Security Program Development can be thought of as having an emphasis on establishing information security related roles and responsibilities throughout the organization. Two major areas are addressed in this section:
- Developing an effective Information Security Organization
- Mobile Computing and Teleworking standards (and the “BYOD challenge”)
Establishing an effective internal Information Security Organization can be further sub-divided into multiple topics of interest:
- One of the key sub-topics is information security roles and responsibilities, which addresses the need to designate and assign accountability for information security across the organization so that employees apply appropriate protection to the assets and information under their direct control. Additionally, this topic addresses the need to establish an information security governance framework and designate a leader who will manage the information security program and develop program initiatives. This designation should be documented in a formal job description for the individual with the designated responsibility, and the designation should be used when demonstrating compliance with applicable regulatory and compliance requirements such as HIPAA, GLBA, and PCI DSS. Note that there are a variety of roles and responsibilities for information security leaders. Avoiding the conflicts of interest that arise when segregation of duties is not considered is another area to be addressed, to ensure that no single individual at an organization can escape detection when engaging in unauthorized activities or abusing access to information and technology systems.
- The information security organization is also responsible for appropriate contact with authorities and contact with special interest groups.
- Addressing information security in project management activities is important to ensure that risks are identified and addressed throughout the project management lifecycle.
- The information security organization is typically also responsible for developing information security policies and creating a comprehensive risk-based information security program.
- Mobile Computing and Teleworking relates to the risks of working with mobile devices in unprotected environments.
A.6.1 Internal organization
To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 Information security roles and responsibilities
All information security responsibilities should be defined and allocated.
Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed. Areas for which individuals are responsible should be stated. In particular the following should take place:
a) the assets and information security processes should be identified and defined;
b) the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented;
c) authorization levels should be defined and documented;
d) to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;
e) coordination and oversight of information security aspects of supplier relationships should be identified and documented.
Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls. However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.
A.6.1.2 Segregation of duties
Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls. Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered.
Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets.
A.6.1.3 Contact with authorities
Appropriate contacts with relevant authorities should be maintained.
Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that laws may have been broken).
A.6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
Membership in special interest groups or forums should be considered as a means to:
- improve knowledge about best practices and stay up to date with relevant security information;
- ensure the understanding of the information security environment is current and complete;
- receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
- gain access to specialist information security advice;
- share and exchange information about new technologies, products, threats or vulnerabilities;
- provide suitable liaison points when dealing with information security incidents.
Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.
A.6.1.5 Information security in project management
Information security should be addressed in project management, regardless of the type of the project.
Information security should be integrated into the organization’s project management method to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management and other supporting processes. The project management methods in use should require that:
- information security objectives are included in project objectives;
- an information security risk assessment is conducted at an early stage of the project to identify necessary controls;
- information security is part of all phases of the applied project methodology.
Information security implications should be addressed and reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specified roles defined in the project management methods.
Annex A.6.1 is about internal organization. The objective in this Annex A area is to establish a management framework to initiate and control the implementation and operation of information security within the organization. Organizations need to establish a mechanism to manage information security across the entire enterprise and gain the support of leadership in providing overall direction.
Implementing a Security Strategy
An effective information security strategy for an organization must take into account the overall strategic objectives of the organization and its various departments. Even when focusing on critical processes and legal mandates, it is necessary to extend protective measures beyond the underlying IT systems and associated staff. For example, many employees have access to critical customer records, and this access must be considered when assessing the security risks associated with these data. A failure to provide employees with securely configured workstations increases the risk of sensitive data being exposed via their computers. This risk can also be reduced by implementing a middleware solution that controls which records each staff member can access and minimizes the amount of sensitive data stored on their computers. Also, to be effective, security practices cannot rely completely on technological solutions. Continuing the example, policies are required to clearly define staff responsibilities relating to the data and the security of their workstations. Awareness programs aimed specifically at staff and their responsibilities to safeguard information might also be developed, possibly in conjunction with the organization’s information officer.
To complicate matters, the operational needs of organizational networks often directly conflict with security practices such as perimeter firewalls, port authentication, centralized configuration management, and strong authentication. The networks must therefore be designed to balance security and privacy requirements while accommodating a wide variety of end users and their needs – e.g., visitors, new employees arriving with their own computers, managers sharing large quantities of data with other managers, remote access to a variety of network services for individuals who are traveling or telecommuting, and mobile users moving between different locations. Although firewalls are widely used to protect critical systems on organizational networks, their use at the perimeter is less common because it is difficult to reconcile their restrictiveness with the need for an open networking environment that supports high-speed networking. Although centralized management is feasible for certain hosts on a network, this approach is not suitable for most computers and many systems. In the end, security and privacy practices need to be integrated into operational practices in a way that makes the most sense for each location. This is not to say that organizations cannot be secured; many organizations are successfully balancing the need for security with an open, collaborative networking environment.
Information Security Governance
Effective governance of the information security function is critical to a successful program. It can be both the “proof of the pudding…” with regard to management commitment and provide necessary guidance when deciding where to allocate scarce resources.
- What is Information Security Governance and What it is Not
- Why Information Security Governance is Needed
- How to Govern Information Security
- Organizational Structure
- Roles and Responsibilities
- Strategic Planning
- Risk Management
- Measuring and Reporting Performance
- Governance Models and Success Stories
Information Security Roles & Responsibilities
All information security responsibilities need to be defined and allocated. Information security is the responsibility of everyone at the organization. It is important to establish roles and responsibilities so that everyone knows what is expected of them when handling information. Leadership is also very important, and many organizations have at least one person who is primarily responsible for organizing the information security program. Typically this is a Chief Information Security Officer (CISO), Information Security Officer (ISO) or Director of Information Security, although the title may vary depending on the organization. No matter what title is selected, there should be someone at the organization who can provide a high level of decision-making support to organizational leadership when considering information security issues and solutions. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Some examples of business roles which are likely to have some information security relevance include: departmental heads, business process owners, the facilities manager, the HR manager, and the internal auditor. The auditor will be looking to gain assurance that the organization has made clear who is responsible for what, in an adequate and proportionate manner according to the size and nature of the organization. For smaller organizations, it is generally unrealistic to have full-time positions for these roles and responsibilities. As such, clarifying specific information security responsibilities within existing job roles is important: e.g. the Operations Director or CEO might also be the equivalent of the CISO, with overarching responsibility for all of the ISMS, and the CTO might own all the technology-related information assets.
Segregation of Duties
Segregation of duties is the concept of requiring more than one person to complete a task. This is a best practice, especially in cases where sensitive data is being handled. Segregation of duties is a control put in place by many organizations to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this isn’t practical or possible, but the organization should be aware of the risks of a single person having too much access. Ideally, critical processes or activities should be split up between multiple people. For example, the initiation of a process, its execution, and its authorization should be separated when possible. When this is not possible, monitoring and auditing critical processes is very important. Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorized or unintentional modification or misuse of any of the organization’s assets. The organization needs to ask itself whether or not segregation of duties has been considered and implemented where appropriate. Smaller organizations may struggle with this, but the principle should be applied as far as possible, with good governance and controls put in place for the higher-risk/higher-value information assets captured as part of the risk evaluation and treatment.
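The two segregation-of-duties passages above (A.6.1.2 and this section) describe three mechanics: a list of duties that conflict when held by one person, the rule that whoever initiates an action may not authorize it, and a compensating control (an audit trail flagged for management supervision) for small teams that cannot segregate. The following is an added example, not code from the page or from any ISO publication, showing how those mechanics look when enforced in an approval workflow. The conflict matrix, the duty names, the staff assignments and the function names are all constructed for the illustration.

```python
"""Segregation-of-duties (SoD) checks for an approval workflow.

Added example: a constructed conflict matrix over duties, a scan that flags
any person holding two conflicting duties, and an approval step in which the
initiator of a change may not authorize it. When segregation is impossible
(a one-person team) the approval is not silently accepted: it is recorded in
the audit trail and flagged for management review, which is the compensating
control the text names.
"""
from dataclasses import dataclass, field

# Constructed conflict matrix: pairs of duties one person should not hold.
CONFLICTING_DUTIES = frozenset({
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "grant_access"}),
    frozenset({"submit_change", "approve_change"}),
})


def sod_conflicts(assignments):
    """Return sorted (person, duty_a, duty_b) triples for every conflicting
    duty pair held by a single person. `assignments` maps person -> duties."""
    findings = []
    for person, duties in assignments.items():
        for pair in CONFLICTING_DUTIES:
            if pair <= set(duties):
                a, b = sorted(pair)
                findings.append((person, a, b))
    return sorted(findings)


@dataclass
class ChangeRequest:
    request_id: str
    initiator: str
    approver: str = ""
    # Audit trail of (action, actor, note); refused actions are kept too, so
    # monitoring can see attempted violations, not only successful approvals.
    audit: list = field(default_factory=list)


def approve_change(req, approver, assignments, allow_self_approval=False):
    """Authorize a change. The approver must hold the approve_change duty and
    must not be the initiator. `allow_self_approval=True` is the documented
    exception for teams too small to segregate: the approval goes through but
    is flagged in the audit trail for management review."""
    if "approve_change" not in assignments.get(approver, ()):
        req.audit.append(("approve_refused", approver, "lacks approve_change duty"))
        raise PermissionError(f"{approver} may not approve {req.request_id}")
    if approver == req.initiator:
        if not allow_self_approval:
            req.audit.append(("approve_refused", approver, "initiator == approver"))
            raise PermissionError(f"{approver} initiated {req.request_id}: SoD violation")
        req.audit.append(("approve_flagged", approver,
                          "self-approval under compensating control; management review required"))
    else:
        req.audit.append(("approved", approver, "initiator and approver differ"))
    req.approver = approver
    return req


def needs_management_review(req):
    """True when the audit trail contains a flagged (self-approved) entry."""
    return any(action == "approve_flagged" for action, _, _ in req.audit)


if __name__ == "__main__":
    # Constructed sample assignments; carol holds a conflicting pair.
    staff = {
        "alice": {"submit_change"},
        "bob": {"approve_change"},
        "carol": {"create_vendor", "approve_payment"},
    }
    print("SoD conflicts:", sod_conflicts(staff))
    req = approve_change(ChangeRequest("CHG-1", initiator="alice"), "bob", staff)
    print(req.audit)
```

The scan in `sod_conflicts` is the periodic review an auditor would ask for (who holds conflicting duties today), while `approve_change` is the point-of-use enforcement; keeping refused attempts in the same audit trail is what makes the monitoring fallback meaningful when segregation cannot be achieved.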
Contact with Authorities
Relationships with law enforcement are important to an organization, and should be established prior to an emergency. Having a protocol for engagement established before there is an emergency will help in handling an incident appropriately. A protocol for engagement with law enforcement can be a part of the security incident response plan or a broader crisis management procedure. The plan should be clear about which situations require working with law enforcement, such as when laws are broken. The plan should also clearly state who contacts authorities and under what circumstances (e.g., when law enforcement should be contacted by the information security office or campus safety). Appropriate contacts with relevant authorities must be maintained. Remember when adapting this control to think about the legal responsibilities for contacting authorities such as the Police, the Information Commissioner’s Office or other regulatory bodies. Consider how that contact is to be made, by whom, under what circumstances, and the nature of the information to be provided.
Contact with Special Interest Groups
There are many groups that support information security with which an organization can collaborate and participate. The information security threat landscape is ever changing, and security professionals can benefit from collaborating. Being connected to special interest groups allows for knowledge transfer and best practice development. Warnings about potential threats can also help security operations prepare and respond appropriately. Appropriate contacts with special interest groups or other specialist security forums and professional associations must also be maintained. When adapting this control to your specific needs, remember that memberships of professional bodies, industry organizations, forums and discussion groups all count towards this control. It is important to understand the nature of each of these groups and the purpose for which they have been set up (e.g. whether there is a commercial purpose behind it).
A.6.2 Mobile devices and teleworking
To ensure the security of teleworking and use of mobile devices.
If you need assistance or have any doubt and need to ask a question, contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.