Enterprise Cloud Security and Governance: Efficiently set data protection and privacy principles

Author: Zeal Vora
Publisher: Packt
Published: Dec 2017
Edition: 1st Edition, Paperback, 410 pages
ISBN-13: 9781788299558

Table of Contents (11 chapters)

Preface
1. The Fundamentals of Cloud Security
2. Defense in Depth Approach
3. Designing Defensive Network Infrastructure
4. Server Hardening
5. Cryptography Network Security
6. Automation in Security
7. Vulnerability, Pentest, and Patch Management
8. Security Logging and Monitoring
9. First Responder
10. Best Practices

Policies and governance in the cloud

Governance is the set of rules and policies through which an organization is directed and controlled so that it stays focused on its goals.

As an overview: if management is about running the business, governance is about making sure that it runs properly. Before we move further, we need to look at a few use cases; otherwise, this will remain a theoretical concept.

Let's understand this with an example. Small Corp. has started offering delivery services, and three deliveries are currently pending. Let's look at them from the management and the governance perspective:

  • Management:
    • Matt will pick up the first and second deliveries at 8 am and deliver them by 11 am
    • Allen will pick up the third delivery at 3 pm and deliver it by 7 pm
  • Governance:
    • Are all the deliveries being delivered on time?
    • Is everything being done in compliance with legal and regulatory requirements?

When we speak about information security governance, the board members of the organization should be briefed about it and should:

  • Be informed about the current information security readiness of the organization
  • Set direction by adding policies and strategies, and make sure that security is part of every new policy
  • Provide resources for security efforts
  • Obtain assurance from internal as well as external auditors
  • Assign management responsibilities

Let's look at a real-world case that illustrates this.

In one of the organizations that I have worked with, although the security posture was good, the board members insisted on having the audit done by external auditors. So the external auditors came in and checked every control; their firewall admin sat with our firewall admin and went through the individual rules, and so on.

All that the board members wanted to hear from the external auditor was: all OK, or not?

When we brief board members or the CEO about information security governance, it is important to speak their language.

A firewall admin, for example, cannot simply say that there are advanced persistent threats and that, because of this, we need next-generation firewalls. The board might fire him even though he might be the best firewall admin in the organization.

Thus, the representative must speak the board's language: the CISO, CIO, or whoever presents should cover the current security threats, the current level of preparedness, and the future plans for which the board can approve new budgets and discuss further:

  • It is the responsibility of the senior executives to respond to the concerns raised by the information security expert
  • In order to exercise enterprise governance effectively, the board and senior executives must have a clear vision of what is expected from the information security program
  • IT security governance is different from IT security management: security management is focused on how to mitigate the risks associated with security, whereas governance is concerned with who in the organization is authorized and responsible for making decisions:

Governance                  | Management
----------------------------|----------------------------------
Overseeing the operations   | Deals with the implementation aspect
Making policies             | Enforcing policies
Allocating the resources    | Utilizing the resources
Strategic                   | Tactical

  • Nowadays, increased corporate governance requirements have caused organizations to look at their internal controls more closely, to ensure that the required controls are in place and are operating effectively.

Let's understand this with an example. John is a new CISO who has joined Medium Corp. After joining, John realized that most of what the organization had been doing was incomplete. At the end of the year, when the auditor came, more than half of the controls did not work: backups were failing, audit trails were not being recorded on many servers, and so on.

So, John decided to implement the NIST Cybersecurity Framework. As an overview, following an industry framework such as the NIST CSF gives the organization a structured baseline of controls to measure itself against, and a way to show the board and the auditors where it stands and what still needs to be done; it is not a guarantee of security on its own, but it makes gaps like failing backups and missing audit trails visible before the auditor finds them.
