Governance and

Compliance
Objectives
• Understand organization approach to
cybersecurity

• Identify the code of responsible digital behavior

• Understand ISO/IEC cybersecurity model

Outlines
• Governance

• The ethics of cybersecurity

• IT security management framework

Governance
Introduction
There is an air of excitement at @Larry! You have made a huge impact in such
a short space of time. It’s time to level up once again.
I think you are ready for this final task. I need your help to develop an IT
governance structure at @Larry that aligns with the overall business goals and
ensures that everyone within the organization is aware of their responsibilities
when it comes to cybersecurity.
Governance
IT security governance determines who is authorized to make decisions
about cybersecurity risks within an organization. It demonstrates accountability
and provides oversight to ensure that any risks are adequately mitigated and
that security strategies are aligned with the organization’s business objectives
and are compliant with regulations.
IT security governance is different from IT security management, which
defines and implements the controls that an organization needs to have in
place to mitigate risks. Likewise, data governance determines who is
authorized to make decisions about data within an organization.
Data Owner
A person who ensures compliance with policies and procedures, assigns the proper classification
to information assets, and determines the criteria for accessing information assets.
Data Controller
A person who determines the purposes for which, and the way in which, personal data is
processed.
Data Processor
A person or organization who processes personal data on behalf of the data controller.
Data Custodian
A person who implements the classification and security controls for the data in accordance with
the rules set out by the data owner.
Data Steward
A person who ensures that data supports an organization’s business needs and meets regulatory
requirements.
Data Protection Officer
A person who oversees an organization’s data protection strategy.
Cybersecurity Policies
A cybersecurity policy is a high-level document that outlines an organization’s vision
for cybersecurity, including its goals, needs, scope and responsibilities. Specifically,
it:
• Demonstrates an organization’s commitment to security.
• Sets the standards of behavior and security requirements for carrying out
activities, processes and operations, and protecting technology and information
assets within an organization.
• Ensures that the acquisition, use and maintenance of system operations,
software and hardware is consistent across the organization.
• Defines the legal consequences of policy violations.
• Gives the security team the support they need from senior management.
There are various types of cybersecurity policies.

Master Cybersecurity Policy

The blueprint for an organization’s cybersecurity program, this policy serves as the
strategic plan for implementing cybersecurity controls.

System – Specific Policy

Developed for specific devices or computer systems and aims to establish

standardization for approved applications, software, operating system configurations,
hardware and hardening countermeasures within an organization.

.Issue Specific Policy

Developed for certain operational issues, circumstances or conditions that may

require more detailed requirements and directions.
Types of Security Policies
Identification and Authentication Policy
Specifies who should be permitted access to network resources and what verification
procedures are in place to facilitate this.
Password Policy
Defines minimum password requirements, such as the number and type of characters
used and how often they need to be changed.
Acceptable Use Policy
Highlights a set of rules that determine access to and use of network resources. It
may also define the consequences of policy violations.
Remote Access Policy
Sets out how to remotely connect to an organization’s internal network and explains
what information is remotely accessible.
Network Maintenance Policy
Outlines procedures for updating an organization’s specified operating systems and end-user
applications.
Incidence Handling Policy
Provides guidance on how to report and respond to security-related incidents within an
organization.
Data Policy
Sets out measurable rules for processing data within an organization, such as specifying where
data is stored, how data is classified (high, medium, low, confidential, public or private), and
how data is handled and disposed of.
Credential Policy
Enforces the rules for composing credentials, such as the minimum and maximum length of a
password.
Organizational Policy
Provides guidance for how work should be carried out in an organization. Examples might
include change management, change control or asset management policies.
Guiding Principles for HR
Background Checks
This may involve a simple reference check or more rigorous procedures such as
verifying educational credentials, employment history, the validity of criminal records
or drug testing.
Onboarding and Offboarding
This includes making them aware of acceptable use, data handling and disposal
policies as well as the repercussions of policy violations.
Clean Desk
Organizations often request a clean desk policy to ensure that neither personal
identifiable information nor confidential information falls into the wrong hands. Clean
desk policy messaging increases employee awareness of the importance of not
leaving potentially sensitive documents on their desk.
The Need To Know Policy
Employees in an organization are typically granted access to the data and information that they
need in order to do their job.
Separation of Duty

This measure is often put in place to ensure that more than one employee is required to
complete a particular task, effectively adding in extra checks and balances for security. This
distribution of control limits the power of any single employee over critical processes and
reduces the risk of a task being compromised.

