In Boyle and Panko, Chapter 2 Planning and Policy, it was discussed whether the security department in a company’s organization chart should fall under the IT department or outside IT. Do you think security should be part of IT and report to the CIO, or be separate from IT and report to another senior executive?
This is such a tough question. I will speak to this from the perspective of what is seen as best practice in the banking industry as well as my personal opinion. I believe that if there is a formal risk management program, such as Enterprise Risk Management, and a Chief Risk Officer, then security should report to that function. However, that is not always ideal. In some cases, the Chief Risk Officer may not have the expertise or background to supervise the security function. It may be more efficient and effective to have security and IT aligned given the need for technical knowledge and alignment in pursuits of technology. In such cases, I have seen it work relatively well where the security function is part of the IT organization chart reporting to the CIO, but they also provide reporting directly to a risk function. I think the key factor in having security report to the CIO is whether or not the CIO is able to have sole influence over the budget and the reporting of security. I think that should be avoided whenever possible.
Hi Nicholas,
I think the key consideration here is independence, which is mentioned in the book. While it might make sense functionally for the security function to report to the CIO, the security function would not be truly independent. This could lead to fear of repercussions or retribution for reporting issues and deficiencies, as it can put someone in an awkward position to communicate a finding in their area to their boss.
In my personal experience, security reports directly to the CIO at my organization. I did not consider this to be an issue until it was discussed during my IT Governance class last year. So far it seems to be working effectively. While the CISO reports directly to the CIO, she also regularly reports to the Board and our National IT function. Although, to Megan’s point below, I think it would be better if she dotted-line reported to a separate entity, whether it is Audit, Enterprise Risk Management, or a similar function.
I was surprised to find, from reading Chapter 2 in ‘Corporate Computer Security’, that the most common IT security outsourcing is done for e-mail. What are the pros and cons of IT security outsourcing for email?
Quynh, I think email and many other cloud solutions provide an organization a cost-effective option compared to in-house hosted services. Cloud providers’ high availability, high throughput, ease of scaling up and down, and the hardware and software they provide to protect customers’ data and services against threats such as DDoS attacks are all very attractive benefits.
I believe outsourcing email has many benefits for an organization, as mentioned in the reply above. As far as the cons in the aspect of IT security, the emails are stored on servers that are not owned by the organization, which is a concern if the emails contain sensitive information, such as medical information covered by HIPAA laws. Also, regarding data retention or destruction, if the organization decides to stop using the outsourced company, it may be extremely difficult to remove all of the company’s emails from their systems if data from other clients they do business with resides on the same drives.
Hi Quynh, I believe the most important pro of outsourcing email security is controlling cost. It can decrease the cost and space of the servers. At the same time, it can increase the security of the email. Organization IT personnel can move on to other development projects. One of the cons would be that the organization has to be mindful of the company’s sensitive information held at the outsourcing party.
In Chapter 2 – Planning and Policy, we have learned that a Managed Security Service Provider (MSSP) is an alternative available for outsourcing, authorizing one or more controls to external firms, to provide security services to companies. Why are MSSPs likely to do a better job than IT security department employees?
MSSPs are likely to do a better job than IT security department employees since many entities, particularly small to medium-size organizations, lack the technical skills and expertise to protect against cyber-attacks. In addition, some organizations’ IT security departments are already stretched thin, focusing on several other projects, so monitoring and filtering through a sea of suspicious incidents with little to none requiring remedial action might not sit high on their list of priorities.
Hi Wei, I believe an MSSP is likely to do a better job than IT security department employees because an MSSP can meet its network security management requirements. At the same time, it can also fulfill the cost-efficiency needs of the organization. Cyber risks, threats, and violations continue to evolve. MSSP industry expertise can focus on cyber risk and respond quickly when things do happen.
The pros of using an MSSP are that that’s all they do. They can focus on security and have more experience in the field. They, ideally, have a robust training program and employees with great expertise. If an organization is small or not technically focused, they might find it hard to identify, recruit, and train security talent, so they turn to an MSSP. However, some organizations are large or have enough resources that their IT security departments are better than MSSPs. In that case, the internal IT security employees have more intimate knowledge of the organization and are not worrying about other companies.
How should a small firm with budgetary constraints and a lack of technical expertise initiate and carry out the security planning process? Is it even possible?
Hi Lakshmi – this is a great question. I believe that for a small firm with budgetary constraints, performing a security planning process is all the more critical. Security planning is a great way to ensure the controls that are put in place are risk-based and cost-effective. If the small firm can identify what their greatest risks are, they can use their limited budget to focus on mitigating those risks. The good news is that there are so many free resources like NIST or the CIS controls that the firm could use as a starting point. My suggestion on the lack of technical expertise would be to use a framework like NIST or CIS, identify what areas they may specifically lack expertise in, and either work on training or identify a strategic partnership with a third party that can provide cost-effective services. I know at least in my industry (financial services) there are several firms that specialize in security services/consulting for smaller companies and are able to provide support relatively cheaply.
I believe it is possible for small firms with budgetary constraints and a lack of technical expertise to initiate and carry out the security planning process because there are plenty of free or low-cost resources for them to reference. Companies can refer to any one of the NIST publications for guidance or use videos on YouTube as well as tools like LinkedIn Learning. Oftentimes, security planning frameworks can be found online, and the company can tweak and personalize certain sections to their needs.
Chapter 8 of the Information Security Handbook: A Guide for Managers mentions that, at a minimum, the basic plan/major sections covered in the document must be completed, but that organizations also have discretion to add additional information and/or add sections. What other information do you think is important to add or would be relevant to include in a System Security Plan in addition to the minimum requirements?
With the security landscape today, the switch to a remote workforce has accelerated the adoption of cloud solutions, and organizations big and small are facing an increased number of attacks; new attack surfaces have emerged as a result. Existing business disaster recovery (BDR) plans are no longer sufficient. What would be some reasonable additions to a BDR plan, and how often should the plan be tested? Cloud vendors such as AWS and Azure always have high availability; outages in the past have rarely had a root cause within the cloud providers themselves. Is it worth it for organizations to invest in resources to address such rare events?
Hi Xiduo, I’ve wondered the same thing as you. While most companies did a good job of switching to remote work quickly, it makes me wonder if some corners were cut, which will cause long-term effects that may not be realized until much later. I would want to test this plan at least twice a year, or even quarterly. Remote work adds so many additional new challenges, and new vulnerabilities are being discovered all the time. To answer your second question, I think it is worth it for organizations to invest in those technologies. While it will be expensive, it can provide peace of mind in the event that something does happen. One of the main issues with cloud providers is that you are relying on their technology at all times, so this allows the organization to have a fallback option if something out of their control happens.
Hi Xiduo,
I think most organizations had to learn lessons as they went along in terms of remote working. In my organization many controls and processes were revised to accommodate remote conditions including moving certain applications to cloud solutions. Audit was actively engaged during these discussions and we also performed testing to verify the effectiveness of the controls and the control environment.
I have noticed that in many disaster recovery plans, remote working is usually mentioned as a contingency arrangement, which was certainly tested during the pandemic. I think there should be more focus on resources and on what plans are made if certain thresholds in reduction of resources are reached, i.e., plan for 50%, 75% and 100% reduction in staffing. In addition, if a location is not accessible or it is not safe to work in a physical space, cloud services can be useful as they offer virtual space and do not require a physical server or location in order for an organization to continue operations. This provides an organization an alternative means to keep critical operations running in times of crisis. In this instance, I think the benefits of continuing operations outweigh the cost.
I think disaster recovery plans should be reviewed minimally on an annual basis, but testing of the contingency plan should occur several times a year, if feasible.
Which of the minimum security requirements is more important than the others, and why?
(FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, page 2-4)
Hi To-Yin, I think all these 17 security-related areas are equally important. These areas represent a balanced information security program that addresses the management, operational, and technical aspects of protecting information systems. Policies and procedures also play an important role in the effective implementation of information security programs within organizations. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard.
All security-related areas are important and are needed for operational purposes in protecting information systems. I believe “Awareness and Training” may be the most important because being made aware of security risks is of high priority for information security programs. That is why laws, orders, policies, procedures, and adequate training for organizational personnel were implemented to be carried out in order to protect the confidentiality, availability, and availability of information systems and information processes.
The readings for this week included highly specific, detailed methodologies for categorizing and handling information systems and security issues. Are there any benefits to incorporating flexibility and vagueness in planning and policy, or is it always better to be as specific as possible?
I think being as specific as possible in planning and policy is better. When vagueness is incorporated, it opens the door for employees to have to make judgement calls or waste valuable time in the event of an emergency to get feedback from supervisors. Humans tend to be the weakest link in security, which can lead to mistakes, so giving specific instructions that have been thought out and previously agreed upon in the planning and policy phase would be more beneficial in my opinion.
I think it depends on the situation on an individual basis, as there are some instances which require specificity and some which require a certain amount of flexibility. When writing policy documents, there should be a consideration of achievability, i.e., can the policy be enforced or executed as written?
For example, when an employee leaves an organization, their access should be terminated. If the policy states “Employee access is terminated after their last day”, this leaves too much room for interpretation and does not define a timeline for removing access, which could lead to inappropriate access to data. If the policy states “Employee access is terminated within 24 hours of separation”, that is a specific measure that is achievable, as long as the correct process is put in place to ensure the access will be removed in a timely manner.
An example where specificity is not needed could be the review and sign-off of monitoring reports. A policy can state “The XYZ report must be reviewed and signed by the next business day”. Depending on the criticality of the report and the individual’s job responsibilities, this might not be feasible to achieve. A different way to write this policy is “The XYZ report is reviewed and approved on a periodic basis”. As long as everyone understands what “periodic” means, it is ok to exercise a little bit of flexibility when developing the policy. In addition, this ensures a proper review can be performed and not rushed.
What is the trade-off an organization accepts as it increases the level of implementation guidance it enforces on functional business units? In what situations would increased guidance harm the organization rather than benefit it?
The guidance outlined in FIPS 200 for minimum security controls is pretty straightforward and simple. What challenges might you see in selecting and implementing security controls for a new system using the approach outlined in our readings this week?
A challenge I can see in selecting and implementing security controls for a new system using the handbooks and guides in this week’s reading is that the new system is not yet fully understood. In order to use FIPS 200, the organization must assign a risk level most appropriate to each risk that the new system poses. However, if little is understood about the new system, the risk rating may not be accurate.
Outside of financial value (cost, data value, etc…), how are planning and policy scaled based on the size of the firm? What is the most useful tip to secure your company without spending too much money, regardless of firm size?
The most useful tip I can come up with is that when creating a plan, you must know your business thoroughly. This allows you to properly allocate your funds without over-covering other aspects of the business. This is the easiest way to save money when creating a plan.
My question would be regarding the assignment of low, moderate, or high. Is it common for there to be disagreement between the IT Auditor and the client regarding the ranking, since this seems to me to be more subjective than objective? If so, how should the IT Auditor reach a consensus on an agreeable assignment of risk?
Hi Elia, I think the most challenging thing for IT auditors is to follow the rules and do the estimation, and at the same time keep a good relationship with the client. IT auditors should attentively listen to the customer’s point of view and collect and understand the facts. After carefully reassessing the situation, reword the report, not only emphasizing the problem but also the real root cause. Although the customer is not satisfied with what happened, he is satisfied with the way the report presents the issue.
I think a good way to help IT Auditors find consensus on the assignment of low, moderate, or high when there is a disagreement is to see if the organization has created a data classification document. If that document is not available, then I would ask who in the company is responsible for data governance, e.g., the data steward, to help make that decision.
Why do security plans need to have templates? What value do they add to your organization? How will the security plans for a larger organization differ from a smaller one?
Security plans have templates so that it’s easier for companies to fill in the details and not miss any crucial ones. Templates are also a good starting point for orgs to use, because they can always add on more information they deem fit. They add value to the organization because using a template saves the time and costs of starting from scratch. Larger organizations will definitely have more resources to protect as well as more departments to outline. Smaller companies may be less in-depth.
I think templates are great to streamline the auditing process. Templates help to organize the data in a more concise document. For larger organizations, I think the template should be adjusted and tailored to the larger amount of data expected, or adjusted for a smaller organization with smaller amounts of data.
What happens if an organization starts the process but completely missed the security classification step and did not complete it? How successful will their plan be? How could you help them correct this?
What type of situation, whether small or large, would be a good reason why the Plan-Protect-Respond Cycle is needed?
Which of the problems with classic risk analysis calculations is the most significant?
With the security landscape today, the switch to a remote workforce has accelerated the adoption of cloud solutions, and organizations big and small are facing an increased number of attacks and new attack surfaces have emerged as a result of that. Existing business disaster recovery (BDR) plans are no longer sufficient. What would be some of the reasonable additions to a BDR plan, and how often should the plan be tested? Cloud vendors such as AWS and Azure always have high availability, outages in the past rarely have a root cause within the cloud providers themselves. Is it worth it for organizations to invest in resources to address such rare events?
Hi Xiduo, I’ve wondered the same thing as you. While most companies did a good job of switching to remote work quickly, it makes me wonder if some corners were cut, which will cause long term effects that may not be realized until much later. I would want to test this plan at least twice a year, or even quarterly. Remote work adds so many additional new challenges, and new vulnerabilities are being discovered all the time. To answer your second question, I think it is worth it for organizations to invest in those technologies. While it will be expensive, it can provide peace of mind in the event that something does happen. One of the main issues with cloud providers is that you are relying on their technology at all times, so this allows the organization to have a fallback option if something out of their control happens
Hi Xiduo,
I think most organizations had to learn lessons as they went along in terms of remote working. In my organization many controls and processes were revised to accommodate remote conditions including moving certain applications to cloud solutions. Audit was actively engaged during these discussions and we also performed testing to verify the effectiveness of the controls and the control environment.
I have noticed in many disaster recovery plans, remote working is usually mentioned as a contingency arrangement, which was certainly tested during the pandemic. I think there should be more focus on resources and what plans are made if there are certain thresholds in reduction of resources, i.e. plan for 50%, 75% and 100% reduction in staffing. In addition, if a location is not accessible or it is not safe to work in a physical space, cloud services can be useful as they offer virtual space and do not require a physical server or location in order for an organization to continue operations. This provides an organization an alternative means to keep critical operations running in times of crisis. In this instance, I think the benefits of continuing operations outweighs the cost.
I think disaster recovery plans should be reviewed minimally on an annual basis, but testing of the contingency plan should occur several times a year, if feasible.
Which of the minimum-security requirements is more important than the other and why?
(FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, page 2-4)
Hi To-Yin, I think all these 17 security-related areas are equally important. These areas represent a balanced information security program that addresses the management, operational, and technical aspects of protecting information systems. Policies and procedures also play an important role in the effective implementation of information security programs within organizations. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard.
All security-related areas are important and are needed for operational purposes in protecting information systems. I believe “Awareness and Training” may be the most important because being made aware of security risks is of high priority for information security programs. That is why laws, orders, policies, procedures, and adequate
training for organizational personnel were implemented to be carried out in order to protect the confidentiality, availability, and availability of information systems and information processes.
The readings for this week included highly specific, detailed methodologies for categorizing and handling information systems and security issues. Are there any benefits to incorporating flexibility and vagueness in planning and policy, or is it always better to be as specific as possible?
I think being as specific as possible in planning and policy is better. When vagueness is incorporated it opens the door for employees to have to make judgement calls or waste valuable time in the event of an emergency to get feedback from supervisors. Humans tend to be the weakest-link in security which can lead to mistakes, so giving specific instructions that have been thought out and previously agreed upon in the planning and policy phase would be more beneficial in my opinion.
Hi Taylor,
I think it depends on the situation on an individual basis, as there are some instances which require specificity and some instances require a certain amount of flexibility. When writing policy documents, there should be a consideration of achievability, i.e. can the policy be enforced or executed as written.
For example, when an employee leave an organization, their access should be terminated. If the policy states “Employee access is terminated after their last day”, this leaves too much interpretation and is not a defined timeline for removing access, which could lead to inappropriate access to data. If the policy states “Employee access is terminated within 24 hours of separation”, that is a specific measure that is achievable, as long as the correct process is put into place and ensures the access will be removed timely.
An example where specificity is not needed could be for review and sign off of monitoring reports. A policy can state “The XYZ report must be reviewed and signed by the next business day”. Depending on the criticality of the report and the individuals job responsibilities, this might not be feasible to achieve. A different way to write this policy is “The XYZ report is reviewed and approved on a periodic basis” As long as everyone understand what “periodic” means, it is ok to exercise a little bit of flexibility when developing the policy. In addition, this ensure a proper review can be performed and not rushed.
What is the trade-off an organization accepts as it increases the level of implementation guidance it enforces on functional business units? In what situations would increased guidance harm the organization rather than benefit it?
The guidance outlined in FIPS 200 for minimum security controls is pretty straight-forward and simple. What challenges might you see in selecting and implementing security controls for a new system using the approach outlined in our readings this week?
A challenge I can see in selecting and implementing security controls for a new system using the handbooks and guides in this week’s reading is that the new system is not yet fully understood. In order to use FIPS 200, the organization must assign a risk level most appropriate to each risk that the new system poses. However, if little is understood about the new system, the risk rating may not be accurate.
Outside of financial value (cost, data value, etc…), how are planning and policy scaled based on the size of the firm? What is the most useful tip to secure your company without spending too much money, regardless of firm size?
The most useful tip I can come up with is that when creating a plan, you must know your business thoroughly. This allows you to properly allocate your funds, without over-covering other aspects of the business. This is the easiest way to save money when creating a plan.
My question would be regarding the assignment of low, moderate, or high. Is it common for there to be disagreement among the IT Auditor and the client regarding the ranking, since this seems to me to be more subjective than objective? If so, how should the IT Auditor find consensus on an agreeable assignment of risk?
Hi Elia, I think the most challenging thing for IT auditors is to follow the rules and do the estimation, and at the same time keep a good relationship with the client. IT auditors should attentively listen to the customer’s point of view; collect and understand the facts. After carefully reassessing the situation, reword the report, not only emphasizing the problem, but also the real root cause. Although the customer is not satisfied with what happened, he is satisfied with the way the report presents the issue.
I think a good way to help IT Auditors find consensus on the assignment of low, moderate, or high when there is a disagreement is to see if the organization has created a data classification document. If that document is not available, then I would ask who in the company is responsible for data governance, e.g. a data steward, to help make that decision.
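The suggestion to start from the organization’s data classification document works because, once the information types are classified, the system-level rating is mechanical rather than a matter of opinion. FIPS 200 sets a system’s impact level from its FIPS 199 security category: each information type gets a Low, Moderate or High impact for confidentiality, integrity and availability, the system takes the highest value per objective, and the overall impact level is the highest of the three (the “high-water mark”). The following is an added example of that computation, not material from the thread or from NIST; the information types and their ratings are constructed, and the idea of pulling them from a data classification document is the reply’s suggestion rather than a requirement of the standard. It also records which information type drives each objective, so an auditor and client can argue about the classification of one data type instead of the rating of the whole system.

```python
"""FIPS 199 high-water mark categorization (added example, constructed data)."""
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed data-classification entries: information type -> (C, I, A) impact.
# Assumed to come from the organization's data classification document.
CLASSIFICATION = {
    "public web content": ("LOW", "MODERATE", "LOW"),
    "customer PII": ("MODERATE", "MODERATE", "LOW"),
    "payment ledger": ("MODERATE", "HIGH", "MODERATE"),
}


def categorize(info_types, classification=CLASSIFICATION):
    """Per-objective impact for a system holding `info_types`.

    Returns {objective: (level, driving_information_type)}; the driving
    type is the first one that reaches the per-objective high-water mark.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    result = {}
    for i, objective in enumerate(OBJECTIVES):
        best = None
        for info_type in info_types:
            level = classification[info_type][i].upper()
            if level not in LEVELS:
                raise ValueError(f"unknown impact level {level!r} for {info_type}")
            if best is None or LEVELS[level] > LEVELS[best[0]]:
                best = (level, info_type)
        result[objective] = best
    return result


def overall_impact(info_types, classification=CLASSIFICATION):
    """High-water mark across the three objectives: the FIPS 200 impact level."""
    category = categorize(info_types, classification)
    return max((level for level, _ in category.values()), key=LEVELS.__getitem__)


def security_category_string(info_types, classification=CLASSIFICATION):
    """Render the result in the FIPS 199 notation SC = {(objective, impact), ...}."""
    category = categorize(info_types, classification)
    parts = ", ".join(f"({obj}, {category[obj][0]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def explain(info_types, classification=CLASSIFICATION):
    """Human-readable justification, one line per objective plus the overall level."""
    category = categorize(info_types, classification)
    lines = [f"{obj}: {lvl} (driven by {src})" for obj, (lvl, src) in category.items()]
    lines.append(f"overall impact level: {overall_impact(info_types, classification)}")
    return "\n".join(lines)


if __name__ == "__main__":
    system = ["public web content", "customer PII", "payment ledger"]
    print(security_category_string(system))
    print(explain(system))
```

Adding the payment ledger to a system that previously held only web content and customer PII moves integrity, and therefore the whole system, from Moderate to High; the justification output names the ledger as the reason, which is the conversation worth having with the client.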
Why do security plans need to have templates? What value do they add to your organization? How will the security plans for a larger organization differ from a smaller one?
Security plans have templates so that it’s easier for companies to fill in the details and not miss any crucial details. It is also a good starting point for orgs to use templates, because they can always add on more information they deem fit. They add value to the organization because using a template saves the time and costs of starting from scratch. Larger organizations will definitely have more resources to protect as well as more departments to outline. Smaller companies may be less in-depth.
I think templates are great to streamline the auditing process. Templates help to organize the data in a more concise document. For larger organizations, I think the template should be adjusted and tailored to the larger data expected or adjusted for a smaller organization with similar and smaller amounts of data.
What happens if an organization starts the process, but completely missed the security classification step and did not complete it? How successful will their plan be? How could you help them correct it?