Information Security Governance: A Practical Development and Implementation Approach
By Krag Brotby
About this ebook
With monotonous regularity, headlines announce ever more spectacular failures of information security and mounting losses. The succession of corporate debacles and dramatic control failures in recent years underscores the necessity for information security to be tightly integrated into the fabric of every organization. The protection of an organization's most valuable asset, its information, can no longer be relegated to low-level technical personnel; it must be treated as an essential element of corporate governance that is critical to organizational success and survival.
Written by an industry expert, Information Security Governance is the first book-length treatment of this important topic, providing readers with a step-by-step approach to developing and managing an effective information security program. Beginning with a general overview of governance, the book covers:
- The business case for information security
- Defining roles and responsibilities
- Developing strategic metrics
- Determining information security outcomes
- Setting security governance objectives
- Establishing risk management objectives
- Developing a cost-effective security strategy
- A sample strategy development
- The steps for implementing an effective strategy
- Developing meaningful security program development metrics
- Designing relevant information security management metrics
- Defining incident management and response metrics
Complemented with action plans and sample policies that demonstrate to readers how to put these ideas into practice, Information Security Governance is indispensable reading for any professional who is involved in information security and assurance.
Book preview
Introduction
For most organizations, reliance on information and the systems that process, transport, and store it has become absolute. In many organizations, information is the business. Actionable information is the basis of knowledge and, as Peter Drucker stated over a decade ago, "Knowledge is fast becoming the sole factor of productivity, sidelining both capital and labor."*
This notion is buttressed by recent studies showing that over 90% of organizations that lose their information assets do not survive. Research also shows that currently, information assets and other intangibles comprise more than 80% of the value of the typical organization.
Yet, even as this realization has belatedly started to reach executive management and the boardroom in recent years, organizations are plagued by ever more spectacular security failures, and losses continue to mount. This is despite a dramatic rise in overall spending on a variety of security- or assurance-related functions, and despite national governments imposing a host of increasingly restrictive regulations.
This host of new security-related regulations has in turn led to a proliferation in the number and types of "assurance" functions. Until recently, for example, privacy officers were unheard of, as were compliance officers. Now they, and others such as the Chief Information Security Officer, are commonplace. It should be noted that all assurance functions are an aspect of what is arbitrarily labeled "security" and, indeed, what is called "security" is invariably an assurance function. In turn, both are elements of risk management.
Not only has the diversity of assurance functions increased, but assurance requirements embedded in many of an organization's other operations are now the norm. Examples include the HIPAA privacy assurance functions generally handled by Human Resources, or SOX disclosure compliance as the purview of Finance.
For many larger organizations, a list of assurance-related functions might include:
Risk management
BCP/DR
Project office
Legal
Compliance
CIO
CISO
IT security
CSO
CTO
Insurance
Training/awareness
Quality control/assurance
Audit
HR
Privacy
Combined, these assurance functions constitute a considerable percentage of an organization's operating budget. Yet, ironically, this increase in assurance functions has in many organizations led to a decrease in safety or security. This is a consequence of increasingly fragmenting assurance functions into numerous vertical "stovepipes" that are only coincidentally related to each other and to the organization's primary business objectives. This is despite the fact that all of these activities serve fundamentally only one common purpose: the preservation of the organization and its ability to continue to operate and generate revenue.
To compound the problem, these functions invariably have different reporting structures, often exist in relative isolation, speak different languages, and more often than not operate at cross purposes. Typically, they have evolved over a period of time, usually in response to either a crisis du jour or to mounting external regulatory pressures. Their evolution has often involved arbitrary factors unrelated to improving security functionality, efficiency, or effectiveness.
As these specialized assurance functions have developed, national or global associations have formed to promote each specialty. One outcome of this specialty-centric perspective has been to widen the divide between elements of what should arguably be a continuous assurance process, seamlessly dovetailed and aligned with the business.
So what is the way forward? It has become increasingly clear that the solution lies in elevating the governance of the typical myriad assurance functions to the highest levels of the organization. Then, as with other critical, expensive organizational activities, an assurance governance framework must be developed that will integrate these functions under a common strategy tightly aligned with and supporting business objectives.