Mandatory Vacation

Most organizations will insist that employees take a minimum period of vacation every year,
during which time another employee will cover their role. This helps an organization discover if
any employees have been involved in long-term, malicious activities.

Job Rotation Policy

Job rotation is a strategy where employees rotate between different job assignments in an
organization.
The Ethics of
Cybersecurity
Introduction
Sometimes you may be faced with a dilemma or a challenging situation where
the right course of action is not immediately clear. Trust me, I know! In such
cases, you must act responsibly and use your judgment or ethics to guide you
along the right path.

Ethics of Cybersecurity Specialist

As a cybersecurity specialist, you need to understand both the law and an
organization’s interests in order to be able to make such decisions.
Utilitarian Ethics
In the nineteenth century, philosophers Jeremy Bentham and John Stuart Mill articulated the theory
of utilitarian ethics. This is based on the guiding principle that the consequence of an action is the
most important factor in determining if the action is moral or not. For example, an action that maximizes
the greatest good for the greatest amount of people is an ethical choice.

The Right Approach

The rights approach is guided by the principle which states that an individual has the right to make
their own choices, which cannot be violated by another person’s decision. This decision must respect
and consider the fundamental rights of the individual such as privacy.

The Common Good Approach

The common good approach proposes that ethical actions are those that benefit the entire
community. It challenges individuals to recognize and pursue the values and goals shared with other
members of a community.
Ten Commandment of Computer
Ethics
Based in Washington, DC, the Computer Ethics Institute is a resource for
identifying, assessing and responding to ethical issues throughout the information
technology industry.
It was one of the first organizations to recognize the ethical and public policy
issues arising from the rapid growth of the information technology field.
They created the ten commandments of computer ethics presented here.
Cybercrime
Cybercrime falls into three categories:
1.Computer-targeted crime is where a computer is the target of criminal
activity. Examples include malware attacks, hacking or denial of service attacks.
2.Computer-assisted crime occurs when a computer is used to commit a
crime, such as theft or fraud.
3.Computer-incidental crime is where a computer provides information that is
incidental to an actual crime. For example, a computer is used to stored images
of child pornography, not the actual tool used to commit the crime.
Several agencies working to combat cybercrime, including the Federal Bureau of
Investigation Internet Crime Complaint Center (IC3), InfraGard, and Software
and Information Industry Association (SIIA) in the U.S.
Cyber Law
In the U.S, there are three primary sources of laws and regulations, all of which involve aspects of
computer security.
Statutory Law
The U.S. Congress has established federal administrative agencies and a regulatory framework that
includes both civil and criminal penalties for failing to follow the rules.
The Computer Fraud and Abuse Act is a statutory law that prohibits accessing a computer without
authorization, or in excess of authorization. Violating these rules could result in a fine or prison sentence.
Administrative Law
A legal framework that governs the activities of administrative agencies of government, administrative
law ensures that public bodies act in accordance with the law.
For example, the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC)
have been concerned with issues such as intellectual property theft and fraud.
Common Law
Common law cases work their way through the judicial system providing precedents and constitutional
bases for lawmaking.
Federal Information Security
Management Act
Federal IT systems contain and use a large amount of valuable information and
are therefore considered high-value targets for cybercriminals.
In 2002, the U.S. Congress created FISMA to cover federal agencies’ IT systems.
Specifically, FISMA stipulates that federal agencies must create an information
security program that includes:
• Risk assessments.
• An annual inventory of IT systems.
• Policies and procedures to reduce risk.
• Security awareness training.
• Testing and evaluation of all IT system controls.
• Incident response procedures.
• A continuity of operations plan.
Industry Specific Laws
Finance
The Gramm-Leach-Bliley Act (GLBA) is a piece of legislation that mainly
affects the financial industry.

Corporate Accounting
Following several high-profile corporate accounting scandals in the U.S., Congress
passed the Sarbanes-Oxley Act (SOX) in 2002 to overhaul financial and
corporate accounting standards. Specifically, it targeted the financial standards
and practices of publicly traded firms in the country.
Credit Card
Private industry also recognizes how important uniform and enforceable
standards are and, in 2006, a Security Standards Council composed of the top
organizations in the payment card industry designed a private sector initiative to
improve the confidentiality of network communications.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of
contractual rules that seek to protect payment cardholder payment data during a
transaction and reduce fraud. In theory, the PCI DSS is a voluntary standard.
However, in practice, any organization that stores, processes or transmits
cardholder data that fails to comply with the PCI DSS standard may face
significantly higher transaction fees, fines up to $500,000 and, in extreme
circumstances, lose the ability to process payment cards.
Cryptography
Organizations that import or export commercial encryption products are
subject to regulations that are overseen by the Bureau of Industry and Security in
the Department of Commerce.
Export restrictions to rogue states and terrorist organizations may be in place due
to national security concerns.
Also, some countries may decide to restrict the import of cryptography
technologies due to concerns that:
• The technology contains a backdoor or security vulnerability.
• Citizens can use this technology to communicate anonymously and elude
monitoring by the authorities.
• Privacy levels could increase above an acceptable level.
Security Breach Notification
Law
There are several laws in the U.S. that require organizations to notify individuals
if a breach of their personal data occurs.

Electronic Communications Privacy Act

(ECPA) 1986
The ECPA aims to ensure workplace privacy and protects a range of electronic
communications such as email and telephone conversations from unauthorized
interception, access, use and disclosure.
Computer Fraud and Abuse Act (CFAA) 1986
Enacted in 1986 as an amendment to the Comprehensive Crime Control Act of
1984, CFAA prohibits unauthorized access to computer systems. Knowingly
accessing a government computer without permission or accessing any computer
used in or affecting interstate or foreign commerce is a criminal offense. The Act
also criminalizes the trafficking of passwords or similar access information, as well
as knowingly transmitting a program, code or a command that results in damage.

Privacy Act of 1974

This act establishes a code of fair information practices that governs the
collection, maintenance, use and dissemination of personally identifiable
information about individuals that is maintained in systems of records by federal
agencies.
Protecting Privacy
Freedom of Information Act (FOIA)
FOIA enables public access to U.S. government records.
It carries a presumption of disclosure, which means that the burden is on the government to provide
a good reason as to why any information cannot be released.
There are nine disclosure exemptions pertaining to FOIA:
1.National security and foreign policy information.
2.Internal personnel rules and practices of an agency.
3.Information specifically exempted by statute.
4.Confidential business information.
5.Inter- or intra-agency communication subject to deliberative process, litigation and other privileges.
6.Information that, if disclosed, would constitute a clearly unwarranted invasion of personal privacy.
7.Law enforcement records that implicate one of a set of enumerated concerns.
8.Agency information from financial institutions.
9.Geological and geophysical information concerning wells.
Family Education Records and Privacy Act (FERPA)
This federal law governs the access to education records.
It operates on an opt-in basis. This means that parents must approve the disclosure of a student’s
educational information to public entities prior to the actual disclosure. When a student turns 18 years
old, or enters a postsecondary institution at any age, their rights under FERPA transfer from the parents
to the student.

US Children’s Online Privacy Protection Action

(COPPA)
This federal law was created to protect the privacy of children under 13 years of age by
imposing certain requirements on website operators and online services under U.S.
jurisdiction.
For example, parental consent needs to be obtained before an organization can collect and
use information from children under the age of 13.
US Children’s Internet Protection Action
The U.S. Congress passed CIPA in 2000 to protect children under the age of 17
from exposure to offensive Internet content and obscene material.

