lecture 4 print - is governance_1

Upload: sahilbatra6151

Post on 03-Apr-2018


    7/28/2019 Lecture 4 Print - Is Governance_1

    What are information assets?
    - Documents
    - Files

    Increased dependency on information
    - Dependence on information
    - The diffusion of technology and the commodification of information transforms the importance to the traditionally important resources of land, labor and capital
      Peter Drucker, Management Challenges for the 21st Century
    - Role of information security crime has increased

    Impacts of information asset exploitation
    - Loss of exclusive use
      - benefit only with company
      - Direct & indirect benefit of the exploitation to
    - Time, energy, goodwill
      - To build new or replace information asset
    - Loss of confidentiality
      - Unauthorized access

    Impacts of degraded information assets
    - http://news.bbc.co.uk/2/hi/business/375184.stm
    - Loss of integrity
      - Corrupted or degraded data
    - Repair cost
      - Includes comprehensive audit after repair
    - Opportunity cost

    Dimensions of security (1)
    - Confidentiality
      - Accessible only to those who have the rights
      - http://www.theage.com.au/news/national/2000 - - - - - -bungle/2005/08/16/1123958033738.html#
    - Integrity
      - Correct, up-to-date, accurate and verifiable
    - Availability
      - Accessible when required

    Dimensions of security (2)
    - Compliance
      - Must meet external legal, governance and regulatory requirements
      - Behavior within organization
    - Countermeasures
      - How much of protection

    Responsibility for information security
    - Majority of national critical infrastructures in the developed world are controlled by the private sector
    - Task of protecting such infrastructure, critical to survival, is also the responsibility of the same sector
    - Candidate for Board attention

    Increased business regulation
    - Regulation is the response to bad governance
    - public confidence needs to be rebuilt
    - a patchwork of laws
    - it's growing too fast to manage successfully

    Information security governance
    - How and on what level do we understand information security - (data, application, host, network, firewall, router, encryption, logging, back-up etc.)
    - We are looking at the problem from the bottom to the top
    - vulnerabilities.
    - It's not expensive, it is implementable, and it is simple
    - This is often called Information Security Governance

    Sample discussion: Why IS Governance is important?
    - Management of IT is critical to business strategy success.
    - Best practices are crucial in effective information governance
    - It enables a management framework to be developed (policy, internal controls and defined practices).
    - Best practices provide many benefits - service efficiency gains; increased trust from third parties; places demands on service providers; & respect from regulators.

    Two major views
    - Information security as a structure
      - Centralised
      - Decentralised
      - Hybrid or federal
      - Focuses on the locus of the decision making authority within the organisation

    Matrix of responsibilities

    Key players
    - Role of the CISO
    - Positioning the CISO
    - Role of the Steering Committee

    Influencers of org structure
    - Company size
    - Corporate organisational structure
    - Industry
    - Organisational culture

    Steering committee
    - Scope
      - advise,
      - consult with, and
      - make recommendations to executive management
      - to ensure that information security is acquired, established, operated and maintained validly

    Steering committee cont.
    - Authority
      - Seek information from employee, the external auditor and/or an external party
      - Initiate special investigations
      - Make final decision for information security
      - Approve information security Policy
    - Functions
      - Architecture
      - Budget
      - Projects
      - Activities
      - Delegate authority

    Steering committee cont.
    - Sponsorship: Preferably CEO
    - Reporting
      - reports to [...] or board
      - Elected officers report to SC
    - Composition
      - Chairman: appropriate qualifications
      - Members: permanent/auxiliary; senior managers representing every business function
    - Subcommittees: Minimum number

    Steering committee cont.
    - Activities
      - Information Security Governance
        - set information security objectives and core principles
        - create clearly understood roles, responsibilities and decision making rights
      - Oversee implementation of Information Security initiatives
        - assist to plan Information Security to best support the organisation;
      - Measure Information Security Efforts
        - monitor organisational capabilities to sustain achievement of objectives (security maturity, compliance, residual risk, quality);
        - monitor outcomes against objectives
      - Create awareness of the need to protect information

    Distinct roles
    - Oversight of the culture and approach to the use of information security as a key business driver in the organisation (board's governance role in information security)
    - Oversight of the culture, approach and projects in the organisation's information security department (management's governance role in information security)
    - The use of information security to support and enhance the corporate governance of the organisation (e.g. SOX compliance, board intranets, etc.: information security's role in governance)
    Adapted from "What is IT governance" (Brown Governance)

    Two major views continued
    - Information security as a process
      - Structure of relationships and processes to develop, direct and control IS/IT resources
      - Integral part of corporate governance, a subset
    Kakabadse & Kakabadse, 2001

