Information Security Governance Papers

Paper Title: There is already broad consensus on the actions necessary to remedy the problem

Abstract: A thorough review and analysis of the existing literature leads to three conclusions:

• First, remarkable convergence exists across the documents regarding recommended security practices. There is a broad consensus among the experts as to what kinds of measures should be undertaken by organizations.
• Second, no single document provides the necessary governance framework for information security. The existing guidance is either too detailed or not actionable in a comprehensive manner from the top to bottom of an organization.
• Third, ISO/IEC 17799 and FISMA provide a good substantive basis for creating such a framework. However, the current version of ISO 17799 is overly detailed for CEO consumption and application, and FISMA, as written, is too detailed and government-specific to be applied uniformly across all organizations.

Various initiatives, both in the private sector and in government, have addressed the issue of security program management. These initiatives describe proposed management structures, give security checklists, offer best practices, and, in the case of government, legislation. Because the ultimate goal of BSA’s analysis of IT security governance documents and activities was to identify or develop a governance framework without duplicating existing work, a key component of the project was the completion of a survey of existing governance and framework documents.

The first part of the effort was the identification of those documents that address the need for a framework for IT security governance in public and private sector enterprises. Indeed, many worthwhile and comprehensive documents emerged during this phase of the project. Publications included in the study are listed in Appendix 1. Once this body of literature was identified, criteria were developed to assess the applicability and coverage of each document.

The analysis was seeded with two primary “reference” documents – the international standard ISO/IEC 17799 Code of Practice for Information Security Management and the newly minted Federal Information Security Management Act (FISMA). Additionally, the National Institute of Standards and Technology’s (NIST) Special Publication on Generally Accepted System Security Principles and Practices (GSSP) was also used as a baseline for the analysis. These sources were selected as reference documents because of their comprehensive coverage of the subject matter and their level of general acceptance in the IT security community.

The ISO standard is a benchmark recognized internationally and used by multiple industries, from finance to healthcare, to define IT security effectiveness. This document serves as the baseline reference for the people-operational, people-tactical, process-operational, process-tactical, technology-operational, technology-tactical, and technology-strategic dimensions of the matrix. The ISO standard is extremely detailed at the operational level yet is vague about senior management responsibilities.
FISMA contains high-level management guidance that assigns responsibility at appropriate levels for specific aspects of an organization’s information security program. FISMA is used as the baseline reference for the people-strategic and process-strategic dimensions of the matrix. While it is too detailed and government-specific to be directly applied to private sector organizations, it provides a useful benchmark at the strategic level.

The NIST document, an anchor in most government security programs, was used in concert with the other baseline references.

The contents and recommended practices proposed by these publications were examined in detail. The analysis can be conceptually depicted by a three-by-three matrix having the dimensions of people-process-technology and operational-tactical-strategic. The people-process-technology side of the matrix refers to type: people (who), process (how), and technology (what). The operational-tactical-strategic side of the matrix refers to the extent of the strategic nature of recommendations: operational (daily), tactical (review/follow-up), and strategic (annual reviews, establishing policies, organizational view).

                Operational        Tactical           Strategic
People          Ref = ISO 17799    Ref = ISO 17799    Ref = FISMA
Process         Ref = ISO 17799    Ref = ISO 17799    Ref = FISMA
Technology      Ref = ISO 17799    Ref = ISO 17799    Ref = ISO 17799

Table 3. IT Security Governance Document Analysis

Nearly 20 information security initiatives were reviewed. The documents were analyzed using a set of comparative criteria. These criteria included scope, comprehensiveness, level of detail, intended audience, acceptance, impact, transparency, inclusiveness of the development process, the type of sponsoring organization, and the maturity of the effort. The documents examined fall into three categories: (1) Information Security as a Fundamental Governance Issue; (2) Organizing for Information Security: Essential Program Components; and (3) Governance Documents Under Development.

The first category of documents, “Information Security as a Fundamental Governance Issue,” reflects the initiative of the Critical Infrastructure Assurance Office (CIAO), then of the Department of Commerce, to frame IT security as a significant management challenge for public and private sector organizations. Beginning in 1999, the CIAO, in association with a variety of groups (such as the National Association of Corporate Directors (NACD), the Institute of Internal Auditors (IIA), the IT Governance Institute, and others), instituted a program intended to frame IT security as a fundamental governance issue. Several documents stressing this theme were prepared and widely circulated. In 2000, the CIAO, in association with the NACD and the IIA, sponsored a White House conference on the subject. The White House conference was subsequently followed by a series of “summit conferences” and focus group meetings held throughout the country. In 2002, the federal government built on this work by creating the National Strategy to Secure Cyberspace, which states:

“The cyber security of large enterprises can be improved through strong management to ensure that best practices and efficient technology are being employed…” (page 39)

When viewed in their entirety, the documents represent an important landmark in the evolution of the IT security governance problem. They are very strong on identifying the IT security problem and the need to address this as a fundamental management challenge. But these documents do not provide the necessary framework for the establishment and operation of an enterprise-wide IT security program.

The second category of documents, “Organizing for Information Security,” is focused on the practical aspects of actually implementing an organizational IT information security program. These documents present valuable insights into what programmatic elements should be included in such a program. Each publication represents an important contribution to the evolving field of information security.

Several other efforts to develop guidance are being undertaken by various public and private sector groups. It is hoped that these forthcoming efforts will also build upon the foundations established by previous efforts and will provide a further impetus for convergence among all parties as to the appropriate framework for organizational IT security governance.
Web Link: http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx
