FPT University Can Tho

Business Drivers for Information Security Policies

Chapter 2

1. Why Are Business Drivers Important?

Cost—Cost of implementing and maintaining controls.

Impact—Impact on the ability of the business to serve the customer.

Regulation—The organization's ability to defend its policies and practices before regulators, should the need arise.

Adoption—The degree to which employees understand and are willing to follow the policies—"to make them their own," in other words.

Chapter 2: Business Drivers for Information Security Policies - Huong Hoang Luong 2
2. Maintaining Compliance

The term compliance refers to how well an individual or business adheres to a set of
rules. Security policy compliance means adhering to security policies. It is difficult to
know whether an organization complies with every security policy. To state that an
organization is compliant, you must be able to validate that the requirements within
security policies have been applied to security controls and information.

Difficulties arise due to the sheer volume of digital information. Even a relatively small
business with only a few hundred employees could have tens of thousands of files.
These files travel between servers, desktops, laptops, backup media, universal serial
bus (USB) drives, and more. The issue becomes even more complex in large
organizations with thousands of employees and millions of files.

Knowing exactly what data is captured where and how it is used in an ever-growing
complex environment is difficult. Businesses are concerned with not only files that
employees can access but also with files exposed to vendors and suppliers.

Compliance Requires Proper Security Controls

Security Controls Must Include Information Security Policies

Physical control—As the name implies, this refers to some physical device that prevents or deters access. A locked door, a camera, an electric fence, and a security guard are all examples of physical controls.

Administrative control—Also known as a "procedural control," this relies on a human to take some action. A few examples of a procedural control could be providing security awareness training or having a manager check an employee's work.

Technical control—Refers to software that creates a logical control. Passwords and antivirus software are examples of technical controls. Dedicated hardware, such as a firewall, would be considered a technical control because it contains the necessary software to create the logical control.

Relationship Between Security Controls and Information Security Policy

Figure: Key relationships of security policies

3. Mitigating Risk Exposure

How can information security policies help? Well-defined security policies balance business requirements and limit behavior. The policy reflects how the business wants to manage its risks. The importance placed on such issues as customer privacy and protecting company secrets directly influences employee behavior.

Security policies must drive a culture that mitigates risk exposure. Policies,
and the way they are enforced, reflect the business perception of risk. They
are more than just simple business requirements that translate into
security controls. Policies can reduce business risks by setting the tone at
the top and promoting a risk-aware culture.

Educate Employees and Drive Security Awareness

Repetition—Most employees do not deal with risk daily, so they need to be reminded.

Onboarding—New employees should be told of their responsibilities immediately.

Support—Leaders should provide visible support.

Relevance—Rules that show awareness of the business context are more likely to be followed.

Metrics—Test your employees' knowledge of policies.

Educate Employees and Drive Security Awareness

A security awareness program gains credibility when the business sees a reduction of risk. Each employee plays a role in the business process. Multiple benefits come with a security awareness program that emphasizes the business risk, including:

Value—Policies relevant to business are more likely to be followed by the business.

Culture—Well-understood and enforced security policies promote a broad risk culture.

Resiliency—Policies provide a basis for dealing with the unexpected.
Prevent Loss of Intellectual Property

One of the most important deliverables of security policies is the labeling and data classification approach. The approach selected will drive the cost of handling data. An employee needs to know how to handle both kinds of information—labeled and classified. Security policies instruct an employee on the proper handling depending on the business requirements. The combination of the following is a widely accepted practice to help prevent loss of IP:

Label and classify IP data.

Restrict access.

Filter e-mail and other communication tools for IP data.

Educate employees on handling IP material.

Protect Digital Assets

Digital assets are any digital content an organization owns or has acquired the right to use. PC Magazine defines digital assets as "Any digital material owned by an enterprise or individual including text, graphics, audio, video and animations. A digital asset is owned by an organization if it was created on the computer by its employees or if it was custom developed for and purchased by the organization. Images scanned into the computer are also a digital asset if the original work was owned by the company."

Secure Privacy of Data

Examine—Understand local, state, and federal requirements.

Collaborate—Work closely with the CPO.

Align—Coordinate privacy policies with data classification policies.

Educate—Conduct awareness training on handling of PII data.

Retain—Ensure proper controls around data retention and destruction.

Limit—Collect only the data from an individual that you need to provide the service or product.

Disclose—Fully disclose to the individual what data is being collected and how it will be used.

Encrypt—Consider using encryption when storing or transmitting PII data.

Secure Privacy of Data

Full Disclosure and Data Encryption

Privacy regulations involve two important principles. Full disclosure gives the consumer an understanding of what and how the data is collected and used. Data encryption provides a standard for handling consumer information.

Lower Risk Exposure

Well-defined and enforced security policies lead to well-defined controls. These controls in turn protect the information. So how do you achieve lower risk exposure? The concept of exposure relies on a calculation that estimates the losses to the business in the event the risk is realized. First you need a scale that allows you to measure risk against predicted business losses. Over time, you invest in people, processes, and technology to lower that risk to an acceptable level. That acceptable level is sometimes called your "risk appetite."

