INFORMATION SECURITY AND MANAGEMENT

MODULE 3
Benjamin Franklin asserted: “Those who would give up essential Liberty, to purchase a little temporary Safety,
deserve neither Liberty nor Safety.”
As Jean-Jacques Rousseau explained in The Social Contract, or Principles of Political Right, the rules that
members of a society create to balance the individual rights to self-determination against the needs of the society
as a whole are called laws.
The key difference between laws and ethics is that laws carry the authority of a governing body and ethics do not.
Ethics in turn are based on cultural mores. Some ethical standards are universal.
Even if there is no breach of criminal law, there can still be liability—legal responsibility. Liability includes the
legal obligation to make restitution for wrongs committed.
An organization increases its liability if it refuses to take measures known as due care (or a standard of due care).
Similarly, due diligence requires that an organization make a valid attempt to continually maintain this level of
effort. Whereas due care means the organization acts legally and ethically, due diligence means it ensures
compliance with this level of expected behavior.
Within an organization, information security professionals help maintain security via the establishment and
enforcement of policies. Organizations formalize desired behavior in documents called policies. Policies must be
read and agreed to before they are binding.
Types of Law:
• Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships
and conflicts between organizations and people.
• Criminal law addresses activities and conduct harmful to society, and is actively enforced by the state.
Law can also be categorized as private or public.
• Private law encompasses family law, commercial law, and labor law, and regulates the relationship
between individuals and organizations.
• Public law regulates the structure and administration of government agencies and their relationships with
citizens, employees, and other governments. Public law includes criminal, administrative, and
constitutional law.
Key Terms:
✓ Cultural mores - the fixed moral attitudes or customs of a particular group.
✓ Ethics - codes or principles of an individual or group that regulate and define acceptable behavior.
✓ Laws - rules that mandate or prohibit certain behavior and are enforced by the state.
✓ Due care - the legal standard that requires a prudent organization and its employees to act legally and
ethically and know the consequences of their actions. Also referred to as the standard of due care.
✓ Due diligence - considered a subset of the standard of due care, the legal standard that requires a prudent
organization and its employees to maintain the standard of due care and ensure that their actions are
effective. Also referred to as the standard of due diligence.
✓ Jurisdiction - a court’s right to hear a case if a wrong is committed in its territory or involves its citizenry.
✓ Liability - the legal obligation of an entity that extends beyond criminal or contract law.

A.F.B. 1
✓ Long-arm jurisdiction - the application of laws to people currently residing outside a court’s normal
jurisdiction, usually granted when a person performs an illegal action within the court’s jurisdiction and
then leaves.
✓ Restitution - the legal obligation to compensate an injured party for wrongs committed.
✓ Policies - managerial directives that specify acceptable and unacceptable employee behavior in the
workplace.
*Cultural differences can make it difficult to determine what is ethical and what is not—especially when it
comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities
have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of
another national group.
*Education is the overriding factor in leveling ethical perceptions within a small population.
*Deterrence can prevent an illegal or unethical activity from occurring. Deterrence requires significant penalties,
a high probability of apprehension, and an expectation that penalties will be enforced.
*As part of an effort to encourage ethical behavior, many professional organizations have established codes of
conduct or codes of ethics that their members are expected to follow.
Three general causes of unethical and illegal behavior:
1. Ignorance: Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first
method of deterrence is education, which is accomplished by designing, publishing, and disseminating an
organization’s policies and relevant laws, and obtaining agreement to comply with these policies and laws
from all members of the organization.
2. Accident: People who have authorization and privileges to manage information within the organization
are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental
modification to systems and data.
3. Intent: Criminal or unethical intent goes to the state of mind of the person performing the act; it is often
necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against
those with intent to cause harm or damage is best accomplished by means of technical controls, and
vigorous litigation or prosecution if these controls fail.
