Information Security Governance Papers

Paper Title: Maturity of Practice

Abstract: Security's emergence as a governance and management concern is primarily taking place in the parts of the organization that provide and use IT. We currently see minimal attention paid to this topic during the early life cycle phases of software and system development, but increasing attention being paid during detailed design, coding, and testing.

However, as is the case for the entire Build Security In website, we believe that treating security as a governance and management concern, as a risk management concern, and as a project management concern at the earliest phases of the life cycle will produce more robust, less vulnerable software, resulting in a decline in the reactive, fire-fighting mode present in most IT and system operations and maintenance organizations.

Indicators of Progress
Consistent governance and management action across the organization is key. This includes attention and participation from business unit leaders, human resources, legal, audit, risk management, and finance, as well as IT and software and system development groups. Progress in executing some of these roles and actions is described in the following sections.

Protecting Information
One significant shift that is causing leaders to take note is the need to treat information, particularly consumer, customer, client, and employee information, with greater care, perhaps with the same care as money. Leaders understand the impact on their organizations' reputations if this is not done competently and breaches become public. Customers expect that organizations will protect their privacy and their information and are becoming more aware of the risk of identity theft based on unintended data disclosure. U.S. federal laws such as Sarbanes-Oxley for financial reports, along with state laws such as the California Database Protection Act for consumer data, help ensure that organizations do so. The European Union's Directive on the Protection of Personal Data is even more comprehensive with respect to an organization's legal duty and ethical responsibility to protect personal information.
The credit card industry has been proactive in defining a standard for all merchants that accept and process credit card information. Through the efforts of American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, the Payment Card Industry (PCI) Security Standards Council was founded and is the steward of the Payment Card Industry Data Security Standard (DSS) [PCI 2009a]. As stated on their website:
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The key requirements of DSS include the following:
Build and maintain a secure network.
Protect cardholder data.
Maintain a vulnerability management program.
Implement strong access control measures.
Regularly monitor and test networks.
Maintain an information security policy.
In addition, the PCI SSC has expanded their requirements for security with respect to payment applications in their Payment Application Data Security Standard [PCI 2009b] with the following requirements:

Do not store sensitive authentication data after authorization (even if encrypted).
Protect stored cardholder data.
Provide secure authentication features.
Log payment application activity.
Develop secure payment applications (based on PCI DSS and industry best practices).
Protect wireless transmissions.
Test payment applications to address vulnerabilities.
Facilitate secure network implementation.
Never store cardholder data on a server connected to the Internet.
Facilitate secure remote software updates.
Facilitate secure remote access to payment applications.
Encrypt sensitive traffic over public networks.
Encrypt all non-console administrative access.
Maintain documentation and training programs.
Web Link: https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/management/567-BSI.html
