
Security Governance Framework


Security Governance Framework:

• IT security governance is the system by which an organization directs and controls IT security
(adapted from ISO 38500).
• IT security governance should not be confused with IT security management. IT security
management is concerned with making decisions to mitigate risks; governance determines
who is authorized to make decisions.
• Governance specifies the accountability framework and provides oversight to ensure that
risks are adequately mitigated, while management ensures that controls are implemented to
mitigate risks.
• Governance ensures that security strategies are aligned with business objectives and
consistent with regulations.
The five general governance areas:
• Govern the operations of the organization and protect its critical assets
• Protect the organization's market share and stock price (perhaps not appropriate for
education)
• Govern the conduct of employees (educational AUP and other policies that may apply to use
of technology resources, data handling, etc.)
• Protect the reputation of the organization
• Ensure compliance requirements are met
Security Governance Frameworks:
• Three major frameworks:
• COSO (Committee of Sponsoring Organizations of the Treadway Commission)
• COBIT (Control Objectives for Information and Related Technology)
• ITIL (Information Technology Infrastructure Library)
Committee of Sponsoring Organizations of the Treadway Commission (COSO):
• In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
developed a model for evaluating internal controls.
• This model has been adopted as the generally accepted framework for internal control.
• It is widely recognized as the definitive standard against which organizations measure the
effectiveness of their systems of internal control. 
• Internal Control: Internal controls are the mechanisms, rules, and procedures implemented
by a company to ensure the integrity of financial and accounting information, promote
accountability, and prevent fraud.
• The updated COSO principles, which supersede the original 1992 framework, now explicitly
describe the principles rather than simply implying them, thus making it easier for
companies to apply them.
• These concepts show the relationship between people and processes: effective control defines
the principles and how to implement them.
• Internal control is a process, not a one-time activity.
• Internal control is affected by people; it must be adopted throughout the organization and is
not simply a policy document that gets filed away.
• Internal control can provide only reasonable assurance. A control cannot ensure success.
• Internal controls are designed for the achievement of business objectives.
Control Environment
• Exercise integrity and ethical values.
• Make a commitment to competence.
• Use the board of directors and audit committee.
• Facilitate management’s philosophy and operating style.
• Create organizational structure.
• Issue assignment of authority and responsibility.
• Utilize human resources policies and procedures.
Risk Assessment
• Create companywide objectives.
• Incorporate process-level objectives.
• Perform risk identification and analysis.
• Manage change.
Control Activities
• Follow policies and procedures.
• Improve security (application and network).
• Conduct application change management.
• Plan business continuity/backups.
• Perform outsourcing.
Information and Communication
• Measure quality of information.
• Measure effectiveness of communication.
Monitoring
• Perform ongoing monitoring.
• Conduct separate evaluations.
• Report deficiencies.

Control Objectives for Information and Related Technology (COBIT):

• COBIT stands for Control Objectives for Information and Related Technology
• A framework created by ISACA (Information Systems Audit and Control Association) for
IT governance and management
• Supports managers and allows balancing technical issues, business risks and control
requirements
• Ensures quality, control and reliability of information systems in an organization
• Provides various maturity models and metrics that measure achievement while
identifying the associated business responsibilities of IT processes
• Main focus on four specific domains:
  • Planning and Organization
  • Delivery and Support
  • Acquisition and Implementation
  • Monitoring and Evaluation
• Used by organizations whose primary responsibilities are business processes
and related technologies
• Helps in increasing the sensibility of IT processes to a great extent
• Helps in organizing the objectives of IT governance and bringing best practices into IT
processes and domains, while linking them to business requirements
• Used by government departments, federal departments and private
commercial organizations
Components of COBIT:

• Control objectives:
  • Provide a complete list of requirements that have been considered by
management for effective IT business control
• Process descriptions:
  • Act as a common language for every individual in the organization
  • Include planning, building, running and monitoring of all IT processes
• Maturity models:
  • Assess the maturity and the capability of every process while addressing the gaps
• Management guidelines:
  • Help in better assigning responsibilities, measuring performance, agreeing on
common objectives and illustrating the interrelationships with every other process

Domains and processes of COBIT:

Plan and Organize (PO): The Planning and Organization domain covers the use of information
and technology and how best it can be used in a company to help achieve the company’s goals
and objectives.

Acquire and Implement (AI): It covers identifying IT requirements, acquiring the technology, and
implementing it within the company’s current business processes.

Delivery and Support (DS): It focuses on the delivery aspects of the information technology.

Monitor and Evaluate (ME): The Monitoring and Evaluation domain deals with a company’s strategy
in assessing the needs of the company and whether or not the current IT system still meets the
objectives for which it was designed and the controls necessary to comply with regulatory
requirements.

COBIT Maturity model:

Level 0 - Non-existent
• The process is not existent at all.
Level 1 - Initial/Ad Hoc
• No standardized processes are in place.
Level 2 - Repeatable but Intuitive
• Procedures are followed but there is still a high degree of reliance on the knowledge of
individuals.
Level 3 - Defined Process
• Procedures are standardized but not sophisticated enough.
Level 4 - Managed and Measurable
• The compliance with required procedures is measured and significant errors are detected.
Level 5 - Optimized
• Processes have been refined to a level of good practice and variances are continually
reduced.