The Ten Commandments of Computer Ethics from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are
designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Codes of Ethics at Professional Organizations
• Association of Computing Machinery (www.acm.org)
  Description: Code of 24 imperatives of personal and ethical responsibilities for security professionals
  Focus: Ethics of security professionals
• Information Systems Audit and Control Association (www.isaca.org)
  Description: Focus on auditing, information security, business process analysis, and IS planning through the
  CISA and CISM certifications
  Focus: Tasks and knowledge required of the information systems audit professional
• Information Systems Security Association (www.issa.org)
  Description: Professional association of information systems security professionals; provides education
  forums, publications, and peer networking for members
  Focus: Professional security information sharing
• International Information Systems Security Certification Consortium (ISC)² (www.isc2.org)
  Description: International consortium dedicated to improving the quality of security professionals through
  SSCP and CISSP certifications
  Focus: Requires certificants to follow its published code of ethics
• SANS Institute’s Global Information Assurance Certification (www.giac.org)
  Description: GIAC certifications focus on four security areas: security administration, security management,
  IT audits, and software security; these areas have standard, gold, and expert levels
  Focus: Requires certificants to follow its published code of ethics

Major Information Security Professional Organizations


o Association of Computing Machinery (ACM) The ACM is a respected professional society that was
established in 1947 as “the world’s first educational and scientific computing society.” It is one of the few
organizations that strongly promotes education and provides discounts for student members. The ACM’s
code of ethics requires its more than 100,000 members to perform their duties in a manner befitting an
ethical computing professional. The code contains specific references to protecting the confidentiality of
information, causing no harm (with specific references to viruses), protecting the privacy of others, and
respecting the intellectual property and copyrights of others.
o International Information Systems Security Certification Consortium, Inc. (ISC)² (ISC)² is a nonprofit
organization that focuses on the development and implementation of information security certifications
and credentials. The organization manages a body of knowledge on information security and administers
and evaluates examinations for information security certifications. The code of ethics put forth by (ISC)²
is primarily designed for the more than 90,000 information security professionals who have earned an
(ISC)² certification, and has four mandatory canons: “Protect society, the commonwealth, and the
infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent
service to principals; and advance and protect the profession.”
o SANS Formerly known as the System Administration, Networking, and Security Institute, SANS
was founded in 1989 as a professional research and education cooperative organization and has awarded
certifications to more than 55,000 information security professionals. SANS offers a set of certifications
called the Global Information Assurance Certification (GIAC). All GIAC-certified professionals are
required to acknowledge that certification, and its privileges carry a corresponding obligation to uphold
the GIAC code of ethics.
o ISACA Originally known as the Information Systems Audit and Control Association, ISACA is a
professional association that focuses on auditing, control, and security. The membership comprises both
technical and managerial professionals. ISACA (www.isaca.org) provides IT control practices and
standards, and includes many information security components within its areas of concentration, although
it does not focus exclusively on information security.
o Information Systems Security Association (ISSA) ISSA is a nonprofit society of more than 10,000
information security professionals in over 100 countries. As a professional association, its primary mission
is to bring together qualified information security practitioners for information exchange and educational
development.

MODULE 4
An information security program begins with policy, standards, and practices, which are the foundation for the
information security architecture and blueprint. The creation and maintenance of these elements requires
coordinated planning.
Strategic Planning
- sets the long-term direction to be taken by the organization and each of its component parts.
- Strategic planning should guide organizational efforts and focus resources toward specific, clearly defined
goals.
- After an organization develops a general strategy, it generates an overall strategic plan by extending that
general strategy into plans for major divisions.
Once the organization’s overall strategic plan is translated into strategic plans for each major division or operation,
the next step is to translate these plans into tactical objectives that move toward reaching specific, measurable,
achievable, and time-bound accomplishments.
The process of strategic planning seeks to transform broad, general, sweeping statements into more specific and
applied objectives. Strategic plans are used to create tactical plans, which in turn are used to develop operational
plans.
❖ Tactical planning. Focuses on short-term undertakings that will be completed within one or two years.
The process of tactical planning breaks each strategic goal into a series of incremental objectives. Each
objective in a tactical plan should be specific and should have a delivery date within a year of the plan’s
start.
❖ Operational planning. Derived from tactical planning to organize the ongoing, day-to-day performance
of tasks. An operational plan includes the necessary tasks for all relevant departments as well as
communication and reporting requirements, which might include weekly meetings, progress reports, and
other associated tasks.