    Information security governance components
    NIST SP800-100

    Components fitting together
    Von Solms, 2009, Information Security Governance

    Components hierarchy
    Von Solms, 2009, Information Security Governance

    Core documents
    - OECD (1999). Principles of Corporate Governance
    - Board Briefing on IT Governance
    - Information Security Governance: Guidance for Boards of Directors and Executive Management (ITGI)
    - Information Security Management and Assurance: A Call to Action for Corporate Governance (IIA)
    - Information Security Governance: Toward a Framework for Action (BSA)
    - Information Security Governance, A Call to Action (CGTF)

    Information security governance Issues
    - Problematic field
      - Relatively new
      - Still trying to find its identity
      - Poorly defined

    Lack of definition
    - No definition for information security governance
    J Spears, 5th Security Conference 2006, Las Vegas, Nevada

    Definition (1)
    If we accept that security governance is a sub-set of corporate or enterprise governance, then by extending the definitions above, it could include:
    - Security responsibilities and practices
    - Strategies/objectives for security
    - Risk assessment and management
    - Resource management for security
    - Compliance with legislation, regulations, security policies and rules
    - Investor relations and communications activity (in relation to security)

    This could end up as a never ending list of activities that define anything and everything to do with security. It gets even more complicated when you look at what is the scope of security: does it cover information security, IT security, physical security, fraud, internal audit, compliance, insurance, etc.

    Definition (1 continued)
    So let us put a stake in the ground: Our definition of Information Security Governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems.

    This is separate from:
    - audit (ensuring that governance processes have been properly established and are functioning)
    - security operations (day-to-day performance of security administrative activities)
    - security development (engineering of new IT or processes to meet security objectives)
    Moulton & Coles, Computers & Security, Volume 22, Issue 7, October 2003, Pages 580-584

    Definition (2)
    Whether information security governance is congruent with IT security governance is perhaps a matter of definition. The Information Systems Audit and Control Association (ISACA) publishes a document, Information Security Governance: Guidance for Boards of Directors and Executive Management, that makes no distinction. This author, however, views information security governance to be a superset with IT security governance a subset.
    Poore, EDPACS, November 2005, Vol. XXXIII, No. 5

    Definition 2 (continued)
    - Information security deals with all aspects of information.
    - IT security is concerned with security of information within the boundaries of the technology domain.

    Definition (3) Governance framework
    Veiga & Eloff, Information Systems Management, 24:361-372, 2007

    Details moving to management
    Veiga & Eloff, Information Systems Management, 24:361-372, 2007

    Definition (4)
    Information Security Governance is the set of responsibilities and practices exercised by the [...] goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
    ISACA

    Definition (4 continued)
    Tasks
    - Develop an information security strategy aligned with business goals and objectives.
    - Align information security strategy with corporate governance.
    - Develop business cases justifying investment in information security.
    - Identify current and potential legal and regulatory requirements affecting information security.
    - Identify drivers affecting the organization (for example, technology, business environment, risk tolerance, geographic location) and their impact on information security.
    - Obtain senior management commitment to information security.
    - Define roles and responsibilities for information security throughout the organization.
    - Establish internal and external reporting and communication channels that support information security.
    ISACA, CISM Review Manual, 2008

    Common problems
    - Lack of thorough research
    - Poor empirical evidence
    - Mixing management activities
    - Organisational structure
    - Tone is authoritative without base
    - Definitions differ
    - Not integrated with corporate governance theory
    - Governance and management
    Posthumus, von Solms, Computers & Security, Volume 23, Issue 8, December 2004, Pages 638-646

    A proposed model

    Detailed proposed model
    R von Solms, Computers & Security, Volume 25, Issue 6, September 2006, Pages 408-412

    Governing for information security
    - Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviours, capabilities, and actions).
    - Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business.
    Allen, J. H., 2005, Governing for Enterprise Security, CERT

    Results of information security governance
    - Comprehensive Information Security Strategy
    - Effective Security Organization
    - Policies that address every aspect of strategy, control & regulation
    - Process for monitoring of compliance
    - Process for continuous evaluation

    Overview of corporate governance
    Tricker's matrix of board roles:

                         Past & Present Oriented     Future Oriented
                         (Compliance Roles)          (Performance Roles)
        External Role    Provide Accountability      Strategy Formulation
        Internal Role    Monitoring & Supervising    Policy Making

    Approve and work with & through the CEO
    Tricker, R.I., 1984, Corporate Governance, Gower, London

    Information security governance point of views
    - Direction setting
    - Duty of care
    - Risk control
    - Resource provision
    - Performance measurement
    - Connection to management

    Information security management
    1. planning (setting goals)
    2. resourcing (deploying and manipulating)
    3. organising (how to achieve goals)
    4. coordinating (working together for the goal)
    5. leading (motivating employees)
    6. controlling (monitoring activities)