Quizz
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 1/13
1
Getting Information Security Right
Top to Bottom
Our chief want in life is somebodywho shall make us do what we can.
Ralph Waldo Emerson, 1803–1882
The Rocky Mountains are an amazing display of nature that stretch
across the western states. The mountains have been viewed many times
in travels to the West Coast, but the real beauty of the mountain tops
and the depths of the canyons can be appreciated best by taking a long
train ride from Chicago to San Francisco. It becomes clear that the ma-
jestic tops of the mountain cannot exist without the canyons down be-
low; rocks of all sizes grace the mountain, with little rocks sometimes
holding up the big rocks, and sometimes vice versa; vegetation is some-
times very sparse, yet it seems to have a role there; and finally, as strong
as the mountains are, man has sometimes blasted their way through,
with tunnels like the Moffat Tunnel, which is 6.2 miles long and cut the
distance between Denver and the Pacific Coast by 176 miles in 1928.
We like to think of our organizations as solid fortresses built on solid
rock foundations that cannot be blasted through. We like to believe that
all of the little rocks at the bottom in our organizations are being led to
a greater vision by the top, massive rocks that often sit at the top of the
mountain. We like to believe that our organizations are strong enough
to endure any headwinds or storms that will come our way. We want to
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 2/13
believe that what may have taken many years to build will endure and
fend off competitors. Yes, we want to believe we have built a solid foun-
dation just like those shown in Figure 1.1. As we all know, large rocks
once at the top of the organization sometimes crumble, or are subject to
attacks by avalanches, acting as external forces that serve to threaten
the stability of the organization.
Figure 1.1 Building a security rock foundation.
What does this have to do with information security? Plenty and the
answer is twofold. First, without building within the organization an ad-
equate security foundation that can withstand external and internal
threats from the environment, our organizations will become reac-
tionary to protect the information assets. Second, the security organiza-
tion must be adopted within the context of a larger whole—involving
the board of directors, senior management, middle management, front-
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 3/13
line supervisors, and the end user in order to have sustained success
over time. Engaging individuals in a constructive security commitment
to the organization does not happen by accident but rather must be in-
tentional. Individuals must know what their responsibilities are at all
levels to protect the confidentiality, integrity and availability of the as-
sets. We call this knowledge information security governance.
Information Security Governance
Governance comes from the Latin origins to define “steering” or to
“have power over.” Information security governance defines the roles
and expectations of the management levels and nonmanagement levels
alike so that each party understands what it is responsible for. Without
taking the time to define these expectations, organizations will still op-
erate with a set of practices, but they may not achieve the desired result.
Failure to define a set of security policies leads individuals to make up
their own rules and methods of operating, which may not be in the best
interest to the organization. Information security governance grants the
power to the appropriate individuals to carry out the security mission.
Performance expectations in the form of qualitative and quantitative
metrics should be set to ensure that the security program is being ful-
filled. For example, if it is expected that everyone in the organization re-
ceive security awareness training, including the executives, then this in-
formation should be tracked and evaluated against a standard, just as
market share, increases in revenue, and hitting cost targets are mea-
sured within the organization.
Undesirable outcomes are avoided with a strong information security
governance program. Since expectations of each management level are
articulated and communicated according to their role, the likelihood is
reduced that activities are not performed correctly. For example, if the
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 4/13
organization sets a policy of shredding sensitive documents at the end
of the day, and the vice president of the claims area decides to dedicate
an employee to shred the many claims that need to be disposed of
quickly, he or she may choose to hire an external contractor to come on-
site to shred the documents. If the vice president chooses this action, he
or she then needs to make sure that this is permissible under the infor-
mation security policy, even though intentions are consistent with the
policy. There may be retention requirements or background policies for
the contractor that could be violated. The decision-making process fol-
lowed by the executive must follow the thought process for the informa-
tion security program. In other words, can the executive make this deci-
sion on his or her own? Or does the executive need to obtain approval
from the information security officer? If an external vendor is chosen,
how does the executive ensure that the information will be properly
protected in transit and destruction? Are there existing contracts in
place? How will the documents be stored securely onsite until they can
be shredded? This example illustrates why it must be clear within the
organization who has what authority and role with respect to informa-
tion security. The individuals within the organization need to be able to
perform their roles within the policies and procedures that have been
agreed upon, as well as have the ability to recognize when an exception
to a policy needs to be considered and then subsequently seek appropri-
ate approval prior to implementation.
