lecture 4 print - is governance_1
TRANSCRIPT
7/28/2019 Lecture 4 Print - Is Governance_1
What are information assets?
Documents
Files
Increased dependency on information
The diffusion of technology and the commodification of information transforms the
Dependence on information
importance to the traditionally important resources of land, labor and capital
Peter Drucker, Management Challenges for the 21st Century
Role of information security crime has increased
Impacts of information asset exploitation
Loss of exclusive use
benefit only with company
Direct & indirect benefit of the exploitation to
Time, energy, goodwill
To build new or replace information asset
Loss of confidentiality
Unauthorized access
Impacts of degraded information assets
http://news.bbc.co.uk/2/hi/business/375184.stm
Loss of integrity
Corrupted or degraded data
Repair cost
Includes comprehensive audit after repair
Opportunity cost
Dimensions of security (1)
Confidentiality
Accessible only to those who have the rights
http://www.theage.com.au/news/national/2000- - - - - -bungle/2005/08/16/1123958033738.html#
Integrity
Correct, up-to-date, accurate and verifiable
Availability
Accessible when required
Dimensions of security (2)
Compliance
Must meet external legal, governance and regulatory requirements
Behavior within organization
Countermeasures
How much protection is needed
Responsibility for information security
Majority of national critical infrastructures in the developed world are controlled by the private sector
as to protecting such infrastructure, critical to survival is also the responsibility of the same sector
Candidate for Board attention
Increased business regulation
Regulation is the response to bad governance
public confidence needs to be rebuilt
a patchwork of laws
it's growing too fast to manage successfully
How and on what level do we understand information security - (data, application, host, network, firewall, router, encryption, logging, back-up etc...)
We are looking at the problem from the bottom to the top
Information security governance
vulnerabilities.
It's not expensive, it is implementable, and it is simple
This is often called Information Security Governance
Sample discussion: Why is IS governance important?
Management of IT is critical to business strategy success.
Best practices are crucial in effective information governance
It enables a management framework to be developed (policy, internal controls and defined practices).
Best practices provide many benefits - service efficiency gains; increased trust from third parties; places demands on service providers; & respect from regulators.
Two major views
Information security as a structure
Centralised
Decentralised
Hybrid or federal
Focuses on the locus of the decision making authority within the organisation
Matrix of responsibilities
Key players
Role of the CISO
Positioning the CISO
Role of the Steering Committee
Influencers of org structure
Company size
Corporate organisational structure
Industry
Organisational culture
Steering committee
Scope
advise,
consult with, and
make recommendations to executive management
to ensure that information security is
acquired,
established,
operated and
maintained validly
Steering committee cont.
Authority
Seek information from
employees,
the external auditor and/or
an external party
Initiate special investigations
Make final decision for information security
Approve information security:
Policy
Functions
Architecture
Budget
Projects
Activities
Delegate authority
Steering committee cont.
Sponsorship: Preferably CEO
Reporting
Reports to CEO or Board
Elected officers report to SC
Composition
Chairman: appropriate qualifications
Members: permanent/auxiliary
senior managers representing everybusiness function
Subcommittees
Minimum number
Steering committee cont.
Activities
Information Security Governance
set information security objectives and core principles
create clearly understood roles, responsibilities and decision making rights
Oversee implementation of Information Security initiatives
assist to plan Information Security to best support the organisation;
Measure Information Security Efforts
monitor organisational capabilities to sustain achievement of objectives (security maturity, compliance, residual risk, quality);
monitor outcomes against objectives
Create awareness of the need to protect information
Distinct roles
Oversight of the culture and approach to the use of information security as a key business driver in the organisation (board's governance role in information security)
Oversight of the culture, approach and projects in the organisation's information security department (management's governance role in information security)
The use of information security to support and enhance the corporate governance of the organisation (e.g. SOX compliance, board intranets, etc.: information security's role in governance)
Adapted from "What is IT governance" (Brown Governance)
Two major views continued
Information security as a process
Structure of relationships and processes to develop, direct and control IS/IT resources
Integral part of corporate governance, a subset
Kakabadse & Kakabadse, 2001
Information security governance components
NIST SP800-100
Components fitting together
Von Solms, 2009, Information Security Governance
Components hierarchy
Von Solms, 2009, Information Security Governance
Core documents
OECD (1999). Principles of Corporate Governance
Board Briefing on IT Governance
Information Security Governance: Guidance for Boards of Directors and Executive Management (ITGI)
Information Security Management and Assurance: A Call to Action for Corporate Governance (IIA)
Information Security Governance: Toward a Framework for Action (BSA)
Information Security Governance, A Call to Action (CGTF)
Information security governance Issues
Problematic field
Relatively new
Still trying to find its identity
Poorly defined
Lack of definition
No definition for information security governance
J. Spears, 5th Security Conference 2006, Las Vegas, Nevada
Definition (1)
If we accept that security governance is a sub-set of corporate or enterprise governance, then by extending the definitions above, it could include:
Security responsibilities and practices
Strategies/objectives for security
Risk assessment and management
Resource management for security
Compliance with legislation, regulations, security policies and rules
Investor relations and communications activity (in relation to security)
This could end up as a never ending list of activities that define anything and everything to do with security. It gets even more complicated when you look at what is the scope of security: does it cover information security, IT security, physical security, fraud, internal audit, compliance, insurance, etc.