Planning and the CISO – The first priority of the CISO and the information security management team is the
creation of a strategic plan to accomplish the organization’s information security objectives. The plan is an
evolving statement of how the CISO and various elements of the organization will implement the objectives of
the information security charter, which is expressed in the enterprise information security policy (EISP).
Governance describes the entire function of controlling, or governing, the processes used by a group to
accomplish some objective. It represents the strategic controlling function of an organization’s senior
management, which is designed to ensure informed, prudent strategic decisions made in the best interest of the
organization.
Just like governments, corporations and other organizations have guiding documents— corporate charters or
partnership agreements—as well as appointed or elected leaders or officers, and planning and operating
procedures. These elements in combination provide corporate governance.
The information security group’s leadership monitors and manages all of the organizational structures and
processes that safeguard information. Information security governance then applies these principles and
management structures to the information security function.
According to the Information Technology Governance Institute (ITGI), information security governance
includes all of the accountabilities and methods undertaken by the board of directors and executive management
to provide:
• Strategic direction
• Establishment of objectives
• Measurement of progress toward those objectives
• Verification that risk management practices are appropriate
• Validation that the organization’s assets are used properly
Effective communication among stakeholders is critical to the structures and processes used in governance at
every level, especially in information security governance. This requires the development of constructive
relationships, a common language, and a commitment to the objectives of the organization.
The five goals of information security governance are:
1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate threats to information
resources.
3. Resource management by using information security knowledge and infrastructure efficiently and
effectively
4. Performance measurement by measuring, monitoring, and reporting information security governance
metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational objectives.
Policy
- direct how issues should be addressed and how technologies should be used.
- do not specify the proper operation of equipment or software—this information should be placed in the
standards, procedures, and practices of users’ manuals and systems documentation.
- should never contradict law;
- must be able to stand up in court, if challenged; and
- must be properly administered through dissemination and documented acceptance. Otherwise, an
organization leaves itself exposed to significant liability.
Good security programs begin and end with policy. Information security is primarily a management problem,
not a technical one, and policy is a management tool that obliges personnel to function in a manner that preserves
the security of information assets.
Security policies are the least expensive control to execute, but the most difficult to implement properly.
Policies function like laws in an organization because they dictate acceptable and unacceptable behavior there.
Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process.
Standards, on the other hand, are more detailed statements of what must be done to comply with policy. They
have the same requirements for compliance as policies. Standards may be informal or part of an organizational
culture, as in de facto standards. Or, standards may be published, scrutinized, and ratified by a group, as in
formal or de jure standards. Practices, procedures, and guidelines effectively explain how to comply with policy.
An enterprise information security policy (EISP) is also known as a general security policy, organizational
security policy, IT security policy, or information security policy. The EISP is an executive-level document,
usually drafted by or in cooperation with the organization’s chief information officer. This policy is usually 2 to
10 pages long and shapes the philosophy of security in the IT environment. The EISP usually needs to be modified
only when there is a change in the strategic direction of the organization.
Issue-Specific Security Policy – as an organization supports routine operations by executing various technologies
and processes, it must instruct employees on their proper use. In general, the issue-specific security policy, or
ISSP, (1) addresses specific areas of technology as listed below, (2) requires frequent updates, and (3) contains a
statement about the organization’s position on a specific issue. An ISSP may cover the following topics, among
others:
• E-mail
• Use of the Internet and World Wide Web
• Specific minimum configurations of computers to defend against worms and viruses
• Prohibitions against hacking or testing organization security controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks (BYOD: bring your own device)
• Use of telecommunications technologies, such as fax and phone
• Use of photocopy equipment
• Use of portable storage devices such as USB memory sticks, backpack drives, game players, music players,
and any other device capable of storing digital files
• Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract;
such services include Google Drive, Dropbox, and Microsoft Live.
Components of ISSP
1. Statement of Policy - The policy should begin with a clear statement of purpose. Consider a policy that
covers the issue of fair and responsible Internet use.
2. Authorized Access and Usage of Equipment - This section of the policy statement addresses who can
use the technology governed by the policy, and what it can be used for. Remember that an organization’s
information systems are its exclusive property, and users have no particular rights of use.
3. Prohibited Use of Equipment - Unless a particular use is clearly prohibited, the organization cannot
penalize its employees for misuse. The following can be prohibited: personal use, disruptive use or misuse,
criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other
intellectual property.
4. Systems Management - The systems management section of the ISSP policy statement focuses on the
users’ relationship to systems management. Specific rules from management include regulating the use of
e-mail, the storage of materials, the authorized monitoring of employees, and the physical and electronic
scrutiny of e-mail and other electronic documents.
5. Violations of Policy - The people to whom the policy applies must understand the penalties and
repercussions of violating it. Violations of policy should carry penalties that are appropriate, not
draconian. This section of the policy statement should contain not only specific penalties for each category
of violation, but instructions for how people in the organization can report observed or suspected
violations.
6. Policy Review and Modification - Because any document is only useful if it is up to date, each policy
should contain procedures and a timetable for periodic review. As the organization’s needs and
technologies change, so must the policies that govern their use.
7. Limitations of Liability - The policy should state that if employees violate a company policy or any law
using company technologies, the company will not protect them, and the company is not liable for their
actions.
Information security blueprint is the basis for the design, selection, and implementation of all security program
elements, including policy implementation, ongoing policy management, risk management programs, education
and training programs, technological controls, and program maintenance.
The security blueprint builds on top of the organization’s information security policies. It is a detailed version
of the information security framework. The blueprint specifies tasks and the order in which they are to be
accomplished, just as an architect’s blueprint serves as the design template for the construction of a building. The
framework is the philosophical framework from which the blueprint is designed, like the style or methodology
in which an architect was trained.
To select a methodology in which to develop an information security blueprint, you can adapt or adopt a published
information security model. This exemplar framework can outline steps for designing and implementing
information security in the organization.
The ISO 27000 Series. One of the most widely referenced security models is the Information Technology—
Code of Practice for Information Security Management, which was originally published as British Standard
BS7799. In 2000, this code of practice was adopted as ISO/IEC 17799, an international standard framework for
information security by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC). The document was revised in 2005 to become ISO 17799:2005, and then it
was renamed as ISO 27002 in 2007 to align it with ISO 27001.
Security Education, Training, and Awareness Program (SETA) - The SETA program is the responsibility of
the CISO and is a control measure designed to reduce incidents of accidental security breaches by employees.
SETA programs are designed to supplement the general education and training programs that many organizations
use to educate staff about information security.
The purpose of SETA is to enhance security by doing the following:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more securely
• Building in-depth knowledge as needed to design, implement, or operate security programs for
organizations and systems
Security Education Everyone in an organization needs to be trained and made aware of information security, but
not everyone needs a formal degree or certificate in information security. When management agrees that formal
education is appropriate, an employee can investigate courses in continuing education from local institutions of
higher learning. Several universities have formal coursework in information security.
Security Training Security training provides employees with detailed information and hands-on instruction to
prepare them to perform their duties securely.
Security Awareness A security awareness program is one of the least frequently implemented but most beneficial
programs in an organization. A security awareness program is designed to keep information security at the
forefront of users’ minds. These programs don’t have to be complicated or expensive.
A key role for all managers is contingency planning (CP). Managers in the IT and information security
communities are usually called on to provide strategic planning to assure the continuous availability of
information systems.
Various types of contingency plans are available to respond to events, including incident response plans, disaster
recovery plans, and business continuity plans. In some organizations, these might be handled as a single integrated
plan. Plans for incident response, disaster recovery, and business continuity are components of contingency
planning. A contingency plan is prepared by the organization to anticipate, react to, and recover from events that
threaten the security of information and information assets in the organization. This plan also helps restore the
organization to normal modes of business operations after an event.
