Policy serves as the foundation for any cybersecurity program, setting out the principles and rules that guide the execution of security efforts throughout the enterprise. Often, organizations base these policies on best practice frameworks developed by industry groups, such as the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). In many cases, organizational policies are also influenced and directed by external compliance obligations that regulators impose on the organization. In this chapter, you will learn about the important elements of the cybersecurity policy framework.
An organization's information security policy framework contains a series of documents designed to describe the organization's cybersecurity program. The scope and complexity of these documents vary widely, depending on the nature of the organization and its information resources. These frameworks generally include four different types of document:
In the remainder of this section, you'll learn the differences between each of these document types. However, keep in mind that the definitions of these categories vary significantly from organization to organization, and it is very common to find the lines between them blurred. Though at first glance that may seem “incorrect,” it's a natural occurrence as security theory meets the real world. As long as the documents are achieving their desired purpose, there's no harm and no foul.
Policies are high-level statements of management intent. Compliance with policies is mandatory. An information security policy will generally contain broad statements about cybersecurity objectives, including:
In many organizations, the process to create a policy is laborious and requires very high-level approval, often from the chief executive officer (CEO). Keeping policy statements at a high level provides the CISO with the flexibility to adapt and change specific security requirements with changes in the business and technology environments. For example, the five-page information security policy at the University of Notre Dame simply states that
The Information Governance Committee will create handling standards for each Highly Sensitive data element. Data stewards may create standards for other data elements under their stewardship. These information handling standards will specify controls to manage risks to University information and related assets based on their classification. All individuals at the University are responsible for complying with these controls.
By way of contrast, the federal government's Centers for Medicare & Medicaid Services (CMS) has a 95-page information security policy. This mammoth document contains incredibly detailed requirements, such as
A record of all requests for monitoring must be maintained by the CMS CIO along with any other summary results or documentation produced during the period of monitoring. The record must also reflect the scope of the monitoring by documenting search terms and techniques. All information collected from monitoring must be controlled and protected with distribution limited to the individuals identified in the request for monitoring and other individuals specifically designated by the CMS Administrator or CMS CIO as having a specific need to know such information.
The CMS document even goes so far as to include a complex chart describing the many cybersecurity roles held by individuals throughout the agency. An excerpt from that chart appears in Figure 16.1.
This approach may meet the needs of CMS, but it is hard to imagine the long-term maintenance of that document. Lengthy security policies often quickly become outdated as necessary changes to individual requirements accumulate and become neglected because staff are weary of continually publishing new versions of the policy.
Organizations commonly include the following documents in their information security policy library:
As you read through the list, you may notice that some of the documents listed tend to conflict with our description of policies as high-level documents and seem to better fit the definition of a standard in the next section. That's a reasonable conclusion to draw. CompTIA specifically includes these items as elements of information security policy while many organizations would move some of them, such as password requirements, into standards documents.
Standards provide mandatory requirements describing how an organization will carry out its information security policies. These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective. Standards are typically approved at a lower organizational level than policies and, therefore, may change more regularly.
For example, the University of California at Berkeley maintains a detailed document titled the Minimum Security Standards for Electronic Information, available online at security.berkeley.edu/minimum-security-standards-electronic-information
. This document divides information into four different data protection levels (DPLs) and then describes what controls are required, optional, or not required for data at different levels using a detailed matrix. An excerpt from this matrix appears in Figure 16.2.
The standard then provides detailed descriptions for each of these requirements with definitions of the terms used in the requirements. For example, requirement 3.1 in Figure 16.2 simply reads “Secure configurations.” Later in the document, UC Berkeley expands this to read “Resource Custodians must utilize well-managed security configurations for hardware, software, and operating systems based on industry standards.” It goes on to defined “well-managed” as
This approach provides a document hierarchy that is easy to navigate for the reader and provides access to increasing levels of detail as needed. Notice also that many of the requirement lines in Figure 16.2 provide links to guidelines. Clicking on those links leads to advice to organizations subject to this policy that begins with this text:
UC Berkeley security policy mandates compliance with Minimum Security Standards for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance.
This is a perfect example of three elements of the information security policy framework working together. Policy sets out the high-level objectives of the security program and requires compliance with standards, which includes details of required security controls. Guidelines provide advice to organizations seeking to comply with the policy and standards.
In some cases, organizations may operate in industries that have commonly accepted standards that the organization either must follow due to a regulatory requirement or choose to follow as a best practice. Failure to follow industry best practices may be seen as negligence and can cause legal liability for the organization. Many of these industry standards are expressed in the standard frameworks discussed later in this chapter.
