Information Security Management


Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00

>> Hi, welcome back. Today we're going to be covering Module 6, Domain 5, Protection of Information Assets. As with the other modules, these are the main learning objectives and task statements that [inaudible] put out for this particular part of the course. Use these as resources to review and make sure that you've got a good understanding before you go into the exam.

Let's begin our first part, which is Information Security Management. In this lesson, we'll be covering policy and procedures, incident response, compliance, roles and functions within Information Security Management, a little bit about privacy, which is aligned to security but has a few different aspects, some other considerations you need to take into account, the alignment to the business, and also a bit more about assets. Let's begin.

Information Security Management, in essence, is a collection of policy, process, and procedures. It's what governs the management of security within the organization, to put it simply. It's composed of a number of discrete and interrelated processes. These all need to work together to form a system which basically looks at information security management as a whole. Now, critically, it needs ongoing management support. It needs very much top-level come up from the very senior management all the way down to actually be effective, and it also needs regular auditing. This will be a common activity that you, as a Certified Information Systems Auditor, will be covering.

Policy and procedures will vary across organizations, but there are a couple of commonalities across all of them. Generally, they'll start with a statement of executive support. This will be endorsement from senior management. There'll be a definition of roles and responsibilities within the policy. There'll also be the value of information-related assets. There'll be some definition about what value given assets to fund in the policy halts, and there'll be procedures and controls around the protection of these information assets.

Now, you may come across a variety of policies, but generally, these days, these will be common across all organizations. There'll be some form of acceptable behavior or acceptable use policy. Now, this will vary from organization to organization, and there might be multiple policies depending upon the nature of the IT systems. There'll be a risk management policy which will define the organization's appetite for risk. Now, this may cover the entire organization or be a separate one specifically for the IT systems. There'll be support for any laws and regulations. If there are any policies or laws and legislation governing the operation of a business, they will be reflected in policy and procedures. All policies and procedures will have some form of enforcement and consequences.

Now, security awareness is a common one that you're going to come across. This is usually in the form of security awareness training, but there should be a policy that actually supports it. Generally, a couple of the key features: there'll be some form of acknowledgment. There'll be a formal acknowledgment that all employees have actually seen, read, and will agree to abide by the security awareness requirements. There'll be training upon employment. As soon as people get onboarded to an organization, generally this is one of the first training sessions that they'll go through, and that will be followed up by periodic refreshers, which is generally on a 12-monthly basis. Policy will also need to be accessible to all people in the organization at all times. Generally, on an organization's intranet site this will be available so that users can actually review the policy as they require, and there'll be periodic messages, signage, and brushes, which will allow people to end particular security matters that are significant at the time.

Now, I personally haven't come across this in my career, but rewarding good behavior can sometimes be an aspect of security awareness. This might be a reduction in the number of incidents over a period of time resulting in some form of reward for a particular work area, for example. It would be very much dependent upon the culture of the organization as to whether this would be appropriate or not.

Now, incident response. Basically, incident response is when things go wrong with policy or procedures, or there is a breach of the security management policy and procedures. This can vary again depending on the organization, but commonly you'll see exposure or theft, so data spills. In other words, sensitive corporate data or classified data, if that's appropriate for the organization, is exposed to either a person who is unauthorized to see it or has been transmitted to an unauthorized device. Theft of systems is a common one. System damage as well: information corruption or destruction. This could be either accidental or malicious. For example, failure of a hard drive, or somebody deliberately destroys data. And malware is obviously quite a common one, which could also tie into any of these other instances depending upon the type of malware.

Now, compliance. Security is backed a lot by compliance that can exist at various levels of society. Depending on the jurisdiction, that could be national laws which enforce particular security requirements, state and local laws. Consumer protection agencies can often be involved in security management as well. Obviously, different industries will have different standards which require security management. A good example of this is the United States HIPAA regulations.

Now, the roles and responsibilities will need to be defined at various levels. Generally, we're talking about three main high levels across organizations: executive level, functional level, and operational level. At the executive level, the direction and the strategic goals of the policy are set, as interpreted and as defined by the business strategic goals. The functional level will look at implementing those policies, and the operational level will look at running those policies on a day-to-day basis.

Now, privacy. As I said, it's a little bit different to security, but it certainly is implemented by security controls. This will vary greatly from country to country and from jurisdiction to jurisdiction. Areas such as the European Union have what's called the GDPR. In Australia, we have the Australian Privacy Act. This will vary from country to country and state to state. But basically, in summary, it's realistically just a right of an individual to trust that others will appropriately and legitimately handle their data, and as an auditor this will often become a significant aspect of your role.

A couple of points of good practice. I won't go into details because, as I mentioned, there's great variety across jurisdictions. In general, what you will see from good practice regardless of jurisdiction is that privacy will be built in by design. Privacy won't be an afterthought, like with security. It will be a consideration right from the initial system design.