Video Privacy Protection Act (VPPA)

This act was originally enacted to prevent the sharing of videotape, DVD and
video game rental information to another party.
This was amended in 2013 to allow organizations such as Netflix to collect
customer consent that allows them to store their rental histories and/or make
them public for up to two years. This amendment means that these organizations
can provide recommendations to or on behalf of their users.
Health Insurance Portability and Accountability Act
(HIPPA)
This act required the creation of national standards to impose safeguards for the physical
storage, maintenance, transmission and access to individuals’ health information.
Any organization that uses electronic signatures must meet these standards ensuring
information integrity, signer authentication and nonrepudiation (meaning the validity of the
signature cannot be denied).

California Senate Bill 1386 (SB 1386)

California was the first U.S. state to pass a law requiring the disclosure of any personal data
security breach. Since then, many other states have followed suit.
This bill requires that all affected individuals should be given notice and be advised of their
rights and responsibilities in the event of their personal information being lost or disclosed.
Privacy Policies
A direct outcome of the range of legal statutes relating to privacy and data collection has
been the generation of privacy policies that help to ensure organizational compliance with
the law.

Privacy Impact Assessment (PIA)

A PIA is a process that helps ensure that personally identifiable information (PII) is properly
handled throughout an organization. They generally involve a simple process:
1. Establish PIA scope.
2. Identify key stakeholders.
3. Document how the organization handles PII.
4. Review legal and regulatory requirements.
5. Document any potential issues when comparing requirements and current practices.
6. Review findings with key stakeholders.
International Laws
International efforts to target cybercrime are growing. Ratified by 65 states, the
Convention on Cybercrime is the first international treaty that seeks to address
Internet and digital crimes, dealing particularly with copyright infringement,
computer-related fraud, child pornography and violations of network security.
Meanwhile, the Electronic Privacy Information Center (EPIC) is a nonprofit
research center in Washington, which aims to promote privacy and open
government laws and policies. With strong ties to organizations around the world,
EPIC has a global focus on digital privacy.
IT Security Management
Framework
Twelve Domains of Cybersecurity
ISO/IEC 27000 is a series of information security standards or best practices to
help organizations improve their information security. Published by the
International Organization for Standardization (ISO) and the International
Electrotechnical Commission (ICO), the ISO 27000 standards set out
comprehensive information security management system (ISMS) requirements.
An ISMS consists of all of the administrative, technical and operational controls
that address information security within an organization.
The ISO 27000 standard is represented by twelve independent domains. These
twelve domains provide the basis for developing security standards and effective
security management practices within organizations, as well as helping to
facilitate communication between organizations.
Risk Assessment
First step in risk management process, which determines the quantitative and
qualitative value of risk related to a specific situation or threat.

Security Policy
This document addresses the constraints and behaviors of individuals within an
organization and often specifies how data can be accessed, and what data is
accessible by whom.

Organization of Information Security

This is the governance model set out by an organization for information security.

Asset Management
This is an inventory of and classification scheme for information assets within an
organization.
Human Resources Security
This refers to the security procedures in place that relate to employees joining, moving
within and leaving an organization.

Physical and Environmental Security

This refers to the physical protection of an organization’s facilities and information.

Communication and Operations Management

This refers to the management of technical security controls of an organization’s systems
and networks.

Information System Acquisition, Development and

Maintenance
This refers to security as an integral part of an organization’s information systems.
Access Control
This describes how an organization restricts access rights to networks, systems,
applications functions and data in order to prevent unauthorized user access.

Information Security Incident Management

This describes an organization’s approach to the anticipation of and response to
information security breaches.

Business Continuity Management

This describes the ability of an organization to protect, maintain and recover
business-critical activities following a disruption to information systems.

Compliance
This describes the process of ensuring conformance with information security
policies, standards and regulations.
Control Objectives
These twelve domains are made up of control objectives (ISO 27001) and controls (ISO
27002).

Control Objectives
Control objectives define the high-level requirements for implementing a comprehensive
information security management system within an organization, and usually provide a
checklist to use during an ISMS audit.
Passing this audit indicates that an organization is ISO 27001 compliant and provides
partners with confidence in the security of the organization’s data and operations.

