CISSP - Security and Risk Management Tutorial

1 Domain 01—Security and Risk Management

Hello and welcome to Domain 1 of the CISSP (read as C-I-S-S-P) certification course offered by Simplilearn. This domain provides an introduction to information security and risk management. Let us explore the objectives of this lesson in the next screen.

2 Objectives

After completing this domain, you will be able to:
- Recognize the importance of Information Security Management
- Describe Security Policy Implementation
- Describe Information Risk Management
- Define the process of Managing Personnel Security and Managing Security Function
- Define Computer Crime
- Explain the Business Continuity Plan process

Let us discuss the importance of information security and risk management in the next screen.

3 Importance of Information Security and Risk Management

Kevin Butler is a Security Administrator in the Network Firewalls division at Nutri Worldwide Inc. He has to prepare for the CISSP exam. He starts his preparation by reading a historical case of a competitor of Nutri Worldwide Inc. The competitor had failed to understand the importance of Information Security. The company had planned its Business Continuity Plan, or BCP, without the continuous involvement of IT. IT security inputs were taken without the team playing an active role, so the BCP was weak in the areas of IT security. When the competitor's headquarters was hit by a tornado, there was a huge information leak because data protection measures had not been well planned. The IT team tried its best to prevent this. The company had to face losses, which led it to file for bankruptcy within a few years. Let us discuss the importance of confidentiality, integrity, and availability in information security management in the next screen.

4 Role and Importance of CIA in ISM

Let us understand the role and importance of CIA (read as C-I-A) in information security management. The three components of the CIA triangle are confidentiality, integrity, and availability. They have served as the industry standard for computer security since the time of the first mainframes. These three concepts are a strong foundation for the dynamic world of information technology, and several new key components of the expanded CIA triangle have been developed from them. Organizations treat these basic components as the building blocks of information security: CIA forms the basis on which information security is built, and confidentiality, integrity, and availability work together to provide assurance that systems and data remain secure. Every part of the CIA triad is equally important. Depending on the data and the IT resource, the three will need to be prioritized differently. In the next screen, we will learn about confidentiality.

5 Confidentiality

The principle of confidentiality asserts that information and functions can be accessed only by authorized parties. The collection of private information about citizens has resulted in the proliferation of information systems operated by both government and industry. Typically, a personal profile containing many items of basic information is established when an individual begins a relationship with an organization. This relationship starts when a person makes a purchase, registers to vote, renews a driver's license, pays taxes, or consults a physician. Even if the purpose or the duration of the relationship is brief, the information will often remain on the organization's information systems for an extended period, often for many years. Individuals expect that their confidential information will not be disclosed to unauthorized parties and that it will be properly protected. However, some organizations may not handle the information properly, resulting in an unauthorized disclosure. This could result in attempted identity theft or financial fraud against the persons whose information was compromised. Military secrets, which are highly confidential information, can be taken as an example here: they can be accessed only by authorized personnel. Threats to confidentiality come from many sources. Hackers and masqueraders compromise the confidentiality of data, and any unauthorized user activity can also compromise the confidentiality of information. Other threats to confidentiality are unprotected downloaded files, unprotected networks, and unauthorized programs like Trojan horses and viruses. Social engineering, an attack that uses social skills to obtain information, is another threat. The next screen will focus on integrity.

6 Integrity

The principle of integrity asserts that information and functions can be added, altered, or removed only by authorized people and means. Integrity is achieved through role-based access control, which is the generic name for a mechanism that controls the actions performed by individuals. Information may be stored in a database consisting of tables, rows, and fields. The concept of integrity governs which individuals are able to modify which tables, rows, and fields in the database. Incorrect data entered by a user into a database can be taken as an example here. In data security, the need for integrity encompasses software, systems, and the people who design, build, and operate them. Software must operate properly, particularly when a program is accessing and modifying data. Systems must be properly configured so that the data residing on them is managed and updated correctly. The people who design, build, and operate software and systems must be properly trained on the technologies they are using, and they must adhere to a code of professional ethics that guides their behavior and decision-making. As with confidentiality, the threats to integrity come from hackers, masqueraders, unauthorized user activity, unprotected downloaded files, unprotected networks, and unauthorized programs like Trojan horses and viruses. Authorized users can also corrupt data and programs accidentally or intentionally. Next, we will discuss availability in detail.

7 Availability

The principle of availability asserts that systems, functions, and data must be available on demand according to agreed-upon parameters based on levels of service. In other words, systems should be available and functioning. A good example of an availability control would be network load balancing. Availability is multi-faceted and involves separate safeguards and mechanisms to ensure that systems and data are available when needed. These safeguards range from firewalls and anti-virus software to resilient architectures for disaster recovery planning. Availability covers nearly all the aspects of data security that directly or indirectly protect a system from harm. Threats to availability include denial of service and distributed denial of service attacks, and natural disasters like fires, floods, storms, or earthquakes. Availability can also be disrupted by human actions like bombs or strikes.

8 Information Security

Information Security refers to the process of protecting information and information systems from unauthorized disclosure, access, use, destruction, deletion, modification, or disruption. It describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security is concerned with the confidentiality, integrity and availability of data regardless of its form: electronic, print, or other forms.

9 Information Security Management

Information Security Management ensures that appropriate information security policies, standards, procedures, guidelines, baselines, information classification, risk management, security organization, and security education are implemented. Effective implementation provides proper balance of security controls with business operations. Security exists to support the goals, mission, and objectives of the organization.

10 Information Security Governance

Governance ensures that security strategies are aligned with business objectives and are consistent with regulations. The IT Governance Institute defines security governance as: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.” In other words, strategy, objectives, and risks are developed and executed in a top-down manner. In a governance model, executive management is in control of the activities intended to protect organizational assets from threats. Governance is intended to guarantee that appropriate information security activities are being performed, so that risks are reduced and information security investments are appropriately directed. It also ensures that executive management has visibility of the program and improves the effectiveness of the program. We will learn about security controls in the following screen.

11 IT Security and Organizational Goals, Mission, and Objectives

Let us begin with the goals, mission, and objectives of an organization. Goals, Mission, and Objectives are statements that define what the organization desires to achieve. They also indicate how the organization intends to achieve them. These statements help organizations create long-term and short-term strategies. Once Goals, Mission, and Objectives have been identified, it becomes easier to align information security to organizational goals and protect organizational assets.

12 Goals, Mission, and Objectives

The terms goals, mission, and objectives are described in detail here. Goals are statements that provide the overall context for what the organization is trying to accomplish. A goal can be defined as a desired result an organization envisions, plans, and commits to achieve. It is the desired end-point for any organizational development plan. An example of an organization’s goal statement can be “To Build, strengthen, and maintain collaboration among key organizations.” The organizational mission refers to a statement of its ongoing purpose and reason for existence. The mission statement should guide the actions of the organization, explain its overall goal, provide a path to achieve this goal, and guide the management in decision-making. An effective mission statement provides the framework or context within which the company's strategies are formulated. An organization usually publishes its mission statement, so that its employees, customers, suppliers, and partners are aware of the organization’s stated purpose. As an example of an organization’s mission statement, let us look at the mission statement of ISC². which is “To Support and provide members and constituents with credentials, resources, and leadership to secure information and deliver value to society.” Objectives refer to the map to reach the preset goals. An objective ties organizational mission to its strategies. Objectives support the organization’s mission and describe how the organization will fulfill its mission. Objectives are observable and measurable. People can determine whether the organization has met its objectives. Note that objectives do not necessarily specify how they will be met, or by whom. As an example, the organization’s objective may be to “Obtain ISO 27001 certification by the end of second quarter.”

13 Aligning Security with Goals, Mission, and Objectives

Information security can be aligned with organizational goals, mission, and objectives by reducing the risk posed by information security threats and with senior management support. As a security professional in an organization, you will be directly responsible for minimizing and managing risk through appropriate activities and controls. You must have a thorough knowledge of the organization’s IT assets as well as its goals, mission, and objectives. Influencing an organization’s core activities requires the support of senior management. This support comes in the form of priorities and resources that permit security professionals to be closely involved with key activities.

14 Business Scenario

As an organization, Nutriworld Inc. (read as Ink) would like to focus on improving the security of communication channels in this financial year. To achieve this goal, the General Manager of IT (read as I-T) Security, Hilda Jacob, announced in her recent address to the team that all Security Administrators and IT analysts in the IT Security division need to complete the CISSP certification. Kevin Butler is a Security Administrator in the Network Firewalls division at Nutri Worldwide. He is preparing for his CISSP exam. He has understood the importance of the Mission, Goals, and Objectives of an organization and the importance of aligning its security to them. He read this statement on the company website: “Nutri Worldwide will pursue and foster opportunities for growth and enrichment for its employees and stakeholders with the customer being the focal point.” Is this statement a mission, goal, or objective statement? This is a mission statement. A mission statement is a statement of the purpose of an organization, company, or person, and its reason for existence. It guides the actions of the company, tells its overall goal, provides a path, and guides management in decision-making.

15 Organizational Processes

As a security professional, it is imperative to understand some common organizational processes, such as Acquisition, Divestiture, and the Governance Committee. An acquisition is the purchase of one business or company by another company or business entity. Acquisitions are divided into "private" and "public" acquisitions, depending on whether the acquiree or the merging company (also termed a target) is listed on the public stock markets. In finance and economics, divestment or divestiture is the reduction of some kind of asset for either financial or ethical objectives, or the sale of an existing business by a firm. A divestment is the opposite of an investment. Often, the term ‘Divestiture’ is used to describe a means to grow financially, in which a company sells off a business unit in order to focus its resources on a market that can be more profitable or promising. A governance committee is one of the most influential standing committees of the board, and is sometimes referred to as the nominating committee or board development committee. The governance committee’s main role is to recruit new board members and to ensure that each board member is equipped with the proper tools and motivation to carry out his or her responsibilities. It ensures that the board fulfills its legal, ethical, and functional responsibilities through adequate governance policy development, recruitment strategies, training programs, monitoring of board activities, and evaluation of board members' performance.

16 Auditing

Auditing is a process of verifying compliance with a security control framework, standard, or published specification. It supports Risk Analysis by verifying that a company not only has the supporting documentation for a robust information security program, but also practices it. Examples are ISMS audit and PCI audit.

17 Control Framework

A Control Framework is a data structure that organizes and categorizes an organization’s internal controls. These are the practices and procedures established to create business value and minimize risk. A number of control frameworks are available to assist with auditing and Risk Analysis. Examples are COBIT, OCTAVE, and ISO 17799/27002.

18 Due Care

Due Care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to protect the company, its resources, and its employees from possible threats. Training employees in security awareness is an example of due care. This is always better than creating a policy with no implementation plan or follow-up. Mandating statements from employees confirming that they have read and understood appropriate computer behavior is also an example of due care.

19 Due Diligence

Due Diligence is the act of investigating and understanding the risks the company faces. Due diligence may be mandated by various legal requirements in the organization’s industry or compliance with governmental regulatory standards. For example, it is important to ensure that the security controls are regularly monitored and updated frequently. In the case of firewalls, security controls should be monitored regularly and rules should be updated depending on the requirement.

20 Security Controls

The three types of security controls are described here.

Administrative Security Controls are primarily policies and procedures put into place to define and guide employee actions in dealing with the organization’s sensitive information. Administrative Controls include developing and publishing policies, standards, procedures, and guidelines; screening of personnel; conducting security-awareness training; and implementing change control procedures.

Technical controls, also called logical controls, are the software tools used to restrict a subject’s access to objects. Technical Security Controls include implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and configuration of the infrastructure. Technical controls protect the integrity and availability of resources by limiting the number of subjects that can access them. They protect the confidentiality of resources by preventing disclosure to unauthorized subjects.

Physical controls support and work with administrative and technical controls to supply the right degree of access control. Physical Security Controls involve controlling individual access into the facility and different departments, locking systems, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.

21 Service Level Agreements

A Service Level Agreement, or SLA, is a formally defined level of service provided by an organization. Within the context of security management, SLAs may be defined for many activities, including:
- Security incident response. A security team may be required to mobilize within a stipulated period of time when a security incident has been called.
- Security alert delivery. Security alerts, which may be bulletins of threats or vulnerabilities, may need to be delivered to recipients within a stipulated period of time.
- Security investigation. A security investigator may be required to respond to a call for assistance within a stipulated period of time.
- Policy and procedure review. A security team may be required to periodically review policies, procedures, and other documents.

SLAs can be defined for other tactical activities performed by security management and staff. The next screen will focus on managing third-party governance.

22 Managing Third - Party Governance

Outsourcing is the subcontracting of a business process to a third-party company. Organizations outsource different functions for many reasons, including redirecting energy to the organization’s core competencies and controlling the efficient use of capital and other resources. There are some information security risks associated with the outsourcing of business processes to third parties, including loss of control of confidential information, accountability, and compliance. Let us look at each of these now.
- Loss of control of confidential information. An organization will have to equip the outsourcer with the information required to perform its functions efficiently. Since this information is now out of the organization’s direct control, protection of that information is entirely dependent upon the outsourcer’s actions.
- Accountability. While the organization has outsourced functions to a third party and is at the complete mercy of the third party’s integrity, the organization is still completely accountable for the actions performed by the outsourcer.
- Compliance. The risks identified can also result in compliance risks. Regulators hold the outsourcing organization accountable for ensuring compliance, not the third party.

Outsourcing IT support, desktop support, and infrastructure is relatively common, and an increasing number of organizations are investing in outsourcing e-commerce systems, datacenter hosting, and software and application development. The security of the outsourced data is of prime importance to the organization. Secure outsourcing can be achieved by periodic on-site assessments, document exchange and document reviews, and policy and process reviews. Let us look at each of these now.
- On-site assessment of IT governance includes a review of all the formal and ad hoc IT governance mechanisms and interviews of key business and IT personnel.
- Document exchange and document review. Proper document management should be in place to secure and control the documentation flow to the third party. Users must also be able to regulate access to documents and ensure that others cannot alter them.
- Policy and process review. A regular policy and process review will help the organization create an efficient and secure environment.

In the next screen, we will learn about privacy requirements and compliance.

23 Offshoring—Privacy Requirements and Compliance

Outsourcing is using a third party to provide Information Technology support services that were previously performed in-house. Offshoring is outsourcing to another country. Offshoring can increase privacy and regulatory issues. Let us look at an example to understand this. When a U.S. medical transcription organization’s data is offshored to India, the Indian provider holds no certification under the Health Insurance Portability and Accountability Act (HIPAA), which is the major regulation covering healthcare data in the United States. A thorough and accurate Risk Analysis must be performed before outsourcing or offshoring sensitive data. If the data will reside in another country, it is important to ensure that the laws and regulations governing it are thoroughly followed, even beyond the country’s jurisdiction. A good contract ensures that regulations and laws governing privacy are followed, even beyond the country’s jurisdiction. In the example we looked at already, the Indian company to which the U.S. medical transcription organization’s data was offshored can agree to follow HIPAA via contract.

24 Business Scenario

As a part of the preparation for the CISSP exam, Kevin is studying the importance of Information Security Governance and Management. While doing so, he lists out the distinguishing points about governance and management to ensure he understands the difference between the two. Governance is associated with providing an oversight, enacting policies, establishing accountability, resources planning, and strategic planning. Management on the other hand involves implementation, enforcement of policies, handling responsibilities, resource planning, and project planning. Based on his observations, Kevin concluded that doing the right thing is Management and doing things right is Governance. Is this statement true? It is not true. The correct statement would be: Doing the right thing is Governance and doing things right is Management.

25 Layers of Responsibility

Let us look at the roles and responsibilities of all the participants in the information classification program in this screen. The roles and responsibilities of all the participants must be clearly defined. The key element of the classification scheme is the role that the users, owners, or custodians of the data play with respect to the data. These roles are important to remember. Various officials are involved with computer security; some of them are shown here.
- Senior Manager has the ultimate responsibility for security.
- Information Security Officer has the functional responsibility for security.
- Data Owner determines the data classification.
- Data Custodian is responsible for preserving the information.
- System Owner is responsible for the security of the system containing the data.
- Security Administrator sets up the security configurations on a system.
- Security Analyst defines and implements security program elements.
- The User or Operator is responsible for following the security procedures.
- Auditor examines the security.

26 Security Policies

A security policy can be defined as an overall general statement produced by senior management or a selected policy board or committee that dictates the role of security within the organization. Building a good security policy lays the foundation for the successful implementation of security-related projects in the future. This is an important measure to reduce the risk of unacceptable use of any of the company's information resources. The first step towards enhancing a company's security is the introduction of a precise yet enforceable security policy, informing staff of the various aspects of their responsibilities and the general use of company resources, and explaining how to handle sensitive information. The policy will also describe the meaning of acceptable use, as well as list prohibited activities. An effective policy should be generic, non-technical, and easily understood by everyone. It should provide a mission statement for security and should represent the business objectives. It should be developed to integrate security into all business functions and processes. As the company changes over time, the security policy should be reviewed and modified accordingly. Like any other important document, it is essential that it be dated and version controlled. Finally, the policy should be forward thinking, which means it should support the vision and mission of the organization. Types of security policies will be covered in the next screen.

27 Types of Security Policies

Security policies may be of different types, depending on the specific need for the policy. Different security policies work together to meet the objectives of a comprehensive security program. They are Regulatory, Advisory, and Informative. Regulatory policy ensures that the organization is following the standards set by industry-specific regulations. These are security policies that an organization must implement based on compliance, regulation, or other legal requirements. Such organizations might be financial institutions, public utilities, or other types of organizations that operate in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates. Examples are HIPAA, PCI-DSS, etc. Advisory policy strongly advises employees or users on the type of behaviors and activities to be followed within the organization. These policies are not mandatory, but are strongly suggested. Non-compliance may lead to serious consequences, such as termination or a job action warning. An example is a policy for handling medical or personal information. Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be internal, that is, within the organization, or certain external parties. An example is a policy explaining the goals and mission of an organization.

28 Security Policy Implementation

Let us learn about security policy implementation in this screen. Policies are typically propagated through official written documents. Policy documents often come with the endorsement or signature of the executive powers within an organization. Such documents often have standard formats that are particular to the organization issuing the policy. While such formats differ in form, writing a policy document should meet the following objectives: writing a purpose statement, fixing responsibility, setting policy objectives, providing for resources, allocating staff, and using guidelines and standards for implementation.

All policies should contain the basic elements of purpose, scope, responsibilities, and compliance.
- Purpose describes the need for the policy, typically to protect the confidentiality, integrity, and availability of data.
- Scope describes the systems, people, facilities, and organizations that are covered by the policy. Any related entities that are not in scope should be documented to avoid confusion.
- Responsibilities include those of the information security staff and policy and management teams, as well as those of all members of the organization.
- Compliance describes two related issues: how to judge the effectiveness of the policies and what happens when a policy is violated.

A few guidelines for policy creation include assigning a principal function to be responsible for control, making compliance with the policy a condition of employment, keeping the policy document brief and avoiding exceeding two pages, and using generic terms that can be understood by everyone. Management responsibilities for policy include protecting resource assets within their control, ensuring employees know their duty to protect company assets, implementing security in accordance with company policy, and initiating corrective actions for security violations.
A few best practices for policy enforcement are avoiding errors that can lead to legal challenges, avoiding writing policies that can lead to general noncompliance, and ensuring compliance with the policy.

29 Policy Chart

A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps necessary to achieve it. General security policies are derived from laws, regulations, and requirements. The functional implementation policies are subsets of General organizational policy. A policy is implemented using standards, guidelines, procedures, and baselines. As shown in the flowchart, standards, guidelines, procedures, and baselines are the tactical tools used to achieve and support the directives in the security policy, which is considered the strategic goal. As you can see from the policy hierarchy chart in Figure, policies are considered the first and highest level of documentation, from which the lower level elements of standards, procedures, baselines, and guidelines flow. However, this order does not mean that the policies are more important than the lower elements. These higher-level policies, which are the general policies and statements, should be created first in the process for strategic reasons, and then the tactical elements can follow. We will discuss these tactical tools in the next screen.

30 Standards, Guidelines, Procedures, and Baselines

Standards, Guidelines, Procedures, and Baselines are described in detail here.

Standards refer to mandatory activities, actions, or rules. Standards give a policy its support and reinforcement in direction. They can be internal or externally mandated, like government laws and regulations. Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform manner across the organization. An example would be the ISO 27001 standard.

Guidelines are the recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security. An example would be security password guidelines.

Procedures are the step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who are required to carry out specific tasks. Procedures are considered the lowest level in the policy chain because they are closest to the computers and users when compared to the policies. An example would be an incident response procedure.

A baseline can refer to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security is in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point. Baselines are also used to define the minimum level of protection required. Security personnel must assess the systems as changes take place and ensure that the baseline level of security is always being met. For example, a baseline may specify that all Windows 7 systems must have Service Pack 1 or SP1 installed.
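The two uses of a baseline described above, the minimum level of protection every system must meet and the agreed point-in-time reference that later changes are measured against, as an added example in Python (not from the course material). The platform names, required settings and host inventory are constructed sample data; the Windows 7 / SP1 rule mirrors the example in the text.

```python
"""Baseline assessment: minimum-protection check and drift from an agreed snapshot.

Added example, not from the Simplilearn course. All platforms, settings and
hosts below are constructed sample data.
"""
from dataclasses import dataclass

# Minimum level of protection required per platform (constructed values).
MINIMUM_BASELINE = {
    "windows7": {"service_pack": "SP1", "firewall": "on", "antivirus": "installed"},
    "rhel7": {"selinux": "enforcing", "ssh_root_login": "no"},
}


@dataclass
class SystemRecord:
    hostname: str
    platform: str
    settings: dict


def check_minimum(system):
    """Return (setting, expected, actual) tuples for every setting below the baseline.

    A platform with no agreed baseline is itself a finding: it cannot be assessed.
    """
    required = MINIMUM_BASELINE.get(system.platform)
    if required is None:
        return [("platform", "a baselined platform", system.platform)]
    findings = []
    for key, expected in required.items():
        actual = system.settings.get(key, "<missing>")
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


def assess_fleet(systems):
    """Map hostname -> findings for every system that does not meet the minimum."""
    report = {}
    for system in systems:
        findings = check_minimum(system)
        if findings:
            report[system.hostname] = findings
    return report


def drift_from_snapshot(snapshot, current):
    """Compare the agreed point-in-time snapshot with the current state.

    Both arguments map hostname -> settings dict. The result records changed
    settings as (old, new) pairs, hosts that disappeared, and hosts that were
    never part of the agreed baseline.
    """
    drift = {}
    for host, old in snapshot.items():
        new = current.get(host)
        if new is None:
            drift[host] = {"status": "missing"}
            continue
        changed = {
            key: (old.get(key), new.get(key))
            for key in set(old) | set(new)
            if old.get(key) != new.get(key)
        }
        if changed:
            drift[host] = changed
    for host in current.keys() - snapshot.keys():
        drift[host] = {"status": "new, not in baseline"}
    return drift


# Constructed inventory: what the systems look like today.
SAMPLE_SYSTEMS = [
    SystemRecord("ws-01", "windows7", {"service_pack": "SP1", "firewall": "on", "antivirus": "installed"}),
    SystemRecord("ws-02", "windows7", {"service_pack": "RTM", "firewall": "on", "antivirus": "installed"}),
    SystemRecord("srv-01", "rhel7", {"selinux": "permissive", "ssh_root_login": "no"}),
    SystemRecord("lab-01", "freebsd12", {}),
]

# Constructed snapshot: the state that was formally reviewed and agreed upon.
SAMPLE_SNAPSHOT = {
    "ws-01": {"service_pack": "SP1", "firewall": "on", "antivirus": "installed"},
    "ws-02": {"service_pack": "SP1", "firewall": "on", "antivirus": "installed"},
    "srv-02": {"selinux": "enforcing", "ssh_root_login": "no"},
}


def run_sample():
    """Assess the constructed inventory against both kinds of baseline."""
    current = {s.hostname: s.settings for s in SAMPLE_SYSTEMS}
    return assess_fleet(SAMPLE_SYSTEMS), drift_from_snapshot(SAMPLE_SNAPSHOT, current)


if __name__ == "__main__":
    below_minimum, drift = run_sample()
    for host, findings in below_minimum.items():
        print(f"{host}: below minimum baseline -> {findings}")
    for host, change in drift.items():
        print(f"{host}: drift from agreed snapshot -> {change}")
```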

31 Business Scenario

Kevin was examining a security policy of Nutri Worldwide Inc. that was introduced a decade ago and turned out to be a bad example. This policy was withdrawn within a month after its launch. During his examination of the policy, he identified that it covered elements of a good security policy like Purpose, Objective, Responsibilities, Compliance, and Review. Which important element of the policy is missing from the list Kevin identified? Scope is the missing element in the policy.

32 Compliance—Need for Compliance

Let us now discuss the need for compliance. Compliance means conforming to a rule, such as a specification, policy, standard, or law. Due to the increasing number of regulations and the need for operational transparency, organizations are adopting consolidated and harmonized sets of compliance controls. This approach ensures that all necessary governance requirements can be met without unnecessary duplication of effort and activity. The reasons for compliance are as follows: It is important to protect the information critical to an organization. To enforce controls, it is necessary to have a formal written policy that can be used as the basis for all standards, guidelines, baselines, and procedures. It is important to understand the requirements for protecting organizational information. Identifying requirements for protecting organizational information is not enough; inadequate implementation and enforcement of controls can lead to fines, penalties, and imprisonment. Failures can lead to loss of customer confidence, competitive advantage, contracts, jobs, etc. Protecting shareholder interests is a key component of the need to implement effective controls. Good controls make good business sense. We will look into regulatory compliance in the next screen.

33 Regulatory Compliance

Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with the relevant laws and regulations. The regulatory environment covers data privacy, computer misuse, software copyright, data protection, controls on cryptography, etc. It also addresses environmental protection, intellectual property, national security, personal privacy, public order, health and safety, and prevention of fraudulent activities. Non-compliance will result in fines, imprisonment, or closure of the business. In the following screen, we will discuss compliance requirements and procedures.

34 Compliance

Audits are performed to ensure compliance with contracts, regulations, and laws. Audits assist in detecting abnormal activities and provide authorized personnel with the ability to see any action that can potentially cause access to, damage to, or in some way affect the release of organizational information. The level and type of auditing depend on the auditing requirements for the systems or situation, and on the sensitivity of the data that is processed and stored. The key element is that the audit provides information on the types of unauthorized activities that have taken place and identifies the persons or processes involved. It is advisable to employ standardized methods of audit wherever required.

35 Compliance (contd.)

Reporting. The format, content, and timing of internal compliance reporting, unless prescribed by law, is tailored to the nature of the issue reported, as per the following guidelines:
- Incidents and potential breaches are reported as and when they occur to business unit management, and escalated to the Compliance Manager or Executive Management, as per the Breach Reporting Process.
- Reporting on performance for compliance risks is as per the Risk Management Policy.
- The Annual Compliance Plan will be reported and signed off at the start of each year.
- Changes in compliance requirements and obligations should be reported to the Compliance Manager as and when they occur.
- Results of assurance activities are reported to the Compliance Manager, Executive Management, and the Audit Committee as required.
- During the year, compliance issues will be reported as required on an ad hoc basis in Executive Meetings and Audit Committee Meetings.

36 Compliance (contd.)

The Compliance Process Function includes:
- Establishing policies, standards, baselines, guidelines, and procedures to guide the workforce.
- Appointing a high-level manager to oversee compliance with the policies, standards, baselines, guidelines, and procedures.
- Enforcing the policies, standards, baselines, guidelines, and procedures consistently through appropriate disciplinary measures.
- Exercising due care when granting discretionary authority to employees.
- Ensuring that compliance policies are being carried out.
- Communicating the policies, standards, baselines, guidelines, and procedures to all employees and others.
- Implementing procedures for corrections in case of violations.
- Partnering with other fiduciary roles, organizations, and personnel.

37 Standards/Manuals/Guidelines for Compliance

Let’s look at the Standards, Manuals, or Guidelines for Compliance in this screen. It is very important to understand the laws and regulations with which the organization needs to comply. This will help determine the type of security framework or standard that should be set up within the organization. Manuals and guidelines help us understand and deploy various controls and processes. A few examples of standards, manuals, or guidelines are as follows:
- Control Objectives for Information and Related Technology or COBIT.
- Federal Information System Controls Audit Manual or FISCAM.
- U.S. Government Accountability Office or GAO, and Government Auditing Standards or GAS (read as G-A-S).
- The GAO/PCIE Financial Audit Manual or FAM, issued jointly by the GAO and the President’s Council on Integrity and Efficiency or PCIE.
- ISO 27000 Series, specifically reserved by ISO for information security matters.
In the next slide, we will discuss third-party governance and security.

38 Computer Crimes

Cybercrimes are defined as, "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as the Internet through chat rooms, emails, notice boards, groups, and mobile phones through SMS or MMS ". In the next screen, we will discuss computer crimes.

39 Introduction to Computer Crimes

Computer crimes refer to any crime that involves a computer and a network. These crimes may threaten a nation’s security and financial health. There are also problems of privacy when confidential information is lost or intercepted. Computer-related crimes have increased due to the connectivity of the Internet and the low cost of computational resources. Computer crimes have increased because they can be initiated from anywhere in the world and are difficult to investigate and prosecute. It is difficult to estimate the economic impact of these crimes, because many are never detected or reported. These crimes result in financial losses to companies in the worldwide economy. Examples of computer crimes are cracking, copyright infringement, child pornography, child grooming, etc. In the next screen, we will identify the categories of computer crimes.

40 Categories of Computer Crimes

Computer crimes are often divided into the following categories:
• Computer assisted crimes
• Computers as the target of crimes
• Computers incidental to the crimes

Computer assisted crimes are criminal activities carried out using computers as mere tools and are not specific to computers. For example, fraud, distributed denial of service attacks, counterfeiting, theft, child pornography, etc. As a tool, computers merely allow criminals to become efficient at practicing their criminal tradecraft, able to target victims, or easily able to share contraband. With the increasing dependency on technology, currently 80% of all criminal investigations include evidence that is digital in nature. In this context, computers as incidental is almost a useless category because it is generic enough to encompass all except a very few types of criminal behavior.

Computers as the target of crimes are criminal activities focused on systems, servers, networks, and the data stored on these systems. For example, sniffing, denial of service, password attacks, viruses, digital identity theft, computer hacking, etc. These crimes target information systems and the underlying architecture and represent some of the largest issues for information security. These activities denote concepts that legal systems are not experienced in dealing with and that are not effectively embodied in statutes, regulations, etc.

Computers incidental to the crimes are those crimes where the computer is related or incidental to the crime. This means that the crime could occur without the use of computers. For example, a list of customers kept by traffickers. The computer as incidental is a direct artifact of the present wired society. Online activities, whether based on the Internet or cell phone, are logged and recorded; often these are archived and open for anyone to look at without any court orders. For example, newsgroup postings or social network archives.
Computers and computing technology, such as cell phones and smartphones, are often a repository of digital information related to online activities, conversations, preferences, etc. This type of information is often of interest during an investigation, including the more routine non-technology-related cases such as murders, kidnappings, drug trafficking, custody disputes, etc.

41 Business Scenario

Towards the end of the last year, many users at Nutri Worldwide Inc. reported unusual activities on their systems. The IT security team had identified that some cyber criminals had targeted Skype, Facebook, and Windows users on the organization computers by using multiple Black Hole activities. For completing the attack, the Black Hole exploits required users to open links of compromised websites hosting malicious files that will be downloaded and executed. These files contained a JavaScript which infected the machines. Hilda Jacobs, General Manager – IT Security, instructed Kevin to scan all the systems for malicious software and block Facebook and Skype on all corporate machines until further orders. What type of computer crime is referred to in the scenario? The scenario talks about computer-targeted crime.

42 Major Legal Systems

Legal systems provide the framework that determines how a country develops laws pertaining to information systems. These systems refer to a process and procedure for enforcing and interpreting the law. Any one or a combination of the basic legal systems forms the basis of the modern legal systems of the world. The basic legal systems include civil law, common law, and religious law. Crimes involving information systems, or targeted at them, have no geographical boundaries. Information systems security is now a global phenomenon. Therefore, the information security professional should understand the different legal systems followed internationally. In the following screen, we will discuss in detail the major types of legal systems.

43 Common Law and Civil Law

Common law is the legal system used in the United States, Canada, the United Kingdom, and most of the former British colonies, among others. Its primary distinguishing feature is the significant emphasis on particular cases and judicial precedent as a determinant of laws. Most common law systems consist of three branches of law: criminal law, tort law, and administrative law. Criminal law deals with behaviors or conduct that is seen as harmful to the public or society. Tort law deals with civil wrongs or torts against an individual or business entity. Administrative or regulatory law is concerned with the governance of public bodies and the designation of power to administrative agencies, commissions, boards, administrative tribunals, or professional associations. It deals with the performance and conduct of industries. Civil code or civil law deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. Examples include trespassing, battery, negligence, and product liability. A civil lawsuit would result in financial restitution and/or community service instead of a jail sentence. Civil law is the branch of law that generally involves two parties that have a grievance that needs to be settled. It is rule based and not precedent based. It is used in continental European countries like France, Germany, Spain, Norway, Switzerland, etc. Many Asian countries have legal systems based on the German model of civil law. Civil law includes contract law, tort law, property law, employment law, and corporate law.

44 Customary Law and Religious Law

Custom or customary law systems are regionalized systems and reflect the society’s norms and values based on programmatic wisdom and traditions. Over the years these customs or norms have become recognized as defining legitimate social contracts and have become part of the rule of law. It is rare to find a country whose rule of law is based solely on customary law. Most countries that have a strong law of custom also subscribe to another legal system, such as civil or common law (for example, many African countries, China, India). Punishment under customary law systems focuses on restitution to the victim by means of some kind of fine. All laws have been influenced by religion. Although there are technically several religious law systems, we will confine the discussion to Muslim law. This system was chosen because the Islamic faith is practiced by a large portion of the world’s population. Muslim societies in North Africa and the Middle East follow Islamic law or Sharia. Traditional Islamic law is separated into rules of worship and rules of human interaction and is guided by the Quran and the “way,” or Sunnah, the manner in which the prophet Muhammad lived his life. Sharia covers all aspects of a person’s life, from religious practices, dietary choices, dress code, marriage and family life, commerce, and domestic justice to sexual behavior. Law is not considered a manmade entity but is decreed by divine will. Jurists and clerics play a central role in this system and have a high degree of authority within the society. Like the civilian systems, Sharia has been codified, but it remains open to interpretation and modification.

45 Mixed Law

Mixed law by definition is the convergence of two or more legal systems, usually civil law and common law, or customary, religious, and civil or common law. The interaction of these legal systems can be the result of historical, economic, or political pressures. Examples of mixed systems can be found in Europe with Holland, in North America with Quebec and Louisiana, in Africa with South Africa, and in the United Kingdom with Scotland.

46 Business Scenario

Kevin Butler was studying the major legal systems, which are followed throughout the world. Curiously, he thought of going through the archives of legal cases involving Nutri Worldwide Inc. He came across one of the recent cases where Nutri Worldwide Inc. lost a legal battle against one of its partner organizations. The dispute was regarding breach of a clause of the partner agreement. The partner filed a lawsuit against Nutri Worldwide Inc. for violation of its rights and claimed compensation of $2 million. Under which type of law had the partner filed the lawsuit? The partner had filed the lawsuit under Civil Law.

47 Introduction to Intellectual Property (IP) Law

Intellectual property laws are designed to protect both tangible and intangible items and property. The main goal of the intellectual property law is to protect property from those who want to copy or use it without due compensation to the inventor or creator. According to the World Intellectual Property Organization or WIPO (read as W-I-P-O), intellectual property is divided into two categories. Industrial property, which includes inventions or patents, trademarks, industrial designs, and geographical indications of source. Copyright, which includes literary and artistic works such as novels, poems, plays, films, musical works, drawings, paintings, photographs, sculptures, and architectural designs. A company must go through many steps to protect resources that it claims to be intellectual property and must show that it exercised due care in its efforts to protect those resources. In the following screen, we will discuss in detail the major types of Intellectual Property or IP Law.

48 Types of Intellectual Property (IP) Law

A patent grants the owner a legally enforceable right to exclude others from practicing the covered invention for a specific time, such as 20 years. A patent is the strongest form of intellectual property protection. A patent protects novel, useful, and nonobvious inventions. A formal application to a government entity is required to grant a patent. Once a patent is granted, it is published in the public domain to stimulate other innovations. After the expiry of a patent, the invention is open to the public domain. The World Intellectual Property Organization or WIPO (read as W-I-P-O), an agency of the United Nations, looks after the filing and processing of international patent applications. Trademark laws are designed to protect the goodwill a merchant or vendor invests in its products. Trademark law creates exclusive rights for the owner of markings that the public uses to identify various vendor or merchant products or goods. A trademark consists of any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others. The trademark must be distinctive and cannot mislead or deceive consumers or violate public order or morality. Trademarks are registered with a government registrar. WIPO oversees international trademark law efforts, including international registration. The following symbols are designated for trademarks:
- The TM symbol is used for an unregistered trademark. This mark is used for branded goods or promotion.
- The SM symbol is used for an unregistered service mark. This mark is used for branded goods or promotion.
- The R symbol is used for a registered trademark.

49 Types of Intellectual Property (IP) Law (contd.)

A copyright covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases, and computer programs. Copyright protection is weaker than patent protection, but the duration of protection is considerably longer, for example, a minimum of 50 (fifty) years after the creator’s death, or 70 (read as seventy) years under U.S. copyright protection. Although individual countries may have slight variations in their domestic copyright laws, as long as the country is a member of the international Berne Convention, the protection afforded will be at least at a minimum level, as dictated by the convention. Copyright is typically denoted by the © symbol. Trade secret law protects certain types of information or resources from unauthorized use or disclosure. A trade secret is something that is proprietary to a company and important for its survival and profitability. The resource that is claimed to be a trade secret must be confidential and protected with certain security precautions and actions. A trade secret could be the formula used for a soft drink, such as Coke or Pepsi, a new form of mathematics, the source code of a program, a method of making the perfect jellybean, or the ingredients for a special secret sauce. A trade secret has no expiration date unless the information is no longer secret or no longer provides economic benefit to the company. Many companies require their employees to sign a nondisclosure agreement, confirming that they understand its contents and promise not to share the company’s trade secrets with competitors. The nondisclosure agreement also gives the company the right to fire the employee or bring charges if the employee discloses a trade secret.

50 Types of Intellectual Property (IP) Law (contd.)

Software licenses are a contract between a provider of software and the consumer. Most commercial software licensing provides explicit limits on the use and distribution of the software. Software licenses such as end-user license agreements (EULAs) are used by many companies to constitute a contractual agreement. There are four categories of software licensing. Freeware is software available free of charge that can be used, copied, studied, modified, and redistributed without restriction. Shareware or trialware is a software license used by vendors to market their software: users obtain a free trial version of the software, and once the user tries out the program, the user is asked to purchase a copy of it. Commercial software is sold for or serves commercial purposes, and academic software is provided for academic purposes at a reduced cost. Academic software can be open source, freeware, or commercial software.

51 Business Scenario

Kevin Butler was studying Intellectual Property laws as a part of his preparation for the CISSP exam. While studying the topic, he remembered a recent case in which his organization had successfully won a lawsuit against a competitor organization. The case in question was regarding the use of Nutri Worldwide Inc.’s product name by the competitor organization for a similar kind of product. The court gave its verdict in favor of Nutri Worldwide Inc. and the opposite party had to pay a heavy fine. Under which type of IP law was the lawsuit filed? The dispute was over the violation of Nutri Worldwide Inc.’s Trademark.

52 Import or Export Controls and Trans-Border Data Flow

Following are the basic concepts of Import or Export Controls and Trans-border Data Flow: Import or Export Controls ensure software complies with the local laws where it will be deployed and used. In some countries, it is illegal to import or export some types of software. A very common example is encryption software. It can also be a potential threat to the national security. The United Nations or UN Security Council can impose sanctions on any country as voted on by member nations of the council. Due to the sanctions, technology transfer to these countries is strictly prohibited. Companies operating internationally need to be aware of sanctions regimes and how to comply with them. Trans-border Data Flow involves transfer of data from one country to another. The prevailing laws regarding data security and privacy may differ from one country to another. Therefore, the information security professional should understand the jurisdiction over the data when moving from one country to the other. Let us discuss the importance of privacy, in the next screen.

53 Introduction to Privacy

Privacy can be defined as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.” Personal information is a rather generic concept and encompasses any information that is about or on an identifiable individual. Although international privacy laws are somewhat different in respect to their specific requirements, they all tend to be based on core principles or guidelines. The Organization for Economic Cooperation and Development or OECD has broadly classified these core principles into collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. The actual enactment of regulations or, in some cases, laws dealing with privacy depends on the jurisdiction. Some countries have opted for a generic approach to privacy regulation, or horizontal enactment that applies across all industries, including government, while others have decided to regulate by industry, or vertical enactment, such as financial, health, publicly traded, etc. Regardless of the approach, the overall objective is to protect a citizen’s personal information, while at the same time balancing the business, governmental, and academic or research need to collect and use this information appropriately. The following issues have increased the need for more privacy laws and governance:
- Advances in data aggregation and retrieval technologies: large data warehouses full of private information are continually being created.
- Loss of borders (globalization): private data flows from country to country for many different reasons, including business globalization.
- Advances in convergent technologies: gathering, mining, and distributing sensitive information.
We will discuss the U.S. Privacy Laws in the following screen.

54 U.S. Privacy Laws

The major privacy laws in the United States are as follows.

The Federal Privacy Act of 1974: The Privacy Act of 1974 was created to codify protections of U.S. citizens’ data that is used by the federal government. It defines guidelines regarding how citizens’ personally identifiable information can be used, collected, and distributed. An additional protection allows individuals to have access to the data related to them, limited only by some national security-oriented exceptions. It forbids U.S. federal agencies from sending private information without consent.

The Gramm-Leach-Bliley Act of 1999: Under this act, financial institutions must develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties. The act dictates that the board of directors is responsible for many of the security issues within a financial institution. A risk management program must be implemented and all employees need to be trained on information security issues. Financial institutions must also ensure that the implemented security measures are fully tested. The act also requires these institutions to have a written security policy in place.

55 U.S. Privacy Laws (contd.)

Health Insurance Portability and Accountability Act: The Health Insurance Portability and Accountability Act, a U.S. federal regulation, has been mandated to provide national standards and procedures for the storage, use, and transmission of personal medical information and health care data. This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information. HIPAA mandates steep federal penalties for noncompliance.

Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001: PATRIOT expands to “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.” The main thrust of the Act is less stringent oversight of law enforcement regarding data collection. Wiretaps have become broader in scope. Searches and seizures can be carried out without immediate notification of the person whose data or property might be seized. Additionally, the Act amends the Computer Fraud and Abuse Act to strengthen penalties for those convicted of attempting to damage a protected computer, such that conviction of a second offense can mean up to 20 years in prison. In the next screen, we will look at the U.S. guidelines for managing privacy.

56 U.S. Guidelines for Managing Privacy

The following are some of the U.S. Guidelines for Managing Privacy:
- Government laws such as the Sarbanes-Oxley Act of 2002 or SOX, also known as the Public Company Accounting Reform and Investor Protection Act of 2002. This act ensures that a comprehensive control framework is implemented on the financial accounting, IT systems, and infrastructure of U.S. public companies.
- The Health Insurance Portability and Accountability Act or HIPAA of 1996 prevents unauthorized disclosure of health information and allows easy transmission of data between health-related organizations.
- The Gramm-Leach-Bliley Act (GLBA) of 1999 provides the Financial Privacy Rule and the Safeguards Rule, which require financial services organizations to disclose privacy policies to customers and to provide adequate safeguards to protect customers’ private information.
- BASEL II, devised by the Bank for International Settlements, is a means of protecting banks from over-extending themselves and becoming insolvent.
- Industry regulations such as the Payment Card Industry Data Security Standard or PCI DSS apply to any entity that processes, transmits, stores, or accepts credit card data.
- Individual actions, including strong passwords, encryption of stored data, and user awareness, help in protecting critical personal information.
- Self-regulation, such as internal corporate policies, pushes corporations to take the initiative to protect private information by creating policies to that effect.
Let us discuss the EU Council Directive or Law on Data Protection in the next slide.

57 EU Council Directive (Law) on Data Protection

The protection of information on private individuals from intentional or unintentional disclosure or misuse is the goal of information privacy laws. The intent and scope of these laws vary widely from country to country. The European Union or EU (read as E-U) has defined privacy principles that are more protective of individual privacy than those applied in the United States. Therefore, the transfer of personal information from the EU to the United States is prohibited in the absence of equivalent personal protections. The EU principles include the following:
- The reason for gathering data must be specified at the time of collection.
- Data cannot be used for purposes other than what it was originally intended for.
- Unnecessary data should not be collected.
- Data should only be kept for as long as it is needed to accomplish the stated task.
- Only the individuals who are required to accomplish the stated task should be allowed access to the data.
- Whoever is responsible for securely storing the data must prevent unintentional “leakage” of data.
- Transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection is prohibited.
In the next screen, we will focus on the European Union-US Safe Harbor.

58 The U.S.-European Union Safe Harbor

The U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. It is created to bridge the differences between the U.S. privacy laws and EU Council Directive (Law) on Data Protection; also, to provide a streamlined and cost-effective means for the U.S. organizations to satisfy the Directive’s “adequacy” requirement. The U.S.-EU (read as U-S-E-U) Safe Harbor Framework, which was approved by the EU in 2000, is an important way for the U.S. organizations to avoid experiencing interruptions in their business dealings with th