ITIL security management (Information Technology Infrastructure Library)

• ITIL security management is based on the ISO 27001 standard. "ISO/IEC 27001:2005 covers
all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit
organizations)."
• The primary objective of the ITIL Information Security Management Process (ITIL ISM) is to
align IT security with business security and ensure that information security is effectively
managed in all service and IT Service Management activities.
• It also ensures that the confidentiality, integrity, availability, and role-based accessibility of an
organization’s assets, information, data and IT Services are maintained.

5 Stages of ITIL v3:

• Service Strategy: The Service Strategy phase of the Service Lifecycle provides guidance on
how to design, develop, and implement IT Service Management. 
• Service Design: The Service Design phase of the Service Lifecycle provides guidance on how
to design and develop services and IT Service Management processes that will support the
service strategies already developed. 
• Service Transition: The Service Transition phase of the Service Lifecycle teaches IT
professionals and their business associates to manage changes in a productive manner. 
• Service Operation: The Service Operation phase of the Service Lifecycle provides guidance
on the practical aspects of day-to-day business operations. The goal is for the IT department
to keep things running smoothly, reliably, efficiently and cost-effectively.
• Continual Service Improvement: Even if nothing changes in an organization, there is always
room for development and improvement in IT services. Continual assessment is the key to
understanding where improvements can be made.
ISO:

• ISO (International Organization for Standardization) is the world's largest developer and
publisher of International Standards.
• ISO is a network of the national standards institutes of 160 countries, one member per
country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
• ISO is a non-governmental organization that forms a bridge between the public and private
sectors. On the one hand, many of its member institutes are part of the governmental
structure of their countries, or are mandated by their government. On the other hand, other
members have their roots uniquely in the private sector, having been set up by national
partnerships of industry associations.
• Therefore, ISO enables a consensus to be reached on solutions that meet both the
requirements of business and the broader needs of society.
ISO 27x:
ISO (the International Organization for Standardization) and IEC (the International
Electrotechnical Commission) form the specialized system for worldwide standardization.
National bodies that are members of ISO or IEC participate in the development of International
Standards through technical committees established by the respective organization to deal with
particular fields of technical activity. ISO and IEC technical committees collaborate in fields of
mutual interest.
Other international organizations, governmental and non-governmental, in liaison with ISO and
IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives,
Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft
International Standards adopted by the joint technical committee are circulated to national
bodies for voting. Publication as an International Standard requires approval by at least 75 % of
the national bodies casting a vote.
JTC 1:
• The ISO 27000 series is developed by JTC 1/SC 27
• Certification is given for ISO 27001 only
• There are a number of supporting standards and best practices.

ISO 27001:

• ISO/IEC 27000, Information security management systems — Overview and vocabulary
• ISO/IEC 27001:2005, Information security management systems — Requirements
• ISO/IEC 27002:2005, Code of practice for information security management
• ISO/IEC 27003, Information security management system implementation guidance
• ISO/IEC 27004, Information security management — Measurement
• ISO/IEC 27005:2008, Information security risk management
• ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of
information security management systems
• ISO/IEC 27007, Guidelines for information security management systems auditing
• ISO/IEC 27011, Information security management guidelines for telecommunications
organizations based on ISO/IEC 27002

What is ISO 27001 about?

“….This International Standard has been prepared to provide a model for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an Information
Security Management System (ISMS)…..”
“…The design and implementation of an organization’s ISMS is influenced by their needs and
objectives, security requirements, the processes employed and the size and structure of the
organization.
These and their supporting systems are expected to change over time.
It is expected that an ISMS implementation will be scaled in accordance with the needs of the
organization…”
Difference from other security standards:
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and
enhance cardholder data security and facilitate the broad adoption of consistent data
security measures globally. PCI DSS provides a baseline of technical and operational
requirements designed to protect cardholder data. …
11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic
at the perimeter of the cardholder data environment as well as at critical points inside of the
cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.
Supporting ISO 27x standards:

• ISO 27030 - ISO 27050
  • ISO 27033 Parts 1-6, Network security
  • ISO 27035 Parts 1-2, Incident response
  • ISO 27044, Guide to SIEM
Typical ISO 27001 certification process:

• Definition of scope (ISMS)
• Gap analysis
• Risk assessment
• Implementation design
• Implementation (including awareness training)
• Simulation audit
• Audit

ISO 27001: 2005 vs. 2013

NIST:

• The National Institute of Standards and Technology is a non-regulatory government agency
that develops technology, metrics, and standards to drive innovation and economic
competitiveness at U.S.-based organizations in the science and technology industry. As part
of this effort, NIST produces standards and guidelines to help federal agencies meet the
requirements of the Federal Information Security Management Act (FISMA). NIST also assists
those agencies in protecting their information and information systems through
cost-effective programs.
• Specifically, NIST develops Federal Information Processing Standards (FIPS) in congruence
with FISMA. The Secretary of Commerce approves FIPS, with which federal agencies must
comply – federal agencies may not waive the use of the standards. NIST also provides
guidance documents and recommendations through its Special Publications (SP) 800-series.
The Office of Management and Budget (OMB) policies require that agencies must comply
with NIST guidance, unless they are national security programs and systems.
• NIST guidance provides the set of standards for recommended security controls for
information systems at federal agencies.
• These standards are endorsed by the government, and companies comply with NIST
standards because they encompass security best practices controls across a range of
industries – an example of a widely adopted NIST standard is the NIST Cybersecurity
Framework.
• In many cases, complying with NIST guidelines and recommendations will help federal
agencies ensure compliance with other regulations, such as HIPAA, FISMA, or SOX.
NIST has outlined nine steps toward FISMA compliance:
• Categorize the data and information you need to protect
• Develop a baseline for the minimum controls required to protect that information
• Conduct risk assessments to refine your baseline controls
• Document your baseline controls in a written security plan
• Roll out security controls to your information systems
• Once implemented, monitor performance to measure the efficacy of security controls
• Determine agency-level risk based on your assessment of security controls
• Authorize the information system for processing
• Continuously monitor your security controls

CIS benchmarks:

• The Center for Internet Security is a nonprofit entity whose mission is to 'identify, develop,
validate, promote, and sustain best practice solutions for cyber defense.'
• It draws on the expertise of cybersecurity and IT professionals from government, business,
and academia from around the world. To develop standards and best practices, including CIS
benchmarks, controls, and hardened images, they follow a consensus decision-making
model.
• CIS benchmarks are configuration baselines and best practices for securely configuring a
system. Each of the guidance recommendations references one or more CIS controls that
were developed to help organizations improve their cyberdefense capabilities.
CIS benchmarks provide two levels of security settings:
• Level 1 recommends essential basic security requirements that can be configured on any
system and should cause little or no interruption of service or reduced functionality.
• Level 2 recommends security settings for environments requiring greater security that could
result in some reduced functionality.
NSA (National Security Agency)

• The National Security Agency (NSA) is a national-level intelligence agency of the United
States Department of Defense, under the authority of the Director of National Intelligence.
• The NSA is responsible for global monitoring, collection, and processing of information and
data for foreign and domestic intelligence and counterintelligence purposes, specializing in a
discipline known as signals intelligence (SIGINT).
• The NSA is also tasked with the protection of U.S. communications networks and
information systems.
DISA (Defense Information Systems Agency)

• The Defense Information Systems Agency (DISA), known as the Defense Communications
Agency (DCA) until 1991, is a United States Department of Defense (DoD) combat support
agency composed of military, federal civilians, and contractors.
• DISA provides information technology (IT) and communications support to the President,
Vice President, Secretary of Defense, the military services, the combatant commands, and
any individual or system contributing to the defense of the United States.
SANS (Sys Admin, Audit and Network Security)

• The SANS Institute (officially the Escal Institute of Advanced Technologies) is a private U.S.
for-profit company founded in 1989 that specializes in information security, cybersecurity
training, and selling certificates.
• Topics available for training include cyber and network defenses, penetration testing,
incident response, digital forensics, and auditing.
• The information security courses are developed through a consensus process involving
administrators, security managers, and information security professionals.
• The courses cover security fundamentals and technical aspects of information security. The
institute has been recognized for its training programs and certification programs.
ISACA (Information Systems Audit and Control Association)
• ISACA is an international professional association focused on IT governance.
• ISACA originated in the United States in 1967, when a group of individuals working on auditing
controls in computer systems started to become increasingly critical of the operations of their
organizations. They identified a need for a centralized source of information and guidance in the
field. In 1969, Stuart Tyrnauer, an employee of the (later) Douglas Aircraft Company, incorporated
the group as the EDP Auditors Association (EDPAA).
• Tyrnauer served as the body's founding chairman for the first three years. In 1976 the association
formed an education foundation to undertake large-scale research efforts to expand the knowledge
of and value accorded to the fields of governance and control of information technology.
• The association became the Information Systems Audit and Control Association in 1994.
• By 2008 the organization had dropped its long title and branded itself as ISACA.
• In March 2016, ISACA bought the CMMI Institute, which is behind the Capability Maturity Model
Integration.
• In January 2020, ISACA refreshed its look and digital presence, introducing a new logo.
IEEE Standards: IEEE carries out standardization activity in the network and information security
space, covering anti-malware technology, encryption, fixed and removable devices, hardcopy devices,
and the application of these technologies in grid computing.

ISO 17799: ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization.
ISO 17799 - 10 domains

• Information security policy;
• Information security infrastructure;
• Asset management;
• Personnel security;
• Physical and environmental security;
• Communications and operations management;
• Access control;
• System development and maintenance;
• Business continuity management;
• Compliance.
Security standards organizations
• ICANN (Internet Corporation for Assigned Names and Numbers)
• ISO (International Organization for Standardization)
• CCITT (Consultative Committee for International Telephony and Telegraphy)
• ANSI (American National Standards Institute)
• IEEE (Institute of Electrical and Electronics Engineers)
• EIA (Electronic Industries Association)
• NIST (National Institute of Standards and Technology)
• W3C (The World Wide Web Consortium)