Information Security Governance Papers

Paper Title: Lack of progress is due in part to the absence of a governance framework

Abstract: With such a broad consensus on the kinds of measures that need to be taken to secure our information systems, why haven't we made more progress? The conclusion of the BSA task force is that we are still missing a vital piece of the puzzle: an information security governance framework that private industry can readily adopt. Governance entails the systematic oversight and execution of information security functions; as a result, it operationalizes the information security effort. By themselves, recommended practices, no matter how strong the consensus for them, are not enough; they must be married with an information security governance framework that assures effective implementation. What many of the reports on information security overlook is that a well-developed information security governance framework already exists in the form of the Federal Information Security Management Act (FISMA). This framework was developed for the Federal government. While overly detailed for the private sector, its principles can be applied to all organizations. It is especially good at defining the people and process aspects of information security governance, which is exactly where many of the reports on this topic fall short.

Purpose of a Governance Framework

A governance framework is important because it provides a roadmap for the implementation, evaluation and improvement of information security practices. An organization that builds such a framework can use it to articulate goals and drive ownership of them, evaluate information security over time, and determine the need for additional measures. One of the most important features of a governance framework is that it defines the roles of different members of an organization. By specifying who does what, it allows organizations to assign specific tasks and responsibilities. A common element in almost all security best practices is the need for the support of senior management, but few documents clarify how that support is to be given.

Fortunately, FISMA does. Adapting the FISMA management framework to the private sector provides the missing link to industry’s information security efforts. FISMA divides management functions into four categories, which, translated into business terms, are the following: 1) CEO, 2) business unit heads, 3) senior managers, and 4) the CIO/CISO. The security governance role of each is described below:

The CEO (or the most senior executives who report to the board of directors) has responsibility for:
- Oversight and coordination of policies
- Oversight of business unit compliance
- Compliance reporting
- Actions to enforce accountability

The business unit head (or executives with bottom-line responsibilities) has responsibility for:
- Providing information security protection commensurate with the risk and business impact
- Providing security training
- Developing the controls environment and activities
- Reporting on the effectiveness of policies, procedures and practices

The senior manager (those reporting to the business unit heads) has responsibility for:
- Providing security for information and systems
- Periodically assessing assets and their associated risks
- Determining appropriate levels of security for the information in their systems
- Implementing policies and procedures to cost-effectively reduce risk to acceptable levels
- Periodically testing security and controls

The CIO and/or CISO (or the most senior manager with IT security responsibilities) has responsibility for:
- Developing, maintaining, and ensuring compliance with the security program
- Designating a security officer whose primary duties and training are in IT security
- Developing the policies required to support the security program and business unit specific needs
- Developing the information use and categorization plan
- Assisting senior managers with their security responsibilities
- Conducting the security awareness program

The Components of a Security Governance Framework

FISMA also specifies the core components required in a security program, as do many other documents, including ISO/IEC 17799. To be effective, however, each information security program must be tailored to the needs of the individual business and the industry in which it operates. What is needed is a framework that specifies what corporate executives, business unit heads, senior managers, and CIOs/CISOs should do; that identifies business drivers, clarifies roles and responsibilities, recognizes commonalities and defines metrics; and that is flexible enough to apply to different business models.

We have provided the beginnings of such a framework below in a brief but comprehensive chart. The horizontal axis identifies the different management levels. The vertical axis identifies the business drivers, responsibilities, and metrics. It is important to note that the first and third items on the vertical axis (Governance/Business Drivers and Metrics/Audit) are specific to individual businesses and will change according to individual business and industry needs. For example, the governance and business drivers for the financial sector will likely differ from those of the health care industry, as will the metrics used to calibrate their results. By contrast, the middle item (Roles and Responsibilities) is common to almost all businesses and thus can be widely applied.

The task force identified that considerable additional work is needed to develop useful metrics that enable managers to quantify the return on investments in information security and the effectiveness of information security programs and measures. Several public and private sector organizations are investigating this field. The task force looks forward to the products of those efforts.

Web Link: http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx
