- Organizational or corporate governance has existed since time immemorial to ensure that an organization runs efficiently through control structures.
- Since information security has become an integral part of every organization, it is absolutely necessary for a governance structure to be in place.
- Information security must also be properly aligned with the mission of the organization.
- Information security governance provides a platform for upper management and the board of directors (BOD) to exercise their oversight of enterprise risk management, keeping risk at the required acceptable level.
- The intent of governance is to provide some assurance that appropriate mechanisms are in place to reduce risk (please note that risk cannot be completely eliminated).
- Executive management must be fully committed to providing the investment required for information security activities.
- The IT Governance Institute (ITGI) defines IT governance as being “the responsibility of the board of directors and executive management”.
- The ITGI also proposes that information security governance must be considered part of IT governance and that the BOD should:
  - Be informed about security
  - Set direction to drive policy and strategy
  - Provide resources to security efforts
  - Assign management responsibilities
  - Set priorities
  - Support changes required
  - Define cultural values related to risk assessment
  - Obtain assurance from internal and external auditors
  - Insist that security investments are made measurable and reported on for program effectiveness.
- In addition, the ITGI suggests that management should:
  - Write security policies with business input
  - Ensure that roles and responsibilities are clearly defined and understood
  - Identify threats and vulnerabilities
  - Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
  - Ensure that policy is approved by the governing body
  - Establish priorities and implement security projects in a timely manner
  - Monitor breaches
  - Conduct periodic reviews and tests
  - Reinforce awareness education as critical
  - Build security into the systems development life cycle.
Security Governance:
- Goals, Mission, and Objectives of the Organization
  - Information security must support and enable the vision, mission, and business objectives of the organization.
  - Must ensure the interrelationships among risk assessment, policy implementation, response controls, promoting awareness, monitoring effectiveness, and related activities.
- Organizational Processes
  - Acquisitions and mergers
  - Divestitures and spinoffs
  - Governance committees
- Security Roles and Responsibilities
  - Today’s organizational structure
  - Role of the Information Security Officer
  - Communicate risks to executive management
- Information Security Strategies
  - Strategic planning – Long term (3 to 5 years) and must be aligned with business objectives.
  - Tactical planning – Short term (6 to 18 months) used to achieve specific goals. May consist of multiple projects.
  - Operational and project planning – Specific plans with milestones, dates, and accountabilities that provide communication and direction for project completion.