Alternatively, for most organizations, failure to implement effective information security governance will result in the continued chaotic, increasingly expensive, and marginally effective firefighting mode of operation typical of most security departments today. Tactical point solutions will continue to be deployed, and effective administration of security and integration of assurance functions will have no impetus and will remain merely a concept in the typically fragmented multitude of assurance- and security-related stovepipes. Allocation of security resources is likely to remain haphazard and unrelated to risks and impacts as well as to cost-effectiveness. Breaches and losses will continue to grow, and regulatory compliance will become more costly to address. It is clear that senior management will increasingly be seen as responsible and legally liable for failing the requirements of due care and diligence. Customers will demand greater care and, failing to get it, will vote with their feet, and the correlation between security, customer satisfaction, and business success will become increasingly obvious and reflected in share value.
Against this backdrop, this book provides a practical basis and the tools for developing a business case for information security (or assurance) governance, developing and implementing a strategy to increasingly integrate assurance functions over time, improving security, lowering costs, reducing losses, and helping to ensure the preservation of the organization and its ability to operate.
Chapters 1 through 6 provide the background, rationale, and basis for developing governance. Chapters 7 through 14 provide the tools and an approach to developing a governance implementation strategy.
Developing a strategy for governance implementation will, at a high level, consist of the following steps:
1. Define and enumerate the desired outcomes for the information security program
2. Determine the objectives necessary to achieve those outcomes
3. Describe the attributes and characteristics of the desired state of security
4. Describe the attributes and characteristics of the current state of security
5. Perform a comprehensive gap analysis of the requirements to move from the current state to the desired state of security
6. Determine available resources and constraints
7. Develop a strategy and roadmap to address the gaps, using available resources within existing constraints
8. Develop control objectives and controls in support of strategy
9. Create metrics and monitoring processes to:
Measure progress and guide implementation
Provide management and operational information for decision support
* Drucker, Peter. Management Challenges for the 21st Century. HarperBusiness, 1993.
Chapter 1
Governance Overview—How Do We Do It? What Do We Get Out of It?
1.1 WHAT IS IT?
Governance is simply the act of governing. The Oxford English Dictionary defines it as "The act or manner of governing, of exercising control or authority over the actions of subjects; a system of regulations."
The relevance of governance to security is not altogether obvious and most managers are still in the dark about the subject. Information security is often seen as fundamentally a technical exercise, purely the purview of information technology (IT). In these cases, the information security manager generally reports directly or indirectly to the CIO but in some cases may report to the CFO or, unfortunately, even to Operations.
In recent years there has also been an increase in the number of senior risk managers, or CROs, and in some cases information security reports through that office. These organizational structures often work reasonably well in practice, provided the purview of security is primarily technical and the manager is educated in the subject and has considerable influence. In many cases, however, they do not work well, and in any event these reporting arrangements are fundamentally and structurally deficient. This contention is often controversial, even among security professionals. Nevertheless, analysis of the wide range of activities that must be managed for security to be effective, together with study of the best-run security functions, shows that security requires scope and authority equivalent to that of any other senior manager. Security and other assurance activities are, in effect, regulatory functions and cannot report to the regulated without creating an untenable structural conflict of interest. Maintaining a distinction between regulatory and operational functions is critical, as each has a very different focus and responsibility: the former is concerned with safety, the latter with performance, and it is not unusual for tension to exist between them.
Part of the reason that the requirement for separation of security from operational activities is not evident is that the definitions and objectives of security generally lack clarity. Asking the typical security manager what the meaning of security is will elicit the shop-worn response of ensuring the confidentiality, integrity, and availability of information assets.
Pointing out that that is what it is supposed to do, that is its mission, and not what it is, generally elicits a blank stare. Probing further into the objectives of security will usually result in the same answer.
The lack of clarity about what security should specifically provide, how much of it is enough, and how to know when that has been achieved poses a problem and contributes to the confusion over the appropriate organizational structure for security. The absence of clear objectives, a definition of success, and metrics that show when success has been achieved raises the question: what does a security manager actually do? How is the manager to know when he or she is managing appropriately? What is his or her performance based on? How does anyone know?
