Governance is about the assignment of decision and input rights and the use of an accountability framework to encourage desirable behaviour in decision making. Information security governance is similar in nature to corporate and IT governance because there is overlapping functionality and goals between the three. All three work within an organizational structure of a company and have the same goals of helping to ensure that the company will survive and thrive.
The IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition defines information security governance as “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”
Information security governance consists of the leadership, organisational structures, processes/procedures, compliance enforcement, and technologies that ensure that the confidentiality, integrity, and availability of the organisation’s electronic assets are maintained at all times.
There are six basic outcomes of effective information security governance:
1. Strategic alignment: the security strategy has to align with business strategy to support the organisation’s objectives.
2. Risk management: the execution of appropriate measures to mitigate information security risks and reduce potential impacts on information resources to an acceptable level.
3. Value delivery: the optimization of information security investments in support of business objectives.
4. Resource management: the usage of information security knowledge and infrastructure efficiently and effectively to ensure that knowledge is captured and available, to document security processes and practices, and to develop security architecture(s) to define and utilize infrastructure resources efficiently.
5. Performance measurement: the monitoring and reporting on information security processes to ensure that objectives are achieved.
6. Integration: having all relevant assurance factors integrated to ensure that processes operate as intended from end to end.
Information security is a direct corporate governance responsibility and lies squarely on the shoulders of the Board of the company. Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of the organisation’s overall governance program.
To achieve effective information security governance management should establish and maintain a governance framework. It will generally consist of:
- a comprehensive security strategy linked with business objectives;
- security policies that address each aspect of strategy, controls and regulation;
- a complete set of standards for each policy to ensure that procedures and guidelines comply with policy;
- an effective security organizational structure with sufficient authority and adequate resources;
- an institutionalized metrics and monitoring processes to ensure compliance, provide feedback on effectiveness and provide the basis for appropriate management decisions.
This framework should provide the basis for the development of a cost-effective information security program that supports the organization’s business goals. An effective information security governance must support business goals and activities to be of value to the organization.
- Harris, S. Information Security Governance Guide. Search Security. Retrieved from http://searchsecurity.techtarget.com/tutorial/Information-Security-Governance-Guide
- Information Security Governance. Security Governance.net. Retrieved from http://www.securitygovernance.net/index.htm
- Stojakovic-Celustka, S. (2012). Effective Information Security Governance. SysAffairs: Information Systems Theory and Practice. Retrieved from http://sysaffairs.org/channels/security/17-effective-information-security-governance.html