Organizational Roles and Responsibility

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization.

The following roles are presented in the logical order in which they appear in a secured environment:

Apart from these, the auditor is another role, responsible for reviewing and verifying that the security policy is properly implemented and that the derived security solutions are adequate.

Case Study:

For example, say that a data owner requests more room on a system for the storage of data. The data owner strongly believes that the new data being collected will help the sales team be more efficient. However, storage on the system owner’s asset is at a premium. The system owner is unwilling to allow the data owner to use the amount of space he has requested. In this case, the business/mission owner would need to review both sides and decide whether collecting and storing the new data would result in enough increased revenue to justify the cost of allowing the data owner more storage space. If so, it may also be necessary to invest in more storage media for the system or to move the data to another system that has more resources available. But keep in mind that moving the data would possibly involve another system owner.

Security professionals should always be part of these decisions because they understand the security controls in place for any systems involved and the security controls needed to protect the data. Moving the data to a system that does not have the appropriate controls may cause more issues than simply upgrading the system on which the data currently resides. Only a security professional is able to objectively assess the security needs of the data and ensure that they are met.

Enterprise Architecture & Security Control Framework

A security program is a framework made up of many entities: logical, administrative, and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for an environment. Each has an important place in the framework, and if one is missing or incomplete, the whole framework may be affected. The program should work in layers: each layer provides support for the layer above it and protection for the layer below it. The mindmap below covers most of the enterprise architecture and security frameworks discussed in the CISSP exam.

The most important security planning step is to consider the overall security control framework, or structure, of the security solution desired by the organization.

One can choose from several options in regard to security concept infrastructure; however, one of the more widely used security control frameworks is Control Objectives for Information and Related Technology (COBIT). COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). COBIT is based on the following five principles:

Principle 1: Meeting Stakeholder Need
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

There are many other standards and guidelines for IT security. A few of these are:

  • Open Source Security Testing Methodology Manual (OSSTMM): A peer-reviewed guide for the testing and analysis of a security infrastructure
  • ISO/IEC 27002 (which replaced ISO 17799): An international standard that can be the basis of implementing organizational security and related management practices
  • Information Technology Infrastructure Library (ITIL): Initially crafted by the British government, ITIL is a set of recommended best practices for core IT security and operational processes and is often used as a starting point for the crafting of a customized IT security solution

Intellectual Property Law

So far we have looked at who is “right” and who is “wrong.” Let us now look at how a company or individual can protect their intellectual property from being reproduced.

Intellectual property can be protected by several different laws, depending upon the type of resource it is. Intellectual property is divided into two categories: industrial property—such as inventions (patents), industrial designs, and trademarks—and copyrighted property, which covers things like literary and artistic works. These topics are discussed in more detail in the following mindmaps.

A simple rule of thumb for the difference between a patent and a copyright: think of a “patent” as protecting an “idea” and a “copyright” as protecting the “implementation of the idea.”

Software Licensing & Import/Export Law

A security professional should also be familiar with the legal issues surrounding software licensing agreements. There are four main types of license agreement in use today; refer to the mindmap below for details.

Import/export law also helps a company control the flow of its information across multiple countries.

Case Study:
The case study below helps explain “why” encryption export control is required for a company or enterprise.

  • Assume a host in South Africa is communicating with a host in India, and the traffic leaves your perimeter router via the Internet.
  • Also assume the host in South Africa is using an encryption algorithm that is permitted in South Africa and India but “not” in “Singapore,” since different countries have different laws regarding the transmission of data and the encryption standards allowed.
  • Given the nature of IP packet forwarding, this traffic stream may take many different routes; assume in this case that it transits Singapore.
  • In this case, your end-to-end host communication is violating the law of Singapore.
  • Hence, wherever there is a chance of breaking a foreign nation’s data laws, we must control the data flow to avoid violations, and this must be included in “Risk Management.”
  • One solution to such a problem is to use a pinned path (avoiding any flow via Singapore) over WAN technologies such as MPLS, Frame Relay, or ATM.

Laws, Regulations, Compliance

Every country follows some kind of legal system. The figure below shows the different types of legal system.

Since the CISSP focuses mainly on U.S. laws and regulations, we will restrict ourselves to the U.S. We can observe that the U.S. follows the “common law” legal system.
As IT and security professionals, we understand that laws and regulations have a significant impact on “how we work and behave day to day.” The picture below depicts some of the essential laws covered by the CISSP course content.

Over the last decade, the regulatory environment governing information security has grown increasingly complex. Organisations may find themselves subject to a wide variety of laws, including:

  1. Computer Crime Laws
  2. Intellectual Property Law
  3. Software Licensing Law
  4. Import/Export Law
  5. Privacy Law

There are also regulations imposed by regulatory agencies and contractual obligations such as PCI-DSS, which may be a mandate for running your business. Refer to the screenshot below for more details about PCI-DSS.

Other regulatory compliance activities include:
  • Auditing – gathering evidence and finding weaknesses in a system
  • Reporting – in case there is a “breach”
  • Metrics – identifying the effectiveness of your controls and spotting trends

Personnel Security

So, who is the weakest element in the security realm? “Humans.”
Who is the biggest culprit in the security realm? “Humans.”

No matter what controls have been deployed in an environment, humans will always discover a way to avoid, circumvent, or disable them.

Imagine a situation where that human is one of your own, i.e. an employee. In such a case, the employee becomes your biggest threat. Therefore it is vital to take the human nature of users into account while designing and deploying security solutions for your environment. Hence, anything that gives extra power and privileges to an employee is considered the most significant security risk for an organization.

Refer to the mindmap below, which explains the complete details of the realm of personnel security.