Chapter1GettingInformationSecurityRight_ToptoBottom_InformationSecurityGovernanceSimplified.pdf

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 1/13

1

Getting Information Security Right

Top to Bottom

Our chief want in life is somebodywho shall make us do what we can.

Ralph Waldo Emerson, 1803–1882

The Rocky Mountains are an amazing display of nature that stretch

across the western states. The mountains have been viewed many times

in travels to the West Coast, but the real beauty of the mountain tops

and the depths of the canyons can be appreciated best by taking a long

train ride from Chicago to San Francisco. It becomes clear that the ma-

jestic tops of the mountain cannot exist without the canyons down be-

low; rocks of all sizes grace the mountain, with little rocks sometimes

holding up the big rocks, and sometimes vice versa; vegetation is some-

times very sparse, yet it seems to have a role there; and finally, as strong

as the mountains are, man has sometimes blasted their way through,

with tunnels like the Moffat Tunnel, which is 6.2 miles long and cut the

distance between Denver and the Pacific Coast by 176 miles in 1928.

We like to think of our organizations as solid fortresses built on solid

rock foundations that cannot be blasted through. We like to believe that

all of the little rocks at the bottom in our organizations are being led to

a greater vision by the top, massive rocks that often sit at the top of the

mountain. We like to believe that our organizations are strong enough

to endure any headwinds or storms that will come our way. We want to

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 2/13

believe that what may have taken many years to build will endure and

fend off competitors. Yes, we want to believe we have built a solid foun-

dation just like those shown in Figure 1.1. As we all know, large rocks

once at the top of the organization sometimes crumble, or are subject to

attacks by avalanches, acting as external forces that serve to threaten

the stability of the organization.

Figure 1.1 Building a security rock foundation.

What does this have to do with information security? Plenty and the

answer is twofold. First, without building within the organization an ad-

equate security foundation that can withstand external and internal

threats from the environment, our organizations will become reac-

tionary to protect the information assets. Second, the security organiza-

tion must be adopted within the context of a larger whole—involving

the board of directors, senior management, middle management, front-

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 3/13

line supervisors, and the end user in order to have sustained success

over time. Engaging individuals in a constructive security commitment

to the organization does not happen by accident but rather must be in-

tentional. Individuals must know what their responsibilities are at all

levels to protect the confidentiality, integrity and availability of the as-

sets. We call this knowledge information security governance.

Information Security Governance

Governance comes from the Latin origins to define “steering” or to

“have power over.” Information security governance defines the roles

and expectations of the management levels and nonmanagement levels

alike so that each party understands what it is responsible for. Without

taking the time to define these expectations, organizations will still op-

erate with a set of practices, but they may not achieve the desired result.

Failure to define a set of security policies leads individuals to make up

their own rules and methods of operating, which may not be in the best

interest to the organization. Information security governance grants the

power to the appropriate individuals to carry out the security mission.

Performance expectations in the form of qualitative and quantitative

metrics should be set to ensure that the security program is being ful-

filled. For example, if it is expected that everyone in the organization re-

ceive security awareness training, including the executives, then this in-

formation should be tracked and evaluated against a standard, just as

market share, increases in revenue, and hitting cost targets are mea-

sured within the organization.