In other words, as in any other business endeavor, we manage for defined objectives, for outcomes. Objectives define intent and direction. Performance is based on achieving the objectives. Metrics determine whether or not objectives are being achieved.
1.2 BACK TO BASICS
If there is a lack of clarity looking ahead, reverting to basics may help shed light on the subject. Security fundamentally means safety, or the absence of danger. So in fact, IT or information security is an assurance function, that is, it provides a level of assurance of the safety of IT or information. Of course, it must be recognized that the safety of an organization’s information assets typically goes a considerable distance beyond the purview of IT.
IT is by definition technology centric. IT security is by definition the security related to the technology. From a business or management perspective, or, indeed, from a high-level architectural viewpoint, IT is simply a set of mechanisms to process, transport, and store data. Whether this is done by automated machinery or by human processes is not relevant to the value or usefulness of the resultant activities. It should be obvious, therefore, that IT security cannot address the broader issue of information safety.
Information security (IS) goes further in that it is information centric and is concerned with the "payload," not the method by which it is handled. Studies have clearly shown that the risks of compromise are often greater from the theft of paper than from IT systems being hacked. The loss of sensitive and protected information is five times greater from the theft or loss of laptops and backup tapes than it is from being hacked. These are issues typically outside the scope of IT security. The fact that the information on these purloined laptops or tapes is infrequently encrypted is not a technology problem either; it is a governance and, therefore, a management problem.
To address the issues of "safety," the scope of information security governance must be considerably broader than either IT security or IS. It must endeavor to initiate a process to integrate the host of functions that in the typical organization are related to the "safety" of the organization. A number of these were mentioned in the Introduction, including:
Risk management
BCP/DR
Project office
Legal
Compliance
CIO
CISO
IT security
CSO
CTO
CRO
Insurance
Training/awareness
Quality control/assurance
Audit
To this list we can add privacy and, perhaps more importantly, facilities. Why facilities? Consider the risks to information "safety" that can occur as a function of how the facility operates: the physical security issues, access controls, fire protection, earthquake safety, air-conditioning, power, telephone, and so on. Yet risk assessments in most organizations frequently do not consider these elements.
The advantage of using the term "organizational safety" and considering the elements required to "preserve" the organization is that the task of security management becomes clearer. It also becomes obvious that many of the other "assurance" functions that deal with aspects of "safety" must somehow be integrated into the governance framework. It also becomes clear that most attempts to determine risk are woefully inadequate in that they fail to consider the broad array of threats and vulnerabilities that lie beyond IT and, indeed, beyond IS as well.
1.3 ORIGINS OF GOVERNANCE
It may be helpful to consider how the whole issue of governance arose in the first place in order to understand its relevance to information security. The first appearance of the term corporate governance seems to be due to economist and Nobel laureate Milton Friedman, who contended that corporate governance "is to conduct the business in accordance with owner or shareholders' desires, while conforming to the basic rules of the society embodied in law and ethical custom." This definition was based on his views and on the economic concept of market value maximization that underpins shareholder capitalism.
The basis for modern corporate governance is probably a result of the Watergate scandal in the United States during the 1970s, which involved the burglary of the opposition party's headquarters and the subsequent cover-up by the Nixon administration. The ensuing investigations by U.S. regulatory and legislative bodies highlighted organizational control failures that allowed major corporations to make illegal political contributions and to bribe government officials. This led to passage of the U.S. Foreign Corrupt Practices Act of 1977, which contained specific provisions regarding the establishment, maintenance, and review of systems of internal control.
In 1979, the U.S. Securities and Exchange Commission proposed mandatory reporting on internal financial controls. Then, in 1985, amid the savings and loan crisis in the United States, brought on by aggressive lending, corruption, and poor bookkeeping, among other things, the Treadway Commission was formed to identify the main causes of misrepresentation in financial reports and make recommendations. The 1987 Treadway Report highlighted the need for proper control environments, independent audit committees, and objective internal audit functions. It suggested that companies report on the effectiveness of internal controls and that the sponsoring organizations develop an integrated set of internal control criteria.