Procedures are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances. Similar to checklists, procedures ensure a consistent process for achieving a security objective. Organizations may create procedures for building new systems, releasing code to production environments, responding to security incidents, and many other tasks. Compliance with procedures is mandatory.
For example, Visa publishes a document titled What To Do If Compromised (usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf
) that lays out a mandatory process that merchants suspecting a credit card compromise must follow. Although the document doesn't contain the word procedure in the title, the introduction clearly states that the document “establishes procedures and timelines for reporting and responding to a suspected or confirmed Compromise Event.” The document provides requirements covering the following areas of incident response:
Each of these sections provides detailed information on how Visa expects merchants to handle incident response activities. For example, the forensic investigation section describes the use of Payment Card Industry Forensic Investigators (PFI) and reads as follows:
Upon discovery of an account data compromise, or receipt of an independent forensic investigation notification, an entity must:
- Engage a PFI (or sign a contract) within five (5) business days.
- Provide Visa with the initial forensic (i.e., preliminary) report within ten (10) business days from when the PFI is engaged (or the contract is signed).
- Provide Visa with a final forensic report within ten (10) business days of the completion of the review.
There's not much room for interpretation in this type of language. Visa is laying out a clear and mandatory procedure describing what actions the merchant must take, the type of investigator they should hire, and the timeline for completing different milestones.
Organizations commonly include the following procedures in their policy frameworks:
Of course, cybersecurity teams may decide to include many other types of procedures in their frameworks, as dictated by the organization's operational needs.
Guidelines provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory, and guidelines are offered in the spirit of providing helpful advice. That said, the “optionality” of guidelines may vary significantly depending on the organization's culture.
In April 2016, the chief information officer (CIO) of the state of Washington published a 25-page document providing guidelines on the use of electronic signatures by state agencies. The document is not designed to be obligatory but, rather, offers advice to agencies seeking to adopt electronic signature technology. The document begins with a purpose section that outlines three goals of the guideline:
The first two stated objectives line up completely with the function of a guideline. Phrases like “help agencies determine” and “provide agencies with information” are common in guideline documents. There is nothing mandatory about them and, in fact, the guidelines explicitly state that Washington state law “does not mandate that any state agency accept or require electronic signatures or records.”
The third objective might seem a little strange to include in a guideline. Phrases like “provide direction” are more commonly found in policies and procedures. Browsing through the document, the text relating to this objective is only a single paragraph within a 25-page document, reading
The Office of the Chief Information Officer maintains a page on the
OCIO.wa.gov
website listing links to individual agency electronic signature and record submission policies. As agencies publish their policies, the link and agency contact information should be emailed to the OCIO Policy Mailbox. The information will be added to the page within 5 working days. Agencies are responsible for notifying the OCIO if the information changes.
Reading this paragraph, the text does appear to clearly outline a mandatory procedure and would not be appropriate in a guideline document that fits within the strict definition of the term. However, it is likely that the committee drafting this document thought it would be much more convenient to the reader to include this explanatory text in the related guideline rather than drafting a separate procedure document for a fairly mundane and simple task.
When adopting new security policies, standards, and procedures, organizations should also provide a mechanism for exceptions to those rules. Inevitably, unforeseen circumstances will arise that require a deviation from the requirements. The policy framework should lay out the specific requirements for receiving an exception and the individual or committee with the authority to approve exceptions.
The state of Washington uses an exception process that requires the requestor document the following information:
Many exception processes require the use of compensating controls to mitigate the risk associated with exceptions to security standards. The Payment Card Industry Data Security Standard (PCI DSS) includes one of the most formal compensating control processes in use today. It sets out three criteria that must be met for a compensating control to be satisfactory:
For example, an organization might find that it needs to run an outdated version of an operating system on a specific machine because software necessary to run the business will only function on that operating system version. Most security policies would prohibit using the outdated operating system because it might be susceptible to security vulnerabilities. The organization could choose to run this system on an isolated network with either very little or no access to other systems as a compensating control.
The general idea is that a compensating control finds alternative means to achieve an objective when the organization cannot meet the original control requirement. While PCI DSS offers a very formal process for compensating controls, the use of compensating controls is a common strategy in many different organizations, even those not subject to PCI DSS. Compensating controls balance the fact that it simply isn't possible to implement every required security control in every circumstance with the desire to manage risk to the greatest feasible degree.