Undesirable outcomes are avoided with a strong information security

governance program. Since expectations of each management level are

articulated and communicated according to their role, the likelihood is

reduced that activities are not performed correctly. For example, if the

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 4/13

organization sets a policy of shredding sensitive documents at the end

of the day, and the vice president of the claims area decides to dedicate

an employee to shred the many claims that need to be disposed of

quickly, he or she may choose to hire an external contractor to come on-

site to shred the documents. If the vice president chooses this action, he

or she then needs to make sure that this is permissible under the infor-

mation security policy, even though intentions are consistent with the

policy. There may be retention requirements or background policies for

the contractor that could be violated. The decision-making process fol-

lowed by the executive must follow the thought process for the informa-

tion security program. In other words, can the executive make this deci-

sion on his or her own? Or does the executive need to obtain approval

from the information security officer? If an external vendor is chosen,

how does the executive ensure that the information will be properly

protected in transit and destruction? Are there existing contracts in

place? How will the documents be stored securely onsite until they can

be shredded? This example illustrates why it must be clear within the

organization who has what authority and role with respect to informa-

tion security. The individuals within the organization need to be able to

perform their roles within the policies and procedures that have been

agreed upon, as well as have the ability to recognize when an exception

to a policy needs to be considered and then subsequently seek appropri-

ate approval prior to implementation.

A security governance framework controls and coordinates the secu-

rity activities within the company. For example, knowing that an end

user department must have all access requests for its local applications

processed by security administration increases the likelihood that the

appropriate segregation of duties principles are being enforced. It also

indicates the organization’s desire to control all access through central-

ized management and not permit individual departments to set up their

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 5/13

own administration activities, where the organization may have de-

cided that there was a likelihood that the access approvals would be

granted by someone who was also a user of the system having the ac-

cess capability but not the proper management authority. The proper

logging mechanisms of the request, approval, and granting of the access

request may also not be in place in the end-user department. Just as the

organization controls who enters individuals into payroll (human re-

sources) and who approves salary increases (managers and the

manager’s supervisor), it needs to establish clear control over the infor-

mation security activities.

Information security governance also defines processes to control the

activities. Standard operating procedures should include documented

processes to carry out the security mission as well as indicating who has

the authority to approve the processes.

The policies, processes, and decision rights for a specific area of re-

sponsibility must be maintained to provide consistent management of

the enterprise. The IT Governance Institute’s (ITGI) definition of infor-

mation security governance reads, “Information Security Governance is

a subset of enterprise governance that provides strategic direction, en-

sures objectives are achieved, manages risk appropriately, uses organi-

zational resources responsibly, and monitors the success or failure of

the information security programme” (ITGI, n.d.).

Tone at the Top

Why is it at a third-grade concert, you hear the squeaky flute or the

strings on the violin that went astray? The entire saxophone section

could be sounding in perfect harmony, but if one, and just one was play-

ing with a bad reed, the efforts of the rest of the saxophone section will

not even be heard or recognized for its good work. If we like to think of

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 6/13

our organizations as orchestras, then the conductors leading the instru-

ments of all types need to also ensure that they are contributing to ex-

cellence by walking the walk. People in companies are very smart and

look for cues that the senior management is advocating and following

the rules that it is expected to follow. If it is not, then associates at the

lower organizational level in the company fail to see the credibility in

the rule and feel that they can also bypass the security policy.

Tone at the Bottom

Some legislation, such as the Health Insurance Portability and

Accountability Act (HIPAA) final security rule mandated that all people

within the organization receive security awareness training (DHHS,

2003). The senior executives were not exempt from attending the train-

ing. Subsequent audits could reveal that the senior management was

not participating. In practice, when the senior management would at-

tend security awareness training along with their staffs, it had the side

effect of showing the staff, “Hey, this must be important.” The words

and actions from senior management should not be underestimated in

their impact. Alternatively, if a manager is discounting the need for a

policy and decides not to follow it, he cannot expect others on his team

to take the policy seriously. If, for example, he comes to work one day

and forgets his physical ID access badge and asks a staff member to “just

let me in,” the manager should not be surprised when a staff member

holds the door open for another person at another time.

Organizations have traditionally been managed with a hierarchical

command and control structure, whereby the individuals at the top of

the organization define the policies that must be adhered to by the rest

of the organization. As long as management is demonstrating consistent

application of the rules and these rules make sense to them, these rules

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 7/13

are likely to be followed. If the manager encourages the associate to cut

corners to meet deadlines on a regular basis, this may carry over into

the end users attitude toward sidestepping information security policies

to meet their deadlines.

