
Unit 4


Chapter 4

Information Security
Planning and
Governance
Planning levels
Strategic planning sets the long-term direction to be taken by the organization and each of its
component parts.
Strategic planning should guide organizational efforts and focus resources toward specific, clearly
defined goals.
After an organization develops a general strategy, it generates an overall strategic plan by extending
that general strategy into plans for major divisions.
Each level of each division then translates those plan objectives into more specific objectives for
the level below.
To execute this broad strategy, the executive team must first define individual responsibilities.
The executive team is sometimes called the organization’s C-level, as in CEO, COO, CFO, CIO, and so
on.
Tactical planning focuses on short-term undertakings that will be completed within one or two
years.
The process of tactical planning breaks each strategic goal into a series of incremental objectives.
Each objective in a tactical plan should be specific and should have a delivery date within a year of
the plan’s start.
Budgeting, resource allocation, and personnel are critical components of the tactical plan.
Tactical plans often include project plans and resource acquisition planning documents (such as
product specifications), project budgets, project reviews, and monthly and annual reports.
The chief information security officer (CISO) and security managers use the tactical plan to
organize, prioritize, and acquire resources necessary for major projects and to provide support for
the overall strategic plan.
Operational planning derived from tactical planning is used to organize the ongoing, day-to-day
performance of tasks.
An operational plan includes the necessary tasks for all relevant departments as well as
communication and reporting requirements, which might include weekly meetings, progress
reports, and other associated tasks.
These plans must reflect the organizational structure, with each subunit, department, or project
team conducting its own operational planning and reporting.
Frequent communication and feedback from the teams to the project managers and/or team
leaders, and then up to the various management levels, will make the planning process more
manageable and successful.
Information Security Governance
Governance describes the entire function of controlling, or governing, the processes used by a
group to accomplish some objective.
It represents the strategic controlling function of an organization’s senior management, which is
designed to ensure informed, prudent strategic decisions made in the best interest of the
organization.
Just like governments, corporations and other organizations have guiding documents—corporate
charters or partnership agreements—as well as appointed or elected leaders or officers, and
planning and operating procedures.
These elements in combination provide corporate governance.
Each operating unit within an organization also has controlling customs, processes, committees,
and practices.
The information security group’s leadership monitors and manages all of the organizational
structures and processes that safeguard information.
Information security governance then applies these principles and management structures to the
information security function.
To secure information assets, management must integrate information security practices into the
fabric of the organization, expanding corporate governance policies and controls to encompass the
objectives of the information security process.
Information security governance includes all of the accountabilities and methods undertaken by the
board of directors and executive management to provide:
● Strategic direction
● Establishment of objectives
● Measurement of progress toward those objectives
● Verification that risk management practices are appropriate
● Validation that the organization’s assets are used properly
Outcomes
The five goals of information security governance are:
● Strategic alignment of information security with business strategy to support organizational objectives.
● Risk management by executing appropriate measures to manage and mitigate threats to information resources.
● Resource management by using information security knowledge and infrastructure efficiently and effectively.
● Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved.
● Value delivery by optimizing information security investments in support of organizational objectives.
Information Security Policy, Standards,
and Practices
Management from all communities of interest, including general staff, information technology, and
information security, must make policies the basis for all information security planning, design, and
deployment.
Policies direct how issues should be addressed and how technologies should be used.
Policies do not specify the proper operation of equipment or software—this information should be
placed in the standards, procedures, and practices of users’ manuals and systems documentation.
Policy should never contradict law; policy must be able to stand up in court, if challenged; and
policy must be properly administered through dissemination and documented acceptance.
Good security programs begin and end with policy.
Information security is primarily a management problem, not a technical one, and policy is a
management tool that obliges personnel to function in a manner that preserves the security of
information assets.
Security policies are the least expensive control to execute, but the most difficult to implement
properly.
They have the lowest cost in that their creation and dissemination require only the time and effort
of the management team.
Even if the management team hires an outside consultant to help develop policy, the costs are
minimal compared to those of technical controls.
Policy as the Foundation for Planning
Policies function like laws in an organization because they dictate acceptable and unacceptable
behavior there.
Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal
process.
Standards, on the other hand, are more detailed statements of what must be done to comply with
policy.
They have the same requirements for compliance as policies.
Standards may be informal or part of an organizational culture, as in de facto standards.
Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure
standards.
Practices, procedures, and guidelines effectively explain how to comply with policy.
The meaning of the term security policy depends on the context in which it is used.
Governmental agencies view security policy in terms of national security and national policies to
deal with foreign states.
In general, a security policy is a set of rules that protects an organization’s assets.
An information security policy provides rules for protection of the organization’s information assets.
Management must define three types of security policy:
◦ Enterprise information security policies
◦ Issue-specific security policies
◦ Systems-specific security policies
A policy must meet the following criteria to be effective:
● Dissemination (distribution): The organization must be able to demonstrate that the policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
● Review (reading): The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for employees who are illiterate, reading-impaired, and unable to read English.
● Comprehension (understanding): The organization must be able to demonstrate that the employee understands the requirements and content of the policy. Common techniques include quizzes and other assessments.
● Compliance (agreement): The organization must be able to demonstrate that the employee agrees to comply with the policy through act or affirmation.
● Uniform enforcement: The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
Enterprise Information Security Policy
An enterprise information security policy (EISP) is also known as a general security policy,
organizational security policy, IT security policy, or information security policy.
The EISP is an executive-level document, usually drafted by or in cooperation with the
organization’s chief information officer.
This policy is usually 2 to 10 pages long and shapes the philosophy of security in the IT
environment.
The EISP usually needs to be modified only when there is a change in the strategic direction of the
organization.
The EISP guides the development, implementation, and management of the security program.
It sets out the requirements that must be met by the information security blueprint or framework.
EISP typically addresses compliance in two areas:
1. General compliance to ensure that an organization meets the requirements for establishing a
program and assigning responsibilities therein to various organizational components
2. The use of specified penalties and disciplinary action

When the EISP has been developed, the CISO begins forming the security team and initiating
necessary changes to the information security program.
Components of the EISP
Issue-Specific Security Policy
As an organization supports routine operations by executing various technologies and processes, it
must instruct employees on their proper use.
In general, the issue-specific security policy, or ISSP:
(1) addresses specific areas of technology,
(2) requires frequent updates, and
(3) contains a statement about the organization’s position on a specific issue.
An ISSP may cover the following topics:
● E-mail
● Use of the Internet and World Wide Web
● Specific minimum configurations of computers to defend against worms and viruses
● Prohibitions against hacking or testing organization security controls
● Home use of company-owned computer equipment
● Use of personal equipment on company networks
● Use of telecommunications technologies, such as fax and phone
● Use of photocopy equipment
● Use of portable storage devices
● Use of cloud-based storage services
Several approaches are used to create and manage ISSPs within an organization.
Three of the most common are:
1. Independent ISSP documents, each tailored to a specific issue
2. A single comprehensive ISSP document that covers all issues
3. A modular ISSP document that unifies policy creation and administration while maintaining each
specific issue’s requirements
Systems-Specific Security Policy (SysSP)
While issue-specific policies are formalized as written documents readily identifiable as policy,
systems-specific security policies (SysSPs) sometimes have a different look.
SysSPs often function as standards or procedures to be used when configuring or maintaining
systems.
For example, a SysSP might describe the configuration and operation of a network firewall.
This document could include a statement of managerial intent; guidance to network engineers on
the selection, configuration, and operation of firewalls; and an access control list that defines levels
of access for each authorized user.
SysSPs can be separated into two general groups, managerial guidance SysSPs and technical
specifications SysSPs, or they can be combined into a single policy document that contains elements
of both.
Managerial Guidance SysSPs
A managerial guidance SysSP document is created by management to guide the implementation
and configuration of technology and to address the behavior of employees in ways that support
information security.
Any system that affects the confidentiality, integrity, or availability of information must be assessed
to evaluate the trade-off between improved security and restrictions.
Systems-specific policies can be developed at the same time as ISSPs, or they can be prepared in
advance of their related ISSPs.
Before management can craft a policy informing users what they can do with certain technology
and how to do it, system administrators might have to configure and operate the system.
Some organizations may prefer to develop ISSPs and SysSPs in tandem so that operational
procedures and user guidelines are created simultaneously.
Technical Specifications SysSPs
While a manager can work with a systems administrator to create managerial policy, the systems
administrator in turn might need to create a policy to implement the managerial policy.
Each type of equipment requires its own set of policies, which are used to translate management’s
intent for the technical control into an enforceable technical approach.
For example, an ISSP may require that user passwords be changed quarterly; a systems
administrator can implement a technical control within a specific application to enforce this policy.
There are two general methods of implementing such technical controls: access control lists and
configuration rules.
Access control lists (ACLs) consist of details about user access and use permissions and privileges
for an organizational asset or resource, such as a file storage system, software component, or
network communications device.
ACLs focus on assets and the users who can access and use them.
In general, ACLs regulate the following:
● Who can use the system
● What authorized users can access
● When authorized users can access the system
● Where authorized users can access the system
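The four questions above (who, what, when, where) can be checked mechanically. The following is an added example written for this page, not code from the slides or from any product: a small default-deny ACL evaluator whose entries carry a subject, a resource prefix, a permission set, an allowed time window and allowed source networks. The share paths, group names, addresses and request times are constructed sample data.

```python
"""Added example: a minimal access control list (ACL) evaluator.

Each entry answers the four questions an ACL regulates: who (user or group),
what (resource and everything beneath it), when (local time window) and
where (source network). Access is permitted only if some entry matches on all
four dimensions and grants the requested action; otherwise the default is deny.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    subject: str                  # user or group name ("who")
    resource: str                 # asset path; applies to its subtree ("what")
    permissions: frozenset        # granted actions, e.g. {"read", "write"}
    hours: tuple = (time(0, 0), time(23, 59, 59))   # allowed window ("when")
    networks: tuple = ("0.0.0.0/0",)                # allowed source CIDRs ("where")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    resource: str
    action: str
    at: datetime
    source_ip: str


def request(user, groups, resource, action, at_iso, source_ip):
    """Build a Request from plain strings (ISO 8601 timestamp)."""
    return Request(user, frozenset(groups), resource, action,
                   datetime.fromisoformat(at_iso), source_ip)


def failing_dimension(entry, req):
    """Return the first of who/what/when/where the entry fails, or None if it fully matches."""
    if entry.subject != req.user and entry.subject not in req.groups:
        return "who"
    prefix = entry.resource.rstrip("/") + "/"
    if req.resource != entry.resource and not req.resource.startswith(prefix):
        return "what"
    start, end = entry.hours
    if not start <= req.at.time() <= end:
        return "when"
    if not any(ip_address(req.source_ip) in ip_network(n) for n in entry.networks):
        return "where"
    return None


def is_permitted(acl, req):
    """Default deny: permit only if a fully matching entry grants the action."""
    return any(failing_dimension(e, req) is None and req.action in e.permissions
               for e in acl)


# Constructed sample ACL (hypothetical file-share layout and networks).
SAMPLE_ACL = [
    AclEntry("finance", "/shares/finance", frozenset({"read", "write"}),
             hours=(time(7, 0), time(19, 0)), networks=("10.10.0.0/16",)),
    AclEntry("auditor", "/shares/finance/reports", frozenset({"read"}),
             networks=("10.10.0.0/16", "10.20.5.0/24")),
    AclEntry("everyone", "/shares/public", frozenset({"read"})),
]


if __name__ == "__main__":
    r = request("alice", ["finance"], "/shares/finance/ledger.xlsx", "write",
                "2024-03-05T22:00:00", "10.10.3.4")
    print("permitted:", is_permitted(SAMPLE_ACL, r))          # False (after hours)
    print("blocked on:", failing_dimension(SAMPLE_ACL[0], r))   # "when"
```

Reporting which dimension blocked a request is useful when administrators must show that a policy is enforced uniformly: a denial for "when" or "where" is a different finding from one for "who".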
Configuration rules (or policies) govern how a security system reacts to the data it receives.
Rule-based policies are more specific to the operation of a system than ACLs, and they may or may
not deal with users directly.
Many security systems—for example, firewalls, intrusion detection and prevention systems (IDPSs),
and proxy servers—use specific configuration scripts that represent the configuration rule policy to
determine how the system handles each data element they process.
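To make the distinction from ACLs concrete, here is an added example (written for this page; it is not the rule syntax of any firewall product and not code from the slides) of how a firewall applies configuration rules to the data it receives: rules are evaluated top-down, the first match decides, and an implicit final rule denies everything else. It also flags rules that can never fire because an earlier rule already covers everything they would match, a common defect when rule sets grow. The rule table and packets are constructed sample data.

```python
"""Added example: first-match evaluation of firewall configuration rules.

A configuration rule says what the system does with a data element (here a
simplified packet) rather than which user may use an asset. The rule set and
packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp" or "any"
    src: str          # source CIDR
    dst: str          # destination CIDR
    dports: tuple     # destination ports; () means any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def rule_matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (not rule.dports or pkt.dport in rule.dports))


def decide(rules, pkt):
    """Return (action, rule_index). Index -1 is the implicit default deny."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", -1


def shadowed_rules(rules):
    """Indexes of rules that can never fire: an earlier rule matches a superset of their traffic."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers = (earlier.proto in ("any", later.proto)
                      and ip_network(later.src).subnet_of(ip_network(earlier.src))
                      and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                      and (not earlier.dports
                           or (later.dports and set(later.dports) <= set(earlier.dports))))
            if covers:
                out.append(j)
                break
    return out


# Constructed sample rule set for a hypothetical DMZ (10.1.1.0/24) and
# management network (10.2.0.0/16).
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", (443,), "public web server"),
    Rule("permit", "tcp", "10.2.0.0/16", "10.1.1.10/32", (22,), "admin SSH from management net"),
    Rule("deny", "any", "0.0.0.0/0", "10.1.1.0/24", (), "nothing else into the DMZ"),
    Rule("permit", "tcp", "10.2.0.0/16", "10.1.1.10/32", (22,), "duplicate: never reached"),
]


if __name__ == "__main__":
    for pkt in [Packet("tcp", "203.0.113.7", "10.1.1.10", 443),
                Packet("tcp", "203.0.113.7", "10.1.1.10", 22),
                Packet("udp", "10.2.4.9", "10.1.1.10", 53),
                Packet("tcp", "10.2.4.9", "10.3.0.5", 80)]:
        print(pkt, "->", decide(RULES, pkt))
    print("shadowed rules:", shadowed_rules(RULES))   # [3]
```

Because order decides the outcome, a technical specifications SysSP for a firewall should state the intended rule order and the default action explicitly; the shadow check above is one way an administrator can verify that the deployed rule set still implements the managerial intent.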
Combination SysSPs
Many organizations create a single document that combines the managerial guidance SysSP and the
technical specifications SysSP.
While this document can be somewhat confusing to casual users, it is practical to have the guidance
from managerial and technical perspectives in a single place.
If this approach is used, care should be taken to clearly articulate the required actions.
Some might consider this type of policy document a procedure, but it is a hybrid that combines
policy with procedural guidance to assist implementers of the system being managed.
This approach is best used by organizations that have multiple technical control systems of different
types, and by smaller organizations that want to document policy and procedure in a compact
format.
Security Education, Training, and
Awareness Program
Security Education
Everyone in an organization needs to be trained and made aware of information security, but not
everyone needs a formal degree or certificate in information security.
When management agrees that formal education is appropriate, an employee can investigate
courses in continuing education from local institutions of higher learning.
Several universities have formal coursework in information security.
Security Training
Security training provides employees with detailed information and hands-on instruction to prepare
them to perform their duties securely.
Management of information security can develop customized in-house training or outsource the
training program.
Alternatives to formal training programs are industry training conferences and programs offered
through professional agencies.
Many of these programs are too technical for the average employee, but they may be ideal for the
continuing education requirements of information security professionals.
Security Awareness
A security awareness program is one of the least frequently implemented but most beneficial programs in
an organization.
A security awareness program is designed to keep information security at the forefront of users’ minds.
These programs don’t have to be complicated or expensive.
Good programs can include newsletters, security posters, videos, bulletin boards, flyers, and trinkets.
Trinkets can include security slogans printed on mouse pads, coffee cups, T-shirts, pens, or any object
frequently used during the workday that reminds employees of security.
In addition, a good security awareness program requires a dedicated person who is willing to invest time
and effort to promoting the program, and a champion willing to provide the needed financial support.
