What would be your approach to introduce potential information systems security (ISS) risks to management? Also, how could you enforce the security control

CYB 4304, Cybersecurity Law and Policy 1

Course Learning Outcomes for Unit I Upon completion of this unit, students should be able to:

2. Assess an acceptable use policy implementation plan for an organization. 2.1 Define an acceptable use policy. 2.2 Plan an acceptable use policy for an organization.

Required Unit Resources Chapter 1: Information Systems Security Policy Management Chapter 2: Business Drivers for Information Security Policies Chapter 3: Compliance Laws and Information Security Policy Requirements Unit Lesson

Information Security Systems, Defined We all know that information security is essential, both in our personal lives and in a business context. But how do we define the concept of information systems security (ISS), and what essential functions should an ISS policy address? These considerations form a cornerstone element of our initial unit on information security systems and policy management. Many organizations consider ISS as the practice for protecting the network, information, resources, and assets. When a business undertakes such an effort, it must consider that not all employees will know how to best protect the information they encounter as part of their duties. Therefore, policies and procedures should be created to assist employees in properly handling information and ultimately lead to better and more consistent ISS outcomes.

Information Systems Security Frameworks Typically, ISS-focused policies utilize a lifecycle process to reduce errors and ensure all requirements are considered. The lifecycle process breaks up tasks into more minor, manageable phases. For instance, the control objectives for information and related technology (COBIT) is a widely accepted best practice framework that provides a structure for managing and governing information technology (IT) practices that allow businesses to align themselves to outcomes that they and their customers expect. Johnson and Easttom (2022) state that frameworks like COBIT contain four domains that collectively represent a conceptual information systems security management lifecycle on which policies are built.

1. Align, plan, and organize: This domain contains the basic details of an organization’s necessities and goals.

2. Build, acquire, and implement: This domain deals with schedules and deliverables. 3. Deliver, service, and support: This domain adjusts the environment to lessen risks. 4. Monitor, evaluate, and assess: This domain consists of the testing and monitoring of controls and

analyzing the results.

UNIT I STUDY GUIDE Security Governance and Policy Management

CYB 4304, Cybersecurity Law and Policy 2

UNIT x STUDY GUIDE Title

Each phase builds on the next, and a failure in one phase can lead to vulnerability in the next—commonly referred to as the “single point of failure.”

This simplified ISS management lifecycle uses COBIT 5.0. (Johnson & Easttom, 2022, p. 6)

Information Assurance Information assurance (IA) is a form of ISS that ensures information is protected while being utilized or transferred. IA contains several security tenets that are known as the five pillars of the IA model. Johnson and Easttom (2022) discuss in Chapter 1 that the pillars below are important to guarantee the integrity of data while it is routed or stored.

• Confidentiality: Only authorized personnel should be able to access confidential information, and employees should only be granted access to the specific information needed to perform their job— commonly referred to as the need-to-know principle.

• Integrity: This principle is concerned with confirming whether any data changes have been approved by the owner of that data.

• Availability: This principle is concerned with guaranteeing users will be able to access information. • A significant challenge for availability is the denial of service (DoS) attack, which overwhelms and

crashes a system. • Authentication: This principle is concerned with verifying a user’s identity, which requires good

housekeeping practices such as periodic password changes. • Nonrepudiation: This principle refers to the ability to confirm that someone can’t dispute or deny that

he or she digitally signed a contract or was party to a transaction. This showing would require the transaction was unique to a certain person.

Governance

Governance is both a concept and a specific set of actions an organization takes to ensure compliance with its policies, processes, standards, and guidelines (Johnson & Easttom, 2022). The idea is to have a structure in place so everyone in the organization follows the same rules.

Information Security Policies Security policies generally consist of a variety of items that lay out rules that apply across the business. Collectively, they set up mandatory controls and processes. These policies address threats to all of the various physical assets, data, and employees of the business. The documents in this framework usually consist of principles, policies, standards, procedures, guidelines, and definitions.

CYB 4304, Cybersecurity Law and Policy 3

UNIT x STUDY GUIDE Title

It is essential to distinguish policies from the standards themselves, which are laws or industry norms that evolve into agreed on practices. Likewise, policies and procedures are distinguishable. While policies impose some type of control on a process, procedures help to achieve those goals by laying out individual, necessary steps to get there. ISS policies ensure the organization is consistent and is protected through the process. Foundational reasons for using and enforcing security policies include the following.

