MODULE 4

Understanding Security Governance


Organizations normally don’t function by asking everyone who works there to perform a task or act in a particular manner, and then leaving it up to their discretion to do so. Instead, organizations function by requiring employees to adhere to certain rules and conventions. Governance is the set of overarching rules, regulations, policies, and other directives that dictate how the organization and its employees will conduct themselves. Governance is necessary to establish authority in the organization and ensure that the personnel working in that organization behave and conduct their activities in accordance with that established authority. Although we will be focusing particularly on security governance, we will also discuss the different types of governance and the roles they fill in the organization. We will then discuss the particular security policies and governance concepts you may encounter as a security professional.

Security Governance

In Module 3, you learned about the concepts of due care and due diligence, which relate to an organization’s duty to think and act responsibly in its personal, societal, and business dealings. Part of that duty comes from the organization’s own ethics and values, but duties are also imposed from outside, through laws, regulations, rules, standards, and policies. This collection of laws, regulations, rules, standards, and policies is known as governance.

These different sources of governance are related to one another and are often inherited from higher-level governance. For example, laws that apply to the entire country must also be obeyed by an organizational entity such as a business. The business may, in turn, formulate rules that apply to its personnel to demonstrate its commitment to following the law, to state how its personnel will comply with the law, and to define the ramifications of not doing so. To assist in complying with these rules, the organization may enforce certain behavioral standards and dictate exact procedures people must follow. Each of these rules, standards, and procedures is designed to support the law that the organization must obey. We will discuss each of these in depth in the upcoming sections.

Security governance involves the laws, regulations, policies, and other documentation that are designed to establish requirements and enforce behaviors associated with security-related topics and concerns. For example, laws may dictate how certain types of sensitive data are handled within an organization, and may require that specific security mechanisms or controls be used to protect this data. An organization that processes this type of sensitive data must enact policies corresponding to these legal requirements. It must also mandate standards and develop procedures to ensure that the data is protected in accordance with the law, and require all personnel to follow these rules.

In the next few sections, we’ll discuss the different levels of governance that can be imposed or developed by an organization, as well as the elements used to support governance. We’ll discuss laws and regulations, policies, procedures, standards, and guidelines, and the role they each play in security governance.

Laws and Regulations

At the highest levels of the governance chain are the legal sources of governance. These include statutes enacted by legislatures, regulations issued by regulatory bodies, and case law (established through court decisions and judicial precedent). Laws come from different sources, including the national, regional, state, and city levels, and from other municipalities. Additionally, laws differ based on the country of origin and how each country’s legal system is constructed. As a Security+ certified professional, you are not expected to know every law from every country that relates to information technology or information security (we’re also not going to make you into a lawyer here). However, you need to be aware of how laws at different levels of government can apply to you and how they might supplement or even supersede one another. You should also make yourself aware of the laws in your country, state, or region, and know how they apply to your industry or business.

Some laws are region-specific and apply only to businesses and people living or working in that region. Some, however, reach beyond the region’s borders, given the geographically unlimited nature of e-commerce. Consider, for example, the California Online Privacy Protection Act (CalOPPA) of 2003. On the surface, it appears to apply only to businesses in California, but it actually applies to any operator of a commercial website or online service that collects personally identifiable information from California residents, regardless of where that operator is located. Other laws are more far-reaching in geographic scope and may be enforced at a national or even international level.

Other laws are industry-specific and cover security concerns within a particular market segment or industry, such as banking or finance. Still other laws, such as the Health Insurance Portability and Accountability Act (HIPAA), target a particular class of data. HIPAA covers Protected Health Information (PHI) and applies to any business or entity (such as hospitals, clinics, doctors, and insurance companies, along with the business associates that handle PHI on their behalf) that creates, processes, stores, transmits, or receives this type of data.

The point of this discussion is that it is your responsibility (and that of the senior managers, executives, and legal professionals in your organization) to be cognizant of the laws and regulations that apply to your particular business and the area in which it resides. You may be asked to help develop appropriate policy based upon those laws, as well as help enforce them.



Remember that laws and other legal sources of governance (regulations, statutes, and court decisions) are the highest levels of governance that apply to any organization.

Organizational Governance

Organizational governance, unlike laws and other legal sources of governance, comes from within the organization. Governance produced from within a business is typically created to establish the organization’s commitment to the law. It describes the requirements levied on the organization’s personnel relating to security behavior and mandates how the organization will comply with laws. Organizations establish policies to comply with laws and to protect themselves from legal liability, as well as to demonstrate due care and diligence. Although law is certainly the main source of internal organizational governance, it’s not the only source.

Beyond the need to support and comply with the law, organizations also establish governance that reflects their own particular corporate culture, ethics, and standards of behavior. Often, this is the culture and ethics of senior management, but it can also come from personal beliefs and the societal norms people have come to expect in a professional environment. Some governance is also established to support practical business objectives. For example, the prohibition most organizations place on unlimited, arbitrary Internet use is designed not only to reflect the law (such as laws against online child exploitation) but also the organization’s values (by restricting content relating to hate speech, gambling, content of a sexual nature, and so on). Likewise, rules against unlimited Internet use help maximize business productivity by preventing employees from spending work time on otherwise harmless sites such as sports or news outlets.

Organizational governance consists of several different instruments, which include policies, standards, procedures, and guidelines. The instruments differ in their purposes and what aspects of governance they communicate and support. Figure 4-1 illustrates the relationships between the different policy and governance instruments. In the next few sections, we’ll discuss each of these as well as other governance instruments.


Figure 4-1 Policies, standards, procedures, and guidelines



Organizational governance is produced inside the organization and may be written to support compliance with the law or to serve the interests of the organization’s culture, ethics, and business objectives.

Policies

Policies are the cornerstone of organizational-level governance. They are directive in nature and inform organizational personnel of requirements to which they must adhere. They state, in generally broad terms, the “what” (and sometimes even the “why”) that must be done. They lay out rules for behavior and dictate the organization’s stance on particular subjects related to security. For example, an organizational policy may dictate that all personnel must use strong passwords or that everyone must follow data protection procedures. Policies do not normally go into the “how” of accomplishing a directive or to what degree something must be done; that is left for other instruments, such as procedures and standards, which are discussed later in the module.

Policies may also assign roles and responsibilities at a higher level to establish overall accountability for the policy to a particular role or position. They also may reference other governance, such as laws or standards. For example, a policy may set forth a requirement for encrypting data; it may reference a law (such as HIPAA) that requires encryption, as well as dictate the standard to which the organization will adhere in using encryption technologies. Policies should be written so that they can be easily understood, and all personnel should be made aware of them.



Policies dictate mandatory requirements at a high level but do not normally describe how a requirement is to be implemented.

Standards

A standard is a document that dictates a level of performance or functionality for a requirement. For example, a policy may state that all personnel must encrypt sensitive data, but it might not define the characteristics of the encryption mechanism to be used. A standard would describe the requirements a suitable encryption mechanism must meet, including the approved algorithms, minimum key lengths, and so on. Standards could be included in a policy document, but often, for more complex requirements, they are developed as separate stand-alone documents on particular topics.

Many standards are optional and may be developed by government or industry for adoption by organizations. An organization could also develop its own standards, but most adopt publicly available standards in the interest of interoperability, or because a higher level of governance directs them to. An example of government standards is those produced by the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce. Although US federal agencies are required to use NIST standards (particularly those associated with information security), they are optional for any private or non-governmental organization to adopt. An example of an industry standard is the Payment Card Industry Data Security Standard (PCI DSS). This standard is maintained by the PCI Security Standards Council, which was founded by the major card brands (including Visa and Mastercard), and it details the steps merchants must take to secure payment card data. In an interesting example of market self-regulation, there is generally no government mandate requiring that businesses use this standard, but the card brands themselves require that all participating merchants comply with it or they will not be permitted to process card payments.



Standards dictate the level of performance needed in meeting a mandatory policy requirement.

Procedures

Policies dictate the “what” of requirements and compliance, sometimes also discussing why compliance is mandatory. Standards partially describe the “how” part of compliance, in that they prescribe what level or degree of performance is necessary to meet the requirement. Procedures complete the “how” portion of compliance by describing, in as much detail as is needed, how personnel must meet the requirements of a policy. This usually takes the form of a detailed, step-by-step document that describes how best to accomplish a process or task. Procedures may be developed in house by the organization, or they may be adopted from a vendor or industry partner. For example, a policy might require an organization to secure its Windows Active Directory implementation. The procedures for doing so could be adapted from Microsoft’s documentation and industry best practices, supplemented with organization-specific directions based on business needs. The people who will use procedures often write them; however, management usually must officially review and approve procedures to ensure that they support policy requirements.

Guidelines

While compliance with policies, standards, and procedures is typically mandatory in the organization, guidelines are usually optional. Guidelines are documents that may describe alternative methods of implementing a requirement or procedure, based upon an organization’s particular needs; or they may simply present best practices or optional information that an organization is encouraged to use. Guidelines may also come from government or industry sources, as well as vendors, security associations, and other professional organizations. They may cover a broad area or address a very specific technology or function.



Guidelines are optional, whereas policies, procedures, and standards are mandatory.

Other Governance

In addition to the preceding sources of governance, there are other sources that an organization may occasionally need to consider. Professional organizations, industry partners, vendors, non-profits, and other bodies often publish best practices, guidelines, and standards that organizations can incorporate into their own governance frameworks. For example, an organization could mandate that the Critical Security Controls (originally published as the SANS Institute “Top 20 Security Controls” and now maintained by the Center for Internet Security) be implemented as a security requirement in its infrastructure. Or a business could adopt the Federal Information Processing Standards (FIPS), published by NIST, as a mandatory standard.

Although the preceding examples indicate that organizations can adopt otherwise optional governance from external organizations, a business may often be required to adopt governance in order to participate in a business agreement, market segment, or trade association. Consider the PCI-DSS standards, for example, or a private company that conducts business with the federal government and must subject itself to government standards before it can be allowed to process sensitive government data on its own systems.

Security Policies

Now let’s look at some specific instances of policies that you will likely encounter as a security professional. We’ll discuss some of the more common (and important) examples of security policy, but understand that we cannot list every security policy an organization could have. Additionally, how policy is developed and maintained is unique to each organization; an organization could have one large overarching security policy that covers many different topics, or it could have many separate policies, each addressing a particular security concern. In any case, the policies we’ll discuss are found in most organizations.

Acceptable Use Policy

The acceptable use policy is probably the most common policy employed in organizations. This policy addresses what users can and cannot do with regard to organizational computing assets, such as computers, data, network connections, and, of course, the Internet. Acceptable use policies cover the very basics of user restrictions and prohibitions, including Internet use, use of company assets for personal reasons, the requirement to obey all security policies, and so on. A well-written acceptable use policy clearly explains user restrictions and details the consequences for violating the policy.



Acceptable use policies should cover a wide gamut of restrictions on employee use of computer assets, but they can’t include every possibility. Normal restrictions found in an acceptable use policy include those on gaming, accessing sexually explicit sites, online gambling, accessing hate-related content, and use of personal e-mail. Acceptable use policies, like all policies, should be living documents and should be updated regularly to include relevant changes.

Data Sensitivity and Classification Policy

Another important policy often found in organizations covers data sensitivity and classification. Remember from our last module that organizations create data sensitivity levels to ensure that adequate protection is afforded to the most critical and sensitive data, without spending too much money or resources on data that is not as sensitive. It’s not enough for organizations simply to decide on these sensitivity levels; there must be a policy in place that states what the levels are, what protections are required for them, and under what circumstances these sensitivity labels must be used. This policy also goes hand-in-hand with an access control policy, discussed next.

Access Control Policy

An access control policy states the organization’s requirements for accessing systems and data. It may state the different data sensitivity levels and describe the access requirements for each. For example, it may state that for company proprietary financial data, an individual needs to work in a certain area or be at a certain management level within the company. It also may detail requirements for any security clearance (in the case of government contractors, for example) and need-to-know. It may also cover the requirement for strong identification and authentication methods, such as biometrics or smart cards. The organization’s access control policy should address and support the principle of least privilege and mandate that only the minimum rights, permissions, and privileges necessary to accomplish a job or task be granted to individuals.



Access control policies may also be absorbed into other types of policies, including data sensitivity classification, acceptable use, privacy, and so on. Additionally, you may find that elements of each of those policies are also contained in a central access control policy. Often, policies tend to overlap or address different aspects of the same security concerns.

Password Policy

An organization’s password policy usually details the requirements for strong passwords, if password authentication is used. Normally, the policy details rules that address restrictions on password sharing, the use of different passwords for different systems, and the secure construction of passwords. It may also reference password standards that require passwords to be a certain number of characters in length, use certain character sets, and not be composed of dictionary words or commonly used combinations. Organizations often implement other rules for passwords, which might include password change requirements, instructions for handling a suspected password compromise, and so on. All of these requirements should be addressed in the organization’s password policy. Be aware that current NIST guidance (SP 800-63B) favors minimum length and screening candidates against lists of known-compromised passwords over strict composition rules and routine forced changes, so an organization adopting a NIST-aligned standard will weigh those elements differently than older policies did.



Password policies may contain the standards for password creation, but these may also be included in other standards as well. Additionally, password policies may be included in access control policies or as part of an overarching authentication policy if the organization uses multiple forms of authentication in addition to passwords, such as biometrics or smart cards.
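The split between a policy (“passwords must be strong”) and a standard (the exact length, character-set, and blocklist rules) becomes concrete when the standard is enforced in code. The following is an added example, not code from the module or from any product it mentions; the numeric thresholds, the tiny blocklist, and the dictionary sample are all assumptions chosen for illustration, and a real deployment would load a full breach corpus rather than a hard-coded set.

```python
"""Enforce an illustrative password standard (added example, not from the module).

The thresholds and word lists below are assumptions for demonstration only.
"""
import re

# Illustrative standard values (assumed, not figures from the module text).
MIN_LENGTH = 12
MAX_LENGTH = 128            # long enough to allow passphrases
MIN_CHARACTER_CLASSES = 3   # of: lowercase, uppercase, digit, symbol

# Constructed sample blocklist of common / breached passwords. A real deployment
# would load a large list or query a breach corpus by hash prefix instead.
BLOCKLIST = {"password", "password1", "letmein", "welcome1", "qwerty123", "iloveyou"}

# Constructed sample of dictionary words the standard forbids as the password's core.
DICTIONARY = {"dragon", "monkey", "sunshine", "football"}

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _is_sequential(text, run=4):
    """True if text contains `run` consecutive ascending or descending characters
    (for example 'abcd' or '4321'); comparison is case-insensitive."""
    codes = [ord(c) for c in text.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(candidate, username=""):
    """Return a list of standard violations; an empty list means the password complies."""
    findings = []

    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        findings.append(f"longer than {MAX_LENGTH} characters")

    classes = sum(bool(re.search(p, candidate)) for p in _CLASS_PATTERNS)
    if classes < MIN_CHARACTER_CLASSES:
        findings.append(f"uses {classes} character classes, standard requires {MIN_CHARACTER_CLASSES}")

    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        findings.append("appears on the common/compromised password blocklist")
    if username and username.lower() in lowered:
        findings.append("contains the username")

    # Strip leading and trailing non-letters so 'Sunshine2024!' is judged by its core word.
    core = re.sub(r"[^a-z]+$", "", re.sub(r"^[^a-z]+", "", lowered))
    if core in DICTIONARY:
        findings.append(f"dictionary word '{core}' padded with digits or symbols")

    if re.search(r"(.)\1{3,}", candidate):
        findings.append("four or more repeated characters in a row")
    if _is_sequential(candidate):
        findings.append("contains a sequential run such as 'abcd' or '4321'")

    return findings


if __name__ == "__main__":
    for pw in ("password1", "Sunshine2024!", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw) or "compliant")
```

Each finding names the rule that failed, which is what a help-desk procedure or a self-service reset page needs in order to tell the user what to fix; returning a list rather than a boolean also makes it easy to log which rules are tripped most often when reviewing whether the standard is set sensibly.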

Care and Use of Equipment

Another common policy document often found in businesses addresses the care and use of equipment. Some of the restrictions on equipment use might also be found in the acceptable use policy, since it covers use of computing assets. However, other aspects of caring for equipment might be in a separate policy, such as the requirement to keep equipment clean and serviceable, periodic maintenance requirements, and restrictions on employees removing equipment from company premises.



Equipment use policies may include requirements for care and maintenance of equipment but may not address items such as the data that resides on those systems or equipment. Often, security policies regarding data are included in separate documents.

Privacy Policy

One particular type of policy receiving a great deal of attention these days is an organization’s privacy policy. This policy doesn’t apply only to internal users, such as employees, but may also address external users, such as customers or business partners. In addition, different privacy policies may apply to employees versus external users. Privacy policies that cover employees normally dictate several things, including the lack of any expectation of privacy when using company computers, as well as the right of the organization to monitor and view any personal data sent over the company network, including to the Internet. Privacy policies that apply to customers and external users describe what data the organization collects from those users, how it is used, under what circumstances it is transferred to third parties, and what rights customers and external users have with regard to the collection and use of that data. Several laws (CalOPPA, discussed earlier, is one example) require companies to maintain and publish a privacy policy for customers and to disclose the types of data collected and how they are used.



There can be different types of privacy policies for internal users, such as employees, and external users, such as customers, particularly in an organization that maintains a large amount of personal customer data, such as healthcare or financial data.

Personnel Policies

Personnel policies address the requirements regarding how employees interact with systems and data, and how the organization manages personnel from a security perspective. For example, company policy may require background checks and security clearances for certain employees who require access to highly sensitive data. These background checks often include criminal checks, credit reporting agency checks, and so on. Another example of a personnel policy may describe separation of duties, job rotation, and mandatory vacations. These particular elements of a personnel policy might be included to prevent fraud, misuse of assets, and collusion.



Personnel policies are typically the purview of the human resources department and may be wider in scope than simply the security aspect of personnel. Although specific personnel policies may address security duties and methods of enforcing personnel security, they may also address non–security-related aspects of personnel management, such as discipline and termination.

Other Policies

As we mentioned, we can’t hope to cover every policy that you might find in your organization, but we have covered some of the more common ones. Others that you might encounter include data destruction policies, backup policies, encryption requirements, and so on. Many organizations also create social media policies, which impose restrictions on what employees may post on social media sites, particularly regarding company-specific or customer information. The policies a company chooses to create depend on the legal liability risk the company faces. Policies can help reduce legal liability by demonstrating due diligence and due care. Additionally, if a policy has been created to direct employee behavior, and the employee is aware of the policy, the employee cannot later claim ignorance if disciplined or terminated for violating it.

Module 4 Questions and Answers

Questions

1. Which of the following is the highest form of governance that applies to businesses?

A. Statutes

B. Policies

C. Guidelines

D. Standards

2. Which of the following describes, in detail, how a policy will be implemented?

A. Best practice

B. Guideline

C. Procedure

D. Standard

3. All of the following are reasons for an organization to develop its policies, except:

A. Compliance with law

B. Organizational ethics

C. Satisfy business objectives

D. Avoid lawsuits

4. Mike has been using the company’s Internet connection to play online games during work hours. Which of the following could he be in violation of?

A. Security procedures

B. Federal law

C. Company policy

D. FIPS standards

5. Which of the following is an optional form of governance?

A. Policy

B. Guideline

C. Standard

D. Procedure

6. A business wants to ensure that employees cannot access non–work-related sites during business hours. Which policy would it create to include the restriction?

A. Social media policy

B. Acceptable use policy

C. Equipment use policy

D. Privacy policy

7. Which of the following policies might require that data from critical servers be saved on a nightly basis?

A. Data classification policy

B. Care of equipment policy

C. Acceptable use policy

D. Backup policy

8. Mike, a system administrator, has failed to complete several assigned tasks over the past few months, yet he continually works overtime. Which of the following types of policy would the company use to audit Mike’s actions, as well as discipline him for failure to complete these projects?

A. Acceptable use policy

B. Privacy policy

C. Personnel policy

D. Data sensitivity policy

9. Your company is being sued because it allowed another company to use its customers’ personal information without their prior consent. Which of the following should be reviewed to ensure that it addresses concerns regarding the transfer of personal information to third parties?

A. Customer privacy policy

B. Employee privacy policy

C. Access control policy

D. Data sensitivity policy

10. A company employee has recently posted details of a pending partnership with another business on her blog site and Twitter account. You want to discipline her for this, but your human resources department tells you that there are currently no social media restrictions prohibiting her action. Which of the following should you do to prevent further incidences of this sort?

A. Terminate her immediately to set an example for other employees.

B. Terminate the partnership.

C. Discipline the employee for violating the acceptable use policy.

D. Create a social media policy and ensure that all employees are made aware of it.

Answers

1. A. Statutes are public laws that override any internal organizational governance.

2. C. A procedure describes, in detail, how a policy will be implemented.

3. D. Developing a policy alone will not help an organization avoid lawsuits; however, it might demonstrate due care and diligence and reduce legal liability.

4. C. Mike could be in violation of any existing company policy that restricts Internet usage. He would not be in violation of any federal law, since playing online games during work hours is not illegal. Security procedures dictate how to accomplish a task, and FIPS standards do not cover Internet usage requirements.

5. B. Guidelines are optional forms of governance.

6. B. The acceptable use policy would be created to cover restrictions on Internet use during work hours.

7. D. The company’s backup policy would dictate requirements to back up critical data on a routine basis.

8. C. Personnel policies would address security concerns such as separation of duties, mandatory vacations, and job rotation in order to audit an employee’s activities, as well as the process for disciplining an employee for failure to perform his or her assigned duties.

9. A. The company’s customer privacy policy should be examined to ensure that it addresses transfer of personal customer data to third parties.

10. D. The first step you should take is to create a company social media policy restricting what employees can post on social media regarding the company. You should also make sure that each employee is made aware of the new policy and understands its ramifications. Terminating her without a policy already in place would open up the company to legal liability, since she may sue the company for firing her when there were no restrictions on what she did. The same would apply to disciplining her, since the acceptable use policy does not contain social media restrictions. Terminating the partnership over this infraction does not make good business sense.
