Planning For Security

The document discusses planning levels for security including strategic, tactical, and operational planning. It outlines 5 goals of security governance: strategic alignment, risk management, resource management, performance measurement, and value delivery. It also defines information security governance, policy, standards, practices, and the roles and responsibilities of different positions in implementing security. The 3 major types of security policies are the Enterprise Information Security Policy, Issue-Specific Security Policy, and Systems-Specific Security Policy.

Uploaded by Paolo Legaspi
Planning for Security

Planning Levels

Strategic Planning – the long-term direction to be taken by the organization and each of its component parts.

Levels of Planning
  • Tactical Planning – focuses on short-term undertakings that will be completed within one or two years.
  • Operational Planning – derived from tactical planning to organize the ongoing, day-to-day performance of tasks.

Information Security Governance

Governance – the entire function of controlling, or governing, the processes used by a group to accomplish some objective.

Information Security Governance includes:
  • Strategic direction
  • Establishment of objectives
  • Measurement of progress toward those objectives
  • Verification that risk management practices are appropriate
  • Validation that the organization’s assets are used properly

The 5 goals of security governance
  • Strategic alignment of information security with business strategy to support organizational objectives
  • Risk management by executing appropriate measures to manage and mitigate threats to information resources
  • Resource management by using information security knowledge and infrastructure efficiently and effectively
  • Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
  • Value delivery by optimizing information security investments in support of organizational objectives

Roles and Responsibilities

Chief Executive Officer
  • Oversee overall corporate security posture (accountable to the board)
  • Brief board, customers, public

Chief Security Officer, Chief Information Officer, Chief Risk Officer, Department/agency head
  • Set security policy, procedures, program, and training for the company
  • Respond to security breaches (investigate, mitigate, litigate)
  • Responsible for independent annual audit coordination
  • Implement/audit/enforce/assess compliance

Mid-level manager
  • Implement/audit/enforce/assess compliance
  • Communicate policies and program (training)

Enterprise staff/employees
  • Implement policy; report security vulnerabilities and breaches

Information Security Policy, Standards, and Practices

Policy – a set of principles or courses of action from an organization’s senior management intended to guide the decisions, actions, and duties of constituents.

Standard – the normal, targeted, or desired level at which a behavior or action must be performed. Standards are the detailed statements of what must be done to comply with policy.
  • De facto standard – a standard that has been widely adopted or accepted by a public group rather than a formal standards organization.
  • De jure standard – a standard that has been formally evaluated, approved, and ratified by a formal standards organization.

Guidelines – a set of recommended actions to assist an organizational stakeholder in complying with policy.

Procedure – a set of steps an organization’s stakeholders must follow to perform a specified action or accomplish a defined task.

Information Security Policy Types

The 3 major types of Information Security Policies
  • Enterprise Information Security Policy (EISP) – the high-level security policy that is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
  • Issue-Specific Security Policy (ISSP) – commonly referred to as a fair and responsible use policy; a policy designed to control constituents’ use of a particular resource, asset, or activity, and provided to support the organization’s goals and objectives.
  • Systems-Specific Security Policy (SysSP) – a policy document designed to bridge the gap between managerial guidance and the technical implementation of a specific technology.

Enterprise Information Security Policy (EISP)
  • Also known as a general security policy, organizational security policy, IT security policy, or information security policy.
  • An executive-level document, usually drafted by or in cooperation with the organization’s chief information officer.
  • According to the National Institute of Standards and Technology (NIST), the EISP typically addresses compliance in two areas:
    o General compliance, to ensure that an organization meets the requirements for establishing a program and assigning responsibilities therein to various organizational components
    o The use of specified penalties and disciplinary action

EISP Elements:
  • An overview of the corporate philosophy on security
  • Information on the structure of the information security organization and the people who fulfill the information security role
  • Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)

Issue-Specific Security Policy (ISSP)
  • Commonly referred to as a fair and responsible use policy; a policy designed to control constituents’ use of a particular resource, asset, or activity, and provided to support the organization’s goals and objectives.
  • ISSPs must be frequently updated and contain a statement about an organization’s position on a specific issue. ISSPs may cover the following topics, among others: