Journal CL

qbe89

see attached.

  • 2 years ago
  • 3
files (2)

JournalCL.docx

Have you been in a situation where employees were tasked to complete particular components on sections of a document? You can also apply group sessions to this scenario. What advantages do you see when separating duties for a combined effort? How does this strengthen the overall intent and objective?

Your journal entry must be at least 200 words in length. No references or citations are necessary.

TEXTBOOK

Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034

UnitIV.pdf

CYB 4304, Cybersecurity Law and Policy 1

Course Learning Outcomes for Unit IV

Upon completion of this unit, students should be able to:

3. Outline a risk assessment policy defining a separation of duties to deter fraudulent actions within the seven domains and policy definitions.
   3.1 Explain the purpose of separation of duties.
   3.2 Explore how management can address separation of duties.

Required Unit Resources

Chapter 8: IT Security Policy Framework Approaches

Unit Lesson

IT Security Policy Framework Approaches

As we saw in Unit III, an information security framework is critical to an entity’s business objectives, core values, and legal obligations. Ultimately, it defines how an organization identifies, manages, and disposes of risk, and it informs the risk culture. Selecting the proper security framework therefore begins with selecting the correct approach, whether industry-specific or a more comprehensive view applicable to multiple industries. The characteristics of a viable policy framework and risk assessment covered earlier bear repeating, and they must be thoroughly disseminated throughout the organization’s hierarchy: these policies dictate the information technology culture within the organization and guide employees on how to secure information and mitigate risk. Every policy framework must contain mechanisms to periodically identify risks so that the business process can continue. Separation of duties, explained in detail later in this lesson, is the pivotal control that determines how much access to, and authority over, critical information any one individual should hold (Johnson & Easttom, 2022). The IT security policy framework exists to reduce the risks that threaten the company’s goals. It must identify and mitigate those risks through security policies and procedures that define roles, responsibilities, separation of duties, and compliance obligations under whichever type of policy framework the organization adopts.

Domain Models

The following illustration represents a simplified framework domain model.

UNIT IV STUDY GUIDE Information Technology Security Policy Framework Approaches


[Figure: Simplified IT security policy framework domain model (Johnson & Easttom, 2022, p. 201)]

In a security event, a well-chosen and well-developed security policy helps demonstrate that the business followed established industry norms. The figure above shows how governance and risk management dominate a policy framework. To ensure that you have chosen an appropriate and practical framework, first establish the framework’s scope. Once the scope is set, address specific strengths and weaknesses using the following steps.

• Review industry regulatory requirements. For example, a U.S. federal agency must implement the Federal Information Security Management Act (FISMA; its 2014 update is titled the Federal Information Security Modernization Act).

• Look for guidance through your auditors and regulators. For example, some audit firms use the Committee of Sponsoring Organizations (COSO) or the Control Objectives for Information and Related Technologies (COBIT).

• Choose frameworks that have had broad support in the industry over time. It is more likely that these long-held frameworks will be considered industry practice (Johnson & Easttom, 2022).

Risk Mitigation Through Domain Types

As stated above, a framework disposes of a risk either by adding a control that reduces or removes it, or by accepting the risk and monitoring for it with a detective control. Frameworks differ in their particulars, but all are risk-based, speak to risk appetite, and deal with operational disruption and losses. Risk appetite is the level of risk the organization is willing to accept, and the key to holding risk within that appetite is risk mitigation. Risk appetite is tightly correlated with cost, since mitigation can be expensive and there are limits to how much of it the organization will fund. The Risk IT process model (ISACA’s Risk IT framework) contains three domains, risk governance, risk evaluation, and risk response, which Johnson and Easttom (2022) describe as follows.

• Risk governance: This domain provides the business view and context for risk evaluation. It ensures that IT risk management practices are embedded in the enterprise, enabling it to secure an optimal risk-adjusted return.


• Risk evaluation: This domain ensures that IT-related risks and opportunities are identified, analyzed, and presented to leadership in business terms.

• Risk response: This domain ensures that IT-related risk issues, opportunities, and events are addressed cost effectively and in line with business priorities at acceptable levels.

These domains build on one another, giving the entity agility and flexibility, and together they allow the framework to identify and coordinate responses for any given risk type.

Personnel Roles Within Typical Infrastructure Domains

Within the seven domains of a typical IT infrastructure (user, workstation, LAN, WAN, LAN-to-WAN, remote access, and system/application), there are roles, responsibilities, and accountability for the personnel. The personnel must work with the security teams to ensure critical data quality. These roles are listed below (Johnson & Easttom, 2022).

• Head of information management: This individual is the single point of contact (SPOC) responsible for the enterprise data quality.

• Data stewards: Individuals who are responsible for data quality within the business unit. These individuals are the owners of the data and approve access to the data.

• Data administrators: These individuals are responsible for executing the policies and procedures for backing up of data, versioning, uploading, downloading, and data administration.

• Data security administrators: These individuals play a critical restricted role since they grant the access rights and assess threats to the information assurance (IA) program.

Organizational Structure and Separation of Duties

Organizational structure is critical in addressing risk. No single individual, at the transactional or the organizational level, should have the power to carry out every step of a high-risk transaction, or the ability to conceal errors or commit fraud in the course of his or her duties. This is known as separation of duties (SOD), an internal control applied to transactions within a layer of a domain (Johnson & Easttom, 2022). Duties and responsibilities are therefore divided between two or more individuals, so that completing a sensitive action, or hiding its misuse, requires collusion rather than one person’s access.

Layered security complements this control: it contains multiple levels, providing redundancy in the event of a risk or threat, so that if one layer fails, the next can prevent the intrusion. Cost is a factor in developing a layered approach, but no defensive strategy should rest on a single layer.

The eTextbook discusses a three lines of defense model, often used in the financial sector, that illustrates a layered organizational approach creating a separation of duties (Johnson & Easttom, 2022). In this model, the first line of defense is the business unit, which identifies risk daily and develops short- and long-term strategy to identify and mitigate it. The second line of defense is the enterprise risk management program, made up of controlling partners who gauge risk appetite and engage the business to develop a risk strategy. The third line of defense is the independent audit function, which provides independent assurance to executive management and the board that the risk function is doing what it was intended to do, and which advises the first and second lines.

Recall that separation of duties must prevent both a conflict of interest and the appearance of one; it also helps to detect control failures, including information theft, breaches, and the circumvention of security controls.
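The lesson describes two ways the control shows up in practice: statically, in who is allowed to hold which roles (the data steward who approves access and the data security administrator who grants it, from the personnel roles list above), and dynamically, in transactions that must pass through more than one pair of hands. The following Python sketch is an added example, not code from the textbook or the study guide; it demonstrates both forms. User names, role names, the conflicting-role table and the sample role assignments are constructed assumptions standing in for an IAM export.

```python
"""Separation of duties (SoD) as code: a static audit for conflicting role
assignments plus a two-person access-grant workflow.  Added example with
constructed sample data; user names, role names and the conflict table are
assumptions, not taken from the lesson."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role pairs that one person must never hold at the same time (assumed "toxic
# combinations").  The first pair mirrors the lesson: the steward who approves
# access and the security administrator who grants it must be different people.
CONFLICTING_ROLES: Set[FrozenSet[str]] = {
    frozenset({"data_steward", "data_security_admin"}),
    frozenset({"data_administrator", "auditor"}),
}

# Constructed user -> roles map standing in for an IAM export.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"data_steward"},
    "bob": {"data_security_admin"},
    "carol": {"data_administrator"},
    "dave": {"data_steward", "data_security_admin"},  # holds a toxic pair
    "erin": {"auditor"},
}


def find_role_conflicts(assignments: Dict[str, Set[str]]) -> List[Tuple[str, FrozenSet[str]]]:
    """Static SoD audit: report every user who holds both roles of a conflicting pair."""
    violations: List[Tuple[str, FrozenSet[str]]] = []
    for user, roles in sorted(assignments.items()):
        for pair in CONFLICTING_ROLES:
            if pair <= roles:  # the user's role set contains the whole pair
                violations.append((user, pair))
    return violations


class SoDViolation(Exception):
    """Raised when a workflow step would collapse two duties onto one person."""


@dataclass
class AccessRequest:
    requester: str
    resource: str
    approved_by: Optional[str] = None
    provisioned_by: Optional[str] = None


class AccessWorkflow:
    """Dynamic SoD: approval and provisioning are distinct steps, each gated on
    the right role, performed by different people, and never self-approved."""

    def __init__(self, assignments: Dict[str, Set[str]]):
        self.assignments = assignments

    def _require_role(self, user: str, role: str) -> None:
        if role not in self.assignments.get(user, set()):
            raise SoDViolation(f"{user} does not hold role {role}")

    def approve(self, req: AccessRequest, approver: str) -> AccessRequest:
        self._require_role(approver, "data_steward")
        if approver == req.requester:
            raise SoDViolation("self-approval is not permitted")
        req.approved_by = approver
        return req

    def provision(self, req: AccessRequest, admin: str) -> AccessRequest:
        if req.approved_by is None:
            raise SoDViolation("cannot provision an unapproved request")
        self._require_role(admin, "data_security_admin")
        if admin in (req.requester, req.approved_by):
            raise SoDViolation("approver and provisioner must be different people")
        req.provisioned_by = admin
        return req


def run_demo() -> Dict[str, str]:
    """Exercise the workflow over the constructed data and return each outcome."""
    wf = AccessWorkflow(SAMPLE_ASSIGNMENTS)
    out: Dict[str, str] = {}

    ok = wf.provision(wf.approve(AccessRequest("carol", "payroll_db"), "alice"), "bob")
    out["two_person_grant"] = f"approved by {ok.approved_by}, provisioned by {ok.provisioned_by}"

    attempts = (
        ("self_approval", lambda: wf.approve(AccessRequest("alice", "payroll_db"), "alice")),
        ("skip_approval", lambda: wf.provision(AccessRequest("carol", "payroll_db"), "bob")),
        # dave holds both roles, so without the distinct-person check he could do it all
        ("single_actor", lambda: wf.provision(wf.approve(AccessRequest("carol", "payroll_db"), "dave"), "dave")),
    )
    for label, attempt in attempts:
        try:
            attempt()
            out[label] = "allowed"
        except SoDViolation as exc:
            out[label] = f"blocked: {exc}"
    return out


if __name__ == "__main__":
    for user, pair in find_role_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"role conflict: {user} holds {sorted(pair)}")
    for step, result in run_demo().items():
        print(f"{step}: {result}")
```

The static audit is what an access review against an IAM export looks like: it finds dave, who could approve and grant his own access, before any transaction happens. The workflow check is the transactional control the lesson describes; note that it still blocks dave even though the role assignment was never cleaned up, which is why both forms are worth having.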
ISO/IEC 27002 was introduced in the last unit; many other frameworks exist, as mentioned in this lesson. COBIT, COSO, FISMA, and the Information Technology Infrastructure Library (ITIL) are prominent frameworks that organizations may want to implement. The framework that works best will shape what the organization’s infrastructure looks like and its IT culture (Johnson & Easttom, 2022).

Reference

Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034
