Course Introduction and Security Basics
Governance, Compliance and Risk
In the last decade the nature and complexity of security attacks have increased tremendously. From simple attacks, which focused on hacking exposed web pages, we have evolved to stealthy attacks, in which the attacker stays hidden inside the victim's network for years on end with the sole purpose of stealing data. To make matters worse, more and more companies have started to store their data in the cloud, thereby transferring part of the responsibility for securing that data to the cloud service provider. Therefore, these days the cloud service provider is entrusted with the task of providing adequate security for the data and services it provides to customers. When making the decision to move to the cloud, the two main metrics that enterprises look at tend to be cost and security risk.
About the Author
Vish Chidambaram is an award-winning enterprise security leader with 18+ years of experience, skilled in areas spanning automation, security operations analytics and reporting, the threat management life cycle, Agile/DevOps environments, SaaS/cloud security, business development and consulting, program management and more. Most recently Vish was the CISO at Rubicon Project, a SaaS-based ad marketplace, where he was responsible for securing a high-performance SaaS platform handling 40 billion transactions per day. He pioneered the integration of security into DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions; details can be found at datacoreacademy.com or by writing to firstname.lastname@example.org. His LinkedIn page is https://www.linkedin.com/in/vish-chidambaram/
Now let's look at some data. Companies that adopt Cloud grow 20 percent faster. 16 percent of the data in the Cloud is sensitive. 37 percent of the data in the Cloud is shared. 90 percent of the companies have at least one insider threat per month. 76 percent of the companies have at least one compromised account per month. 55 percent of the companies have at least one privileged user threat per month. The average organization uses over 100 Cloud services.
Let's first answer the question: what is information security? NIST, the National Institute of Standards and Technology, defines security as follows: a condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission-critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form a part of the enterprise's risk management approach. Risk to the use of information systems is further broken up into risks to confidentiality, risks to integrity, and risks to availability. So basically, all that we are trying to do in securing organizations can be broken down into these three basic concepts: confidentiality, integrity, availability. This is also referred to in short as CIA.
Now let's look at the challenges in implementing security. The implementation of security is plagued by a clash between functionality, resources, and interoperability. Putting a rigid security system in place will increase cost, result in some functionality being deemed too risky, and prevent applications from connecting to one another freely. For example, an application that deals with confidential information can only communicate with applications that use encrypted channels of communication and are at the same level of security as itself. A company might roll out changes to its code five times a day, and it may not be possible to do a security scan of the code for each of these releases, as these need significant manpower and time. A good security event monitoring system could easily cost anywhere upwards of one million dollars and could cost another one million per year to maintain and run. So while everyone agrees that security is important, there are significant challenges that arise in its implementation. What companies need to do is to be wise and prudent while deciding on their security framework. There are a lot of frameworks available today that companies can use in designing their security ecosystem. In this course, we will base our discussions on frameworks like NIST, ISO 27001, and OWASP, the Open Web Application Security Project, as these are the most widely used and frequently updated frameworks.
This brings into focus a key term in our course description, namely security governance. Security governance includes the activities performed by an organization for the development, implementation, monitoring and auditing, and continuous improvement of the information security risk management system. Most organizations use a security framework, like ISO 27001, to develop their own customized version of security governance. This is because different companies have different risk appetites.
Let's talk about the risk appetite of the organization. This concept is very important to what a company does with regard to its security. A company might decide that it does not care about being hacked since it has very little confidential information. Then there are companies that decide they are going to be very paranoid about their security, say, defense contractors. This attitude towards security sets the tone for all that is to follow. Companies with a lower risk appetite will be ready to spend millions on security, will not compromise security for speed and functionality, and will invest in a strict implementation of security frameworks such as ISO 27001. This sets the tone for all your work. It is wise to be aware of the risk appetite of the company you work for before designing the framework. The framework that is finally produced is referred to as the Information Security Management System, or ISMS for short. An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization's information risk management process.