A security governance framework controls and coordinates the secu-
rity activities within the company. For example, knowing that an end
user department must have all access requests for its local applications
processed by security administration increases the likelihood that the
appropriate segregation of duties principles are being enforced. It also
indicates the organization’s desire to control all access through central-
ized management and not permit individual departments to set up their
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 5/13
own administration activities, where the organization may have de-
cided that there was a likelihood that the access approvals would be
granted by someone who was also a user of the system having the ac-
cess capability but not the proper management authority. The proper
logging mechanisms of the request, approval, and granting of the access
request may also not be in place in the end-user department. Just as the
organization controls who enters individuals into payroll (human re-
sources) and who approves salary increases (managers and the
manager’s supervisor), it needs to establish clear control over the infor-
mation security activities.
Information security governance also defines processes to control the
activities. Standard operating procedures should include documented
processes to carry out the security mission as well as indicating who has
the authority to approve the processes.
The policies, processes, and decision rights for a specific area of re-
sponsibility must be maintained to provide consistent management of
the enterprise. The IT Governance Institute’s (ITGI) definition of infor-
mation security governance reads, “Information Security Governance is
a subset of enterprise governance that provides strategic direction, en-
sures objectives are achieved, manages risk appropriately, uses organi-
zational resources responsibly, and monitors the success or failure of
the information security programme” (ITGI, n.d.).
Tone at the Top
Why is it at a third-grade concert, you hear the squeaky flute or the
strings on the violin that went astray? The entire saxophone section
could be sounding in perfect harmony, but if one, and just one was play-
ing with a bad reed, the efforts of the rest of the saxophone section will
not even be heard or recognized for its good work. If we like to think of
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 6/13
our organizations as orchestras, then the conductors leading the instru-
ments of all types need to also ensure that they are contributing to ex-
cellence by walking the walk. People in companies are very smart and
look for cues that the senior management is advocating and following
the rules that it is expected to follow. If it is not, then associates at the
lower organizational level in the company fail to see the credibility in
the rule and feel that they can also bypass the security policy.
Tone at the Bottom
Some legislation, such as the Health Insurance Portability and
Accountability Act (HIPAA) final security rule mandated that all people
within the organization receive security awareness training (DHHS,
2003). The senior executives were not exempt from attending the train-
ing. Subsequent audits could reveal that the senior management was
not participating. In practice, when the senior management would at-
tend security awareness training along with their staffs, it had the side
effect of showing the staff, “Hey, this must be important.” The words
and actions from senior management should not be underestimated in
their impact. Alternatively, if a manager is discounting the need for a
policy and decides not to follow it, he cannot expect others on his team
to take the policy seriously. If, for example, he comes to work one day
and forgets his physical ID access badge and asks a staff member to “just
let me in,” the manager should not be surprised when a staff member
holds the door open for another person at another time.
Organizations have traditionally been managed with a hierarchical
command and control structure, whereby the individuals at the top of
the organization define the policies that must be adhered to by the rest
of the organization. As long as management is demonstrating consistent
application of the rules and these rules make sense to them, these rules
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 7/13
are likely to be followed. If the manager encourages the associate to cut
corners to meet deadlines on a regular basis, this may carry over into
the end users attitude toward sidestepping information security policies
to meet their deadlines.
Nonmanagement associates tend to discuss what is going on in their
departments and their leadership, and even if an individual’s own
leader is a stickler for following the rules, failure to follow the rules by
other department leaders can have a negative impact on the perfor-
mance of the individual, questioning why the other department does
not have to follow the same security rules.
Governance, Risk, and Compliance (GRC)
A variety of laws and regulations have surfaced over the past decade in
an attempt to strengthen the security of information stored within the
companies to which the information assets are entrusted. As a result of
the laws that have been enacted, various security control “standards”
and “frameworks” have evolved and become popular means to meet the
requirements of the laws. Since laws and regulations are intentionally
developed at a higher “what needs to happen” level versus the “how to
secure the information” level, the standards and control frameworks
become valuable tools to ensure that security is planned, organized, im-
plemented, tested, and monitored.
Governance, risk, and compliance (GRC) is a term that has been em-
braced primarily by the vendor community in recent years in recogni-
tion of the fact that companies are struggling with the plethora of con-
trols which must be implemented to meet the extensive requirements of
the laws and regulations. Governance is simply the structure, policies,
and practices that are put in place by the organization to ensure that the
controls are adequately communicated, carried out, and enforced by en-
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 8/13
gaging direction and support at the appropriate organizational level.
Risk is the act of making informed decisions about the losses that the
company is willing to accept given a breach of security and building the
appropriate mitigating risk strategies to reduce the risk to acceptable
levels defined by the business. Compliance is ensuring that the controls
are being adhered to on an ongoing basis, thereby increasing the likeli-
hood of a reduction of risk and increased adherence to the governance
intended by the organization (Fitzgerald, 2008).
The three components of governance, risk, and compliance are neces-
sary for adequate security controls; however, implementing them does
not ensure that a security program is adequate. Compliance is a neces-
sary control that has been recognized by governments for centuries.
Criminal acts, by their very nature, are forms of noncompliance with
the laws that are in place. Take driving a car for example. As a teenager
obtains his or her driver’s license, the diligent parent warns about the
downside of not following the laws, reckless driving, speeding, and pay-
ing attention to parking and vehicle regulations. The teenager says,
“Sure Dad, no problem” and forgets 5 minutes later as they morph into
their busy teenage social network of friends and peer pressure, away
from the constant reminders of Mom and Dad. Teenagers do not realize
at the time the consequences of their actions. Or, maybe they do subcon-
sciously, but it is not the most important thought in their daily “work
life.” Time goes on, piling up speeding tickets, tickets for excessive win-
dow tinting, unpaid parking tickets, and so on until one day they have
the opportunity to pay their own car insurance! The parent at that point
transfers the risk to the child, and then the learning of true cost of non-
compliance begins. The risk is ultimately acknowledged and accepted,
and new mitigating strategies are put in place, such as better driving.
Organizations are made up of many busy “teenagers,” each of which are
influenced by their peer work groups and need to be educated as to the
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 9/13
future costs of noncompliance to the security controls. Adopting a con-
trol framework is a good start. However, compliance must be addressed
as an ongoing, deliberate strategy.
The Compliance Dilemma
Answers.com provides a definition for compliance as “the act of com-
plying with a wish, request, or demand; acquiescence.” It further pro-
vides a definition that may resonate with how many companies feel
about the plethora of government regulations: “a disposition or ten-
dency to yield to the will of others.” Compliance with security regula-
tions is no trivial task; in fact, in a survey conducted by the Security
Compliance Council, as much as 34% of information technology re-
sources were being consumed to demonstrate compliance (Hurley,
2006). These are valuable, technical resources that could be deployed to
other high-value, new development efforts or to improving the effi-
ciency of operations, but rather are being utilized to ensure that the reg-
ulations are being followed. This is a significant burden for large busi-
nesses. However, in smaller businesses the resources dedicated may be
smaller in numbers, except that the hidden costs must be considered,
such as burnout of the one or two information technology (IT) people
who are working many hours of overtime to comply.
