We covered information security management concepts such as information security governance, information security regulations, risk management, and information security frameworks such as NIST 800-53, ISO 27001, COBIT, and SOC 2, as well as governance, risk and compliance (GRC). This was part of the TryHackMe Governance and Compliance room, which is part of the Security Engineer track.

Information Security Governance

Information security governance represents an organization’s established structure, policies, methods, and guidelines designed to guarantee the privacy, reliability, and accessibility of its information assets. Given the escalating complexity of cyber threats, the significance of information security governance is continually growing. It is essential for risk management, safeguarding confidential data from unauthorized intrusion, and adhering to pertinent regulations. Information security governance falls under the purview of top-tier management and includes the following processes:

  • Strategy: Developing and implementing a comprehensive information security strategy that aligns with the organization’s overall business objectives.
  • Policies and procedures: Preparing policies and procedures that govern the use and protection of information assets.
  • Risk management: Conducting risk assessments to identify potential threats to the organization’s information assets and implementing risk mitigation measures.
  • Performance measurement: Establishing metrics and key performance indicators (KPIs) to measure the effectiveness of the information security governance program.
  • Compliance: Ensuring compliance with relevant regulations and industry best practices.

Information Security Regulation

Governance and regulation are closely linked in the information security paradigm but have distinct meanings. Information security regulation refers to legal and regulatory frameworks that govern the use and protection of information assets. Regulations are designed to protect sensitive data from unauthorized access, theft, and misuse. Compliance with regulations is typically mandatory and enforced by government agencies or other regulatory bodies. Examples of information security regulations/standards include the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Personal Information Protection and Electronic Documents Act (PIPEDA), and many more.

Information Security Frameworks

The information security framework provides a comprehensive set of documents that outline the organization’s approach to information security and govern how security is implemented, managed, and enforced within the organization. This mainly includes:

  • Policies: A formal statement that outlines an organization’s goals, principles, and guidelines for achieving specific objectives.
  • Standards: A document establishing specific requirements or specifications for a particular process, product, or service.
  • Guidelines: A document that provides recommendations and best practices (non-mandatory) for achieving specific goals or objectives.
  • Procedures: Set of specific steps for undertaking a particular task or process.
  • Baselines: A set of minimum security standards or requirements that an organization or system must meet.

Developing Governance Documents

Here are some generalized steps used to develop policies, standards, guidelines, etc.

  • Identify the scope and purpose: Determine what the document will cover and why it is needed. For example, a password policy might be required to ensure robust and secure user passwords. In contrast, a baseline might be required to establish a minimum level of security for all systems.
  • Research and review: Research relevant laws, regulations, industry standards, and best practices to ensure your document is comprehensive and up-to-date. Review existing policies, procedures, and other documents to avoid duplicating efforts or contradicting existing guidance.
  • Draft the document: Develop an outline and start drafting the document, following best practices for writing clear and concise policies, procedures, standards, guidelines, and baselines. Ensure the document is specific, actionable, and aligned with the organisation’s goals and values.
  • Review and approval: Have the document reviewed by stakeholders, such as subject matter experts, legal and compliance teams, and senior management. Incorporate their feedback and ensure the document aligns with organisational goals and values. Obtain final approval from appropriate stakeholders.
  • Implementation and communication: Communicate the document to all relevant employees and stakeholders, and ensure they understand their roles and responsibilities in implementing it. Develop training and awareness programs to ensure the document is understood and followed.
  • Review and update: Periodically review and update the document to ensure it remains relevant and practical. Monitor compliance and adjust the document based on feedback and changes in the threat landscape or regulatory environment.

Explanation through Real-world Scenarios

We will go through some real-world scenarios to fully understand the steps to develop these documents.

Preparing a Password Policy

  • Define password requirements: Minimum length, complexity, and expiration.
  • Define password usage guidelines: Specify how passwords should be used, such as requiring unique passwords for each account, prohibiting the sharing of passwords, and prohibiting default passwords.
  • Define password storage and transmission guidelines: Using encryption for password storage and requiring secure connections for password transmission.
  • Define password change and reset guidelines: How often passwords should be changed, and so on.
  • Communicate the policy: Communicate the password policy to all relevant employees and stakeholders, and ensure that they understand the requirements and guidelines. Develop training and awareness programs to ensure that employees follow the policy.
  • Monitor compliance: Monitor compliance with the password policy and adjust the policy as needed based on feedback and changes in the threat landscape or regulatory environment.

Making an Incident Response Procedure

  • Define incident types: Unauthorised access, malware infections, or data breaches.
  • Define incident response roles and responsibilities: Identify the stakeholders, such as incident response team members, IT personnel, legal and compliance teams, and senior management.
  • Detailed Steps: Develop step-by-step procedures for responding to each type of incident, including initial response steps, such as containing the incident and preserving evidence; analysis and investigation steps, such as identifying the root cause and assessing the impact; response and recovery steps, such as mitigating the incident, reporting and restoring normal operations.
  • Report the incident to management and document the incident response process for future reference.
  • Communicate the incident response procedures.
  • Review and update the incident response procedures.

Organizations do not always need to create their own standards, frameworks, or baselines; instead, they often adopt existing documents relevant to their field or discipline. The financial sector may follow PCI DSS and GLBA, healthcare may follow HIPAA, and so on. Several factors determine which standard, framework, or baseline checklist should be used; these include regulatory requirements (primarily related to the particular geographical areas), scope, objectives, available resources, and many more.

Room Answers

The term used for legal and regulatory frameworks that govern the use and protection of information assets is called?

Health Insurance Portability and Accountability Act (HIPAA) targets which domain for data protection?

The step that involves periodic evaluation of policies and making changes as per stakeholder’s input is called?

A set of specific steps for undertaking a particular task or process is called?

What is the component in the GRC framework involved in identifying, assessing, and prioritising risks to the organisation?

Is it important to monitor and measure the performance of a developed policy? (yea/nay)

What is the maximum fine for Tier 1 users as per GDPR (in terms of percentage)?

In terms of PCI DSS, what does CHD stand for?

Per NIST 800-53, in which control category does the media protection lie?

Per NIST 800-53, in which control category does the incident response lie?

Which phase (name) of NIST 800-53 compliance best practices results in correlating identified assets and permissions?

Which ISO/IEC 27001 component involves selecting and implementing controls to reduce the identified risks to an acceptable level?

In SOC 2 generic controls, which control shows that the system remains available?

Click the View Site button at the top of the task to launch the static site in split view. What is the flag after completing the exercise?

About the Author

Cybersecurity trainer; MS in Cybersecurity; expertise in healthcare and finance industries; penetration tester and compliance auditor.