>> Any private data is collected in an open and transparent manner. There's usually some form of acknowledgment or some form of alert to a user of a system as to what data is being collected and for what. Private data is kept secure throughout its life cycle. Life cycle management, which we'll talk about in some slides coming up, is a key aspect of managing data within an organization. It also needs to be collected and used only for the purposes for which it has been identified. Certainly within Australia, under the Australian Privacy Act, if an organization collects data for a stated purpose and in future they want to use that data for a different purpose, then they need to inform their employees of that in writing to be compliant with the Privacy Act. Data also needs to be accurate, complete, and current, and certainly in some jurisdictions, users and individuals have the right to have that assessed and have any data corrected if it's been identified as incorrect. As we mentioned with life cycle, data needs to be deleted when no longer required.

The privacy impact assessment is a tool that can be used basically to be a governance document or a governance mechanism to ensure that data is used appropriately in a particular system. What a privacy impact assessment does, or what it sets out to do, is identify the personally identifiable information, or PII, that's associated with the business function. There could be a privacy impact assessment conducted on an individual system, or it could be conducted on a subset function of the system. Now, basically, the document covers the collection, use, disclosure, and destruction of the PII. In other words, it defines the life cycle, so it determines what is collected, how it is used, how it's disclosed, and how it is ultimately destroyed. The intent of this is to ensure that there is a level of accountability. For any system or sub-element within a system, it's documented exactly how, what, when, where, and why the privacy information is used. This will also tie into any legislative, regulatory, or contractual requirements for privacy that may be applicable in a jurisdiction for an organization, and ensures informed policy, operation, system, and design decisions are all based around privacy risk.

Obviously, as an auditor, there are many considerations for you to look at here. Identifying areas such as choice and consent, so the personal and sensitive information life cycle. Does one exist, for example, or is it just collected and not really managed throughout its lifespan? Accuracy and quality: are there any controls in place for promoting those two aspects? Legitimate purpose specification and use limitation: is it clearly identified exactly what is being collected, what it's going to be used for, and more importantly, what it's not going to be used for? This could run on to openness, transparency, and notice, basically, so that it pretty much lets the user know exactly how it's going to be used and where it's going to be used. It also identifies any potentials for individual participation and accountability that need to be managed within controls within the organization.

Some additional considerations. As I said, security is not privacy, but it certainly is an allied area. Privacy controls are essentially managed by security safeguards. Aspects of monitoring, measuring, and reporting are quite critical in this case, so how do we actually know that the information is being used appropriately? Preventing harm can be an aspect, depending often upon the legislation and the jurisdiction. Some jurisdictions will define certain types of information as being particularly sensitive and potentially harmful to the individuals, and that can often come with additional security control requirements. Third-party or vendor management is quite critical, particularly in organizations that have elements that are outsourced, potentially to cloud providers. As the organization collecting the data, you are generally responsible for making sure that the privacy is managed regardless of where the data happens to be stored, even if it is in a third party. Breach management, so exactly what happens with breaches, and any records of breaches, is a key audit requirement. And security and privacy by design: does that basically exist, and is that evidenced within the design documentation? Also the free flow of information and illegitimate restriction around that information. These are all considerations for you as an auditor.

Now, business alignment. Back onto information security management in general. Basically, information security management needs to align with the business. As we've spoken about throughout this course, security needs to basically be informed by the strategic goals and objectives of the organization, and so you need, as an auditor, to ensure that there's alignment between the security implementation and the business in that regard. There also needs to be an understanding by the employee of the relationship between the security and the business. As a security practitioner within the security areas, in many cases that will be very much day-to-day business and there will be an understanding, but it needs to also go down to all areas and all strata within the organization. Employees need to understand what the role of security is in the overall business objectives. They need to understand that it is a requirement of the organization and a requirement of the business.

We've spoken a little bit about assets before, but just to reiterate. Assets can cover information, which is data, but also software and information systems, which is essentially anything from servers, workstations, mobile devices, network equipment, gateways, or any other types of hardware devices that are critical to storing or processing that information. Hardware will have certain attributes which will need to be recorded. Basically, identification of what the hardware is. Their relative value, which could be in basically dollars or business-critical value to the organization. Where it's actually located, the classification that it exists at. In other words, the level of data that it processes. Any grouping or configuration, and also the owner and the custodian of that hardware.

Now, information. This is sometimes overlooked, as we've certainly spoken about previously in this course. It covers both your business data and software, and generally it will be basically defined by the criticality of the classification. All organizations will have a level that will define exactly how critical the data is to the organization, which could be anything from insignificant all the way through to extreme business criticality.

That's our lesson. In this lesson we've covered policy and procedures, a little bit about incident response and how that relates to the policy and procedures, compliance requirements, roles and functions within information security management, privacy and how that is aligned to but is also a little bit different from security requirements, considerations for you as an auditor, the alignment of information security management to the business itself, and a little bit more detail about definitions of assets, both information and hardware. I hope you enjoyed this lesson and I will see you at the next one.