The following is an excerpt from the Official (ISC)2 Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 1 outlines how to build an IT security governance program that reinforces communication, collaboration and support between business leaders and security professionals.
Increased corporate governance requirements have caused companies to examine their internal control structures more closely to ensure that controls are in place and operating effectively.
Organizations are increasingly competing in the global marketplace, which is governed by multiple laws and supported by various best practices (e.g., NIST, ITIL, ISO 27000, COSO and COBIT). Information technology investment decisions must be made in alignment with the mission of the business. In most businesses, information technology is no longer a back-office accounting function; it is a core operational necessity, and the security program must therefore have proper visibility to the board of directors and receive management's attention and oversight.
This dependence on information technology mandates ensuring the proper alignment and understanding of the potential risks to the business. Substantial investments are made in these technologies (which must be appropriately managed), company reputations are at risk if insecure systems are deployed or found to be operating, and the trust in the systems needs to be demonstrated to all parties involved, including the shareholders, employees, business partners and customers. IT security governance provides the mechanisms for the board of directors and management to have the proper oversight to manage the risk to the enterprise to an acceptable level.
The intent of IT security governance is to guarantee that the appropriate information security activities are being performed to ensure that the risks are appropriately reduced, the information security investments are appropriately directed, and that executive management has visibility into the program and is asking the appropriate questions to determine the effectiveness of the program.
The IT Governance Institute (ITGI), in their publication entitled Board Briefing on IT Governance, second edition, defines IT governance as being "the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization's strategies and objectives."
IT Governance Institute recommendations
The ITGI proposes that IT security governance should be considered a part of IT governance and that the board of directors should:
- Be informed about information security
- Set direction to drive policy and strategy
- Provide resources to security efforts
- Assign management responsibilities
- Set priorities
- Support changes required
- Define cultural values related to risk assessment
- Obtain assurance from internal or external auditors
- Insist that security investments are made measurable and reported on for program effectiveness
Additionally, the ITGI suggests that management should:
- Write security policies with business input
- Ensure that roles and responsibilities are defined and clearly understood
- Identify threats and vulnerabilities
- Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
- Ensure that policy is approved by the governing body
- Establish priorities and implement security projects in a timely manner
- Monitor breaches
- Conduct periodic reviews and tests
- Reinforce awareness education as critical
- Build security into the systems development life cycle
The security professional needs to work in partnership with management in order to ensure that these goals are achieved. These concepts are further delineated throughout this chapter.
Goals, mission and objectives
IT security governance practices protect the assets of the organization through the implementation of physical, administrative, managerial, technical and operational controls. Information assets must be managed appropriately to reduce the risk of loss of confidentiality, integrity or availability. Just as financial assets are managed by the finance department, and human assets (people), together with the associated codes of conduct and employment policies and practices, are managed by the human resources department, information assets require the same kind of dedicated stewardship. Failure to protect information assets from loss, destruction or unexpected alteration can result in significant loss of productivity, reputation or money. Information and the systems supporting the mission of an organization are assets that must be protected by the security professional.
IT security governance validates that appropriate policies, procedures, standards and guidelines are implemented to ensure business operations are conducted within an acceptable level of risk. Security exists to support and enable the vision, mission and business objectives of the organization. Effective IT security governance requires judgment based upon the risk tolerance of the organization, the costs to implement the security controls and the benefit to the business. Although attaining 100% security of information is an admirable goal, in practice this is unrealistic. Even if this goal were attainable through an effective security program that includes all the best security practices for managing risk and a budget that would support all of the activities, it would not be long before a new vulnerability or exploit was discovered that could place the information at risk. As a result, a well-structured and managed program must be proactive and ongoing.
Effective IT security governance
Because most organizations are in a competitive environment that requires continuous product innovation and reduction of administrative costs, funding information security at the “100% security level” is cost-prohibitive and impracticable for the organization. Therefore, effective IT security governance requires risk management that includes a strong understanding of the business objectives of the organization, senior management’s tolerance for risk, the costs of the various security alternatives and, subsequently, the due diligence to match the appropriate security controls to the business initiatives. The security professionals who lead the information security program are relied upon for their knowledge of security and risk management principles. Senior management ultimately makes the final decision on the level of security expenditures and the risk it is willing to accept.
Security professionals should view their role as risk advisors to the organization, as they should not be the final decision makers when it comes to risk management. There may be situations where a risk is viewed as low, and, therefore, senior management is willing to take a risk due to reasons that the security professional may not understand or be aware of. For example, the decision to accept operating in a regional office without a sprinkler system may be appropriate if the company has been operating in that office for 10 years without a fire and management has undisclosed plans to relocate the office within the next six months.
Alternatively, there may be government mandates to comply with new regulations or audit findings that have a higher priority. Senior management must weigh all of the risks to the business, and choosing whether to implement specific security controls represents one of those risk management activities. This is why security professionals must be effective at communicating risks and possible security solutions. There will always be residual risk accepted by an organization, and effective IT security governance will minimize this risk to a level that fits within the organization’s risk tolerance or risk profile.
IT security governance is the glue that ensures that the risks are identified and an adequate control environment is established to mitigate them. Security management ensures the interrelationships among assessing risk, implementing policies and controls in response to the risks, promoting awareness of the expectations, monitoring the effectiveness of the controls, and using this knowledge as input to the next risk assessment. These relationships are shown in the figure below.
CISSP® is a registered mark of (ISC)².