In many cases, organizations adopt compensating controls to address a temporary exception to a security requirement. In those cases, the organization should also develop remediation plans designed to bring the organization back into compliance with the letter and intent of the original control.
Legislators and regulators around the world take an interest in cybersecurity due to the potential impact of cybersecurity shortcomings on individuals, government, and society. While the European Union (EU) has a broad-ranging data protection regulation, cybersecurity analysts in the United States are forced to deal with a patchwork of security regulations covering different industries and information categories.
Some of the major information security regulations facing U.S. organizations include the following:
Remember that this is only a brief listing of security regulations. There are many other laws and obligations that apply to specific industries and data types. You should always consult your organization's legal counsel and subject matter experts when designing a compliance strategy for your organization. The advice of a well-versed attorney is crucial when interpreting and applying cybersecurity regulations to your specific business and technical environment.
Developing a cybersecurity program from scratch is a formidable undertaking. Organizations will have a wide variety of control objectives and tools at their disposal to meet those objectives. Teams facing the task of developing a new security program or evaluating an existing program may find it challenging to cover a large amount of ground without a roadmap. Fortunately, there are several standard security frameworks available to assist with this task and provide a standardized approach to developing cybersecurity programs.
The National Institute for Standards and Technology (NIST) is responsible for developing cybersecurity standards across the U.S. federal government. The guidance and standard documents they produce in this process often have wide applicability across the private sector and are commonly referred to by nongovernmental security analysts due to the fact that they are available in the public domain and are typically of very high quality.
In 2014, NIST released a Cybersecurity Framework designed to assist organizations attempting to meet one or more of the following five objectives:
The NIST framework includes three components:
The NIST Cybersecurity Framework provides organizations with a sound approach to developing and evaluating the state of their cybersecurity programs.
TABLE 16.1 NIST Cybersecurity framework implementation tiers
Source: Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology
Tier | Risk management process | Integrated risk management program | External participation |
Tier 1: Partial | Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. | There is limited awareness of cybersecurity risk at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. | The organization does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. |
Tier 2: Risk Informed | Risk management practices are approved by management but may not be established as organizationwide policy. | There is an awareness of cybersecurity risk at the organizational level, but an organizationwide approach to managing cybersecurity risk has not been established. | Generally, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. |
Tier 3: Repeatable | The organization's risk management practices are formally approved and expressed as policy. | There is an organizationwide approach to manage cybersecurity risk. | The organization understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. |
Tier 4: Adaptive | The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. | There is an organizationwide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. | The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community's broader understanding of risks. |
The International Organization for Standardization (ISO) publishes ISO 27001, a standard document titled “Information technology—Security techniques—Information security management systems—Requirements.” This standard includes control objectives covering 14 categories:
The ISO 27001 standard was once the most commonly used information security standards, but it is declining in popularity outside of highly regulated industries that require ISO compliance. Organizations in those industries may choose to formally adopt ISO 27001 and pursue certification programs where an external assessor validates their compliance with the standard and certifies them as operating in accordance with ISO 27001.
The Control Objectives for Information and Related Technologies (COBIT) is a set of best practices for IT governance developed by the Information Systems Audit and Control Association (ISACA). COBIT divides information technology activities into four domains:
COBIT addresses each of these four domains of technology by providing five COBIT framework components:
The Information Technology Infrastructure Library (ITIL) is a framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise. ITIL covers five core activities:
Figure 16.5 shows how these activities fit together in the ITIL service life cycle. Although it is not widely used as a cybersecurity framework, many organizations choose to adopt ITIL ITSM practices and then include cybersecurity functions within their ITIL implementation.
Security policy frameworks and the specific security policies adopted by organizations lay out control objectives that an organization wishes to achieve. These control objectives are statements of a desired security state, but they do not, by themselves, actually carry out security activities. Security controls are specific measures that fulfill the security objectives of an organization.
Security controls are categorized based on their mechanism of action—the way that they achieve their objectives. There are three different categories of security control:
Organizations should select a set of security controls that meets their control objectives based on the criteria and parameters that they either select for their environment or have imposed on them by outside regulators. For example, an organization that handles sensitive information might decide that confidentiality concerns surrounding that information require the highest level of control. At the same time, they might conclude that the availability of their website is not of critical importance. Given these considerations, they would dedicate significant resources to the confidentiality of sensitive information while perhaps investing little, if any, time and money protecting their website against a denial-of-service attack.
