Chapter 16: Security Policies, Standards, and Compliance
Memorandum of Understanding (MOU)
A letter written to document aspects of the relationship They are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings Commonly used between different business units within the same organization
NIST Risk Management Framework (RMF)
A mandatory standard for federal agencies that provides a formalized process that federal agencies must follow to select, implement, and assess risk-based security and privacy controls
Industry Standards
An organization may choose to follow commonly accepted standards as a best practice. Failure to follow them may be seen as negligent in the legal realm
Sarbanes-Oxley Act
Applies to the financial records of US publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records
SOC 2 Engagements
Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. Audit results are confidential and are normally only shared outside the organization under an NDA
SOC 3 Engagements
Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. Audit results are intended for public discourse
SOC 1 Engagements
Assess the organization's controls that might impact the accuracy of financial reporting
The Framework Implementation
Assesses how an organization is positioned to meet cybersecurity objectives. A maturity model may be used, which describes the current and desired positioning of an organization along a continuum of progress. In the case of the NIST maturity model, organizations are assigned to one of four maturity model tiers
Data governance policy
Clearly states the ownership of information created or used by the organization
Service Organization Controls (SOC) Audit
Conducted by the American Institute for Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18)
Information Security Policy Framework
Contains a series of documents designed to describe the organization's cybersecurity program: 1) Policies 2) Standards 3) Procedures 4) Guidelines
Gramm-Leach-Bliley Act (GLBA)
Covers US financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for the program
Credential Management Policy
Describes the account lifecycle from provisioning through active use and decommissioning. This policy should include specific requirements for personnel who are employees of the organization as well as third-party contractors. It should also include requirements for credentials used by devices, service accounts, and administrator/root accounts
Data classification policy
Describes the classification structure used by the organization and the process used to properly assign classifications to data
Continuous Monitoring Policy
Describes the organization's approach to monitoring and informs employees that their activity is subject to monitoring in the workplace
Asset Management
Describes the process that the organization will follow for accepting new assets (such as computers and mobile devices) into inventory, tracking those assets over their lifetime, and properly disposing of them at the end of their useful life
NIST Cybersecurity Framework (CSF)
Designed to assist organizations attempting to meet one or more of the following five objectives: 1) Describe their current cybersecurity posture 2) Describe their target state for cybersecurity 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process 4) Assess progress toward the target state 5) Communicate among internal and external stakeholders about cybersecurity risk
Benchmarks
Detailed configuration guides published by government agencies, vendors, and industry groups. They provide instruction on operating systems, web servers, application servers, and network infrastructure devices An example of one publisher is the Center for Internet Security (CIS)
Business Partnership agreements (BPAs)
Exist when two organizations agree to do business with each other in a partnership For example, if two companies jointly develop and market a product, the BPA might specify each partner's responsibilities and the division of profits
Mandatory Vacactions
Forcing employees to take an annual vacation that is at least one week long
Audits
Formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party. Require rigorous, formal testing of controls and result in a formal statement from the auditor regarding the entity's compliance. May be conducted by an internal team or an external company
Social Media
Organizations may choose to adopt social media policies that constrain the behavior of employees on social media, both on personal and professional accounts
Data Retention Policy
Outlines what information the organization will maintain and the length of time different categories or work product will be retained prior to destruction
Capture the Flag (CFT)
Programs that pit technologists against one another in an attempt to attack a system and achieve a specific goal, such as stealing a sensitive file. Participants gain an appreciation for attacker techniques and learn how to better defend their own systems against similar attacks
Master Service Level Agreements (MSA)
Provide an umbrella contract for the work that a vendor does with an organization over an extended period of time Typically includes detailed security and privacy requirements
Guidelines
Provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory, and guidelines are offered in the spirit of providing helpful advice
Standards
Provide mandatory requirements describing how an organization will carry out its information security policies These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective. Typically approved at a lower level and change more regularly
Payment Card Industry Data Security Standard (PCI DSS)
Provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers worldwide
ISO 31000
Provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk
Acceptable Use Policy (AUP)
Provides network and system users with clear direction on permissible uses of information resources
The International Organization for Standardization (ISO)
Publishes a series of standards that offer best practices for cybersecurity and privacy
Job rotation
Takes employees with sensitive roles and moves them periodically. The idea is that fraudulent activity often requires ongoing concealment, and workers would not be able to conceal their fraud if they get moved to a new duty
Offboarding
The process involved when employees leave an organization. Ensures that the organization retains control of its assets and handles the revocation of credentials and privileges in an orderly manner
User Security Training
Users at an organization should receive regular security awareness training to ensure that they understand the risks associated with your computing environment Should be role-based and may come in the form of computer-based training (CBT)
Quality Control Procedures
Verify that an organization has sufficient security controls in place and they are functioning properly Regular informal tests, as well as regular formal evaluations should be conducted. The formal evaluations should be either audits or assessments
Privilege Creep
When users move around within the organization and retain privileges even when they no longer need them
ISO 27701
Whereas ISO 27001 and ISO 27002 focus on cybersecurity controls, ISO 27701 contains standard guidance for managing privacy controls. ISO views this document as an extension to their ISO 27001 and ISO 27002 security standards
Service level agreement (SLA)
Written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA. SLAs commonly cover issues such as system availability, data durability, and response time
Information Security Policy
provides high-level authority and guidance for the security program
Onboarding
The process for hiring new employees
Type 2 Reports
A SOC report that goes further and also provides the auditor's opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly
Type 1 Reports
A SOC report that provides the auditor's opinion on the description provided by management and the suitability of the design of the controls
Procedures
A detailed, step-by-step process that individuals and organizations must follow in specific circumstances. Similar to checklists, they ensure a consistent process for achieving a security objective. Compliance with them is mandatory Examples of what they are used for: building new systems, releasing code to prod, responding to security incidents
Framework Core
A set of five security functions that apply across all industries and sectors: identify, protect, detect, respond, and recover
ISO 27002
A standard that goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives, such as: 1) Select information security controls 2) Implement information security controls 3) Develop information security management guidelines
Various data breach notification laws
Describe the requirements that individual states place on organizations that suffer data breaches regarding notification of individuals affected by the breach
Code of Conduct/Ethics
Describes expected behavior of employees and affiliates and covers situations not specifically addressed in policy
Framework Profiles
Describe how a specific organization might approach the security functions covered by Framework Core. An organization might use a framework profile to describe its current state and then a separate profile to describe its desired future state
Monitoring Procedures
Describe how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology
Evidence Production Procedures
Describe how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence.
Change Management and Change Control Policies
Describe how the organization will review, approve, and implement proposed changes to information systems in a manner that manages both cybersecurity and operational risk
Patching Procedures
Describe the frequency and process of applying patches to applications and systems under the organization's care
Separation of duties
Dividing responsibilities between two or more people to limit fraud. For example, two specific duties may yield a great amount of power when combined, so separation of duties ensures that one person cannot perform both
Statement of Work (SOW)
Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA
Policies
High-level statements of management intent. Compliance with them is mandatory. May contain broad statements, such as: 1) A statement on the importance of cybersecurity to the organization 2) Requirements that all staff and contracts take measures to protect the confidentiality, integrity, and availability of information and information systems 3) Statement on the ownership of information created and/or possessed by the organization 4) Designation of the chief information security officer (CISO) or another individual as the executive responsible for cybersecurity issues 5) Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy
NIST Cybersecurity Framework (CSF) Five Key Security Functions
Identify, protect, detect, respond, recover
General Data Protection Regulation (GDPR)
Implements security and privacy requirements for the personal information of European Union residents worldwide
Health Insurance Portability and Accountability Act (HIPAA)
Includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses in the United States
Assessments
Less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement. Employees are often interviewed and taken at their word, rather than conducting rigorous independent testing
Gamification
Making security training more fun by making it game-like
Nondisclosure agreements (NDAs)
Require that employees protect any confidential information that they gain access to in the course of their employment. Typically signed when hired. The employee typically receives reminders throughout employment and during exit interviews
Family Educational Rights and Privacy Act (FERPA)
Requires that US educational institutions implement security and privacy controls for student educational records
Clean Desk Policy
Requires that employees secure all information that is on paper when they leave their desk
National Institute for Standards and Technology (NIST)
Responsible for developing cybersecurity standards across the US federal government. The guidance and standard documents they produce have wide applicability and are often used by nongovernmental security analysts
Password policy
Sets forth requirements for password length, complexity, reuse, and similar issues
ISO 27001
The ISO (International Organization for Standardization) 27001 standard is a code of practice for implementing an information security management system, against which organizations can be certified. Covers 14 categories, such as information security policies, access control, etc.
Difference between NIST CSF and RMF
The RMF is a formal process for implementing security controls and authorizing system use CSF provides a broad structure for cybersecurity controls Both are mandatory for government agencies, but only the CSF is commonly used in private industry
Two person control
The organization of a task or process so that at least two individuals must work together to complete it. Also known as dual control.