4. Minimizing Liability of the Organization

A business liability emerges when an organization
cannot meet its obligation or duty. Business liability
is a subset of an organization's overall risk
exposure. An obligation can be either a legal or a
promised commitment.

Separation Between Employer and Employee

Be sure to work with in-house legal counsel on policy strategies to lay the foundation for defending the organization in the event of an incident.

Policy—Have clear security policies on the handling of customer information.

Enforce—Express strong disapproval when policy is not followed.

Respond—Quickly respond to incidents to minimize the impact to customers.

Analyze—Understand what happened.

Educate—Improve employee training.

Acceptable Use Policies

Acceptable use policies (AUPs) are formal written policies describing employee behavior
when using company computer and network systems. Most AUPs outline what is acceptable
and unacceptable behavior. They also need to outline the disciplinary process when an
employee violates policy. Because the disciplinary process could lead to termination, the
policy must be clear and concise. Many companies require the employee to sign the AUP to
acknowledge receipt of the rules.

Both the legal and HR departments always approve final draft policies. It is important that an
AUP keep up with technology changes. It must be clear when personal devices are allowed
during business hours. In particular, mobile phone use is covered in many company policies
today. Often, these policies also include an overview of the use of cameras.

However, today few policies cover the use of the wearable devices that are becoming
available. Google Glass, for example, can take a picture with a blink of an eye.

Confidentiality Agreement and Nondisclosure Agreement

A confidentiality agreement (CA), also known as a nondisclosure agreement (NDA), is a binding legal contract between two parties. It is a promise not to disclose to any third party the information covered by the agreement. The agreement needs to clearly define the information covered. This reduces problems that may arise between the two parties or any other party asked to resolve legal disputes.

Business Liability Insurance Policies

Business liability insurance lowers the financial loss
to the business in the event of an incident. Even
when a business has well-defined security policies,
problems can still occur. Business liability insurance
will pay for losses within the limits of the policy.

5. Implementing Policies to Drive Operational Consistency

Operational consistency means ensuring that an
organization's processes are repeatable and
sustainable. The business goal is to have these
processes executed each time with the same
consistency and quality. This reliability allows the
business to continuously improve quality. Processes
evolve over time and the more repeatable a
process can be, the more likely it is that risks can
be detected and removed.

Forcing Repeatable Business Processes Across the Entire Organization

Operational efficiency means lower costs to the business. By applying
this principle across the enterprise, greater quality results can be
achieved at a lower cost. For organizations with multiple divisions,
developing processes once and repeating them saves time and
resources. This approach also allows the organization to develop centers
of excellence. These centers are typically small teams with very deep
knowledge of a subject area.

Forcing Repeatable Business Processes Across the Entire Organization

Policies Are Key to Repeatable Behavior

To achieve this repeatable behavior, you must measure both consistency and
quality. Additionally, you will need to measure whether the implemented policy is
achieving the desired results. It is not surprising to find processes that run for years
while providing no real value. A typical example might be a report that was specially
designed for an executive who has since left the company. The new executive
continues to receive the report. He or she may even occasionally review it out of
curiosity. But the executive never leverages its content for any real purpose. This
report might be highly repeatable and sustainable but does not provide value.

Forcing Repeatable Business Processes Across the Entire Organization

The following oversight phases are typically found when trying to achieve operational consistency:

Manage—Manage process execution and note exceptions to standard procedures.

Measure—Measure volume, consistency, and quality.

Review—Periodically assess to ensure desired results are achieved.

Track—Track defects, errors, and incidents.

Improve—Improve quality continuously by making adjustments as needed.

Differences Between Mitigating and Compensating Controls

A mitigating control limits the damage caused by not having a control in place.

It assumes the absence or breakdown of a primary control. It is a control after the fact. For example, suppose someone enters an invalid account number. Either a control did not exist to prevent this, or that control did not work. Either way, as long as the account number is validated before further action can be taken, there is a mitigating control in place. A mitigating control, however, may not achieve the full intent of a policy.

Policies Help Prevent Operational Deviation

Operational deviation is inevitable. It's important that the intent be clear in a policy. From clearly communicated intent comes a better understanding of the desired outcome.

Intent also helps employees know better what risks the company is not willing to take. It is impossible to foresee every possible circumstance. For one thing, security policies tend to cover broad topics. Second, technology is always evolving. Good policies allow the employee to apply the intent and understanding of risk to situations not explicitly outlined.

Chapter Summary

People manage risk every day of their lives. They choose when to go to bed, when to wake up, what foods to eat, what route to drive their cars, and much more. Each decision has risks and rewards attached. This is no different in the business world. People face many decisions daily. They often operate with incomplete information. They are faced with critical deadlines that could be more easily met by sharing information outside policy guidelines. As you gain experience, these decisions become more instinctive.

For business, it is daily processes and decisions that control risk. Policies provide guidance on how to think about risk. Policies and their related controls detail how to prevent, detect, and correct errors. This landscape of controls and processes makes risk management real for every employee. Most important, it encourages behavior that positively drives the organization's risk culture.
