Business Considerations for the Framework

An organization’s collection of security policies, and therefore the entire security framework, shows its commitment to protecting information. As with security policies in general, two considerations for implementing a framework are:

  • Cost—Cost of implementing and maintaining the framework
  • Impact—Impact of the controls required by the framework on employees, customers, and business processes

Creating a policy framework from the ground up takes time and effort. It’s important for management to budget for these expenses. In addition, as the number of documents in the framework grows, you may need a content management system to manage the documents. Many organizations already use Microsoft SharePoint Server or a similar product to manage all business-related documents. You can use the same system to manage documents in a policy framework.

Employees often resist change, especially changes that affect how they need to perform their jobs. However, a comprehensive policy framework can help employees do their jobs more efficiently. The framework includes guidelines that employees can follow and procedures that specify how to perform tasks. Essentially, a policy framework provides a structure within which employees can work more efficiently.

Adding a taxonomy and glossary of terms is critically important. A well-formed taxonomy becomes the “Rosetta stone” for the framework’s policy documents: it is used to interpret the meaning of the policies and to scope efforts. Suppose your policies include the terms “platform” and “network infrastructure.” What does “platform” mean? Do platform requirements include a firewall? Maybe. Maybe not. Yes, a firewall sits on a platform; there is a physical box with an operating system. But the taxonomy and glossary of terms may define platform as the devices upon which an application resides, such as application and database servers. All other nonapplication networked devices may fall under the definition of network infrastructure. In that case, for firewall controls, you would go to the framework’s network infrastructure documents. This distinction is not academic. Most likely the control requirements for platforms differ from those for network infrastructure, and it is critically important to apply the right controls to each class of device.

Complying with the Sarbanes-Oxley Act

As technology expands, laws and regulations eventually follow to compel positive action to protect information systems. In 2002, the U.S. Senate passed the Sarbanes-Oxley (SOX) Act, which gained the attention of U.S. corporate CEOs. The act passed in the wake of the collapse of Enron, Arthur Andersen, WorldCom, and several other large firms. SOX requires publicly traded companies to maintain internal controls. The controls ensure the integrity of the financial statements reported to the Securities and Exchange Commission (SEC) and to shareholders. The act also requires that CEOs attest to the integrity of those financial statements to the SEC.

Because of this mandate, controls related to information processing and management are now highly scrutinized. Since the law took effect, the need for a comprehensive library of current operating documents has been underscored.

A policy framework also helps management adhere to compliance requirements. Your security policy framework enables you to show regulators that you are using best practices. Many regulations provide specific details that must be included in your security policies. It’s often helpful to create a “cheat sheet” that cross-references your security documents with the standards. For example, an entry might state that “HR Policy 2010-033 entitled ‘Pre-Employment Screening’ satisfies PCI DSS requirement 12.7.” This will come in very handy if you are ever audited; you can use the cheat sheet to show auditors the exact sections of policy that implement each requirement. The challenge is maintaining these cheat sheets. It’s important to build in a process of updating the cheat sheets whenever you revise the policies they’re based on.
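The cross-reference “cheat sheet” and its update process can be kept as data rather than as a static document. The following is an added example (not from the textbook): a crosswalk that records which policy section satisfies which requirement, marks every mapping stale when its policy is revised, and produces the auditor view for a single requirement. The policy id and PCI DSS requirement number follow the textbook’s example; the section number and revision counts are constructed.

```python
from dataclasses import dataclass


@dataclass
class Mapping:
    policy_id: str
    section: str               # policy section that implements the requirement
    requirement: str           # e.g. "PCI DSS 12.7"
    verified_revision: int     # policy revision the mapping was last confirmed against


class Crosswalk:
    def __init__(self):
        self.revisions: dict[str, int] = {}   # policy id -> current approved revision
        self.mappings: list[Mapping] = []

    def add_policy(self, policy_id: str):
        self.revisions[policy_id] = 1

    def add_mapping(self, policy_id: str, section: str, requirement: str):
        # A new mapping counts as verified against the policy's current revision.
        rev = self.revisions[policy_id]
        self.mappings.append(Mapping(policy_id, section, requirement, rev))

    def revise_policy(self, policy_id: str):
        # Each approved revision invalidates earlier verification of mappings to it.
        self.revisions[policy_id] += 1

    def is_stale(self, m: Mapping) -> bool:
        return m.verified_revision < self.revisions[m.policy_id]

    def stale_mappings(self) -> list[Mapping]:
        # Mappings that must be re-checked before the cheat sheet is shown to an auditor.
        return [m for m in self.mappings if self.is_stale(m)]

    def unmapped(self, requirements: list[str]) -> list[str]:
        # In-scope requirements that no policy section claims to satisfy.
        covered = {m.requirement for m in self.mappings}
        return [r for r in requirements if r not in covered]

    def evidence_for(self, requirement: str) -> list[tuple[str, str, bool]]:
        # Auditor view: (policy id, section, mapping still current?) for one requirement.
        return [(m.policy_id, m.section, not self.is_stale(m))
                for m in self.mappings if m.requirement == requirement]


def build_sample() -> Crosswalk:
    # Constructed sample data modelled on the textbook's HR Policy 2010-033 example.
    cw = Crosswalk()
    cw.add_policy("HR Policy 2010-033")
    cw.add_mapping("HR Policy 2010-033", "Section 3", "PCI DSS 12.7")
    return cw
```

Calling `revise_policy` as part of the policy approval workflow is what makes `stale_mappings` a reliable to-do list; a cheat sheet maintained by hand has no equivalent trigger.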

Roles for Policy and Standards Development and Compliance

Developing and maintaining a policy framework is a major undertaking. In large organizations, it usually requires many people. TABLE 6-2 lists roles commonly found in the development, maintenance, and compliance efforts related to a policy and standards library.

TABLE 6-2 Roles Related to a Policy and Standards Library (role: activity)

  • CISO: Establishes and maintains security and risk management programs for information resources
  • Information resources manager: Maintains policies and procedures that provide for security and risk management of information resources
  • Information resources security officer: Directs policies and procedures designed to protect information resources, identifies vulnerabilities, and develops the security awareness program
  • Owners of information resources: Responsible for carrying out the program that uses the resources. This does not imply personal ownership. These individuals may be regarded as program managers or delegates for the owner.
  • Custodians of information resources: Provide technical facilities, data processing, and other support services to owners and users of information resources
  • Technical managers (network and system administrators): Provide technical support for security of information resources
  • Internal auditors: Conduct periodic risk-based reviews to ensure the effectiveness of information resources security policies and procedures
  • Control partners: Typically in areas such as compliance and operational risk. Ensure that security policies result in operational compliance with risk appetite and regulatory requirements.
  • Users: Have access to information resources in accordance with the owner-defined controls and access rules