Compliance ensures that due diligence has been exercised within the
organization to meet the government regulations for security practices.
Compliance can be achieved in many ways, as many of these regula-
tions provide a higher-level definition of the requirement of what must
be done; however, the lower-level, platform-specific details of how the
solution is implemented are typically not stated in the regulation itself.
The regulation’s primary task is to ensure that the appropriate pro-
cesses are in place, people are aware of their responsibilities, and tech-
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 10/13
nical issues are appropriately managed. The regulations are drafted at a
policy level and, as such, it would be difficult to mandate the selection
of a specific platform from a particular vendor, as this would provide
an undue advantage for that vendor. Furthermore, because technology
changes at a pace faster than the policy-making process, by the time
new legislation was enacted, the legislation would most likely be out of
date. This approach would also stifle innovation by mandating the use
of specific, currently present technology to address security challenges.
The landscape of government regulations and security control frame-
works covered in the subsequent sections is shown in Figure 1.2. These
laws, regulations, and security control standards and frameworks are
covered in more detail in subsequent chapters. These provide the struc-
ture for what must be complied with to protect the particular vertical
industry security protection and assurance needs, as well as some po-
tential frameworks for selecting and managing the controls within those
frameworks. There is value in reviewing the security laws and stan-
dards outside of the mandates within a particular industry (for exam-
ple, reviewing the Federal Financial Institutions Examination Council
[FFIEC] handbook while being subject to HIPAA security requirements),
as this may provide security control thought leadership to strengthen
the security program.
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 11/13
Figure 1.2 Landscape of governing security laws, regulations, and standards.
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 12/13
1.
2.
3.
4.
5.
6.
7.
8.
It is important to recognize at this point that the information security
governance program leverages the laws, regulations, frameworks, and
standards from multiple places and may have to simultaneously be
compliant with multiple laws and regulations. The chapters that follow
provide the necessary “security rocks” for laying the information secu-
rity governance foundation.
Suggested Reading
National Institute of Standards and Technology (NIST). August 2009. Special
Publication 800-53 Rev3: Recommended security controls for federal informa-
tion systems and organizations, http://csrc.nist.gov/publications/nistpubs/800-
53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Government Accountability Office. January 1999. Federal Information Systems
Controls Audit Manual (GAO/AIMB-12.19.6).
http://gao.gov/special.pubs/ai12.19.6.pdf
Cobit 4.1, IT Governance Institute, http://www.itgi.org, n.d.
Hurley, J. 2006. The CSO’s security compliance agenda: Benchmark research re-
port. CSI Computer Security Journal 22: 37–44.
Wikipedia,
http://www.en.wikipedia.org/wiki/information_security_governance, n.d.
Defense Information Systems Agency (DISA). Security Technical Implementation
Guides (STIGS), http://iase.disa.mil/stigs/stig
International Organization for Standardization (ISO). ISO/IEC 17799:2005
Information technology security techniques—Code of practice for information
security management. http://www.iso.org/iso/en/prods-
services/popstds/informationsecurity.html
SANS Institute Top 20, www.sans.org/top20
3/27/23, 10:33 PM Chapter 1 Getting Information Security Right: Top to Bottom | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/012-9781466551282-001.xhtml#ch1 13/13
9.
10.
11.
12.
NIST National Vulnerability Database, http://nvd.nist.gov
Department of Health and Human Services, Office of the Secretary. February 20,
2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security stan-
dards; Final rule. Federal Register 68(24).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
Department of Health and Human Services, Office of the Secretary. August 14,
2002.45 CFR Parts 160 and 164 Standards for privacy of individually identifiable
health information; Final rule. Federal Register 67(157).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/privruletxt.txt
Fitzgerald, T. 2008. Compliance assurance: Taming the beast. In Information
Security Handbook, H.Tipton and M. Krause, eds., chap. 28. Boca Raton, FL:
Auerbach.