IT governance and cybersecurity regulations

This discussion of IT governance and cybersecurity regulations is taken from my uOttawa PhD thesis (2020, pp. 39-57), Chapter 2 “Part 1: Information Security Risk Governance,” which covers the technical, theoretical, and regulatory context of ethical hacking applications in information security testing and IT governance at the organizational and national levels. The PhD thesis, titled Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society, was completed at the School of Electrical Engineering and Computer Science (EECS), Faculty of Engineering, on the topic of ethical hacking sociotechnology (thesis advisory committee: uOttawa professors Rocci Luppicini, Liam Peyton, and Andre Vellino).

  • IT governance
  • Cybersecurity regulations


IT governance

Underlying various IA/IT security governance frameworks such as ISO/IEC 27001 and PCI DSS are five strategies involving a risk-based approach to security management: asset valuation, identifying threats, identifying vulnerabilities, risk profiling (measuring the risk), and risk mitigation (Cobb, 2019). This risk-based approach “allows an organization to correctly prioritize the vulnerabilities it’s identified and focus its efforts on the risks that are the most significant to its operations.” A risk-based security strategy “identifies the true risks to an organization’s most valuable assets and prioritizes spending to mitigate those risks to an acceptable level.” A risk-based information security strategy “enables an organization to develop more practical and realistic security goals and spend its resources in a more effective way. It also delivers compliance, not as an end in itself, but as a natural consequence of a robust and optimized security posture” (Cobb, 2019).

Steps of the Information Security Risk-Based Management Approach (Adapted from Cobb, 2019)

| Step | Key processes |
| --- | --- |
| Asset valuation | Determine the organization’s key information assets, where they are stored, and who owns them. When determining the value of assets, include “any business impact and costs associated with the confidentiality, integrity or availability of a compromised asset in an evaluation, such as lost revenue from an order-entry system going down or the reputational damage caused by a website being hacked.” This way of evaluating assets “ensures those that are most important to the day-to-day continuity of the organization are given the highest priority when it comes to security.” |
| Identifying threats | Identify who may want to steal or damage the organization’s key information (or mission-critical) assets, why, and how they may do it. This includes “competitors, hostile nations, disgruntled employees or clients, terrorists and activists, as well as non-hostile threats, such as an untrained employee.” Also consider natural disasters such as floods and fire. Assign a threat level to each identified threat based on the likelihood of it occurring and the estimated impact/cost. |
| Identifying vulnerabilities | Automated vulnerability scanning tools are used by penetration testers to identify software and network vulnerabilities. Physical vulnerabilities may also need to be enumerated. Finally, there are “also vulnerabilities associated with employees, contractors and suppliers such as being susceptible to social engineering-based attacks.” |
| Risk profiling | Risk profiling begins after an organization’s assets, threats, and vulnerabilities have been identified. “Risk can be thought of as the likelihood that a threat will exploit a vulnerability resulting in a business impact.” Risk profiling “evaluates existing controls and safeguards and measures risk for each asset-threat-vulnerability and then assigns it a risk score. These scores are based on a combination of the threat level and the impact on the organization should the risk actually occur.” |
| Risk mitigation | “Once each risk has been assessed, a decision is made to treat, transfer, tolerate or terminate it. Each decision should be documented along with the reasons that led to the decision.” Once mitigation measures are implemented, “carry out tests to simulate key threats to ensure the new security controls do actually mitigate the most dangerous risks.” |
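The five steps above read as a procedure, so here is an added worked example of that procedure run over a small risk register: each asset-threat-vulnerability triple gets a residual risk score (threat level discounted by existing controls, times asset value), the register is ordered by that score, a default treatment is proposed, the decision is written down with its rationale, and the top risk is re-profiled after a mitigation has been tested. This is illustrative code written for this page, not code from Cobb (2019) or from the thesis; the 1-5 scales, the control-effectiveness discount, the treatment bands and every register entry are constructed assumptions.

```python
"""Risk-based prioritisation over a small risk register.

Added illustration of the five-step approach (asset valuation, threats,
vulnerabilities, risk profiling, mitigation). Not code from Cobb (2019) or the
thesis: the 1-5 scales, the control-effectiveness discount, the treatment bands
and every register entry are constructed assumptions that make the arithmetic visible.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEntry:
    """One asset-threat-vulnerability triple, as produced by steps 1-3."""
    asset: str
    asset_value: int              # step 1: business impact (1-5) if C/I/A of the asset is lost
    threat: str
    threat_level: int             # step 2: likelihood (1-5) that the threat acts on the asset
    vulnerability: str
    control_effectiveness: float  # fraction (0.0-1.0) of likelihood removed by existing safeguards


def residual_score(entry: RiskEntry) -> float:
    """Step 4 (risk profiling): risk = likelihood x impact, after existing controls.

    The threat level is discounted by how effective current safeguards are, then
    multiplied by the asset value. Constructed scale: 0.0 (none) to 25.0 (maximum).
    """
    residual_likelihood = entry.threat_level * (1.0 - entry.control_effectiveness)
    return round(residual_likelihood * entry.asset_value, 1)


def default_treatment(score: float, appetite: float = 4.0, priority: float = 12.0) -> str:
    """Step 5: a starting recommendation among treat / transfer / tolerate.

    The band thresholds are assumed values. 'Terminate' (stop the activity that
    creates the risk) is a business decision no score can make, so it is never
    returned here; the documented decision record is where a human overrides this.
    """
    if score >= priority:
        return "treat"              # mitigate first: most significant to operations
    if score >= appetite:
        return "treat or transfer"  # mitigate, or transfer (e.g. insurance, outsourcing)
    return "tolerate"               # within appetite: accept and keep monitoring


def prioritize(register):
    """Order the register so the most significant residual risks come first."""
    return sorted(register, key=residual_score, reverse=True)


def decision_record(entry: RiskEntry) -> dict:
    """The documented decision the text calls for: score, decision and the reasons behind it."""
    score = residual_score(entry)
    return {
        "asset": entry.asset,
        "threat": entry.threat,
        "vulnerability": entry.vulnerability,
        "score": score,
        "decision": default_treatment(score),
        "rationale": (f"threat level {entry.threat_level}, existing controls remove "
                      f"{entry.control_effectiveness:.0%} of likelihood, "
                      f"asset value {entry.asset_value}"),
    }


def apply_control(entry: RiskEntry, verified_effectiveness: float) -> RiskEntry:
    """After a mitigation is implemented and a simulated-threat test confirms it
    works, re-profile the entry with the effectiveness the test demonstrated."""
    return replace(entry, control_effectiveness=verified_effectiveness)


# Constructed sample register (not real data).
REGISTER = [
    RiskEntry("Order-entry system", 5, "Ransomware delivered by phishing", 4,
              "Untrained staff open attachments", 0.25),
    RiskEntry("Public website", 3, "Defacement by hacktivists", 3,
              "Unpatched CMS plugin", 0.0),
    RiskEntry("Archived HR records", 4, "Flood in the server room", 1,
              "Single site, no off-site backup", 0.5),
    RiskEntry("Staff wiki", 1, "Disgruntled insider edits content", 2,
              "Overly broad edit rights", 0.5),
]

if __name__ == "__main__":
    for entry in prioritize(REGISTER):
        rec = decision_record(entry)
        print(f"{rec['score']:5.1f}  {rec['decision']:18}  {rec['asset']}: {rec['threat']}")
    # Re-profile the top risk once awareness training plus mail filtering have been tested.
    improved = apply_control(REGISTER[0], 0.75)
    print("after verified mitigation:", residual_score(improved),
          default_treatment(residual_score(improved)))
```

Running the block prints the register in priority order (the order-entry system at 15.0 comes first, the staff wiki at 1.0 last) and shows the phishing risk dropping to 5.0 once tested controls remove three quarters of the likelihood. The point of keeping `control_effectiveness` as an input rather than hard-coding it is that the final step of the approach, testing whether new controls actually work, becomes a re-profiling pass with a verified number instead of a hoped-for one.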

Several frameworks and tools exist to help with evaluating assets, threat levels, and risk scores. NIST’s Risk Management Framework is commonly used to quantify operational risk, to help “ensure that an enterprise understands the true risks to the key assets behind its day-to-day operations and how best to mitigate them” (Cobb, 2019). The Risk Management Framework (NIST SP 800-37), a cybersecurity risk management framework for organizations, integrates information security and risk management activities into the system development life cycle (the second step of the RMF is to select the appropriate subset of security controls from the control catalog in NIST SP 800-53). NIST’s RMF Revision 2, published in December 2018, “takes a more holistic approach to the risk management process,” integrates privacy, and ties the RMF to the SDLC. It also “includes information on aligning the RMF with NIST’s Cybersecurity Framework (CSF), supply chain and security engineering.” The most commonly deployed information security standards or frameworks in higher education are NIST 800-53/FISMA (33%), the NIST Cybersecurity Framework (32%), and NIST 800-171 (31%) (EDUCAUSE Almanac, 2019).

According to EDUCAUSE, a U.S.-based nonprofit association that helps higher education elevate the impact of IT, with a community of over 100,000 members spanning 45 countries, information security was the number one IT governance issue in 2016. The top higher education information security risks that were a priority for IT in 2016 were 1) phishing and social engineering; 2) end-user awareness, training, and education; 3) limited resources for the information security program (i.e., too much work and not enough time or people); and 4) addressing regulatory requirements (Grama & Vogel, 2017).

Information Security Risk in Higher Education (Adapted from EDUCAUSE, 2019)

| Risk | Description |
| --- | --- |
| 1) Phishing and Social Engineering | “Over the past two decades, phishing scams have become more sophisticated and harder to detect.” While traditional phishing messages “sought access to an end user’s institutional access credentials (e.g., username and password),” today “ransomware and threats of extortion are common in phishing messages, leaving end users to wonder if they have to actually pay the ransom.” |
| 2) End-User Awareness, Training, and Education | End-user awareness, training, and education “is critical as campuses combat persistent threats and try to make faculty, students, and staff more aware of the current risks.” While “the majority of U.S. institutions (74%) require information security training for faculty and staff, those programs tend to be leanly staffed with small budgets.” |
| 3) Limited Resources for the Information Security Program | The 2015 EDUCAUSE Core Data Service survey covering all US higher education institutions showed that about 2 percent of total central IT spending is allocated for information security and that there is 0.1 central IT information security FTEs per 1,000 institutional FTEs (full-time equivalents). About 55% of surveyed respondents said the security awareness budget for 2016 was less than 5K; about 25% said they do not know; 15% said between 5-25K; 7% said between 25-50K; and less than 1% said between 50 and 100K. “With limited resources, higher education institutions must be creative and collaborative in addressing information security awareness needs.” |
| 4) Addressing Regulatory Requirements | The regulatory environment impacting higher education IT systems is complex. Data protection in higher education IT systems is governed by a patchwork of different federal and/or state laws rather than by one national data protection law. Student data are traditionally protected by the Family Educational Rights and Privacy Act of 1974 (FERPA), “although some types of student data, when it is held in healthcare IT systems, may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).” In addition, some types of student and institutional employee financial data may be protected by the Gramm-Leach-Bliley Act (GLBA). State laws may have data-breach notification requirements, and contractual agreements may have their own list of security technological controls that must be implemented and validated in IT systems. (Grama & Vogel, 2017) |

A cybersecurity policy provides guidance for the protection of information assets, IT assets, and infrastructures. A cybersecurity risk governance policy identifies stakeholders, assets and threats, and procedures to assess vulnerabilities and risks and procedures to mitigate risks and manage incidents. Stakeholders should be identified at all levels in the business hierarchy, which may include businesses, services, groups, or feature teams. In addition, external stakeholders such as customers, governments, and investors should be identified. An information security policy is based on a combination of appropriate legislation, such as FISMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS); and internal compliance requirements. Information security policy is an essential component of information security governance.

IT governance policies tell administrators, users and operators how to use information technology to ensure information security within organizations. Information security policies aggregate directives, rules, and practices that prescribe how an organization manages, protects, and distributes information. An organization’s information security policies are typically high-level policies covering a large number of security controls. An information security policy at the institutional level should address the fundamentals of the institution’s information security governance structure, including information security roles and responsibilities, rules of behavior that users are expected to follow, and minimum repercussions for noncompliance. Further, organizational policies should include an access control policy outlining the access available to employees with regard to an organization’s data and information systems (e.g., based on NIST’s Access Control and Implementation Guides); an incident response policy; a remote access policy; an email and communication policy; and a disaster recovery policy.

IT governance frameworks are used to create value for organizations by streamlining or structuring activities so as to meet certain performance and regulatory requirements related to risk governance, aligning strategic goals with operations. IT governance is a framework “that provides a structure for organizations to ensure that IT investments support business objectives.” IT governance emphasizes a strategic alignment between IT activities and business goals, value creation, and performance management. NIST describes IT governance as “the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.” The ISO 38500 IT governance standard, Corporate Governance of Information Technology, defines IT governance as three activities: Evaluate, Direct, and Monitor. While in the business world the definition of IT governance has been focused on managing performance and creating value, in the academic world the focus has been on “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT” (Weill & Ross, 2004). Benefits of information security governance include 1) increased predictability and reduced uncertainty of business operations; 2) protection from the potential for civil and legal liability; 3) structure to optimize the allocation of resources and prioritize risks; 4) assurance of security policy compliance; 5) a foundation for effective risk management; and 6) accountability for safeguarding information (EDUCAUSE, 2019).

Governance, risk and compliance (GRC) is an IT governance model or framework for managing an organization’s overall governance, enterprise risk management and compliance with various regulations. GRC offers a structured approach to aligning IT activities with business goals while effectively managing risk and meeting compliance requirements. GRC is a top-level framework for coordinating technical solutions, business cooperation and buy-in, and meeting regulatory requirements. It should be very similar to a business plan. Organizations consult frameworks for guidance in developing and refining their GRC policy rather than creating one from scratch. “Frameworks and standards provide building blocks that organizations can tailor to their environment. According to Grama, COBIT, COSO and ITIL are the big players in many different industries.” Key IT governance frameworks include:

  • ITIL: Customizable framework designed around documents and processes to deliver an IT governance/life-cycle framework
  • COBIT 5: Governance and management of enterprise IT
  • COSO: Guidance on governance and operational performance through internal control
  • CMMI: Delivering value by building capability in people and processes
  • ISO/IEC 38500:2015: International standard of governance for corporate information technology
  • IT Governance: Developing a Successful Governance Strategy (ISACA)

Table 7: IT Security Governance and IT Security Management (Adapted from Educause.edu)

| IT Security Governance (doing the right thing) | IT Security Management (doing things right) |
| --- | --- |
| Oversight: ensures that risks are adequately mitigated | Implementation: ensures that controls are implemented to mitigate risks |
| Authorizes decision rights | Authorized to make decisions to mitigate risks |
| Enacts policy (setting a course) | Enforces policy (steering) |
| Accountability: specifies the accountability framework | Responsibility |
| Strategic planning: ensures that security strategies are aligned with business objectives and consistent with regulations | Project planning: recommends security strategies |
| Resource allocation | Resource utilization |

Cybersecurity regulations

Canada’s most visible commitments to cybersecurity governance include Canada’s Cyber Security Strategy (2010), the Canadian Cyber Incident Response Centre (CCIRC), the Counter-terrorism Strategy, the RCMP Cybercrime Strategy (2015), the National Strategy for Critical Infrastructure, and the Action Plan for Critical Infrastructure (2014-2017). Relevant US guidelines, standards, and laws that govern ethical hacking include FISMA, the Electronic Communications Privacy Act, the PATRIOT Act, the Privacy Act of 1974, the Cyber Intelligence Sharing and Protection Act (CISPA), the Consumer Data Security and Notification Act, and the Computer Security Act of 1987. Further, the Health Insurance Portability and Accountability Act (HIPAA) has five key subsections: Electronic Transaction and Code Sets, Privacy Rule, Security Rule, National Identifier Requirements, and Enforcement (Walker, 2017).

Important cybersecurity regulations and standards

| Category | International Standards | National or Regional Standards | Organizational Standards or Guidelines |
| --- | --- | --- | --- |
| IT Security Management | ISO 13335, ISO 13569, ISO 17799, ISO 27001, ISO 27002 | BS 7799-2, NIST Standards | ACSI-33, COBIT Security Baseline, ENV12924, ISF Standard of Good Practice, SAS 70 |
| IT Governance | ISO 38500:2008 | COSO Internal Control - Integrated Framework | COBIT, ITIL, BITS |
| Compliance | | Sarbanes-Oxley Act, Privacy Act, Trade Practices Act | Basel II, FFIEC Handbook, Gramm-Leach-Bliley Act, BSA, FACTA, GISRA, CA Bill 1386, PCI DSS, FISMA |
| Privacy | | Directive 95/46 (European Union), ETS No. 108 (Council of Europe), PIPEDA (Canada), Privacy Act 1988 (Australia), Specter-Leahy Personal Data Privacy and Security Act 2005 (USA), Personal Information Protection Act No. 57 (Japan) | |
| Risk Management | ISO 27005 | AS/NZS 4360, COSO Enterprise Risk Management, MoR, NIST Standard 800-30 | |
| Security Metrics | ISO 27004 | NIST Standards | Web Security Threat Classification, ISECOM, CVSS |
| Security Evaluation | ISO 15408, ISO 27001 | NIST Standards (FIPS), NSA IAM / IEM | PCI DSS |
| Security Testing | | NIST SP 800-115 Technical Guide to Information Security Testing and Assessment | OWASP Testing Guide (v4), OSSTMM, CHECK, ISACA, ISSAF, CREST |

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.
