Kindle Notes & Highlights
as information security professionals, our mission is to Protect to Enable. This mission aligns our security goals with those of the business. It helps maintain the perception of shared values. Research suggests that people with whom we share values are deemed more trustworthy (Breakwell 2007, 143). If employees trust us, they are more likely to believe our warnings and act on our recommendations.
how we could provide limited access to the environment from “untrusted” devices,
Controls that are initially very effective can become inadequate over time.
enterprise IT, a typical “set and forget” error is the failure to keep controls up-to-date, particularly if the controls are designed to mitigate a relatively low risk.
The danger of misperception is particularly acute when decision makers rely on a narrow range of sources who all share similar viewpoints. Without obtaining a diversity of viewpoints, managers don’t get a full picture of the risk.
When a group is composed solely of people with similar backgrounds and viewpoints, it may be particularly prone to group polarization (Breakwell 2007, 99) and the group’s decision may be more extreme than the mean of their individual views.
even broader concern is how a focus on business goals can drive people to make unethical decisions. When these decisions are made by managers at the organizational level rather than at the individual level, the impact is compounded by the potential for widespread disaster.
We can start by ensuring we include a diversity of viewpoints when making risk management decisions. Whenever possible, we should involve a broad cross-section of individuals representing groups across the organization. This diversity helps compensate for individual biases.
we can establish credibility by demonstrating consistency, striving for objectivity, and showing that we can accurately predict the real security issues
If we are together nothing is impossible. If we are divided all will fail. —Winston Churchill
“A framework for decision rights and accountability to encourage desirable behavior in the use of IT. Governance identifies who will make key IT decisions and how they will be held accountable.”
Information risk governance is the component of IT governance that enables the organization to effectively sense, interpret, and act on risk.
Information risk governance focuses on enabling the business while protecting the confidentiality, integrity, and availability of information—whether it is corporate data or pe...
the organization can make tactical and strategic risk management decisions based on business priorities...
To some people, the word governance may imply unnecessary bureaucracy, or perhaps even a dictatorial approach.
When implemented well, a concise decision-making process can be a powerful mechanism for helping to achieve business objectives.
Effective governance helps drive alignment and solid decision-making; it enables the organization to move more quickly while managing risk.
As MIT CISR notes, “good governance is enabling and reduces bureaucracy and dysfunctional politics by formalizing organizational learning and thus avoiding the trap of ...
Research at MIT CISR shows that the more businesses leverage the structure, tools, and techniques of governance, th...
leveraging governance doesn’t imply slavishly following rules and procedures.
continually make adjustments using their senses and experience to achieve the best results.
IT policies provide a valuable framework. However, their value lies in what we can achieve by following the guidelines. Sometimes we need to make adjustments based on sensing changes in business needs.
This is one reason that partnerships are so critical. They provide channels for dialogue, helping us sense changing business priorities so that we mitigate risk based on those priorities rather than our preconceptions.
Without a governance structure that facilitates this dialogue, organizations may take too rigid an approach when applying controls to manage and mitigate risks.
There’s no single IT governance model, but in the influential book IT Governance, researchers at the Massachusetts Institute of Technology Center for Information Systems Research described several archetypal models based on deliberately provocative political archetypes.
Our goal is to implement a comprehensive and balanced approach to risk management. To achieve this goal, our approach includes a large number of risk management activities grouped into five broad focus areas, as shown in Figure 3-1: oversight, monitoring, engagements, operations, and strategic activities.
Figure 3-1. How we manage the risks: Intel’s internal information risk management focus areas. Source: Intel Corporation, 2012

Oversight. This area focuses on making informed risk decisions and reviewing risks. It includes committees and review boards that set strategic direction, and review key risk areas such as ethics, compliance, and corporate investigations.

Monitoring. We monitor (sense) risk through external and internal sources. External sources include industry research and analysis. Internal sources include internal partners who inform us of new business risks or legal requirements. These
By providing vehicles for dialogue and decision-making, internal partnerships enable information security teams to become more agile and responsive to business needs.
Today, Intel’s information security team partners with many internal groups for a variety of functions, including risk management decisions, incident response, and monitoring. These groups include legal, finance, human resources, and business groups. Partnerships may include formal structures such as standing committees and risk review boards, as described in the information risk governance section of this chapter. We also maintain a large number of informal and ad hoc relationships. These are created and maintained through everyday communication with people in other groups. We might initially
We also gain business acumen, which helps us play a more valuable role within the organization.
At Intel, partnerships have been critical to our success in understanding the broader risk picture, helping us sense, interpret, and act on risk. Through these relationships, other groups can act as additional eyes and ears for the information security group, helping us sense new risks, such as security threats and compliance concerns.
As privacy regulations continue to grow in complexity and reach, many organizations need to comply with multiple requirements at local, regional, and national levels. Legal specialists across the organization can help us understand what’s required in each geography, align policies and controls for protecting personal information, and decide how to manage responses in the event of a breach.
Guidance from the US Securities and Exchange Commission specifically discusses the obligation to disclose the impact of cyber attacks, including those that result in IP thefts. Companies are also required to disclose material increases in security spending in response to an attack, even if the attack didn’t result in a loss of IP (SEC 2011).
The human resources group is the organization’s center of expertise on employee procedures.
HR is also responsible for other functions, including internal and external communications. Because of this broad charter, the security team may form valuable partnerships with HR in several areas, including employee policies related to appropriate use and protection of information assets, internal communications, and investigations.
critical to create employee policies that set expectations for secure behavior.
Careless behavior can have highly damaging consequences.
work extensively with the employee communications group to create engaging security awareness messages, including interactive content that helps encourage secure practices when using social media and the Web.
Privacy breaches or other compromises can have a major impact on a company’s revenue, cost, and brand image.
insurance against cyber risks is a rapidly growing category, and we can expect a growing need to partner with the corporate risk management team to ensure adequate coverage of information risks.
Privacy and security are closely linked. However, increasing security doesn’t always enhance privacy.
Unfettered monitoring of information and activities can increase security but intrude on personal privacy.
This creates inherent tension between security and privacy interests. This tension is apparent at a national level in the way that privacy advocates respond ...
We need to carefully manage the relationship between security and privacy, ensuring that we apply the appropriate level of controls to protect information without infringing on personal privacy.
This arrangement necessitates careful management of the relationship between security and privacy teams to manage tension, align policies, and control breaches.
Laws define privacy rights; the organization’s interpretation of those laws drives compliance requirements.
Direct relationships with business group managers, and with any risk management specialists within their groups, are invaluable for strategic and tactical reasons.
Business group managers can help drive decision-making and incident response. They can also help improve security by setting the “tone at the top”—publicly setting expectations for their employees’ security behavior.
Information risk has become a major concern for the entire organization.
as information security professionals, we are in the behavior modification business. Our goals include creating a more security-conscious workforce so that users are more aware of threats and vulnerabilities and make better security decisions.