Security+ Long Study 5
5.0 Security Program Management (20%)
5.1 Summarize elements of effective security governance.
5.2 Explain elements of the risk management process.
5.3 Explain the processes associated with third-party risk assessment and management.
5.4 Summarize elements of effective security compliance.
5.5 Explain types and purposes of audits and assessments.
5.6 Given a scenario, implement security awareness practices.
🟠 Security Program Management and Oversight
5.1 Summarize elements of effective security governance
Guidelines:
● Policies
• Acceptable Use Policy (AUP): Defines acceptable behavior regarding the use of the organization’s IT resources, outlining rules and restrictions to ensure security and productivity.
• Information Security Policies: A set of policies governing the protection of organizational data and information assets from unauthorized access, disclosure, alteration, or destruction.
• Business Continuity: Policies outlining procedures and protocols to ensure the organization can continue operating during and after a disruptive event, minimizing downtime and ensuring resilience.
• Disaster Recovery: Policies defining the steps and processes to recover IT systems and data after a catastrophic event, restoring normal operations as quickly as possible.
• Incident Response: Policies detailing the procedures and actions to be taken in response to security incidents, including detection, containment, eradication, and recovery.
• Software Development Lifecycle (SDLC): Policies guiding the development, testing, deployment, and maintenance of software applications, ensuring security, quality, and compliance.
• Change Management: Policies governing the process for requesting, reviewing, approving, implementing, and documenting changes to IT systems and infrastructure.
● Standards
• Password: Standard guidelines for creating, managing, and securing passwords, including complexity requirements, expiration periods, and reuse restrictions.
• Access Control: Standard protocols and procedures for managing user access to systems, applications, and data, ensuring only authorized users have appropriate permissions.
• Physical Security: Standard practices for securing physical premises, facilities, and assets, including access controls, surveillance, and environmental controls.
• Encryption: Standard algorithms, protocols, and key management practices for encrypting data at rest, in transit, and in use, protecting sensitive information from unauthorized access.
● Procedures
• Change Management: Detailed procedures for requesting, reviewing, approving, implementing, and documenting changes to IT systems and infrastructure, ensuring compliance with policies and minimizing disruptions.
• Onboarding/Offboarding: Procedures for provisioning and deprovisioning user accounts, access privileges, and IT resources for new hires, contractors, and departing employees.
• Playbooks: Step-by-step guides and instructions for responding to specific security incidents or scenarios, facilitating quick and effective incident response.
● External Considerations
• Regulatory: External regulations and compliance requirements governing the organization’s operations, data handling practices, and security controls.
• Legal: Laws and statutes applicable to the organization’s industry, jurisdiction, and geographical locations, influencing data privacy, intellectual property, and liability.
• Industry: Sector-specific standards, guidelines, and best practices relevant to the organization’s industry vertical, ensuring compliance and addressing industry-specific risks.
• Local/Regional/National/Global: Geographic-specific regulations, laws, and standards applicable at the local, regional, national, or global level, influencing governance and compliance obligations.
● Monitoring and Revision
• Processes for ongoing monitoring, review, and revision of policies, standards, and procedures to ensure they remain current, effective, and aligned with organizational objectives and external requirements.
● Types of Governance Structures
• Boards/Committees: Governing bodies responsible for setting strategic direction, overseeing risk management, and ensuring compliance with policies and regulations.
• Government Entities: Regulatory bodies, government agencies, or industry associations providing oversight, guidance, and enforcement of laws and standards.
• Centralized/Decentralized: Organizational structures determining the distribution of authority, decision-making processes, and accountability for governance and compliance functions.
● Roles and Responsibilities for Systems and Data
• Owners: Individuals or groups responsible for the overall management and stewardship of systems, applications, or data assets, including accountability for security and compliance.
• Controllers: Individuals or entities responsible for determining the purposes and means of processing personal data, ensuring compliance with data protection regulations.
• Processors: Individuals or entities that process personal data on behalf of the data controller, subject to contractual obligations and security requirements.
• Custodians/Stewards: Individuals or groups responsible for the day-to-day management, protection, and maintenance of specific IT systems, applications, or data sets.
🟠 5.2 Explain elements of the risk management process
Risk Management
● Risk Identification
• The process of identifying potential threats, vulnerabilities, and events that could impact the organization’s objectives, operations, or assets.
Risk Assessment
● Ad Hoc: Occasional assessments conducted on an as-needed basis in response to specific events or changes.
● Recurring: Regularly scheduled assessments conducted at predefined intervals to evaluate and manage risks systematically.
● One-time: Single, comprehensive assessment performed to identify and analyze risks within a specific context or project.
● Continuous: Ongoing monitoring and assessment of risks to maintain awareness and responsiveness to evolving threats and vulnerabilities.
Risk Analysis
● Qualitative: Subjective assessment of risks based on expert judgment, categorizing risks by severity, likelihood, and impact.
● Quantitative: Objective assessment of risks using numerical data and mathematical models to calculate expected losses and probabilities.
• Single Loss Expectancy (SLE): Monetary loss from a single occurrence of a risk event; SLE = Asset Value (AV) × Exposure Factor (EF).
• Annualized Loss Expectancy (ALE): Expected monetary loss from a risk over a one-year period; ALE = SLE × ARO.
• Annualized Rate of Occurrence (ARO): Expected number of times the risk event occurs per year (an ARO of 0.5 means once every two years).
• Probability/Likelihood: Chance of a risk event occurring, estimated from historical data, expert judgment, or statistical analysis.
• Exposure Factor (EF): Percentage of the asset’s value expected to be lost if the risk event occurs.
• Impact: Consequence or effect of a risk event on the organization’s objectives, assets, or operations.
Risk Register
● A document or database containing information about identified risks, including their likelihood, impact, mitigation strategies, and risk owners.
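The quantitative formulas above (SLE = AV × EF, ALE = SLE × ARO) and the risk register are easiest to understand when the numbers are worked end to end, including the cost/benefit test for a proposed control: (ALE before − ALE after) − annual control cost. The script below is an added example, not part of the original study notes; the risks, amounts, control costs and the 10,000 risk appetite are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One entry in a quantitative risk register (all amounts in one currency)."""
    name: str
    owner: str                      # accountable risk owner
    asset_value: float              # AV: value of the asset at risk
    exposure_factor: float          # EF: fraction of AV lost per occurrence (0.0-1.0)
    aro: float                      # ARO: expected occurrences per year
    control: Optional[str] = None   # proposed safeguard, if one has been costed
    control_cost: float = 0.0       # annual cost of that safeguard
    ef_after: Optional[float] = None   # EF once the safeguard is in place
    aro_after: Optional[float] = None  # ARO once the safeguard is in place

    @property
    def sle(self) -> float:
        """SLE = AV x EF: loss from a single occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO: expected loss per year with no new control."""
        return self.sle * self.aro

    @property
    def ale_after(self) -> float:
        """ALE with the safeguard applied (unchanged factors are carried over)."""
        ef = self.exposure_factor if self.ef_after is None else self.ef_after
        aro = self.aro if self.aro_after is None else self.aro_after
        return self.asset_value * ef * aro

    @property
    def control_value(self) -> float:
        """Cost/benefit of the safeguard: (ALE before - ALE after) - annual cost.
        Positive means the control pays for itself."""
        return (self.ale - self.ale_after) - self.control_cost


def recommend(risk: Risk, appetite: float) -> str:
    """Map the numbers onto a treatment. 'appetite' is the largest ALE the
    organization will carry for a single risk without further action."""
    if risk.control is not None and risk.control_value > 0:
        return "mitigate"   # safeguard reduces ALE by more than it costs
    if risk.ale <= appetite:
        return "accept"     # within appetite: document, assign owner, set review date
    # Over appetite with no cost-effective control: the numbers cannot choose
    # between avoid, transfer (insurance) or a different control, so escalate.
    return "escalate"


def build_register(risks, appetite):
    """Return register rows sorted by ALE, highest exposure first."""
    rows = []
    for r in sorted(risks, key=lambda x: x.ale, reverse=True):
        rows.append({
            "name": r.name, "owner": r.owner,
            "sle": round(r.sle, 2), "ale": round(r.ale, 2),
            "control": r.control, "ale_after": round(r.ale_after, 2),
            "control_value": round(r.control_value, 2),
            "treatment": recommend(r, appetite),
        })
    return rows


# Constructed sample entries (illustrative figures, not real data).
RISKS = [
    Risk("Ransomware on file server", "IT Ops", 500_000, 0.60, 0.25,
         control="Offline, tested backups", control_cost=20_000, ef_after=0.10),
    Risk("Public web defacement", "Marketing", 50_000, 0.20, 0.5,
         control="Managed WAF", control_cost=8_000, aro_after=0.1),
    Risk("Lost unencrypted laptop", "IT Ops", 25_000, 1.0, 2.0,
         control="Full-disk encryption", control_cost=600, ef_after=0.2),
    Risk("Single-region cloud outage", "Platform", 2_000_000, 0.05, 0.4),
]
RISK_APPETITE = 10_000  # assumption: largest ALE accepted per risk without action

if __name__ == "__main__":
    for row in build_register(RISKS, RISK_APPETITE):
        print(f"{row['name']:<30} SLE={row['sle']:>10,.0f} ALE={row['ale']:>9,.0f} "
              f"-> {row['treatment']}  ({row['control'] or 'no control costed'})")
```

Working through the first entry: SLE = 500,000 × 0.60 = 300,000; ALE = 300,000 × 0.25 = 75,000; with backups EF drops to 0.10, so ALE after = 12,500 and the control is worth 75,000 − 12,500 − 20,000 = 42,500 per year, which justifies "mitigate". The WAF entry shows the opposite outcome: it would save 4,000 of ALE but costs 8,000, so the cheaper answer is to accept a 5,000 ALE that sits inside appetite. Avoid and transfer never come out of the arithmetic by themselves; they are business decisions the register flags for escalation.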
Risk Tolerance/Risk Appetite
● Risk Tolerance: The acceptable deviation from the risk appetite for a given risk or activity; in practice, the maximum level of exposure the organization is willing to tolerate in pursuit of its objectives.
● Risk Appetite: The amount and type of risk the organization is willing to take on to achieve strategic goals, commonly categorized as expansionary (accepts higher risk for higher return), conservative (minimizes risk), or neutral (balances the two).
Risk Management Strategies
● Transfer: Shifting the financial consequences of a risk to a third party, such as an insurer or a vendor, through contractual agreements; accountability for the risk stays with the organization.
● Accept: Acknowledging a risk and deciding, with documented approval from the risk owner, to take no active measures to reduce it. Two documented forms of acceptance:
• Exemption: A formal release from a policy or control requirement, granted where applying the control is not feasible or the risk is low enough that it does not warrant it.
• Exception: A time-bound, approved deviation from a policy or control for a specific business need, normally with compensating controls and a review date.
● Avoid: Eliminating the risk entirely by not performing the activity that creates it (for example, declining a project or retiring a system) rather than reducing it.
● Mitigate: Implementing controls to reduce the likelihood or impact of a risk to an acceptable (residual) level.
Risk Reporting
● Communication of risk-related information to stakeholders, including executive management, board members, and relevant parties, to facilitate informed decision-making and risk oversight.
Business Impact Analysis
● Recovery Time Objective (RTO): Maximum acceptable time to restore a system or process to operation after an incident.
● Recovery Point Objective (RPO): Maximum acceptable amount of data loss, expressed as time: how far back the last usable backup or replica may be from the moment of failure.
● Mean Time to Repair (MTTR): Average time required to repair or recover a failed system or component and return it to service.
● Mean Time Between Failures (MTBF): Average operating time between failures of a system or component; together with MTTR it indicates expected availability.
🟠 5.3 Third-Party Risk Assessment and Management
● Vendor Assessment
• Evaluation of vendors based on their security measures, reputation, financial stability, and overall ability to meet the organization’s requirements.
● Penetration Testing
• Assessment method involving simulated cyber attacks on a vendor’s systems or infrastructure to identify vulnerabilities and assess security posture.
● Right-to-Audit Clause
• Contractual provision granting the organization the authority to conduct audits or assessments of the vendor’s operations, processes, or compliance with security requirements.
● Evidence of Internal Audits
• Documentation or reports demonstrating that the vendor conducts internal audits or assessments of their systems, processes, and controls to ensure compliance with standards and regulations.
● Independent Assessments
• Third-party evaluations or audits conducted by independent organizations to assess the vendor’s security practices, controls, and compliance with contractual or regulatory requirements.
● Supply Chain Analysis
• Examination of the vendor’s supply chain to identify potential risks, vulnerabilities, or dependencies that could impact the organization’s operations or security posture.
● Vendor Selection
• Process of evaluating and choosing vendors based on factors such as reputation, capabilities, security posture, and alignment with organizational needs.
● Due Diligence
• Comprehensive investigation or assessment conducted to evaluate the vendor’s financial stability, reputation, legal compliance, and other relevant factors before entering into a business relationship.
● Conflict of Interest
• Evaluation of potential conflicts of interest that may arise from the vendor’s relationships, affiliations, or competing interests that could impact their ability to fulfill contractual obligations impartially.
● Agreement Types
• Service-Level Agreement (SLA): Contractual agreement that defines measurable service levels (for example, uptime, response and resolution times), how they are measured, and the remedies or penalties when they are missed.
• Memorandum of Agreement (MOA): Formal, generally binding document setting out the terms and conditions of a specific arrangement between parties.
• Memorandum of Understanding (MOU): Less formal, non-binding agreement outlining the mutual intentions or goals of the parties.
• Master Service Agreement (MSA): Comprehensive contract outlining general terms and conditions for future transactions or services between parties.
• Work Order (WO)/Statement of Work (SOW): Detailed document outlining specific tasks, deliverables, and timelines for a project or service.
• Non-Disclosure Agreement (NDA): Contractual agreement outlining confidentiality obligations regarding proprietary or sensitive information shared between parties.
• Business Partners Agreement (BPA): Contractual agreement outlining the terms and conditions of a partnership or joint venture between businesses.
● Vendor Monitoring
• Ongoing oversight and evaluation of the vendor’s performance, compliance, and security posture throughout the duration of the business relationship.
● Questionnaires
• Surveys or assessments used to gather information from vendors about their practices, controls, and compliance with security requirements.
● Rules of Engagement
• Guidelines or protocols established to define the scope, objectives, and boundaries of assessments, audits, or engagements with vendors.
🟠 5.4 Elements of Effective Security Compliance
● Compliance Reporting
• Internal: Reporting mechanisms and processes established within the organization to monitor and document compliance with internal policies, procedures, and standards.
• External: Reporting activities and submissions to external entities such as regulatory authorities, industry regulators, or certification bodies to demonstrate compliance with applicable laws, regulations, or standards.
● Consequences of Non-Compliance
• Fines: Monetary penalties imposed by regulatory authorities or governing bodies for failure to comply with legal or regulatory requirements.
• Sanctions: Punitive measures or restrictions imposed on the organization for non-compliance, which may include limitations on business activities or operations.
• Reputational Damage: Negative impact on the organization’s reputation or brand perception resulting from non-compliance with laws, regulations, or industry standards.
• Loss of License: Revocation or suspension of licenses, permits, or certifications necessary for the organization to conduct business operations legally.
• Contractual Impacts: Adverse effects on contractual relationships with customers, partners, or vendors due to breaches of compliance obligations outlined in contractual agreements.
● Compliance Monitoring
• Due Diligence/Care: Due diligence is the work of investigating and understanding the organization’s obligations and risks (assessments, vendor reviews, audits); due care is acting reasonably on that knowledge by implementing and maintaining the controls a prudent organization would. Together they demonstrate that compliance was pursued actively, not by accident.
• Attestation and Acknowledgment: Formal declarations or acknowledgments made by responsible parties within the organization to confirm compliance with specific requirements or standards.
• Internal and External: Monitoring activities conducted both internally by the organization’s compliance teams and externally by regulatory authorities or third-party auditors.
• Automation: Use of automated tools, systems, or processes to streamline compliance monitoring, reporting, and enforcement activities, enhancing efficiency and accuracy.
● Privacy
• Legal Implications: Legal considerations and obligations related to privacy protection, including local, regional, national, and global laws, regulations, or directives governing data privacy and protection.
• Data Subject: Individuals whose personal data is collected, processed, or stored by the organization, entitled to certain rights and protections regarding the handling of their information.
• Controller vs. Processor: Distinction between entities responsible for determining the purposes and means of processing personal data (controllers) and those processing data on behalf of controllers (processors), with different compliance obligations and responsibilities.
• Ownership: Clarification of ownership rights and responsibilities regarding the management, protection, and use of personal data collected or processed by the organization.
• Data Inventory and Retention: Documentation and management of the organization’s data assets, including inventorying and categorizing data, defining retention periods, and implementing appropriate controls for data protection and privacy compliance.
• Right to be Forgotten: Individuals’ right to request the erasure or deletion of their personal data held by the organization, as mandated by certain privacy regulations such as the General Data Protection Regulation (GDPR).
🟠 5.5 Types and Purposes of Audits and Assessments
● Attestation:
• A formal statement by a responsible party (management, or an auditor on their behalf) that specified controls exist and operate as described, used to confirm adherence to regulatory requirements, industry standards, and organizational policies.
● Audit Committee:
• Oversight body responsible for reviewing and validating the effectiveness of internal controls, compliance efforts, and audit findings.
● Self-Assessments:
• Internal evaluations conducted by the organization to assess its compliance posture, identify gaps, and implement corrective actions.
● External:
• Regulatory: Compliance verification conducted by regulatory authorities or government agencies to ensure adherence to applicable laws, regulations, and standards.
• Examinations: Formal reviews or assessments performed by external entities, such as auditors or regulators, to evaluate the organization’s compliance with legal and regulatory requirements.
• Assessment: Comprehensive evaluations conducted by independent assessors or third-party auditors to assess the organization’s adherence to industry standards, best practices, and contractual obligations.
● Independent Third-Party Audit:
• Examination of the organization’s compliance status and controls by external auditors or assessors who are independent of the organization’s management structure.
● Penetration Testing:
• Physical: Testing focused on assessing the physical security controls, vulnerabilities, and potential points of entry to facilities or premises.
• Offensive: Simulation of cyber attacks and exploitation attempts to identify weaknesses in networks, systems, and applications from the perspective of potential adversaries.
• Defensive: Evaluation of defensive measures, detection capabilities, and incident response processes to assess the organization’s ability to withstand and mitigate cyber attacks.
• Integrated: Coordinated testing approach that combines offensive and defensive strategies to simulate real-world attack scenarios and evaluate overall security posture.
• Known Environment: Testing in which the testers are given full knowledge of the target (architecture, source code, credentials, configurations); formerly called white-box testing.
• Partially Known Environment: Testers receive limited information, such as network ranges or user-level credentials but not source code; formerly called gray-box testing.
• Unknown Environment: Testers start with no inside information and must discover the target as an external attacker would; formerly called black-box testing.
● Reconnaissance:
• Initial phase of penetration testing focused on gathering information about the target environment through passive or active methods.
• Passive: Gathering information without directly interacting with the target, such as through public sources or passive network monitoring.
• Active: Proactively seeking information by directly interacting with the target environment, such as through network scans or vulnerability assessments.
🟠 5.6 Implementing Security Awareness Practices
● Phishing:
• Campaigns: Organization-run simulated phishing campaigns that send realistic but harmless lures to staff, measure click and report rates, and steer those who fall for them to just-in-time training; results are tracked over time to show whether awareness is improving.
• Recognizing a Phishing Attempt: Training employees to identify common indicators of phishing emails, such as suspicious sender addresses, unfamiliar URLs, grammatical errors, urgent language, and requests for sensitive information.
• Responding to Reported Suspicious Messages: Establishing protocols for promptly investigating and addressing reported phishing attempts, including verification, communication with affected parties, and mitigation measures to prevent further exposure.
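The indicators listed under "Recognizing a Phishing Attempt" (suspicious sender addresses, unfamiliar URLs, urgent language, requests for sensitive information) can be checked mechanically when a reported message reaches the security team. The script below is an added example, not part of the original study notes: it parses a raw message with Python's standard email module and reports each indicator it finds. The organization domain example.com, the phrase lists, the two-label registrable-domain approximation and both sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "act now")
CREDENTIAL_PHRASES = ("verify your password", "confirm your password",
                      "enter your credentials", "log in to verify")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mail_domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    # Crude "last two labels" approximation of the registrable domain; enough
    # for the constructed samples, not a substitute for a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])


def body_text(msg):
    """Content type and decoded text of the first text/* part."""
    part = next((p for p in msg.walk() if p.get_content_maintype() == "text"), None)
    if part is None:
        return "text/plain", ""
    raw = part.get_payload(decode=True) or b""
    return part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender domain is not ours but borrows our name (lookalike domain).
    from_dom = mail_domain(msg.get("From"))
    if from_dom and from_dom != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in from_dom:
        findings.append(f"lookalike sender domain: {from_dom}")

    # 2. Replies are silently routed to a different domain.
    reply_dom = mail_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    ctype, body = body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # 3. Visible link text names one host while the href goes somewhere else.
    if ctype == "text/html":
        parser = LinkCollector()
        parser.feed(body)
        for href, shown in parser.links:
            target = urlparse(href).hostname or ""
            m = re.search(r"https?://([^/\s]+)", shown)
            if m and target and registrable(m.group(1)) != registrable(target):
                findings.append(f"link text shows {m.group(1)} but points to {target}")

    # 4 and 5. Pressure language and credential-harvesting language.
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))
    creds = [p for p in CREDENTIAL_PHRASES if p in text]
    if creds:
        findings.append("asks for credentials: " + ", ".join(creds))
    return findings


def is_suspicious(raw_message, threshold=2):
    """Two or more independent indicators is a reasonable bar for escalation."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "IT Support" <helpdesk@example-com-support.net>
Reply-To: collect@mailbox-reset.biz
To: alice@example.com
Subject: URGENT: your password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox is full and your account will be suspended within 24 hours.</p>
<p>Please open <a href="http://login.example-com-support.net/reset">https://sso.example.com/reset</a>
and verify your password to keep access.</p>
</body></html>
"""

SAMPLE_BENIGN = """From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Want to grab lunch Thursday? The new place on 5th is supposed to be good.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, "->", phishing_indicators(sample) or "no indicators")
```

On the constructed phishing sample the checker reports all five indicator types: a lookalike sender domain, a Reply-To pointing elsewhere, link text showing sso.example.com while the href goes to login.example-com-support.net, urgency phrases, and a request to verify a password. The benign lunch invitation produces none. No single check is conclusive on its own (legitimate newsletters use tracking links, and an internal notice can be urgent), which is why the decision helper asks for at least two independent indicators before treating a report as suspicious.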
● Anomalous Behavior Recognition:
• Risky: Identifying behaviors or actions that deviate from established norms or pose a potential risk to the organization’s security, such as accessing unauthorized resources or downloading suspicious files.
• Unexpected: Noticing actions or events that are unusual or unexpected in the context of typical user behavior, which may indicate a security incident or compromise.
• Unintentional: Recognizing inadvertent actions or mistakes by users that could compromise security, such as clicking a malicious link, sending sensitive data to the wrong recipient, or misconfiguring a sharing setting.
● User Guidance and Training:
• Policy/Handbooks: Providing employees with clear guidelines and policies regarding acceptable use of technology resources, security best practices, and procedures for handling sensitive information.
• Situational Awareness: Educating users about the tactics and techniques used by cyber attackers, promoting awareness of potential threats, and encouraging vigilance in identifying and reporting suspicious activities.
• Insider Threat: Raising awareness about the risks posed by insider threats, including unintentional and malicious actions by employees, contractors, or other trusted entities.
• Password Management: Educating users on strong, unique passwords (ideally generated and stored by a password manager), never reusing a password across services, changing a password promptly when compromise is suspected, and enabling multifactor authentication wherever it is offered.
• Removable Media and Cables: Providing guidance on the secure use of removable media and cables to prevent data loss or unauthorized access, including policies for encryption and secure disposal.
• Social Engineering: Training employees to recognize and resist social engineering tactics used by attackers to manipulate individuals into divulging confidential information or performing actions that compromise security.
• Operational Security: Promoting operational security practices to safeguard sensitive information and assets, including physical security measures, data encryption, and secure communication protocols.
• Hybrid/Remote Work Environments: Offering guidance and best practices for maintaining security in hybrid or remote work environments, including secure connectivity, device management, and data protection measures.
● Reporting and Monitoring:
• Initial: Establishing channels (such as a report-phishing button or a security mailbox) for employees to report suspicious activities, security incidents, or potential threats, ensuring timely triage and investigation by security teams.
• Recurring: Ongoing monitoring and reporting that tracks security-related events, phishing-simulation results, and training completion over time, analyzes trends, and identifies areas where awareness needs reinforcing.
● Development:
• Creating training programs and materials, tailored to roles and to the organization’s actual threats, that cover security awareness, phishing prevention, and incident reporting procedures.
● Execution:
• Delivering the awareness training, running phishing simulations, and conducting incident response exercises, then measuring the results to test and reinforce the effectiveness of the program.