Many control objectives require a combination of technical, operational, and management controls. For example, an organization might have the control objective of preventing unauthorized access to a datacenter. They might achieve this goal by implementing biometric access control (technical control), performing regular reviews of authorized access (operational control), and conducting routine risk assessments (managerial control).
CompTIA also divides security into types, based on their desired effect. The types of security control include
Quality control procedures verify that an organization has sufficient security controls in place and that those security controls are functioning properly. Every security program should include procedures for conducting regular internal tests of security controls and supplement those informal tests with formal evaluations of the organization's security program. Those evaluations may come in two different forms: audits and assessments.
Audits are formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party. Audits require rigorous, formal testing of controls and result in a formal statement from the auditor regarding the entity's compliance. Audits may be conducted by internal audit groups at the request of management or by external audit firms, typically at the request of an organization's governing body or a regulator.
Assessments are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement. During an assessment, the assessor typically gathers information by interviewing employees and taking them at their word, rather than preforming the rigorous independent testing associated with an audit.
Policies form the basis of every strong information security program. A solid policy framework consists of policies, standards, procedures, and guidelines that work together to describe the security control environment of an organization. In addition to complying with internally developed policies, organizations often must comply with externally imposed compliance obligations. Security frameworks, such as the NIST Cybersecurity Framework and ISO 27001, provide a common structure for security programs based on accepted industry best practices. Organizations should implement and test security controls to achieve security control objectives that are developed based on the business and technical environment of the organization.
Describe policy frameworks and what they consist of. Policies are high-level statements of management intent for the information security program. Standards describe the detailed implementation requirements for policy. Procedures offer step-by-step instructions for carrying out security activities. Compliance with policies, standards, and procedures is mandatory. Guidelines offer optional advice that complements other elements of the policy framework. Frameworks used to set security approaches may be either prescriptive or risk-based.
Describe how organizations often adopt a set of security policies covering different areas of their security programs. Common policies used in security programs include an information security policy, an acceptable use policy, a data ownership policy, a data retention policy, an account management policy, and a password policy. The specific policies adopted by any organization will depend on that organization's culture and business needs.
Know that policy documents should include exception processes. Exception processes should outline the information required to receive an exception to security policy and the approval authority for each exception. The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.
Understand the variety of security compliance requirements that organizations face. Healthcare providers must comply with the Health Insurance Portability and Accountability Act (HIPAA). Merchants and credit card service providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Financial institutions are subject to the Gramm–Leach–Bliley Act (GLBA), whereas public companies must comply with the Sarbanes–Oxley Act (SOX). Educational institutions must follow the Family Educational Rights and Privacy Act (FERPA).
Define the purpose of standards frameworks. Organizations may choose to base their security programs on a framework, such as the NIST Cybersecurity Framework, ISO 27001, or the IT Infrastructure Library (ITIL). These frameworks sometimes include maturity models that allow an organization to assess its progress. Some frameworks also offer certification programs that provide independent assessments of an organization's progress toward adopting a framework.
Know that controls may be categorized based on their mechanism of action and their intent. Controls are grouped into the categories of managerial, operational, and technical based on the way that they achieve their objectives. They are divided into the types of preventive, detective, corrective, deterrent, compensating, and physical based on their intended purpose.
Explain how audits and assessments are used to monitor compliance with requirements. Audits are externally commissioned, formal reviews of the capability of an organization to achieve its control objectives. Assessments are less rigorous reviews of security issues, often performed or commissioned by IT staff.
Match the following policy documents with their descriptions.
Policy | Outlines a step-by-step process for carrying out a cybersecurity activity |
Standard | Includes advice based on best practices for achieving security goals that are not mandatory |
Guideline | Provides high-level requirements for a cybersecurity program |
Procedure | Offers detailed requirements for achieving security control objectives |
Download and read the current version of the NIST Framework for Improving Critical Infrastructure Cybersecurity (nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
).
Choose a specific category from the framework core that appears in Table 2 at the end of the document. If you are currently employed, describe how your organization addresses each of the subcategories for that function and category. If you are not currently employed, perform the same analysis for an organization with which you are familiar to the best of your ability.
The Payment Card Industry Data Security Standard (PCI DSS) includes detailed testing procedures for each one of the standard's requirements.
Download a copy of the current PCI DSS standard from the PCI Security Standards Council website (www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
). Find the section of the standard that includes requirements for password construction (section 8.2.3 in PCI DSS version 3.2.1).
Describe the testing procedures that an auditor would follow to determine whether an organization is in compliance with this requirement.