Controls
Controls set out how to accomplish an organization’s control objectives. They establish
guidelines for implementing, maintaining and improving the management of information
security in an organization.
For example...
An organization’s control objective is to control access to networks by using the
appropriate authentication mechanisms for users and equipment.
A relevant control, therefore, is to use strong passwords consisting of at least
eight characters and a combination of upper and lowercase letters, numbers and
symbols.
Remember, controls are like guidelines. They are not mandatory and there is
often more than one way to comply with a control objective. But controls should
always be neutral and not endorse a specific product or organization.
ISO 27001 & CIA Triad
ISO 27000 is a universal framework that is applicable to every type of
organization. In order to use it effectively, an organization must identify which
domains, control objectives and controls apply to its environment and operations.
Most organizations do this by producing a statement of applicability (SOA) which
allows it to tailor the available control objectives and controls to best meet its
priorities around confidentiality, integrity and availability.
Different organizations will prioritize confidentiality, integrity and availability
differently.
For example, data Confidentiality and Availability are the highest priorities
at Google, while Integrity is a lower priority (Google does not verify user
data). While Amazon places priority on Availability
The National Cybersecurity
Standard Framework
The National Institute of Standards and Technologies (NIST) created the National
Cybersecurity Workforce Framework to support organizations seeking
cybersecurity professionals. The framework organizes cybersecurity work into
seven categories, outlining the main job roles, responsibilities and skills needed
for each one.
Operate and Maintain
Provides the support, administration and maintenance required to ensure
effective and efficient IT system performance and security.
Protect and Defend
Identifies, analyzes and mitigates threats to internal systems and networks.
Investigate
Investigates cybersecurity events and/or cyber attacks involving IT resources.
Collect and Operate
Provides specialized denial and deception operations and collection of
cybersecurity information.
Analyze
Performs highly specialized review and evaluation of incoming cybersecurity
information to determine its usefulness for intelligence.
Oversea and Govern
Provides leadership, management, direction or development and advocacy so an
organization may effectively conduct cybersecurity work.
Securely Provision
Conceptualizes, designs, procures or builds secure IT systems.
CIS Control Structure
The Center for Internet Security (CIS) developed a set of critical security
controls to help organizations with different levels of resources and expertise at
their disposal to improve their cyber defenses.

Basic Control
Organizations with limited resources and cybersecurity expertise available should
implement:
• Inventory and control of hardware assets.
• Inventory and control of software assets.
• Continuous vulnerability management.
• Controlled use of administrative privileges.
• Secure configurations for hardware and software.
• Maintenance, monitoring and analysis of audit logs.
Foundational Control
Organizations with moderate resources and cybersecurity expertise available
should implement the basic controls as well as:
• Email and web browser protections.
• Malware defense.
• Limitation and control of network ports, protocols and services.
• Data recovery capabilities.
• Secure configurations for network devices.
• Boundary defense.
• Data protections.
• Controlled access based on the ‘need to know’ principle.
• Wireless access control.
• Account monitoring and control.
Organizational Control
Organizations with significant resources and cybersecurity expertise available
should implement the basic and foundational controls, as well as:
• A security awareness and training program.
• Application software security.
• Incident response and management.
• Penetration tests and red team exercises (simulated attack exercises to gauge
an organization’s security capabilities).
Compliance
Service providers may need to provide assurances to their client organizations
that the security controls they implement are properly designed and operate
effectively.
Statement on Standards on Attestation
Engagements (SSAE)
This is an independent audit of an organization’s reporting controls as they relate
to the security, availability, processing integrity, confidentiality and privacy of a
system. An attestation report will confirm that controls are in place at a specific
point in time (Type I) or managed over a period of at least six months (Type II).
These reports provide assurance to a client organization that there are controls in
place and operating to protect sensitive data.
Cybersecurity Maturity Model Certification
(CMMS)
This certification is aimed at any organizations providing a service to the U.S.
Department of Defense (DoD) and verifies that these organizations have
adequate cybersecurity practices and processes in place to ensure ‘basic’ cyber
hygiene at a minimum.
The CMMC establishes five certification levels that range from ‘basic cyber
hygiene practices’ to ‘enhanced practices that provide more sophisticated
capabilities to detect and respond to APTs.’ It is likely that service providers will
have to achieve the appropriate CMMC requirement in order to be considered for
a DoD contract award.
Thank You