Types of lessons learned and rules of mapping

Part of the document "generic security templates for information system security arguments mapping security arguments within healthcare systems" (pages 153 - 156)

8.3 Execution of the group study - first session

8.3.2 Types of lessons learned and rules of mapping

Depending on their relation to the goals, the lessons learned have been divided into different types. Recall the definition of the four types of lessons learned and the rules for deciding the mapping that we developed in Chapter 6:

Types of lessons learned and rules of mapping

Starting from the bottom-level goals in the goal structure:

(Type I) If a lesson learned is related exclusively to one bottom-level goal, it is defined as Type I and is mapped to that bottom-level goal.

(Type II) If a lesson learned is related to more than one bottom-level goal, it is defined as Type II and is mapped to the nearest parent goal that those bottom-level goals share.

(Type III) If a lesson learned is related to none of the bottom-level goals, go up the structure and check whether it is related to a higher-level goal. If so, it is defined as Type III and is mapped to that goal. This indicates an aspect that is probably missing from the higher-level goal.

(Type IV) If a lesson learned is related to none of the goals in the goal structure, it is defined as Type IV, and a new goal named "(Standard non-existent)" is created to link the lesson learned to the top goal. This indicates an aspect missing from the security management guidelines or standard as a whole.

Below are examples of lessons learned of Type I, II, III and IV, cited from the real-world security incidents used in our industrial evaluation. The examples of Type I, III and IV are taken from Figure 8.1; the example of Type II is taken from Figure 8.3. The goals (security requirements) for those cases are from GB/T22239.

In the following examples, the different types of lessons learned have been mapped to different levels of security requirements of GB/T22239.

8.3. EXECUTION OF THE GROUP STUDY - FIRST SESSION 136

Type I

Lesson learned (Figure 8.1)

Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.

Security Requirement, bottom level (from GB/T22239) ...

8.1.5.2.a Use encryption or other protective measures to protect system management data, identification information, and critical business data during transmission.

8.1.5.2.b Use encryption or other protective measures to protect system management data, identification information, and critical business data in storage.

8.1.5.2.c Provide dedicated or secure communication protocol services for important communication channels, to prevent loss of data confidentiality through attacks on general-purpose protocols.

...

Decision on Mapping

The lesson learned is found to be related exclusively to the bottom-level security goal 8.1.5.2.b; therefore it is mapped to 8.1.5.2.b. This indicates that if this lesson learned is ignored, goal 8.1.5.2.b would be affected.

Type II

Lesson learned (Figure 8.3)

Security Training: Establish and execute security training programs by following the security standard.

Security Requirement, one level above bottom (bottom level - 1)

8.2.3.4 Security awareness education and training.

Security Requirement, bottom level

8.2.3.4.a Security awareness training, and position-related technical and security skills training, must be provided to all staff.


8.2.3.4.b Security responsibilities and punitive measures must be documented and communicated to the responsible staff. Disciplinary action must be taken against people violating security policies.

8.2.3.4.c Security education and training must be conducted and documented regularly. Training covering basic security knowledge and position-specific operational procedures must be designed for the different positions.

8.2.3.4.d Security education and training must be assessed, and the results kept on file.

...

Decision on Mapping

The lesson learned is found to be related to all of the listed bottom-level goals; therefore it is mapped to their parent goal 8.2.3.4. This indicates that if this lesson learned is ignored, goal 8.2.3.4 or its sub-goals would be affected.

Type III

Lesson learned (Figure 8.1)

Position Description: Re-evaluate and correct position sensitivity levels.

Security Requirement, one level above bottom (bottom level - 1)

8.2.2.1 Position description (G4)

Security Requirement, bottom level

8.2.2.1.a Establish a functional management structure for information security management. Establish the job role of security officer, in charge of all aspects of security management, and define the responsibility of each position.

8.2.2.1.b Establish the job roles of system administrator, network administrator and security administrator, and define the responsibility of each position.

8.2.2.1.c Establish an information security management committee or leadership team, whose head is appointed or authorised by the highest leadership of the unit.

8.2.2.1.d Define clearly the institutional responsibilities, division of labour and skill requirements of the various departments and positions.


Decision on Mapping

The lesson is found to be related to none of the bottom-level goals (8.2.2.1.a, ...); however, it is related to the higher-level goal 8.2.2.1, so it is mapped to 8.2.2.1. This indicates that the aspect covered by this lesson is probably missing from goal 8.2.2.1.

Type IV

Lesson learned (Figure 8.1)

Risk Analysis: Develop and issue Government-wide risk analysis criteria.

New Security Requirement

(Standard non-existent): Government-wide risk analysis criteria are addressed.

Decision on Mapping

The lesson learned is found to be related to none of the security requirements of GB/T22239, so a new goal, (Standard non-existent), is created to address this recommendation. This indicates that this aspect is probably missing from GB/T22239.
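The four mapping rules and the four decisions above can be expressed as a small procedure over the goal structure. The following Python is an added example, not the thesis' own tooling or the group study's method: it builds the fragment of the GB/T22239 goal structure quoted in this section, applies rules I-IV, and reproduces the four decisions. Two things are assumptions of the example: the intermediate goals (8.1.5.2, 8.1.5, 8.1, 8) are inferred from the clause numbering, and the set of goals a lesson is "related to" is supplied by the analysts, so it is passed in rather than derived from the text of the lesson.

```python
"""Lessons-learned mapping rules (Types I-IV) applied to a goal structure.

Added example, not the thesis' own tooling. The bottom-level goals are the
GB/T22239 requirements quoted in this section; the intermediate goals
(8.1.5.2, 8.1.5, 8.1, 8, ...) are inferred from the clause numbering, which
is an assumption of this example. Which goals a lesson is related to is the
analysts' judgement (constructed here to match the section's four cases).
"""
from collections import defaultdict

TOP = "GB/T22239"                       # top goal of the structure
NEW_GOAL = "(Standard non-existent)"    # created for Type IV lessons

# Bottom-level goals quoted in the Type I, II and III examples of this section.
BOTTOM_GOALS = [
    "8.1.5.2.a", "8.1.5.2.b", "8.1.5.2.c",
    "8.2.3.4.a", "8.2.3.4.b", "8.2.3.4.c", "8.2.3.4.d",
    "8.2.2.1.a", "8.2.2.1.b", "8.2.2.1.c", "8.2.2.1.d",
]


def parent(goal):
    """Parent of a goal, read off the clause numbering; TOP has no parent.
    A goal without a dot (e.g. '8' or NEW_GOAL) hangs directly off TOP."""
    if goal == TOP:
        return None
    head, _, _ = goal.rpartition(".")
    return head or TOP


def ancestors(goal):
    """The goal itself, then its parents up to and including TOP."""
    chain = []
    while goal is not None:
        chain.append(goal)
        goal = parent(goal)
    return chain


class GoalStructure:
    def __init__(self, bottom_goals):
        self.bottom = set(bottom_goals)
        self.nodes = set()
        for g in bottom_goals:
            self.nodes.update(ancestors(g))
        self.mapped = defaultdict(list)     # goal -> lessons mapped onto it

    def nearest_common_parent(self, goals):
        """Lowest goal that is an ancestor (or self) of every goal given."""
        goals = list(goals)
        common = set(ancestors(goals[0]))
        for g in goals[1:]:
            common &= set(ancestors(g))
        # walk the first goal's chain upward; the first shared node is nearest
        return next(a for a in ancestors(goals[0]) if a in common)

    def map_lesson(self, lesson, related):
        """Decide the type and target goal of a lesson (rules I-IV) and record it."""
        related = set(related)
        bottom = related & self.bottom
        higher = (related & self.nodes) - self.bottom
        if len(bottom) == 1:                        # Type I: one bottom goal
            kind, target = "I", next(iter(bottom))
        elif len(bottom) > 1:                       # Type II: nearest shared parent
            kind, target = "II", self.nearest_common_parent(bottom)
        elif higher:                                # Type III: a higher-level goal
            kind, target = "III", self.nearest_common_parent(higher)
        else:                                       # Type IV: standard is silent
            kind, target = "IV", NEW_GOAL
            self.nodes.add(NEW_GOAL)                # parent(NEW_GOAL) is TOP
        self.mapped[target].append(lesson)
        return kind, target


if __name__ == "__main__":
    gs = GoalStructure(BOTTOM_GOALS)
    # The four cases of this section; the 'related' sets are the analysts' decisions.
    cases = [
        ("Sensitive Information: protect PII on removable storage", {"8.1.5.2.b"}),
        ("Security Training: establish and execute training programs",
         {"8.2.3.4.a", "8.2.3.4.b", "8.2.3.4.c", "8.2.3.4.d"}),
        ("Position Description: re-evaluate position sensitivity levels", {"8.2.2.1"}),
        ("Risk Analysis: government-wide risk analysis criteria", set()),
    ]
    for lesson, related in cases:
        kind, target = gs.map_lesson(lesson, related)
        print(f"Type {kind:<3} -> {target:<25} {lesson}")
```

The Type II rule is a lowest-common-ancestor computation, so the same code also handles a lesson whose bottom-level goals sit in different branches of the standard (for example one under 8.1.5.2 and one under 8.2.3.4): it maps to the nearest node the branches share, which with the inferred numbering is clause 8, rather than to an arbitrary one of the two parents.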
