Unit 4
GUIDELINES:
Guidelines are advice or steps on how to achieve the goals of the security policy, but they
are suggestions, not rules. They are an important communication tool that lets people know
how to follow the policy's requirements. They convey best practices for using technology
systems or for behaving according to management's preferences.
1) Physical and environmental security guidelines
Interior security: The organization must ensure that information systems and assets are
accessed only by authorized staff.
Protection from hazards: The organization must ensure that all assets are protected from
natural and man-made hazards.
2) Application security guidelines
Application design: The organization must ensure that the system specification and design
phase incorporates the necessary and relevant application security practices.
Application security testing: The organization must have a plan for testing applications to
identify vulnerabilities and weaknesses.
3) Data security guidelines
Cryptography & encryption: Ensure that encryption proportionate to the sensitivity of the
information is applied to protect it.
Information access rights: The organization must establish appropriate procedures to
govern users' access rights to information systems and assets.
4) Personnel security guidelines
Awareness & training: The organization must develop an appropriate information security
awareness and training program for all personnel.
Employee verification: The organization must conduct background checks or security
clearance as part of its hiring process.
FRAMEWORKS:
Security governance frameworks are structured approaches to managing security effectively.
An information security framework is a collection of standardized policies, procedures and
guides meant to direct an organization on how to protect its hardware, software, data,
information, networks, computing devices, users and clients from breaches or risks arising
from the use of the firm's resources or services.
1. Committee of Sponsoring Organizations of the Treadway Commission (COSO): COSO is a
joint initiative of US accounting and auditing bodies, formed in 1985, that published the
Internal Control Integrated Framework (1992). Its background is the Foreign Corrupt
Practices Act of 1977 (FCPA), a law that requires any publicly traded company to accurately
record the transactions and monetary exchanges it is involved in and to maintain a system
of internal accounting controls. The goal is to improve the accuracy of financial reports
and to standardize internal control methods so as to reduce fraudulent reporting. The COSO
framework has five components:
Control environment: The CEO, Board of Directors and executive management are mostly
involved at this level, which covers the assignment of roles and responsibilities. The control
environment consists of the people, culture and ethics of the business.
Risk assessment: Thorough risk assessment provides the data to help a company
design controls to protect its assets and achieve its goals.
Control activities: This component covers the controls that COSO recommends to help
mitigate risk. It highlights the activities that should be controlled, but leaves it up to
management to decide how to control them.
Information and communication: This component of COSO addresses having an organization
in which information and communication flow freely between all parts of the business.
Communication is the mechanism that drives the other four components of the COSO
framework.
Monitoring: Monitoring is the alarm system that identifies a problem and provides valuable
data for fixing issues in the future. Monitoring can consist of periodic reports, audits or
testing mechanisms that report the status of individual controls.
2. Control Objectives for Information and Related Technology (COBIT): COBIT is a framework
published by ISACA, consisting of a series of manuals and implementation guidance for
developing, implementing, monitoring and improving IT governance and information
management. Its key focus is on reducing IT-related risk in an organization.
COBIT complements COSO by detailing the IT controls required and how to measure and
audit them. It defines the information criteria that controls must satisfy (CIAEE):
• Confidentiality
• Integrity
• Availability
• Effectiveness
• Efficiency
(COBIT 4.1 also lists compliance and reliability, making seven information criteria in total.)