CP includes incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning
(BCP), in preparation for adverse events that become incidents or disasters. The primary functions of these three
types of planning are as follows:
a. The incident response plan (IR plan) focuses on immediate response, but if the attack escalates or is
disastrous (for example, a fire, flood, earthquake, or total blackout), the process moves on to disaster
recovery and the BC plan.
b. The disaster recovery plan (DR plan) typically focuses on restoring systems at the original site after
disasters occur, and so is closely associated with the BC plan.
c. The business continuity plan (BC plan) occurs concurrently with the DR plan when the damage is major
or ongoing, and requires more than simple restoration of information and information resources. The BC
plan establishes critical business functions at an alternate site.
Business Impact Analysis The first phase in developing the contingency planning process is the business impact
analysis (BIA). The BIA, a preparatory activity common to both CP and risk management, helps determine which
business functions and information systems are the most critical to the success of the organization. When
undertaking the BIA, the organization should consider the following:
• Scope: The parts of the organization to be included in the BIA should be carefully considered to determine
which business units to cover, which systems to include, and the nature of the risk being evaluated.
• Plan: The needed data will likely be voluminous and complex, so work from a careful plan to ensure that
the proper data is collected to enable a comprehensive analysis. Getting the correct information to address
the needs of decision makers is important.
• Balance: Some information may be objective in nature and other information may be available only as
subjective or anecdotal references. Facts should be weighted properly against opinions; however,
sometimes the knowledge and experience of key personnel can be invaluable.
• Know the objective: Identify in advance what the key decision makers require for making choices.
Structure the BIA so the information they need facilitates consideration of those choices.
• Follow-up: Communicate periodically to ensure that process owners and decision makers will support
the process and the end result of the BIA.

Key Terms:
✓ Goals Sometimes used synonymously with objectives; the desired end of a planning cycle.
✓ Objectives Sometimes used synonymously with goals; the intermediate states obtained to achieve progress
toward a goal or goals.
✓ Strategic plan the documented product of strategic planning; a plan for the organization’s intended strategic
efforts over the next several years.
✓ Strategic planning the actions taken by senior management to specify the long-term goals and objectives of
the organization, to plan its future direction, actions, and efforts, and to estimate and schedule the allocation of resources
necessary to achieve those goals and objectives.
✓ Operational plan the documented product of operational planning; a plan for the organization’s intended
operational efforts on a day-to-day basis for the next several months.
✓ Operational planning The actions taken by management to specify the short-term goals and objectives of
the organization in order to obtain specified tactical goals, followed by estimates and schedules for the
allocation of resources necessary to achieve those goals and objectives.
✓ Tactical plan The documented product of tactical planning; a plan for the organization’s intended tactical
efforts over the next few years.
✓ Tactical planning The actions taken by management to specify the intermediate goals and objectives of the
organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation
of resources necessary to achieve those goals and objectives.
✓ Corporate governance Executive management’s responsibility to provide strategic direction, ensure the
accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource
use.
✓ Governance “The set of responsibilities and practices exercised by the board and executive management with
the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are
managed appropriately and verifying that the enterprise’s resources are used responsibly.”
✓ Information security governance The application of the principles of corporate governance to the
information security function.
✓ De facto standard A standard that has been widely adopted or accepted by a public group rather than a formal
standards organization. Contrast with a de jure standard.
✓ De jure standard A standard that has been formally evaluated, approved, and ratified by a formal standards
organization. Contrast with a de facto standard.
✓ Guidelines Within the context of information security, a set of recommended actions to assist an
organizational stakeholder in complying with policy.
✓ Information security policy A set of rules that protects an organization’s information assets.
✓ Policy A set of principles or courses of action from an organization’s senior management intended to guide
decisions, actions, and duties of constituents.
✓ Practices Within the context of information security, exemplary actions that an organization identifies as
ideal and seeks to emulate. These actions are typically employed by other organizations.
✓ Information security blueprint The basis for all security program elements; a scalable, upgradeable,
comprehensive plan to meet the organization’s current and future information security needs.
✓ Information security framework An outline or structure of the organization’s overall information security
strategy that is used as a road map for planned changes to its information security environment; often
developed as an adaptation or adoption of a popular methodology, like NIST’s security approach or the ISO
27000 series.
✓ Information security model An established information security framework, often popular among other
organizations and backed by a recognized security agency, with exemplar details an organization may want
to emulate in creating its own framework and blueprint.
