CNIT 160 Ch 4 Information Security Program Development (Part 3)
0 likes158 views
This chapter discusses developing an information security program, including policy development, third-party risk management, and internal partnerships. It covers establishing security policies, assessing and managing risks from third parties, and collaborating internally with teams like legal, HR, IT, facilities, and business units. Developing strong internal partnerships is important for sharing security responsibilities and managing risks across the organization.
CNIT 160 Ch 4 Information Security Program Development (Part 3)
- 1. CNIT 160: Cybersecurity Responsibilities 4. Information Security Program Development Part 2 Pages 235-257
- 2. Chapter Topics • This lecture covers: • Policy Development (p. 235) • Third-Party Risk Management • Administrative Activities • Internal Partnerships • External Partnerships • Compliance Management • Personnel Management
- 3. Chapter Topics For Later Lectures • Administrative Activities • External Partnerships • Compliance Management • Personnel Management • Project and Program Management • Budget • Business Case Development • Vendor Management
- 4. • Security Program Operations • IT Service Management • Controls • Metrics and Monitoring • Continuous Improvement Chapter Topics For Later Lectures
- 6. Security Policy • Foundational • Defines principles and required actions • to protect assets and personnel • Audience is all personnel • Full-time and part-time employees • Temporary workers, contractors and consultants
- 7. Easily Accessible • So no personnel can claim ignorance • As an excuse for violating policy • Often personnel must acknowledge understanding of policy • At time of hire and annually thereafter
- 8. Considerations • Laws, regulations, standards • Risk tolerance • Controls • Organizational culture
- 9. Alignment • Alignment with Controls • Policies and controls must not contradict each other • Alignment with Audience • Policy must be understood by the workers • Avoid overly technical policies • May have a separate policy for technical workers
- 12. Policy Distribution and Acknowledgement • Policy should be well-known and easily accessible • High-ranking executive should inform workers that they are required to comply with the policy • Executives should lead by example
- 14. Outsourcing • Must identify risks of cloud services • You can outsource work • But you cannot outsource responsibility
- 15. Benefits from Use of Third Parties • Available skills and resources • Economies of scale • Objectivity • Reduced costs
- 16. Risks from Use of Third Parties • Higher-than-expected costs • Poor quality or performance • Loss of control • Employee integrity and background • Loss of competitive advantage
- 17. Risks from Use of Third Parties (continued) • Errors and omissions • Vendor failure • Differing mission and goals • Difficult recourse for problems • Lowered employee morale
- 18. Risks from Use of Third Parties (continued) • Audit and compliance • Applicable laws • Cross-border data transfer • Time zone differences • Language and cultural differences
- 19. Identifying Third Parties • Inventory third party vendors in use • Consult with stakeholders • Legal • Procurement • Accounts payable • Facilities • Department heads • Location-specific leaders
- 20. IT and Third Parties • Ways to identify third parties in use • Established data connections with third parties • Firewall, IDS, and IPS rules • Connections to Identity and Access Management (IAM) systems • Cloud Access Security Broker (CASB) systems
- 21. Applications to Manage Third Parties
- 22. Risk Tiering and Vendor Classification • Cannot perform all due diligence on all vendors • Apply a level of due diligence according to the level of risk
- 23. Criteria • Volume of sensitive customer data • Volume of sensitive internal data • Operational criticality • Physical access to company buildings • Access to information systems • Contractual obligations
- 24. Example
- 25. Ch 4c-1
- 26. Assessing Third Parties • Questionnaires • Questionnaire confirmation • E.g. requesting evidence • Site visit • External attestation • Such as compliance with SOC2, HITRUST, ISO/IEC 27001, etc.
- 27. Assessing Third Parties (continued) • External business intelligence • Services like Dunn & Bradstreet or Lexis Nexus • That collect information on health of companies • External cyber intelligence • Security scans • Dark web monitoring
- 28. Assessing Third Parties (continued) • Security scans and penetration tests • Intrusive monitoring • Third party can view internal control data in real time • Such as event logs, firewall logs, or packet captures
- 31. Proactive Issue Remediation • The only means of exchange between customer organization and third party are • Money and reputation • Especially when crossing national boundaries • Consider enforcement mechanisms
- 32. Contractual Provisions • Service Level Agreement (SLA) • Quality • Security policy and controls • Business continuity • Employee integrity • Ownership of intellectual property • Roles and responsibilities
- 33. Contractual Provisions (continued) • Schedule • Regulations and laws • Warranty • Dispute and resolution • Payment
- 34. Responsive Issue Remediation • Results from a questionnaire may be unacceptable • Such as no password change requirements • Discussions with third parties may provoke changes • Or expose satisfactory compensating controls
- 35. Onboarding • Process to begin a relationship with a third party • Up-front due diligence • To understand the level of risk • Before signing a legal agreement
- 37. Security Incidents • Incident response is more complex • When two organizations are involved
- 39. Importance • Partnerships • Are a source of information • And help manage security • Deputize team members from other groups • Designate security liaisons • But they need training and time allocated for these added duties
- 40. Legal • Manages business risk • Through contract negotiations • With service providers, customers, and others • Information security can help • With security clauses • Best if security assessment happens before signing a contract
- 41. Human Resources (HR) • Recruiting: background checks • Onboarding • Nondisclosure agreements • Training, including Security Awareness Training • Provisioning Human Resource Information Systems (HRISs)
- 42. Human Resources (HR) (continued) • Internal transfers • Move to a different department • Change access to systems and applications • Avoid accumulation of privileges
- 43. Human Resources (HR) (continued) • Offboarding • Notify security, IT and other departments • Terminate access rights promptly • To prevent revenge and sabotage • Collect company assets like laptops • Sign nondisclosure and noncompete agreements
- 44. Human Resources (HR) (continued) • Training • Investigations • Often in partnership with information security • Forensics and chain of custody • Discipline • Demotion, time off without pay, dismissal, etc.
- 45. Facilities • Access control • Workplace surveillance • Equipment check-in/check-out • Guest processing • Security guard • Asset security • Personnel safety
- 46. Information Technology (IT) • Access control • Architecture • Hardening • Scanning and patching • Security tools • Firewalls, IDS, spam filters, etc.
- 47. Information Technology (IT) (continued) • System monitoring • Security monitoring • Third-party connections
- 48. Product Development • Security by design • Secure development • Security testing • Code reviews • Security review of open source software • Developer training • Protection of the development process
- 49. Procurement • Due diligence for new purchases
- 50. Finance • Accounts Payable is the partnership of last resort for information security • Because when they get involved, the vendor relationship is already established
- 51. Business Unit Managers • Security manager should understand how each department functions • Develop relationships of trust
- 52. Affiliates and Key Business Partners • Half of all security breaches have their nexus in third parties
- 53. Ch 4c-2