bugs, security breaches, or violations of secure programming conventions. It attempts to reduce errors before the software is released.

Because software often involves the integration of multiple computers and devices, programmers must also understand how these computers and devices work together and communicate. For example, an ecommerce application may interact with financial systems as well as an inventory database. Any communication between these systems would need to be properly protected to ensure that hackers cannot obtain the data.

Security practitioners should ensure that programmers periodically attend security awareness training that is focused on issues the programmers will encounter, including secure code development, code review, password protection, and social engineering. In addition, it may be necessary for programmers to have two levels of accounts: a normal user account for everyday use and an administrative-level account that is used only for performing tasks that require elevated credentials. The principle of least privilege should be thoroughly explained to programmers.

Database Administrator

A database administrator is responsible for managing organizational databases that store valuable information, including financial, personnel, inventory, and customer information. Because much of the data in a database can be considered confidential or private, security practitioners must ensure that database administrators understand the security requirements for the database.

If a database is implemented, each user who needs access to the database should have his or her own account. Permissions can be granted to the individual tables or even individual cells. Database administrators often use database views to ensure that users can read only the information to which they have access. But even with properly configured permissions and use of views, database information can still be compromised. For this reason, database administrators should consider implementing some form of encryption. Within most databases, database administrators can encrypt individual cells, tables, or the entire database. However, cell, table, or database encryption places additional load on the server.

Transparent data encryption (TDE) is a newer encryption method available in SQL Server 2008 and later. TDE encrypts an entire database at rest without requiring any changes to existing applications. Another option would be to use Encrypting File System (EFS) or BitLocker Drive Encryption to encrypt the database files.

In addition, database administrators should be concerned with data integrity. Auditing should be configured to ensure that users can be held responsible for the actions they take. Backups should also regularly occur and should include backing up the transaction log.
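The database controls described above (one account per user, views that limit what a user can read, cell-level encryption, TDE for the whole database, auditing, and backups that include the transaction log) as one added T-SQL example; this is not code from the book. The Payroll database, the dbo.Employee table, the login jdoe, and every '<...>' path or password are assumed placeholders, and the syntax assumes SQL Server 2012 or later.

```sql
-- Added example, not from the book. All names and '<...>' values are hypothetical.

-----------------------------------------------------------------------------
-- 1. Individual accounts, permissions through a role, and a restricting view.
-----------------------------------------------------------------------------
USE Payroll;
GO
CREATE ROLE hr_readers;
GO
-- The view leaves out salary and SSN; the role never gets SELECT on the base table.
CREATE VIEW dbo.EmployeeDirectory
AS
    SELECT EmployeeId, FullName, Department, OfficePhone
    FROM dbo.Employee;
GO
GRANT SELECT ON dbo.EmployeeDirectory TO hr_readers;
DENY  SELECT ON dbo.Employee          TO hr_readers;  -- explicit deny survives later grants
GO
-- One login per person, so audit records name a real user rather than a shared account.
CREATE LOGIN jdoe WITH PASSWORD = '<strong-password>', CHECK_POLICY = ON;
CREATE USER  jdoe FOR LOGIN jdoe;
ALTER ROLE hr_readers ADD MEMBER jdoe;   -- SQL Server 2012+; 2008 uses sp_addrolemember
GO

-----------------------------------------------------------------------------
-- 2. Cell-level encryption of one sensitive column with a symmetric key.
-----------------------------------------------------------------------------
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<payroll-dmk-password>';
CREATE CERTIFICATE SsnCert WITH SUBJECT = 'SSN column encryption';
CREATE SYMMETRIC KEY SsnKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE SsnCert;
GO
ALTER TABLE dbo.Employee ADD SsnEncrypted VARBINARY(256);
GO
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
UPDATE dbo.Employee SET SsnEncrypted = ENCRYPTBYKEY(KEY_GUID('SsnKey'), Ssn);
CLOSE SYMMETRIC KEY SsnKey;
GO
-- Once verified, drop the plaintext column: ALTER TABLE dbo.Employee DROP COLUMN Ssn;

-----------------------------------------------------------------------------
-- 3. Transparent data encryption: whole database at rest, no application changes.
--    The certificate lives in master; without its backup the database and its
--    backups cannot be restored on another server.
-----------------------------------------------------------------------------
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-dmk-password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'Payroll TDE certificate';
BACKUP CERTIFICATE TdeCert TO FILE = '<secure-path>\TdeCert.cer'
    WITH PRIVATE KEY (FILE = '<secure-path>\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<pvk-password>');
GO
USE Payroll;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE Payroll SET ENCRYPTION ON;
GO
-- encryption_state 3 = encrypted, 2 = encryption in progress (tempdb is encrypted too).
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys;
GO

-----------------------------------------------------------------------------
-- 4. Auditing so that every read or change of employee data is attributable.
-----------------------------------------------------------------------------
USE master;
GO
CREATE SERVER AUDIT PayrollAudit
    TO FILE (FILEPATH = '<audit-directory>', MAXSIZE = 100 MB)
    WITH (ON_FAILURE = FAIL_OPERATION);   -- refuse the action if it cannot be logged
ALTER SERVER AUDIT PayrollAudit WITH (STATE = ON);
GO
USE Payroll;
GO
CREATE DATABASE AUDIT SPECIFICATION PayrollEmployeeAccess
    FOR SERVER AUDIT PayrollAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Employee BY public)
    WITH (STATE = ON);
GO

-----------------------------------------------------------------------------
-- 5. Backups that include the transaction log (requires the FULL recovery model;
--    the full backup taken right after the change starts the log chain).
-----------------------------------------------------------------------------
ALTER DATABASE Payroll SET RECOVERY FULL;
GO
BACKUP DATABASE Payroll TO DISK = '<backup-path>\Payroll_full.bak' WITH CHECKSUM, INIT;
BACKUP LOG      Payroll TO DISK = '<backup-path>\Payroll_log.trn'  WITH CHECKSUM;
GO
```

With TDE enabled, the backups in step 5 are encrypted as well, so the certificate backup from step 3 must be stored and protected alongside them. TDE was an Enterprise edition feature until SQL Server 2019 added it to Standard edition.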

Database administrators must periodically obtain database training to ensure that their skill level is maintained. In addition, security practitioners should ensure that database administrators attend security awareness training that is focused on issues that the database administrators will encounter, including database security, secure database design, password protection, and social engineering. In addition, it is necessary for database administrators to have two levels of accounts: a normal user account for everyday use and an administrative-level account to be used only for performing tasks that require elevated credentials. The principle of least privilege should be thoroughly explained to all database administrators.

Network Administrator

A network administrator is responsible for managing and maintaining the organization’s network. This includes managing all the devices responsible for network traffic, including routers, switches, and firewalls. The network administrator is usually more worried about network operation than network security. Because data is constantly being transmitted over the network, the network administrator must also understand the types of traffic that are being transmitted, the normal traffic patterns, and the average load for the network. Protecting all this data from attackers should be a primary concern for a network administrator. Security practitioners should regularly communicate with the network administrator about the security requirements for the network.

Network administrators should ensure that all network devices, such as routers and switches, are stored in a secure location, usually a locked closet or room. If wireless networks are used, the network administrator must ensure that the maximum protection is provided. While it is much easier to install a wireless access point without all the security precautions, security practitioners must ensure that the network administrators understand how and why to secure the wireless network. In addition, these administrators should know who is on their network, which devices are connected, and who accesses the devices. Remember that physical and logical security controls should be considered as part of any security plan.

Network administrators must periodically obtain training to ensure that their skill level is maintained. In addition, security practitioners should ensure that the network administrators attend security awareness training that is focused on issues that the network administrators will encounter, including network security, new attack vectors and threats, new security devices and techniques, password protection, and social engineering. In addition, each network administrator must have two levels of accounts: a normal user account for everyday use and an administrative-level account to be used only for performing tasks that require elevated credentials. The principle of least privilege should be thoroughly explained to all network administrators.

Management/Executive Management

High-level management has the ultimate responsibility for preserving and protecting organizational data. High-level management includes the CEO, CFO, CIO, CPO, and CSO. Other management levels, including business unit managers and business operations managers, have security responsibilities as well.

The chief executive officer (CEO) is the highest managing officer in any organization and reports directly to the shareholders. The CEO must ensure that an organization grows and prospers.

The chief financial officer (CFO) is the officer responsible for all financial aspects of an organization. Although structurally the CFO might report directly to the CEO, the CFO must also provide financial data for the shareholders and government entities.

The chief information officer (CIO) is the officer responsible for all information systems and technology used in the organization and reports directly to the CEO or CFO. The CIO usually drives the effort to protect company assets, including any organizational security program.

The chief privacy officer (CPO) is the officer responsible for private information and usually reports directly to the CIO. As a newer position, this role is still considered optional but is becoming increasingly popular, especially in organizations that handle lots of private information, including medical institutions, insurance companies, and financial institutions.

The chief security officer (CSO) is the officer who leads any security effort and reports directly to the CEO. This role, which is considered optional at this point, must be solely focused on security matters. Its independence from all other roles must be maintained to ensure that the organization’s security is always the focus. The CSO is usually responsible for the organization’s risk management and compliance initiatives.

Business unit managers provide departmental information to ensure that appropriate controls are in place for departmental data. Often a business unit manager is classified as the data owner for all departmental data. Some business unit managers have security duties. For example, the business operations department manager would be best suited to overseeing security policy development.

Security practitioners must be able to communicate with all these groups regarding the security issues that an organization faces and must be able to translate those issues into security requirements and goals. But keep in mind that management generally is concerned more with costs and wants to control costs associated with security as much as possible. It is the security practitioner’s job to complete the appropriate research to ensure that the security controls that he or she suggests fit the organization’s goals and that the reasons behind the decision are valid. Management must be sure to convey the importance of security to all personnel within the organization. If it appears to personnel that management is reluctant to value any security initiatives, personnel will be reluctant as well.

For high-level management, security awareness training must provide a clear understanding of potential risks and threats, effects of security issues on organizational reputation and financial standing, and any applicable laws and regulations that pertain to the organization’s security program. Middle management training should discuss policies, standards, baselines, guidelines, and procedures, particularly how these components map to the individual departments. Also, middle management must understand their responsibilities regarding security. These groups also must understand password protection and social engineering. Most members of management will also have two accounts each: a normal user account for everyday use and an administrative-level account to be used only for performing tasks that require elevated credentials. The principle of least privilege should be thoroughly explained to all members of management.

Financial

Because the financial staff handles all the duties involved in managing all financial accounting for the organization, it is probably the department within the organization that must consider security the most. The data that these staff deal with on a daily basis must be kept confidential. In some organizations, it may be necessary to isolate the accounting department from other departments to ensure that the data is not compromised. In addition, the department may adopt a clean-desk policy to ensure that others cannot obtain information by picking up materials left on a desk. Financial staff may also need to implement locking screensavers.

Financial department personnel must periodically obtain training to ensure that their skill level is maintained and that they understand new laws or regulations that may affect the organization’s financial record-keeping methods. In addition, security practitioners should ensure that financial department personnel attend security awareness training that is focused on issues they will encounter, including password protection and social engineering. Financial personnel should be familiar with retention policies to ensure that important data is retained for the appropriate period. The organization’s asset disposal policy should stipulate how assets should be disposed, including instructions on shredding any paper documents that include private or confidential information.

Human Resources

Similar to the personnel in the financial department, personnel in the human resources department probably already have some understanding of the importance of data security. Human resources data includes private information regarding all of an organization’s personnel. For this reason, clean-desk policies and locking screensavers are also often used in the human resources department.

Human resources department personnel must periodically obtain training to ensure that their skill level is maintained and that they understand new laws or regulations that may affect personnel. In addition, security practitioners should ensure that human resources department personnel attend security awareness training that is focused on issues they will encounter, including password protection and social engineering.

Emergency Response Team

The emergency response team is composed of organizational personnel who are responsible for handling any emergencies that occur. Many of the members of this team have other primary job duties and perform emergency response duties only when an emergency occurs. For the CASP exam, the focus is on any emergencies that affect the organization’s enterprise. This team should have a solid understanding of security and its importance to the organization. The team will coordinate any response to an emergency based on predefined incident response procedures. Some members of this team may need to obtain specialized training on emergency response. In addition, they may need access to tools needed to address an emergency. If possible, at least one member of the team should have experience in digital forensic investigations to ensure that the team is able to fully investigate an incident.

Emergency response team personnel must periodically obtain training for any newly identified emergencies that may occur. In addition, security practitioners should ensure that the emergency response team attends security awareness training that is focused on issues the team will encounter. Finally, the emergency response team should review any emergency response procedures at regular intervals to ensure that the procedures are still accurate, and they should perform testing exercises, including drills, to ensure that the emergency response plan is up-to-date.

Facilities Manager

A facilities manager ensures that all organizational buildings are maintained by building maintenance and custodial services. The facilities manager works closely with the physical security manager because the two functions are tightly interwoven. Today, facilities managers are increasingly coming into contact with supervisory control and data acquisition (SCADA) systems, which allow the manager to monitor and control many aspects of building management, including water, power, and heating, ventilation, and air-conditioning (HVAC).

The facilities manager must understand why the firmware and other software used by SCADA or other environmental management systems have to be kept up to date. In addition, security practitioners should ensure that the facilities manager attends security awareness training that is focused on issues he or she will encounter, including password protection and social engineering. Special focus should be given to vendor default accounts and the risks of logical backdoors in administrative tools.

Physical Security Manager

A physical security manager ensures that the physical security of all buildings and secure locations is maintained and monitored to prevent intrusions by unauthorized individuals. Controls that may be used include fences, locks, biometrics, guards, and closed-circuit television (CCTV). The physical security manager should always be looking into new ways of securing access to the building. In addition, the physical security manager needs to be involved in the design of any internal secure areas, such as a data center.

A physical security manager needs to understand any new technologies that are used in physical security and should assess the new technologies to determine whether they would be beneficial for the organization. In addition, security practitioners should ensure that the physical security manager attends security awareness training that is focused on the issues he or she will encounter.

Legal Counsel

Legal counsel ensures that the organization complies with all laws and regulations. Legal counsel should provide guidance on the formation of all organizational policies and controls and ensure that they comply with all laws and regulations that affect the organization. In addition, legal counsel should review all agreements with personnel, vendors, service providers, and other entities for compliance with laws and regulations and to ensure that due diligence is performed. Finally, legal counsel should ensure that all incident response procedures and forensic investigation procedures follow legal procedure. Legal counsel should report to the CEO and board of directors.

Legal counsel must periodically obtain training to ensure that their knowledge of current laws and regulations that affect the organization is maintained. In addition, security practitioners should ensure that legal counsel attend security awareness training that is focused on issues they will encounter, including password protection and social engineering.

Provide Objective Guidance and Impartial Recommendations to Staff and Senior Management on Security Processes and Controls

As a security practitioner, you will often have others in your organization come to you for advice. It is important that you provide objective guidance and impartial recommendations to staff and senior management on security processes and controls. As discussed in Chapter 3, “Risk Mitigation Strategies and Controls,” three types of controls are used for security:

  • Administrative or management controls: These controls are implemented to administer the organization’s assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management.

  • Logical or technical controls: These software or hardware components are used to restrict access.

  • Physical controls: These controls are implemented to protect an organization’s facilities and personnel.

Any time your advice is solicited, you need to research all the options, provide explanations on each of the options you researched, and provide a final recommendation on which options you would suggest. It is also good if you can provide comparative pros and cons of the different options and include purchasing and implementation costs. Any effects on existing systems or technologies should also be investigated. Remember that your thoroughness in assessing any recommended controls helps ensure that the best decisions can be made.

Establish Effective Collaboration Within Teams to Implement Secure Solutions

Because an organization’s security can be compromised by anyone within the organization, a security practitioner must help facilitate collaboration across diverse business units to achieve security goals. Business units must work together to support each other. If the financial department plans to implement a new application that requires a back-end database solution, the database administrator should be involved in the implementation of the new application. If the sales department is implementing a new solution that could impact network performance, the network administrators should be involved in deployment of the new solution. Bringing in the other business units to provide advice and direction on any new initiatives ensures that all security issues can be better addressed.

Let’s look at an example. Suppose that an employee has been terminated and promptly escorted to his exit interview, after which the employee left the building. It is later discovered that this employee had started a consulting business in which he had used screenshots of his work at the company, including live customer data. The information was removed using a USB device. After this incident, a process review is conducted to ensure that this issue does not recur. You should include a member of human resources and IT management as part of the review team to determine the steps that could be taken to prevent such a situation from happening again in the future.

As another example, say that a team needs to create a secure connection between software packages to list employees’ remaining or unused benefits on their paycheck stubs. The team to design this solution should include a finance officer, a member of human resources, and the security administrator.

Keep in mind that it is always best to involve members of different departments when you are designing any security policies, procedures, or guidelines. You need to ensure that you get their input. Including these people also helps ensure that all the departments better understand the importance of the new policies. You should always discuss the requirements of the new security solutions with the stakeholders from each of the internal departments that will be affected.

Suppose the CEO asks you to provide recommendations on the task distribution for a new project. The CEO thinks that by assigning areas of work appropriately, the overall security will be increased because staff will focus on their areas of expertise. The following groups are involved in the project: networks, development, project management, security, systems engineering, and testing. You should assign the tasks in the following manner:

  • Systems engineering: Decomposing requirements

  • Development: Code stability

  • Testing: Functional validation

  • Project management: Stakeholder engagement

  • Security: Secure coding standards

  • Networks: Secure transport

As collaboration is used, business units across the organization will learn to work together. As a security practitioner, you should ensure that the security of the organization is always considered as part of any new solution.

Governance, Risk, and Compliance Committee

IT governance, risk, and compliance are discussed extensively in Chapter 3. IT governance involves the creation of policies, standards, baselines, guidelines, and procedures. Personnel from all business units should help in the establishment of the IT governance components to ensure that all aspects of the organization are considered during their design.

In some organizations, there is a known lack of governance for solution designs. As a result, there are inconsistencies and varying levels of quality for the designs that are produced. The best way to improve this would be to introduce a mandatory peer review process before a design can be released.

Organizations should form a governance, risk, and compliance committee that is composed of personnel from departments throughout the company and from all levels. The governance, risk, and compliance committee should address all three elements:

  • Governance: The oversight role and the process by which companies manage and mitigate business risks

  • Risk management: All relevant business and regulatory risks and controls and monitoring of mitigation actions in a structured manner

  • Compliance: The processes and internal controls to meet the requirements imposed by governmental bodies, regulators, industry mandates, or internal policies

The governance process for this committee includes defining and communicating corporate control, key policies, enterprise risk management, regulatory and compliance management, and oversight, as well as evaluating business performance through balanced scorecards, risk scorecards, and operational dashboards.

The risk management process for this committee includes systematically identifying, measuring, prioritizing, and responding to all types of risk in the business and then managing any exposure accordingly.

The compliance process for this committee includes identifying laws and regulations that affect the organization and ensuring that projects put into place the controls needed to comply. When an organization is dealing with multiple regulations at the same time, a streamlined process of managing compliance with each of these initiatives is critical. Otherwise, costs spiral out of control, and the risk of noncompliance increases.

Exam Preparation Tasks

You have a couple of choices for exam preparation: the exercises here and the practice exams in the Pearson IT Certification test engine.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 19-1 lists these key topics and the page number on which each is found.

Table 19-1 Key Topics for Chapter 19

Key Topic Element   Description                                   Page Number
-----------------   -------------------------------------------   -----------
Paragraph           Sales staff                                   717
Paragraph           Programmer                                    718
Paragraph           Database administrator                        719
Paragraph           Network administrator                         720
Paragraph           Management/executive management               720
Paragraph           Financial                                     722
Paragraph           Human resources                               722
Paragraph           Emergency response team                       723
Paragraph           Facilities manager                            723
Paragraph           Physical security manager                     723
Paragraph           Legal counsel                                 724
List                Security control types                        724
List                Governance, risk, and compliance elements     727

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

administrative controls

BitLocker

chief executive officer (CEO)

chief financial officer (CFO)

chief information officer (CIO)

chief privacy officer (CPO)

chief security officer (CSO)

database administrator

emergency response team

Encrypting File System (EFS)

facilities manager

legal counsel

logical controls

management controls

network administrator

physical controls

physical security manager

programmer

technical controls

transparent data encryption (TDE)

Review Questions

1. Your organization has decided to convert two rarely used conference rooms into a secure data center. This new data center will house all servers and databases. Access to the data center will be controlled using biometrics. CCTV will be deployed to monitor all access to the data center. Which staff members should be involved in the data center design and deployment?

  • database administrator, network administrator, facilities manager, physical security manager, and management

  • database administrator, programmer, facilities manager, physical security manager, and management

  • database administrator, network administrator, facilities manager, physical security manager, and programmer

  • database administrator, network administrator, programmer, physical security manager, and management

2. During the design of a new application, the programmers need to determine the performance and security impact of the new application on the enterprise. Who should collaborate with the programmers to determine this information?

  • database administrator

  • network administrator

  • executive management

  • physical security manager

3. During the design of a new data center, several questions arise as to the use of raised flooring and dropped ceiling that are part of the blueprint. Which personnel are most likely to provide valuable information in this area?

  • database administrator and facilities manager

  • database administrator and physical security manager

  • facilities manager and physical security manager

  • emergency response team and facilities manager

  • legal counsel and facilities manager

4. Which statement is not true regarding an organization’s sales staff?

  • The sales staff is rarely concerned with organizational security.

  • The sales staff has unique security issues.

  • The sales staff will often use publicly available Internet connections.

  • The sales staff’s devices are rarely targets of attackers.

5. Which statement is not true regarding an organization’s database administrator?

  • Database administrators should grant permissions based on user roles.

  • Database administrators use database views to limit the information to which users have access.

  • Database administrators should implement encryption to protect information in cells, tables, and entire databases.

  • Database administrators should use auditing so that users’ actions are recorded.

6. As part of a new security initiative, you have been asked to provide data classifications for all organizational data that is stored on servers. As part of your research, you must interview the data owners. Which staff are most likely to be considered data owners?

  • business unit managers and CEO

  • business unit managers and CIO

  • CIO and CSO

  • physical security manager and business unit managers

7. Which of the following statements regarding the security requirements and responsibilities for personnel is true?

  • Only management and senior staff have security requirements and responsibilities.

  • Although executive management is responsible for leading any security initiative, executive management is exempt from most of the security requirements and responsibilities.

  • All personnel within an organization have some level of security requirements and responsibilities.

  • Only the physical security manager should be concerned with the organization’s physical security.

8. You have been hired as a security analyst for your organization. As you begin your job, you are asked to identify new administrative controls that should be implemented by your organization. Which of the following controls should you list? (Choose all that apply.)

  • departmental security policies

  • security awareness training

  • data backups

  • auditing

9. You have been hired as a security analyst for your organization. As you begin your job, you are asked to identify new physical controls that should be implemented by your organization. Which of the following controls should you list? (Choose all that apply.)

  • separation of duties

  • encryption

  • biometrics

  • guards

10. You have been hired as a security analyst for your organization. As you begin your job, you are asked to identify new technical controls that should be implemented by your organization. Which of the following controls should you list? (Choose all that apply.)

  • personnel procedures

  • authentication

  • firewalls

  • badges
