Information Security Governance Papers

Paper Title: Information Security Governance Challenges and Keys to Success
Abstract: There are many diverse, and sometimes conflicting, priorities an organization must account for in meeting information security governance requirements. These criteria present challenges an organization is likely to face in its efforts to establish information security governance.
Some of the most common challenges include:
• Balancing extensive requirements originating from multiple governing bodies. Several different governing and oversight bodies establish governance and information security requirements for the federal government. While these requirements are seldom contradictory, they are not always complementary, and organizations may be faced with the challenge of implementing different compliance measures and monitoring these measures for reporting purposes.
• Balancing legislation and agency-specific policy. Agencies may have more stringent requirements that go beyond those required by information security legislation, regulation, and directives.
• Maintaining currency. Governance standards and guidance evolve to support different requirements, and new legislation is frequently introduced.
• Prioritizing available funding according to requirements. Increased competition for limited federal budgets and resources requires that agencies allocate available funding toward their highest-priority information security investments.
Information security governance provides a framework for establishing and maintaining an information security program that will evolve with the organization it supports. The following list is a summary of good information security governance practices that are critical for ensuring the security of enterprise information assets:
• Information security activities should be governed based on relevant requirements, including laws, regulations, and organizational policies.
• Senior managers should be actively involved in establishing the information security governance framework and in governing the agency’s implementation of information security.
• Information security responsibilities must be assigned to and carried out by appropriately trained individuals.
• Individuals responsible for information security within the agency should be held accountable for their actions or lack of action.
• Information security priorities should be communicated to stakeholders at all levels within an organization to ensure a successful implementation of an information security program.
• Information security activities must be integrated into other management activities of the enterprise, including strategic planning, capital planning, and enterprise architecture.
• The information security organization structure should be appropriate for the organization it supports and should evolve with the organization if the organization undergoes change.
• Information security managers should continuously monitor the performance of the security program/effort for which they are responsible, using available tools and information.
• Information discovered through monitoring should be used as an input into management decisions about priorities and funding allocation to effect the improvement of security posture and the overall performance of the organization.
Web Link: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
