Chapter 2: Business Drivers for Information Security Policies - Huong Hoang Luong 2
2. Maintaining Compliance
The term compliance refers to how well an individual or business adheres to a set of
rules. Security policy compliance means adhering to security policies. It is difficult to
know whether an organization complies with every security policy. To state that an
organization is compliant, you must be able to validate that the requirements within
security policies have been applied to security controls and information.
Difficulties arise due to the sheer volume of digital information. Even a relatively small
business with only a few hundred employees could have tens of thousands of files.
These files travel between servers, desktops, laptops, backup media, universal serial
bus (USB) drives, and more. The issue becomes even more complex in large
organizations with thousands of employees and millions of files.
Knowing exactly what data is captured where and how it is used in an ever-growing
complex environment is difficult. Businesses are concerned with not only files that
employees can access but also with files exposed to vendors and suppliers.
Compliance Requires Proper Security Controls
Security Controls Must Include Information Security Policies
Physical control—As the name implies, this refers to some physical device that
prevents or deters access. A locked door, a camera, an electric fence, and a
security guard are all examples of physical controls.
Relationship Between Security Controls and Information Security Policy
3. Mitigating Risk Exposure
Security policies must drive a culture that mitigates risk exposure. Policies,
and the way they are enforced, reflect the business perception of risk. They
are more than just simple business requirements that translate into
security controls. Policies can reduce business risks by setting the tone at
the top and promoting a risk-aware culture.
Educate Employees and Drive Security Awareness
Repetition—Most employees do not deal with risk daily, so they need to be
reminded.
A security awareness program gains credibility when
the business sees a reduction of risk. Each employee
plays a role in the business process. Multiple benefits
come with a security awareness program that
emphasizes the business risk, including:
Value—Policies relevant to business are more likely
to be followed by the business.
Culture—Well-understood and enforced security
policies promote a broad risk culture.
Resiliency—Policies provide a basis for dealing with
the unexpected.
Prevent Loss of Intellectual Property
One of the most important deliverables of security policies is
the labeling and data classification approach. The approach
selected will drive the cost of handling data. An employee
needs to know how to handle both kinds of information—
labeled and classified. Security policies instruct an employee
on the proper handling depending on the business
requirements. The combination of the following is a widely
accepted practice to help prevent loss of IP:
Label and classify IP data.
Restrict access.
Filter e-mail and other communication tools for IP data.
Educate employees on handling IP material.
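The first three practices above (label and classify, restrict access, filter e-mail) can be wired together in code. The following is an added illustration, not material from the chapter: documents are assumed to carry a constructed classification header line ("CLASSIFICATION: Public", "Internal" or "Confidential-IP"), the company domain is assumed to be example.com, and an outbound filter blocks labeled IP from leaving the company while holding unlabeled material for review. The message samples are constructed for the demonstration.

```python
"""Label-based outbound e-mail filter (added example; labels and domain are assumptions)."""
import re
from dataclasses import dataclass, field

# Classification labels, ordered from least to most sensitive (constructed for this example).
LABELS = ("Public", "Internal", "Confidential-IP")
LABEL_RE = re.compile(r"^CLASSIFICATION:\s*(Public|Internal|Confidential-IP)\s*$", re.MULTILINE)
COMPANY_DOMAIN = "example.com"  # assumption: anything outside this domain is external


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)  # attachment name -> text content


def classify(text: str) -> str:
    """Return the most sensitive label found in the text.

    Unlabeled text is treated as Internal rather than Public, so a missing label
    never silently downgrades material to "free to send".
    """
    found = [m.group(1) for m in LABEL_RE.finditer(text)]
    if not found:
        return "Internal"
    return max(found, key=LABELS.index)


def is_external(address: str) -> bool:
    """Restrict-access rule: a recipient outside the company domain is external."""
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def filter_outbound(msg: Message) -> dict:
    """Decide whether a message may leave; the returned dict doubles as the audit record."""
    highest = classify(msg.body)
    for content in msg.attachments.values():
        highest = max(highest, classify(content), key=LABELS.index)
    external = [r for r in msg.recipients if is_external(r)]
    if highest == "Confidential-IP" and external:
        action = "block"          # labeled IP must not reach external recipients
    elif highest == "Internal" and external:
        action = "hold"           # unlabeled or Internal: route to a reviewer
    else:
        action = "allow"          # Public, or only internal recipients
    return {"action": action, "label": highest, "external": external}


def run_demo() -> dict:
    """Run the filter over constructed sample messages; returns name -> action."""
    design_doc = "CLASSIFICATION: Confidential-IP\nRouting diagram for the new sensor board."
    samples = {
        "press_release": Message("pr@example.com", ["editor@news.test"],
                                 "CLASSIFICATION: Public\nPress release for Monday."),
        "ip_to_partner": Message("eng@example.com", ["partner@other.test"],
                                 "Please review the attached design.", {"design.txt": design_doc}),
        "ip_internal": Message("eng@example.com", ["reviewer@example.com"],
                               "Internal review copy.", {"design.txt": design_doc}),
        "unlabeled_external": Message("sales@example.com", ["buyer@other.test"],
                                      "Quarterly numbers attached, no label on this one."),
    }
    return {name: filter_outbound(m)["action"] for name, m in samples.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name}: {action}")
```

The fail-safe default in `classify` matters more than the regular expression: a labeling scheme only prevents loss if unlabeled material is treated as not yet cleared, which is also why the fourth practice, educating employees on labeling, cannot be replaced by the filter alone.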
Protect Digital Assets
Secure Privacy of Data
Limit—Collect only the data from an individual you need to provide the service or product.
Disclose—Fully disclose to the individual what data is being collected and how it will be used.
Lower Risk Exposure
4. Minimizing Liability of the Organization
A business liability emerges when an organization
cannot meet its obligation or duty. Business liability
is a subset of an organization's overall risk
exposure. An obligation can be either a legal or a
promised commitment.
Separation Between Employer and Employee
Be sure to work with in-house legal counsel on
policy strategies to lay the foundation for defending
the organization in the event of an incident.
Policy—Have clear security policies on the handling
of customer information.
Enforce—Express strong disapproval when policy is
not followed.
Respond—Quickly respond to incidents to minimize
the impact to customers.
Analyze—Understand what happened.
Educate—Improve employee training.
Acceptable Use Policies
Acceptable use policies (AUPs) are formal written policies describing employee behavior
when using company computer and network systems. Most AUPs outline what is acceptable
and unacceptable behavior. They also need to outline the disciplinary process when an
employee violates policy. Because the disciplinary process could lead to termination, the
policy must be clear and concise. Many companies require the employee to sign the AUP to
acknowledge receipt of the rules.
Both the legal and HR departments always approve final draft policies. It is important that an
AUP keep up with technology changes. It must be clear when personal devices are allowed
during business hours. In particular, mobile phone use is covered in many company policies
today. Often, these policies also include an overview of the use of cameras.
However, today few policies cover the use of the wearable devices that are becoming
available. Google Glass, for example, can take a picture with a blink of an eye.
Confidentiality Agreement and Nondisclosure Agreement
A confidentiality agreement (CA), also known as a
nondisclosure agreement (NDA), is a binding legal
contract between two parties. It is a promise not to
disclose to any third-party information covered by
the agreement. The agreement needs to clearly
define the information covered. This reduces
problems that may arise between the two parties or
any other party asked to resolve legal disputes.
Business Liability Insurance Policies
Business liability insurance lowers the financial loss
to the business in the event of an incident. Even
when a business has well-defined security policies,
problems can still occur. Business liability insurance
will pay for losses within the limits of the policy.
5. Implementing Policies to Drive Operational Consistency
Operational consistency means ensuring that an
organization's processes are repeatable and
sustainable. The business goal is to have these
processes executed each time with the same
consistency and quality. This reliability allows the
business to continuously improve quality. Processes
evolve over time and the more repeatable a
process can be, the more likely it is that risks can
be detected and removed.
Forcing Repeatable Business Processes Across the Entire Organization
Operational efficiency means lower costs to the business. By applying
this principle across the enterprise, greater quality results can be
achieved at a lower cost. For organizations with multiple divisions,
developing processes once and repeating them saves time and
resources. This approach also allows the organization to develop centers
of excellence. These centers are typically small teams with very deep
knowledge of a subject area.
To achieve this repeatable behavior, you must measure both consistency and
quality. Additionally, you will need to measure whether the implemented policy is
achieving the desired results. It is not surprising to find processes that run for years
while providing no real value. A typical example might be a report that was specially
designed for an executive who has since left the company. The new executive
continues to receive the report. He or she may even occasionally review it out of
curiosity. But the executive never leverages its content for any real purpose. This
report might be highly repeatable and sustainable but does not provide value.
The following oversight phases are typically found when trying to achieve
operational consistency:
Manage—Manage process execution and note exceptions to standard
procedures.
Measure—Measure volume, consistency, and quality.
Review—Periodically assess to ensure desired results are achieved.
Track—Track defects, errors, and incidents.
Improve—Improve quality continuously by making adjustments as
needed.
Differences Between Mitigating and Compensating Controls
A mitigating control limits the damage caused by not having a control in place.
It assumes the absence or breakdown of a primary control. It is a control after the fact. For
example, suppose someone enters an invalid account number. Either a control did not exist
to prevent this, or that control did not work. Either way, as long as the account number is
validated before further action can be taken, there is a mitigating control in place. A
mitigating control, however, may not achieve the full intent of a policy.
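The invalid-account-number scenario above, carried into code as an added example that is not from the chapter. It assumes a constructed account number format (10 digits, the last being a Luhn mod-10 check digit) and a hypothetical order-entry path `intake_order` that has no preventive control at all; `post_transaction` is the mitigating control, validating the number before any further action and recording what it caught. The comments also show the limit the text mentions: the check confirms that the number is well formed, not that the policy's full intent (the right customer's account) was met.

```python
"""Mitigating control on account numbers (added example; format is an assumption)."""
import re

# Assumption: an account number is exactly 10 digits ending in a Luhn check digit.
ACCOUNT_RE = re.compile(r"^\d{10}$")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def account_number_valid(acct: str) -> bool:
    """Format check first, then checksum; both must pass."""
    return bool(ACCOUNT_RE.match(acct)) and luhn_valid(acct)


def intake_order(raw_account: str, amount: int) -> dict:
    """Hypothetical entry point with NO preventive control: the typed value is accepted as-is.

    This is the 'control did not exist or did not work' situation the text describes.
    """
    return {"account": raw_account.strip(), "amount": amount}


def post_transaction(order: dict, ledger: dict, exceptions: list) -> bool:
    """Mitigating control: validate before any further action is taken.

    Returns True when the transaction was posted, False when it was stopped.
    Every rejection is appended to `exceptions` so the control leaves evidence.
    Note the limit: a well-formed number is not proof that it is the right
    customer's account, so this control does not achieve the policy's full intent.
    """
    acct = order["account"]
    if not account_number_valid(acct):
        exceptions.append({"account": acct, "reason": "invalid account number"})
        return False
    ledger[acct] = ledger.get(acct, 0) + order["amount"]
    return True


def run_demo() -> tuple:
    """Push constructed orders through intake and posting; returns (ledger, exceptions)."""
    ledger, exceptions = {}, []
    # Constructed inputs: one valid number, one with a bad check digit, one malformed.
    for raw, amount in ((" 1234567897 ", 50), ("1234567890", 20), ("12-34", 5)):
        post_transaction(intake_order(raw, amount), ledger, exceptions)
    return ledger, exceptions


if __name__ == "__main__":
    ledger, exceptions = run_demo()
    print("posted:", ledger)
    print("stopped:", exceptions)
```

The design point is where the check sits: a preventive control would reject the bad number at `intake_order`, before it ever entered the process; the mitigating control accepts that the entry step may fail and re-validates at the last point before damage can occur.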
Policies Help Prevent Operational Deviation
Chapter Summary
People manage risk every day of their lives. They choose when to go to bed, when
to wake up, what foods to eat, what route to drive their cars, and much more.
Each decision has risk and rewards attached. This is no different in the business
world. Many decisions face people daily. They often operate with incomplete
information. They are faced with critical deadlines that could be more easily met
by sharing information outside policy guidelines. As you gain experience, these
decisions become more instinctive.
For business, it is daily processes and decisions that control risk. Policies provide
guidance on how to think about risk. Policies and their related controls detail
how to prevent, detect, and correct errors. This landscape of controls and
processes makes risk management real for every employee. Most important, it
encourages behavior that positively drives the organization's risk culture.