Lecture 9 - Chapter 14

This document discusses IT security policy enforcement. It covers several topics: 1) the importance of executive support and accountability in enforcement; 2) an organization's right to monitor users and enforce policies; 3) the difference between legal requirements and internal policies; 4) how automated controls can help enforcement; 5) legal implications of enforcement; 6) accountability for risks and threats; and 7) best practices like the relationship between legal and security teams. The document also provides case studies on enforcement failures that led to data breaches and an example of effective enforcement of a security policy.

FPT University Can Tho (ĐẠI HỌC FPT CẦN THƠ)

IT Security Policy Enforcement

Chapter 14
1. Organizational Support for
IT Security Policy Enforcement

Abuse of a company's technology can leave it at risk. Failure to follow
policies could lead to regulatory noncompliance. Failure to follow up and
resolve issues can result in lawsuits. These situations can lead to more
regulatory sanctions and expensive legal fees.

Chapter 14: IT Security Policy Enforcement - Huong Hoang Luong 2


Executive Management
Sponsorship

Executive management today is pulled in many directions. It's a fast-paced
life. To be effective, executives need to be surrounded by employees with a
strong sense of clarity, purpose, and action. Executive support does not
mean getting the authority to flog people into submission.



Governance Versus
Management Organizational
Structure
Enforcement is most effective when it comes from the employees' own
leadership. Information security teams often do not enforce policies
directly. Security teams do not directly manage all employees and thus,
typically cannot "order" an employee to comply with policies.

Figure: How governance and management work together within the COBIT 5.0 framework.



The Hierarchical Organizational
Approach to Security Policy
Implementation
The organization itself has a role in enforcing policies. This is typically
handled through gateway committees.



Front-Line Managers' and
Supervisors' Responsibility and
Accountability
Once policies are established, management must figure out how to
implement them. This includes making the policies operational. For line
management that means the following:
Ensuring everyone on the front-line team is trained
Taking on the role of the go-to person for questions
Applying the policies consistently
Gathering metrics on policy effectiveness
Ensuring everyone follows the policy



Grass-Roots Employees

Employees react to the environment around them. It's rare that a worker
comes to work with the intent not to follow a security policy. However,
when employees see coworkers ignoring policies without consequences from
managers and supervisors, they are more likely to do the same.



2. An Organization's Right
to Monitor User Actions and
Traffic
The prevailing legal view is that employers have the right to monitor
workers' activities on company computers. This right is not absolute. In
other words, it's important that an organization act in accordance with
its policies and the law. The policies must be clear and concise.



3. Compliance Law:
Requirement or Risk
Management?
Security policies by their nature attempt to comply with all regulatory
requirements to be met by the organization.



What Is Law and What Is Policy?

Organizations enforce policies and report on compliance. Organizations
generally do not internally enforce laws. In other words, security policies
are not a legal interpretation of the law. Security policies are
interpretations of legal requirements that lead to compliance.



4. What Automated
Security Controls Can Be
Implemented Through Policy?
Automating as many security controls as possible is the best way to
ensure adoption, enforcement, and effectiveness. By far, this is the
preferred approach when possible. Automated controls work the same
way every time. That means controls are consistently applied and often
executed faster than humans can achieve.
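The slides make the point that an automated control applies the same rule to every case, every time, and that line managers should gather metrics on policy effectiveness. The following is an added example, not part of the lecture or the course material, of a small "policy as code" check that evaluates a laptop inventory against three written-policy requirements (disk encryption, screen lock, maximum patch age) and reports the compliance rate. The inventory records, hostnames, owners, dates and policy thresholds are all constructed for the example.

```python
"""Automated security-policy check over an endpoint inventory.

Added example (not from the lecture slides). Every record is evaluated by
the same rules, which is what makes an automated control consistent and
repeatable. The inventory, field names and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed policy: what the written security policy requires of each laptop.
POLICY = {
    "require_disk_encryption": True,
    "require_screen_lock": True,
    "max_patch_age_days": 30,
}


@dataclass
class Endpoint:
    hostname: str
    owner: str
    disk_encrypted: bool
    screen_lock: bool
    last_patched: date


@dataclass
class Finding:
    hostname: str
    owner: str
    violations: list[str] = field(default_factory=list)


def evaluate(ep: Endpoint, policy: dict, today: date) -> list[str]:
    """Return the policy rules this endpoint violates (empty list = compliant)."""
    violations: list[str] = []
    if policy["require_disk_encryption"] and not ep.disk_encrypted:
        violations.append("disk not encrypted")
    if policy["require_screen_lock"] and not ep.screen_lock:
        violations.append("screen lock disabled")
    age_days = (today - ep.last_patched).days
    if age_days > policy["max_patch_age_days"]:
        violations.append(
            f"patches {age_days} days old (limit {policy['max_patch_age_days']})"
        )
    return violations


def audit(inventory: list[Endpoint], policy: dict = POLICY,
          today: date | None = None) -> list[Finding]:
    """Apply the policy to every record; return one Finding per non-compliant host."""
    today = today or date.today()
    findings = []
    for ep in inventory:
        violations = evaluate(ep, policy, today)
        if violations:
            findings.append(Finding(ep.hostname, ep.owner, violations))
    return findings


def compliance_rate(inventory: list[Endpoint], policy: dict = POLICY,
                    today: date | None = None) -> float:
    """Metric for management reporting: fraction of hosts with no violations."""
    if not inventory:
        return 1.0
    non_compliant = len(audit(inventory, policy, today))
    return (len(inventory) - non_compliant) / len(inventory)


# Constructed sample inventory (hostnames, owners and dates are made up).
SAMPLE_INVENTORY = [
    Endpoint("lt-0001", "a.nguyen", True, True, date(2024, 5, 20)),
    Endpoint("lt-0002", "b.tran", False, True, date(2024, 5, 25)),
    Endpoint("lt-0003", "c.le", True, False, date(2024, 3, 1)),
]
AUDIT_DATE = date(2024, 6, 1)  # fixed so the example gives the same result each run


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, today=AUDIT_DATE):
        print(f"{f.hostname} ({f.owner}): " + "; ".join(f.violations))
    print(f"compliance rate: {compliance_rate(SAMPLE_INVENTORY, today=AUDIT_DATE):.0%}")
```

Running the script lists the two non-compliant hosts with the rule each one breaks and a compliance rate of 33%. The design point is that the rules live in one place (`POLICY`) and are applied by code rather than by each manager's judgment, so the result does not vary by team; the compliance rate is the kind of metric a line manager can report upward.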



5. Legal Implications
of IT Security Policy Enforcement

Figure: Illustration of how data quickly expands.



6. Who Is Ultimately Accountable
for Risk, Threats, and
Vulnerabilities?
As a result, not all organizations are capable of holding their leaders
accountable. Accountability can come from external forces such as:
Public opinion—Can turn against a company, leading to a loss of trust
that damages or even destroys it
Shareholders—Vote and are active at the shareholder level
Regulators—Hold the organization accountable for violation of law
Courts—Hold executives personally accountable



7. Best Practices for
IT Security Policy Enforcement

The information security team should develop a close relationship with
the legal team. They need to understand each other's processes and
priorities. Teams should communicate their roles and responsibilities to
one another. This helps them understand the various ways they can help
enforce policies.



8. Case Studies and Examples
of Successful IT Security Policy
Enforcement
The following case studies discuss various enforcement problems with
IT security policies. The first two illustrate a lack of enforcement. This
lack of enforcement allowed data security breaches to occur. The third
talks about how a policy was effectively enforced.



Private Sector Case Study

In October 2013, AvMed, a health insurer in Florida, settled a class-action
lawsuit. The company had reported the theft of two laptops in 2009 that
contained the personal information of more than 1.2 million customers.
Neither laptop was encrypted…



Public Sector Case Study No. 1

The U.S. Department of Education discovered on March 23, 2010, that
3.3 million records were stolen from one of its vendors. The vendor was
Educational Credit Management Corporation (ECMC), which processed
$11 billion in student loans. The records that were stolen included
personal data on individuals who received student loans. This included
names, addresses, Social Security numbers, and dates of birth…



Public Sector Case Study No. 2

In July 2013, the United States Department of Energy system suffered a
data breach. It resulted in unauthorized access to more than 104,000
individual personal records. The records included Social Security
numbers, birthdates and locations, bank account numbers, and security
questions and answers…



Chapter Summary

When you complete this chapter, you will be able to:
Describe the differences between governance and management processes
Explain what a pervasive control is
Describe the basic layers of controls within an organization to enforce policies
Explain the role of executive management and the chief information security
officer (CISO) in enforcement
Describe how monitoring can help policy enforcement
Explain the difference between automated and manual policy enforcement
Explain who is ultimately accountable for enforcement of security policies
Describe legal implications when enforcing policies
Describe best practices for enforcing policies
