
Information Security Governance Guide

This guide provides an introduction to what information security governance and a security program are, and examines how to deploy security policies within any environment.


Although governance and security programs are discussed in our industry, not many organizations or security professionals fully understand all that is involved with each and the relationship between these two concepts.

It is not enough to have some security policies and then just concentrate on securing your network. To integrate security within business processes, an organization needs to have a robust information security program that maps to its business drivers, legal and regulatory requirements, and threat profile. The following series provides an introduction to what information security governance and a security program are and how to get them deployed within any environment.

What is information security governance?

Information security governance is similar in nature to corporate and IT governance because the three share overlapping functionality and goals. All three work within the organizational structure of a company and have the same goal of helping to ensure that the company survives and thrives – they just each have a different focus.

Corporate governance has to do with how the board of directors and executive management run and control a company. IT governance is how technology is used and managed so that it supports business needs. There are many professional and official-sounding definitions of information security governance, such as the following by the IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition:

"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

This definition is correct, but remains at a high level that is difficult to understand and implement. This definition is more like a strategic policy statement, and the real skill is to properly interpret and transform it into meaningful tactical and operational functions and practices.

Information security governance is all of the tools, personnel and business processes that ensure that security is carried out to meet an organization's specific needs. It requires organizational structure, roles and responsibilities, performance measurement, defined tasks and oversight mechanisms. This definition isn't much better, is it?

Let's compare two companies. Company A has an effective information security governance program in place and Company B does not. To the untrained eye it would seem as though Company A and Company B are equal in their security practices, because they both have security policies, procedures and standards, the same security technology controls (firewalls, IDS, identity management, etc.), and security teams run by their security officers. You may think, "Man, these two companies are on the ball and have an evolved security program." But if you look closer you will see the critical differences.

Company A: Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.
Company B: Board members do not understand that information security is in their realm of responsibility, and focus solely on corporate governance and profits.

Company A: CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.
Company B: CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department, and do not get involved.

Company A: Executive management sets an acceptable risk level that is the basis for the company's security policies and all security activities.
Company B: The CISO found boilerplate security policies, inserted his company's name and had the CEO sign them.

Company A: Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.
Company B: All security activity takes place within the security department, so security works within a silo and is not integrated throughout the organization.

Company A: Critical business processes are documented along with the risks that are inherent at the different steps within those processes.
Company B: Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity and profitability.

Company A: Employees are held accountable for any security breaches they participate in, whether maliciously or accidentally.
Company B: Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.

Company A: Security products, managed services and consultants are purchased and deployed in an informed manner, and are constantly reviewed to ensure they are cost effective.
Company B: Security products, managed services and consultants are purchased and deployed without any real research or performance metrics that would allow their ROI or effectiveness to be determined. The company has a false sense of security because it is using products, consultants and/or managed services.

Company A: The organization continually reviews its business processes, including security, with the goal of continuous improvement.
Company B: The organization does not analyze its performance for improvement, but continually marches forward and repeatedly makes the same mistakes.

Many organizations today have many of the pieces and parts of a security program (policies, standards, firewalls, security team, IDS, etc.), but management is not truly involved and security has not permeated the organization. Instead, these pieces and parts are the responsibility of a small security team that is charged with making sure that security happens properly throughout the whole company – which is close to impossible. If security were just a technology issue, then this security team could properly install, configure and maintain the products, and the company would get a gold star and pass the necessary audits with flying colors. But as a security professional, you need to understand that security must be implemented throughout the organization, and having several points of responsibility and accountability is critical. Information security governance is a coherent system of integrated security components (products, personnel, training, processes, policies, etc.) that exist to ensure that the organization survives and, hopefully, thrives.


  What is information security governance?
  Key elements when building an information security program
  Steps in the security program life cycle
  Developing a security program using SABSA and ISO 17799

About the author
Shon Harris, CISSP, MCSE, is the president of Logical Security, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor and an author. She has authored two best-selling CISSP books, was a contributing author to the book Hacker's Challenge, and a co-author of the book Gray Hat Hacking. Shon was recognized as one of the top 25 women in the information security field by Information Security magazine. She is currently writing the third edition of her first book and developing a full security book series, which will be brought to the market this year.

This was last published in August 2006