Nonmanagement associates tend to discuss what is going on in their

departments and their leadership, and even if an individual’s own

leader is a stickler for following the rules, failure to follow the rules by

other department leaders can have a negative impact on the perfor-

mance of the individual, questioning why the other department does

not have to follow the same security rules.

Governance, Risk, and Compliance (GRC)

A variety of laws and regulations have surfaced over the past decade in

an attempt to strengthen the security of information stored within the

companies to which the information assets are entrusted. As a result of

the laws that have been enacted, various security control “standards”

and “frameworks” have evolved and become popular means to meet the

requirements of the laws. Since laws and regulations are intentionally

developed at a higher “what needs to happen” level versus the “how to

secure the information” level, the standards and control frameworks

become valuable tools to ensure that security is planned, organized, im-

plemented, tested, and monitored.

Governance, risk, and compliance (GRC) is a term that has been em-

braced primarily by the vendor community in recent years in recogni-

tion of the fact that companies are struggling with the plethora of con-

trols which must be implemented to meet the extensive requirements of

the laws and regulations. Governance is simply the structure, policies,

and practices that are put in place by the organization to ensure that the

controls are adequately communicated, carried out, and enforced by en-

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 8/13

gaging direction and support at the appropriate organizational level.

Risk is the act of making informed decisions about the losses that the

company is willing to accept given a breach of security and building the

appropriate mitigating risk strategies to reduce the risk to acceptable

levels defined by the business. Compliance is ensuring that the controls

are being adhered to on an ongoing basis, thereby increasing the likeli-

hood of a reduction of risk and increased adherence to the governance

intended by the organization (Fitzgerald, 2008).

The three components of governance, risk, and compliance are neces-

sary for adequate security controls; however, implementing them does

not ensure that a security program is adequate. Compliance is a neces-

sary control that has been recognized by governments for centuries.

Criminal acts, by their very nature, are forms of noncompliance with

the laws that are in place. Take driving a car for example. As a teenager

obtains his or her driver’s license, the diligent parent warns about the

downside of not following the laws, reckless driving, speeding, and pay-

ing attention to parking and vehicle regulations. The teenager says,

“Sure Dad, no problem” and forgets 5 minutes later as they morph into

their busy teenage social network of friends and peer pressure, away

from the constant reminders of Mom and Dad. Teenagers do not realize

at the time the consequences of their actions. Or, maybe they do subcon-

sciously, but it is not the most important thought in their daily “work

life.” Time goes on, piling up speeding tickets, tickets for excessive win-

dow tinting, unpaid parking tickets, and so on until one day they have

the opportunity to pay their own car insurance! The parent at that point

transfers the risk to the child, and then the learning of true cost of non-

compliance begins. The risk is ultimately acknowledged and accepted,

and new mitigating strategies are put in place, such as better driving.

Organizations are made up of many busy “teenagers,” each of which are

influenced by their peer work groups and need to be educated as to the

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 9/13

future costs of noncompliance to the security controls. Adopting a con-

trol framework is a good start. However, compliance must be addressed

as an ongoing, deliberate strategy.

The Compliance Dilemma

Answers.com provides a definition for compliance as “the act of com-

plying with a wish, request, or demand; acquiescence.” It further pro-

vides a definition that may resonate with how many companies feel

about the plethora of government regulations: “a disposition or ten-

dency to yield to the will of others.” Compliance with security regula-

tions is no trivial task; in fact, in a survey conducted by the Security

Compliance Council, as much as 34% of information technology re-

sources were being consumed to demonstrate compliance (Hurley,

2006). These are valuable, technical resources that could be deployed to

other high-value, new development efforts or to improving the effi-

ciency of operations, but rather are being utilized to ensure that the reg-

ulations are being followed. This is a significant burden for large busi-

nesses. However, in smaller businesses the resources dedicated may be

smaller in numbers, except that the hidden costs must be considered,

such as burnout of the one or two information technology (IT) people

who are working many hours of overtime to comply.

