Cybersecurity Governance

There will be typos in this, and I will not apologize for them.

Eugene H. Spafford: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”

This is a quote that I hope all aspiring cybersecurity professionals stumble across, which is why I included it here after I read it again in my textbook. Speaking of which, the book that I will be utilizing for the bulk of my preparation for this exam is the All-In-One CISSP Exam Guide, Ninth Edition by Maymi and Harris. While I got this book for cheaper, the price tag on it will run you $70, which is pricey for a book but is much more affordable than actual courses, which can cost you thousands of dollars. Whether the economical route will work will depend on seeing if I pass the CISSP in January.

CIA Triad: One of the most fundamental concepts you have to be familiar with to become a CISSP. This isn’t a reference to the alphabet agency that you have to register with now that you have Red Team skills; it stands for confidentiality, integrity, and availability. Meaning that the job of the CISSP is to ensure the confidentiality, integrity, and availability of your workspace. You also need to add in the authenticity and nonrepudiation of the audit logs that track the tasks and changes made in your system, but since they don’t fit as nicely into the acronym you just have to remember them.

Confidentiality: This is exactly what it sounds like: it means keeping your information assets safe and secret from unauthorized entities. This can mean making sure all data within or transferred from your organization is encrypted. In addition, you need to make sure that your users are trained to resist social engineering and to be aware of shoulder surfers. Intent is irrelevant when it comes to confidentiality, because users can accidentally or intentionally disclose confidential and private information to malicious actors. Not all disclosures will be to hackers who will use them to compromise a system; sometimes it will be a person who is copied onto an email they shouldn’t have been, and now you have a security event that you have to document and rectify.

Integrity: This part of the CIA triad is a little less clear to those unfamiliar with cybersecurity and the importance of ensuring that your assets are free from unauthorized changes. Only authorized users, namely admins, should be able to modify your database; you need to limit who is an admin, and admin privileges should be as minimal as possible to comply with the principle of least privilege. Maybe a better way to define integrity is that you should always know what the truth is in your workspace and audit logs. If a malicious actor inserts malware into your system, your entire system could lose its integrity unless you can pinpoint where and when changes are made. Similarly, if one of your authorized users makes a mistake you need to have a record of who made the change, when, and what the change was.

Availability: If an authorized user needs to access your system to review data then it needs to be available, full stop. Ensuring the availability of your system means that it needs to be reliable, predictable, quickly recoverable, and protected. This is not as easy as it sounds, because a corporate workspace is an extremely complex system with a myriad of moving parts where everything, from the network to the software, needs to be working properly in order for the entire system to be available. Even if you were able to keep your system up, if the physical building where you work cannot be accessed, in the event of a fire or a blackout, then the system is not available.

Authenticity: Is the source of the software or update the individual or company that you think that it is? That is the question this component is trying to address. Is that text message asking for your password really your boss? Is that link in the email really from a vendor? Having confidence in the authenticity means that we can trust that the claimed source is legitimate. Additionally, we want companies we work with to insist on authenticity so that others cannot masquerade as us when logging into an application. We want our bank to be certain that it is us when we log in before they allow thousands of dollars to be transferred out of our account.

Nonrepudiation: In the simplest terms possible, nonrepudiation means that a user or a customer cannot disavow being the source of an event. If a contract is signed we need to be able to prove that it was a specific individual who signed it. If terms and conditions have to be accepted for an application to be used then we need to keep a copy of the customer’s acceptance. This is usually accomplished through the means of digital signatures.

Balanced Security: Of the CIA triad (which is confusing since you need to include authenticity and nonrepudiation) the best known and most promoted component is confidentiality, as it is the easiest for the C-suite to understand. But as a CISSP you need to advocate for all parts of the CIA triad - confidentiality, integrity, availability, authenticity, and nonrepudiation - in order to have a resilient system and balanced security.

Vulnerability: A vulnerability is a weakness in the system that can be exploited by a threat. Examples of this are human weaknesses, unenforced password management, an open port on the firewall, or unpatched applications.

Threat: A threat is a potential danger that takes advantage of a vulnerability. So if a port is left open and a hacker is exploring that open port, then they would be considered a threat. It is important to remember that a threat agent can only be mitigated, never truly eliminated.

Risk: A risk is how likely a vulnerability is to be exploited by a threat and how impactful that exploitation would be on day-to-day operations. For instance, if you don’t do regular internal phishing tests in your organization then your users may not be able to recognize when a real one arrives in their inbox, raising the risk of a threat taking advantage of this vulnerability.

Exposure: Exposures are what you could lose or compromise if a vulnerability is exploited. For example, if you do not protect the credit card information of your customers then you expose that information to potential threats.

Control or Countermeasure: This is what you (the CISSP) put into place in order to reduce potential risk. A control can be something as simple as having strong password requirements, or making sure that you patch your systems regularly.

Security Governance Principles: Security governance is a framework that balances and supports the security aspirations of an organization. These goals are likely to be set by upper management, communicated to lower levels, and applied with consistency. Security governance delegates power and authority to the individuals (or teams) who need to implement and enforce security measures, while providing ways to verify that these actions are working and increasing your organization’s security. Upper management needs to be able to measure whether their directives are being followed and whether these measures are effective. Security governance is often implemented as a planned cybersecurity program, which needs to be a collection of policies, baselines, procedures, and standards that your company implements to make sure that its security interests reconcile with business needs.

Aligning Security to Business Strategy: Your cybersecurity infrastructure should be considered by the company as an important component of the entire business’s enterprise architecture. Security should not be considered solely a facet and responsibility of the IT department, and choices made regarding security need to align with realistic business interests. If the company makes one million dollars a year then spending five hundred thousand dollars on IT security would be insane.

Strategic Alignment: This means that the business interests and critical legal requirements are being met and considered important within the company’s cybersecurity program. This is important to remember because although IT and business management work within the same building, they don’t see the company the same way. The business can survive without IT; it just wouldn’t be healthy. IT does not exist without a business to maintain. IT is only a tool that supports the business, and it cannot exist on its own.

Business Enablement: IT and IT security should be a force that helps the company thrive by providing mechanisms to pursue ventures safely and securely, and should not be seen as a hindrance by other members of the company, so that they don’t circumvent security controls.

Process Enablement: As companies integrate security into their processes they can (and should) take the opportunity to improve the processes that exist, such as automating processes that can be automated.

Mergers and Acquisitions: M and A has major implications for a company’s cybersecurity infrastructure, as it requires divulging and combining disparate business processes. Many companies now do compromise assessments before they merge with or acquire another company in order to determine if it has been breached or is likely to be breached.

Divestitures: A divestiture is when your company sells off a part of its business, which makes it the antithesis of mergers and acquisitions. With M and A we ask the questions; with divestitures we are the ones who are questioned. With divestitures your security processes are likely to be audited, so you will need to work closely with legal so that you provide the required information without accidentally oversharing and giving away confidential or proprietary information.

Governance Committees: A governance committee is a group within the organization whose goal is to review the structures and practices of the company and report what it sees to the board of directors.

Organizational Roles and Responsibilities: Responsibilities that must be assigned need to be delegated to a few individuals or a large security team.

Executive Management: Often members of the C-suite, they are ultimately responsible for everything that occurs within the company and should be considered the function owners. The roles outlined in this section of the text are as follows: Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Privacy Officer, Chief Security Officer, Data Owner, Data Custodian, System Owner, Security Administrator, Supervisor, Change Control Analyst, Data Analyst, User, Auditor. Could I define exactly what those roles are? Sure, but it is pushing midnight and I don’t want to.

Security Policy: This is an overarching statement created by upper management to outline the role that security plays within the company. This policy needs to take into account not only the business interests, but applicable laws and regulations. It also needs to outline the amount of risk that the company is willing to absorb. Business objectives should drive security policy, not the other way around. While policies should and need to change over time, the goal should be that these policies stand for a number of years, and when they do need to be changed a version and date history is kept. In addition to the security policy there needs to be - for lack of a better term - a policy of punishment for noncompliance, and a written policy that outlines what that looks like.

Organizational vs. Issue Specific Policy: In a hierarchical structure the organizational policy is king, with many issue-specific (aka functional) policies below it that define and dictate expectations for certain issues. For example, an organizational policy could be the risk management policy that illustrates how the organization understands and manages risk, while an issue-specific policy could address the risk of insufficient passwords and how the company resolves that problem.

Standards: These are unambiguous, detailed, and measurable requirements. They are mandatory rules that allow our policy goals to succeed. Within a company standards are compulsory and, most importantly, enforced. If 2FA is a requirement that is enforced within your organization, that is a standard.

Three Types of Policies - Regulatory, Advisory and Informative: Regulatory policies ensure that your company is following standards set by specific industry regulations (generally government regulated); think HIPAA. Advisory policies - as the name suggests - strongly advise employees on what should and should not take place, and also inform employees of what the consequences of not following these policies would be. Informative policies are not enforceable but can help inform employees about company norms, such as what the reporting structure is.

Baselines: A baseline is a moment in time that can be referenced in the future. It is a consistent reference point that can be considered the minimum level of protection. So if your baseline is patching software once a month (for example) and you find that you haven’t for two months, then you are worse than your baseline.

Guidelines: These are recommendations that help your organization approach a gray area. Unlike standards - with their specific mandatory rules - guidelines are recommendations that can offer guidance and flexibility in complex situations.

Procedures: These are specific step-by-step lists that must be performed in order for a task to be completed. An IT department may have procedures on how to properly set up a firewall, or how to onboard a new employee to the workspace. Procedures are considered the lowest level of the documentation ladder because of their specificity and proximity to users.

Implementation: A policy on privacy would lead to a standard that mandates all user data must be deleted within 30 days. The supporting procedures would lay out exactly how this data needs to be deleted, and the guidelines would help the team determine their actions if data had to be held for legal purposes. Once the computers have been configured and data properly deleted, this would be considered the baseline setting of the company. All of this is useless, though, if employees within the company are unaware the documentation exists, so it is necessary to communicate security expectations through emails, presentations, meetings, etc.

Personnel Security: You can’t run a company without people, but unfortunately in security people will be your weakest link. Whether they make mistakes accidentally or through intentional fraud, the human element is where most security operations should focus their attention. One way to mitigate risk in this area is to implement the policy of separation of duties (SoD), which means that an individual cannot complete a critical task all by themselves; there needs to be another individual involved. This should help reduce the potential for fraud, since it would require collusion between two or more employees to commit the crime. Other variations of separation of duties are split knowledge and dual control; in both situations at least two individuals are required in order for an action to be facilitated. In the case of split knowledge no one person knows the complete details of how to perform the task (such as having two separate passwords where no one person knows both codes), so it requires two individuals to work together. In dual control two people have to be knowledgeable and available for a task to be performed, such as turning two keys simultaneously in opposite buildings. If we want to be even more broad, this is also known as m of n control or quorum authentication, where m is the number of people required to complete the task and n is the number of people who are authorized to complete the task. So if it requires 3 people to open a safe and 7 people are authorized with the codes to open the safe, then that is 3 of 7 control. It is important to keep a balance between those numbers, because too high an n (too many people who can open the safe) gives rise to a higher probability that an m number of people (the amount required to open the safe) could collude and commit fraud. On the other hand, too low an n and you run the risk of not having the appropriate quorum of people available to complete a vital function.
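The balance between collusion risk and availability in m of n control, worked through as an added example that is not from these notes or the textbook. It uses a deliberately simple model: each authorized person independently colludes with probability p_dishonest and is reachable when the task must be done with probability p_available; the 5% and 80% figures below are constructed, not measured.

```python
"""Quorum (m-of-n) control: collusion risk versus availability.

Added example, not from the study notes. Simplifying assumption: each of the
n authorized people independently colludes with probability p_dishonest and
is reachable when the task must be done with probability p_available.
"""
from math import comb
from typing import Dict, Optional


def prob_at_least(k: int, n: int, p: float) -> float:
    """Binomial tail: P(at least k of n independent trials succeed), each with probability p."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def collusion_risk(m: int, n: int, p_dishonest: float) -> float:
    """Fraud succeeds only if at least m of the n authorized people collude."""
    return prob_at_least(m, n, p_dishonest)


def availability(m: int, n: int, p_available: float) -> float:
    """The task can proceed only if at least m of the n authorized people are reachable."""
    return prob_at_least(m, n, p_available)


def evaluate(m: int, n: int, p_dishonest: float, p_available: float) -> Dict[str, float]:
    """Both sides of the trade-off for one m-of-n scheme."""
    return {
        "m": m,
        "n": n,
        "collusion_risk": collusion_risk(m, n, p_dishonest),
        "availability": availability(m, n, p_available),
    }


def smallest_n(m: int, p_dishonest: float, p_available: float,
               avail_target: float, risk_ceiling: float, n_max: int = 50) -> Optional[int]:
    """Smallest n >= m that meets the availability target while keeping collusion
    risk at or below the ceiling, or None if no n up to n_max satisfies both."""
    for n in range(m, n_max + 1):
        if (availability(m, n, p_available) >= avail_target
                and collusion_risk(m, n, p_dishonest) <= risk_ceiling):
            return n
    return None


if __name__ == "__main__":
    # Constructed figures: 5% chance a given insider would collude, 80% chance they are reachable.
    P_DISHONEST, P_AVAILABLE = 0.05, 0.80
    for n in (3, 5, 7, 10):
        r = evaluate(3, n, P_DISHONEST, P_AVAILABLE)
        print(f"3 of {n:2d}: collusion risk {r['collusion_risk']:.5f}  availability {r['availability']:.4f}")
    # Growing n raises availability, but it also raises the chance that m insiders collude.
    print("smallest n for a 3-person quorum with >=99% availability and <=0.5% collusion risk:",
          smallest_n(3, P_DISHONEST, P_AVAILABLE, 0.99, 0.005))
```

With these constructed figures, 3 of 3 control has a collusion risk of 0.000125 but is available only 51% of the time, while 3 of 7 is available 99.5% of the time at a collusion risk of about 0.0038, which is the tension the paragraph describes.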

Job Rotation and Mandatory Vacation: One of the most effective ways to detect fraudulent activities is to prevent people from staying in any one position for too long, so that they can’t gain too much control over a specific business function. This also increases the probability that fraudulent activity will be detected when a new person is put into the role and can observe any suspicious activity the former employee may have engaged in. This can also be done in a less permanent way by enforcing mandatory vacations, so someone else must temporarily fill that role and potentially detect any anomalies that the employee on vacation was hiding or compensating for in ways that go against company policy. Mandatory vacations work because employees who commit fraudulent activities don’t take vacations, so they don’t get discovered.

Candidate Screening and Hiring: While the above is an important component of personnel security, the real work begins much earlier, before they are even hired. The depth of investigation will differ depending on the position being filled, but the caliber and character of a candidate must be considered. When a person is hired they bring not only their talent, but all the other baggage they have, which is why evaluating a person’s character is so critical. In-depth background checks serve as the first line of defense for a corporation because they validate how truthful and trustworthy a candidate is, as well as dredging up any undisclosed liabilities.

Employment Agreements and Policies: After the perfect candidate has been identified and hired, it is a good step to get the new employee to sign an agreement where they acknowledge what their role and responsibilities are, and that they are aware of any and all policies that apply to them. This isn’t a requirement in every state or country, but even if it isn’t it is recommended because it can protect the company from certain liability. This way the new employee acknowledges their responsibility and the policies that they must comply with when they are hired. Without a signed employee agreement an employee could make a mistake (or act maliciously) by accessing a system they are not meant to and plead ignorance of the policy, and your company may not be able to prove otherwise. The CISSP also recommends a probationary period so that it is easier to fire an employee who is not living up to expectations or who engages in suspicious or outright fraudulent behavior.

Onboarding, Transfers, and Termination Process: Onboarding is the process of turning a candidate into an employee and giving them all the access, credentials, and training that comes along with being an employee. This should be a documented process, not only to make sure that it is done right, but so that no critical security steps get accidentally skipped. Organizations need to have and utilize in-house NDAs so that new hires are required to keep sensitive company information confidential from the jump. One of the most common issues that a company has with credentials occurs when an employee is promoted or transfers to another position. Generally a new job comes with new required credentials or authorizations which are granted to the user, but rarely are old, outdated credentials that the employee no longer needs removed. So an employee who has been promoted a couple of times might have a plethora of credentials they don’t need in their current role. As such, it is recommended that IT is involved whenever a change of positions is made to ensure that the policy of least privilege is followed. When an employee is terminated the actions of the company will be different, because it can be hard to predict the reaction of a fired employee. So there should be a procedure in place to immediately revoke access to services and remove the former employee from the building as soon as they are terminated.
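An added example, not from the notes, of the credential accumulation problem on transfer and the least-privilege review that fixes it. The role-to-entitlement mapping and the account are constructed sample data; `promote_without_review` models the flawed practice the paragraph describes, and `transfer` and `terminate` the recommended one.

```python
"""Least-privilege access review on transfer and termination.

Added example, not from the study notes. The role-to-entitlement mapping and
the account below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed mapping: what each role actually needs (the minimum for the job).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "helpdesk": {"ticketing:write", "ad:reset-password"},
    "sysadmin": {"ticketing:write", "ad:admin", "vpn:admin"},
    "finance-analyst": {"erp:read", "erp:approve-invoice"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]            # None once the person has been terminated
    entitlements: Set[str] = field(default_factory=set)


def promote_without_review(acct: Account, new_role: str) -> None:
    """The common (flawed) practice: grant the new role's entitlements but
    never remove the old ones, so access accumulates across moves."""
    acct.role = new_role
    acct.entitlements |= ROLE_ENTITLEMENTS[new_role]


def access_review(acct: Account) -> Dict[str, Set[str]]:
    """Compare what the account holds with what its current role requires."""
    required = ROLE_ENTITLEMENTS.get(acct.role, set()) if acct.role else set()
    return {
        "stale": acct.entitlements - required,    # held but not needed: revoke
        "missing": required - acct.entitlements,  # needed but not held: grant
    }


def transfer(acct: Account, new_role: str) -> Dict[str, Set[str]]:
    """Transfer with IT in the loop: the account ends up holding exactly the
    new role's entitlements. Returns an audit record of what changed."""
    if new_role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {new_role}")
    acct.role = new_role
    review = access_review(acct)
    acct.entitlements = (acct.entitlements - review["stale"]) | review["missing"]
    return {"revoked": review["stale"], "granted": review["missing"]}


def terminate(acct: Account) -> Set[str]:
    """Termination: revoke everything immediately; returns what was removed."""
    revoked = set(acct.entitlements)
    acct.role = None
    acct.entitlements = set()
    return revoked


if __name__ == "__main__":
    alice = Account("alice", "helpdesk", set(ROLE_ENTITLEMENTS["helpdesk"]))
    promote_without_review(alice, "sysadmin")
    print("stale after unreviewed promotion:", access_review(alice)["stale"])
    print("transfer to finance:", transfer(alice, "finance-analyst"))
    print("terminated, revoked:", terminate(alice))
```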

Vendors, Consultants, and Contractors: There are few companies in business today who can operate without the use of vendors, consultants or contractors. But just because these entities may not be official employees of your organization doesn’t mean that security policies shouldn’t apply to them. Any service agreement that is signed should stipulate that the service company’s security procedures are at least as good as yours, and the company should be required to prove it. Another approach is to assume these service companies or contractors are untrusted entities and treat them as such, i.e. making highly sensitive assets off limits. Keep in mind, though, that this may make building a relationship with that service company more difficult. The main takeaway from this is that there is no one best way to handle third-party companies.

Compliance Policies: What regulations you have to comply with and what compliance policies you have to implement will depend largely on what your company does. For instance, most companies probably don’t need to worry about HIPAA, and if you don’t handle any data from the EU you don’t need to worry about the GDPR. If your industry is regulated then your internal policies need to reflect that. As a CISSP, it will be your (my) job to know what those regulations are and how they impact your company.

Privacy Policies: Even if you aren’t in an industry, state or country that requires you to have specific privacy policies, it is recommended that you have one so that customers and employees are aware of what is happening to their data and your company has fewer liability issues.

Security Awareness, Education, and Training Programs: You can have the most thorough and thought-out security policy in history, but it is useless if nobody in the company is aware of the procedures. Training needs to be comprehensive and easy to comprehend for employees without a technical background. Security also needs to cultivate a relationship with management so that there is buy-in on that level and they help spread adoption amongst the people they manage. The ultimate goal here is to make everyone in the company understand and respect the importance of security so that their behavior towards the implemented security systems changes.

How to Train: Within a security awareness program you are likely to be addressing one of three groups - management, staff, and technical employees - and whatever training program you have needs to address their specific responsibilities, skills, and concerns. Senior management trainings should focus on potential losses and the liability surrounding a poorly adopted or designed security system. Often, mentioning potential losses in the stock market really grabs their attention and should help them comprehend how important they should consider security. For middle managers you should focus more on the policies that need to be followed and what they need to enforce, what the consequences would be for their employees if they don’t comply, and how the managers themselves may be reprimanded if they don’t enforce these policies. The largest group that will be trained will be the staff, so it can be useful to give plenty of detailed examples while also underscoring what the consequences of noncompliance would be. For technical employees the training should be more advanced and have specific procedures and technical specifications that they should follow. No matter the group, it can be a good idea to have the employees sign a document that says they received and understood the training; this can help to underscore the importance of the training they attended and serve as proof if someone later tries to plead ignorance.

Social Engineering: What most of your training will need to address is why it is important for staff to be vigilant about odd requests, so that we can minimize the risk posed by social engineering, which is the deliberate manipulation of a person/employee in order to get them to do something they are not supposed to. The most prevalent form of this is phishing, which uses emails to get the person/employee to click a link or disclose information to a malicious actor.

Security Champions: These are employees within a company who do not technically have security as a part of their job duties but can be trained to have knowledge about the security standards in your organization and understand why these standards are important. Thus they become advocates within their business units and can be a first point of contact that their peers feel comfortable asking questions of.

Periodic Content Review: This one is a bit of a no-brainer, but obviously your security policies will change over time and your training content needs to change with them. This review should be done on a regular cadence, such as annually, to make sure that the training is updated consistently. A content review can also be triggered when there is a major policy change.

Program Effectiveness Evaluation: Much of the content of the trainings you give can be measured to see if your training was effective. For instance, if you have a training that focuses on preventing successful phishing attacks, you can run internal phishing campaigns in order to see if the training made sense and affected employee behavior. So it is recommended to take a measurement of whatever you are trying to affect before the training, so you can compare it to a measurement after the training and see if there was any value in the training.

Professional Ethics: What is illegal and what is unethical, or vice versa, can be a bit unclear when dealing with computer security and hacking. As a result, the organization (ISC)2 that administers the CISSP requires that all CISSPs fully commit to its Code of Ethics. If this Code of Ethics is violated, the CISSP certification for that individual can be revoked. There are four key elements to the Code of Ethics which CISSPs must adhere to:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure

  • Act honorably, honestly, justly, responsibly, and legally

  • Provide diligent and competent service to principals

  • Advance and protect the profession

Organizational Code of Ethics: Depending on your industry or where your company resides, your organization may be required to have an ethical statement or ethical program in place. In order for the declared ethics to be effective there needs to be buy-in from the very top of the company, in order to have a culture where “the ends justify the means” is not accepted.

Done, finally with chapter 1! I don’t even want to know how many words this is, but I hope someone out there in the ether finds these notes helpful.