Definition (1 continued)
So let us put a stake in the ground: Our definition of Information Security Governance is
the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems.
This is separate from:
audit (ensuring that governance processes have been properly established and are functioning)
security operations (day-to-day performance of security administrative activities)
security development (engineering of new IT or processes to meet security objectives)
Moulton & Coles, Computers & Security Volume 22, Issue 7, October 2003, Pages 580-584
Definition (2)
Whether information security governance is congruent with IT security governance is perhaps a matter of definition. The Information Systems Audit and Control Association (ISACA) publishes a document, Information Security Governance: Guidance for Boards of Directors and Executive Management, that makes no distinction. This author, however, views information security governance to be a superset with IT security governance a subset.
Poore, EDPACS, November 2005, Vol. XXXIII, No. 5
Information security deals with all aspects of information.
Definition (2 continued)
IT security is concerned with security of information within the boundaries of the technology domain.
Definition (3) Governance framework
Veiga & Eloff, Information Systems Management, 24:361-372, 2007
Details moving to management
Veiga & Eloff, Information Systems Management, 24:361-372, 2007
Definition (4)
Information Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
ISACA
Definition (4 continued)
Tasks
Develop an information security strategy aligned with business goals and objectives.
Align information security strategy with corporate governance.
Develop business cases justifying investment in information security.
Identify current and potential legal and regulatory requirements affecting information security.
Identify drivers affecting the organization (for example, technology, business environment, risk tolerance, geographic location) and their impact on information security.
Obtain senior management commitment to information security.
Define roles and responsibilities for information security throughout the organization.
Establish internal and external reporting and communication channels that support information security.
ISACA, CISM Review Manual, 2008
Common problems
Lack of thorough research
Poor empirical evidence
Mixing management activities
Organisational structure
Tone is authoritative without base
Definitions differ
Not integrated with corporate governance theory
Governance and management
Posthumus & von Solms, Computers & Security Volume 23, Issue 8, December 2004, Pages 638-646
A proposed model
Detailed proposed model
R. von Solms, Computers & Security Volume 25, Issue 6, September 2006, Pages 408-412
Governing for information security
Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviours, capabilities, and actions).
Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business.
Allen, J. H., 2005, Governing for Enterprise Security, CERT
Results of information security governance
Comprehensive Information Security Strategy
Effective Security Organization
Policies that address every aspect of strategy, control & regulation
Process for monitoring of compliance
Process for continuous evaluation
Overview of corporate governance
Tricker's matrix of board roles (rows: external/internal role; columns: compliance roles, past & present oriented / performance roles, future oriented):

                 Compliance Roles              Performance Roles
                 (Past & Present Oriented)     (Future Oriented)
External Role    Provide Accountability        Strategy Formulation
Internal Role    Monitoring & Supervising      Policy Making

Approve and work with & through the CEO
Tricker, R.I., 1984, Corporate Governance, Gower, London
Information security governance points of view
Direction setting
Duty of care
Risk control
Resource provision
Performance measurement
Connection to management
Information security management
1. planning (setting goals)
2. resourcing (deploying and manipulating)
3. organising (how to achieve goals)
4. coordinating (working together for the goal)
5. leading (motivating employees)
6. controlling (monitoring activities)