Compliance ensures that due diligence has been exercised within the

organization to meet the government regulations for security practices.

Compliance can be achieved in many ways, as many of these regula-

tions provide a higher-level definition of the requirement of what must

be done; however, the lower-level, platform-specific details of how the

solution is implemented are typically not stated in the regulation itself.

The regulation’s primary task is to ensure that the appropriate pro-

cesses are in place, people are aware of their responsibilities, and tech-

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 10/13

nical issues are appropriately managed. The regulations are drafted at a

policy level and, as such, it would be difficult to mandate the selection

of a specific platform from a particular vendor, as this would provide

an undue advantage for that vendor. Furthermore, because technology

changes at a pace faster than the policy-making process, by the time

new legislation was enacted, the legislation would most likely be out of

date. This approach would also stifle innovation by mandating the use

of specific, currently present technology to address security challenges.

The landscape of government regulations and security control frame-

works covered in the subsequent sections is shown in Figure 1.2. These

laws, regulations, and security control standards and frameworks are

covered in more detail in subsequent chapters. These provide the struc-

ture for what must be complied with to protect the particular vertical

industry security protection and assurance needs, as well as some po-

tential frameworks for selecting and managing the controls within those

frameworks. There is value in reviewing the security laws and stan-

dards outside of the mandates within a particular industry (for exam-

ple, reviewing the Federal Financial Institutions Examination Council

[FFIEC] handbook while being subject to HIPAA security requirements),

as this may provide security control thought leadership to strengthen

the security program.

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 11/13

Figure 1.2 Landscape of governing security laws, regulations, and standards.

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 12/13

1.

2.

3.

4.

5.

6.

7.

8.

It is important to recognize at this point that the information security

governance program leverages the laws, regulations, frameworks, and

standards from multiple places and may have to simultaneously be

compliant with multiple laws and regulations. The chapters that follow

provide the necessary “security rocks” for laying the information secu-

rity governance foundation.

Suggested Reading

National Institute of Standards and Technology (NIST). August 2009. Special

Publication 800-53 Rev3: Recommended security controls for federal informa-

tion systems and organizations, http://csrc.nist.gov/publications/nistpubs/800-

53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

Government Accountability Office. January 1999. Federal Information Systems

Controls Audit Manual (GAO/AIMB-12.19.6).

http://gao.gov/special.pubs/ai12.19.6.pdf

Cobit 4.1, IT Governance Institute, http://www.itgi.org, n.d.

Hurley, J. 2006. The CSO’s security compliance agenda: Benchmark research re-

port. CSI Computer Security Journal 22: 37–44.

Wikipedia,

http://www.en.wikipedia.org/wiki/information_security_governance, n.d.

Defense Information Systems Agency (DISA). Security Technical Implementation

Guides (STIGS), http://iase.disa.mil/stigs/stig

International Organization for Standardization (ISO). ISO/IEC 17799:2005

Information technology security techniques—Code of practice for information

security management. http://www.iso.org/iso/en/prods-

services/popstds/informationsecurity.html

SANS Institute Top 20, www.sans.org/top20

3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 13/13

9.

10.

11.

12.

NIST National Vulnerability Database, http://nvd.nist.gov

Department of Health and Human Services, Office of the Secretary. February 20,

2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security stan-

dards; Final rule. Federal Register 68(24).

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf

Department of Health and Human Services, Office of the Secretary. August 14,

2002.45 CFR Parts 160 and 164 Standards for privacy of individually identifiable

health information; Final rule. Federal Register 67(157).

http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/privruletxt.txt

Fitzgerald, T. 2008. Compliance assurance: Taming the beast. In Information

Security Handbook, H.Tipton and M. Krause, eds., chap. 28. Boca Raton, FL:

Auerbach.