This was followed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which in 1992 published its Internal Control Integrated Framework, a control framework that was endorsed and refined in four subsequent U.K. reports: Cadbury, Rutteman, Hampel, and Turnbull.
Scandals and corporate collapses in the United Kingdom in the late 1980s and early 1990s led the government to recognize that existing legislation and self-regulation were not working. Companies such as Polly Peck, British & Commonwealth, BCCI, and Robert Maxwell's Mirror Group Newspapers were among the high-profile victims of the irrational exuberance of the 1980s, and their failures were determined to be primarily a result of poor business practices.
In 1991, the Cadbury Committee was established, and in 1992 it published a code of best practice defining and applying internal controls to limit exposure to financial loss.
Subsequent to the most spectacular failures in recent times of Enron, Worldcom, and numerous other companies in the United States, the draconian Sarbanes–Oxley Act of 2002 required financial disclosure, testing of controls and attestation of their effectiveness, board-level financial oversight, and a number of other stringent control requirements.
In January 2005, the Bank of England, the Treasury, and the Financial Services Authority in the United Kingdom published a joint paper on supervisory convergence addressing many of the same issues as Sarbanes–Oxley.
Currently, the global revolution in high-profile governance regulation has resulted in the following, among others:
Financial Services Authority (U.K.)
Combined Code–Turnbull, Smith, Higgs (U.K.)
Sarbanes–Oxley (U.S.)
OECD Principles of Corporate Governance 1999 (G7)
Russian Code of Corporate Governance 2002
World Bank Governance Code of Best Practices (global)
Basel II Accord (global financial organizations)
HIPAA (medical, U.S.)
Corporations Act 2001 (Australia)
1.4 GOVERNANCE DEFINITION
The Information Systems Audit and Control Association (ISACA), a global organization originally formed in the late 1960s as an association of IT auditors and now comprising over 70,000 members, states that governance is:
"The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly."
The Organization for Economic Cooperation and Development (OECD) Principles state that governance should include the "structure through which the objectives of the enterprise are set, and the means of attaining those objectives and monitoring performance are determined . . ." [1].
Further reading of this definition finds that it includes:
Organizational structure
Strategy (and design)
Policy and corresponding standards and procedures
Strategic and operational plans
Awareness and training
Risk management
Controls and countermeasures
Audits, monitoring, and metrics
Other assurance activities
1.5 INFORMATION SECURITY GOVERNANCE
Obviously, information security has to address the standard notions of security, which include:
Confidentiality—Information is disclosed only to authorized entities
Integrity—Information has not been subject to unauthorized modification
Availability—Information can be accessed by those that need it when they need it
Accountability and Nonrepudiation are also required for digital commerce.
But to address the broader issue of safety,
the notion of preservation must also be considered:
"It is no longer enough to communicate to the world of stakeholders why we exist and what constitutes success, we must also communicate how we are going to protect our existence." [2]
This suggests two specific recommendations for steps to be taken:
Develop a strategy for preservation alongside a strategy for progress.
Create a clearly articulated purpose and preservation statement.
1.6 SIX OUTCOMES OF EFFECTIVE SECURITY GOVERNANCE
Extensive research and analysis by ISACA [3] has determined that effective information security governance should result in six outcomes:
Strategic alignment—aligning security activities with business strategy to support organizational objectives
Risk management—executing appropriate measures to manage risks and potential impacts to an acceptable level
Business process assurance/convergence—integrating all relevant assurance processes to maximize the effectiveness and efficiency of security activities
Value delivery—optimizing investments in support of business objectives
Resource management—using organizational resources efficiently and effectively
Performance measurement—monitoring and reporting on security processes to ensure that business objectives are achieved
Defining the specifics of these outcomes for an organization will result in determining governance objectives. A thorough analysis of each of the six will provide a basis for clarifying the requirements and expectations of information security, and, subsequently, the sort of structure and activities needed to achieve those outcomes.
1.7 DEFINING INFORMATION, DATA, AND KNOWLEDGE
Many of the terms used in IS and IT have