• Ensure that insider users with authorized access cannot attack the systems. Information should not be vulnerable, either when it is in transit, or when it is at rest. Information at rest is on backup tape, whereas information in transit is flowing through the system.

• Confirm that there is a great deal of oversite as to who can make any changes to IT infrastructure because during these times, the system is vulnerable.

• Verify that the business can reliably deliver. It can be expensive to develop responsible and effective policies, but it can be just as costly to discover you did not have the proper policy in place. Examples include lack of regulatory compliance and customer dissatisfaction. Further, not having the proper policies will make any data open to attack. However, it should be noted that there are barriers to policy acceptance and enforcement, such as employees taking shortcuts and lack of organizational support, policy awareness, and understanding. Further, policy language may be vague or even unenforceable if it is not well-crafted.

Maintaining Compliance Effective policies need to be clear as to how compliance will be achieved. Unclear policies can lead to confusion and incorrect choices. If the policies are clear and are followed correctly, they should work and result in some compliance metric that can be measured and shows effectiveness of the policy. Accurate measurements give an organization the ability to understand its risks, which forms the basis of finding solutions to any identified problems.

Security Controls Security controls provide the ability to enforce a security policy. Controls ensure confidentiality, integrity, and availability of information, protect physical resources, and provide the means to measure security compliance (Johnson & Easttom, 2022). In a way, security policies and controls are intertwined. Without security controls, you would not have a viable information security policy, but there would be no security controls without the security policy.

U.S. Compliance Laws The ubiquity of the internet has fueled economic growth and opportunity and the potential to invade personal privacy and cybercrime. Therefore, governments must intervene with laws and regulations intended to control better the information upon which the digital economy relies. Johnson and Easttom (2022) displayed the most important laws related to consumer rights and personal privacy, summarized below.

• Federal Information Security Management Act (FISMA): These regulations only apply to government agencies. It requires certain types of information security standards to be utilized. Security control requirements include consideration of inventory, risk level, controls, risk assessment, system security plan, certification and accreditation, and continuous monitoring.

• Health Insurance Portability and Accountability Act (HIPAA): This is enforced by the Privacy Rule of the Department of Health and Human Services that governs the documentation and dissemination of all patients’ protected health information (PHI) by medical providers, insurance companies, and third parties such as billing companies and clearinghouses.

• Gramm-Leach-Bliley Act (GLBA): This is also known as the Financial Services Modernization Act of 1999. It was enacted to control the ways that financial institutions deal with the private information of individuals. To be compliant, security policies must include critical components such as information governance, information security risk assessment, information security strategy, controls implementation, monitoring, and updating.

CYB 4304, Cybersecurity Law and Policy 4

UNIT x STUDY GUIDE Title

• Sarbanes-Oxley (SOX) Act: The SOX Act protects shareholders and ordinary citizens from accounting errors and fraud. SOX defines which records are stored and for how long.

• Family Educational Rights and Privacy Act (FERPA): Federal law requires that education records be protected and that students be able to access their records.

• Children's Internet Protection Act (CIPA): Libraries cannot allow explicit sexual material like pornography on their computers. This material must be blocked.

In each of the regulations mentioned above, the laws help protect or control information. This can only be done through adequate security controls and policies. Therefore, security controls need to be developed and implemented to enforce the control. Knowing which regulatory concept is applicable to one’s field is also essential to protecting information systems. Each regulatory law is explicitly created for different areas. For example, HIPAA is developed for health care facilities only; however, FERPA is created for academic colleges and universities. HIPAA will not work in an academic environment, nor will FERPA work within a health care facility. All security professionals need to know which regulatory law to embed in the correct organization to protect the organization’s information assets successfully. There are also international laws of which ISS professionals should be aware. Johnson and Easttom (2022) provide the following regulations to review.

• General Data Protection Regulation (GDPR) • European Telecommunications Standards Institute (ETSI) • Asia-Pacific Economic Framework (APEC)

Reference Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett

Learning. https://online.vitalsource.com/#/books/9781284200034