Lecture 4
Dependence on information
Increased dependency on information
"The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labor and capital."
Peter Drucker, Management Challenges for the 21st Century
Direct & indirect benefit of the exploitation to the perpetrator
Time, energy, goodwill
To build new or replace information asset
Loss of confidentiality
Unauthorized access
Repair cost: includes comprehensive audit after repair
Opportunity cost
Integrity
Correct, up-to-date, accurate and verifiable
Availability
Accessible when required
Culture
Behavior within organization
Countermeasures
How much protection
Sample discussion:
Why is IS Governance important?
Management of IT is critical to business strategy success. Best practices are crucial in effective information governance: they enable a management framework to be developed (policy, internal controls and defined practices). Best practices provide many benefits: service efficiency gains; increased trust from third parties; placing demands on service providers; and respect from regulators.
Focuses on the locus of decision-making authority within the organisation
Matrix of responsibilities
Key players
Role of the CISO
Positioning the CISO
Role of the Steering Committee
Steering committee
Scope
Advise, consult with, and make recommendations to executive management to ensure that information security is acquired, established, operated and maintained validly
Initiate special investigations
Make final decision for information security
Approve information security policy, functions, architecture, budget, projects and activities
Delegate authority
Reporting
SC reports to CEO or Board; elected officers report to SC
Composition
Chairman
Members: appropriate qualifications; permanent/auxiliary; senior managers representing every business function
Distinct roles
Oversight of the culture and approach to the use of information security as a key business driver in the organisation (the board's governance role in information security)
Oversight of the culture, approach and projects in the organisation's information security department (management's governance role in information security)
The use of information security to support and enhance the corporate governance of the organisation (e.g. SOX compliance, board intranets, etc.: information security's role in governance)
Adapted from "What is IT governance" (Brown Governance)
NIST SP800-100
Von Solms, 2009 Information Security Governance
Components hierarchy
Von Solms, 2009 Information Security Governance
Core documents
OECD (1999). Principles of Corporate Governance
Board Briefing on IT Governance
Information Security Governance: Guidance for Boards of Directors and Executive Management (ITGI)
Information Security Management and Assurance: A Call to Action for Corporate Governance (IIA)
Information Security Governance: Toward a Framework for Action (BSA)
Information Security Governance, A Call to Action (CGTF)
J. Spears, 5th Security Conference, 2006, Las Vegas, Nevada
Definition (1)
If we accept that security governance is a sub-set of corporate or enterprise governance, then by extending the definitions above, it could include:
Security responsibilities and practices
Strategies/objectives for security
Risk assessment and management
Resource management for security
Compliance with legislation, regulations, security policies and rules
Investor relations and communications activity (in relation to security)
This could end up as a never-ending list of activities that define anything and everything to do with security. It gets even more complicated when you look at what the scope of security is: does it cover information security, IT security, physical security, fraud, internal audit, compliance, insurance, etc.?
Lack of definition
Definition (1 continued)
So let us put a stake in the ground. Our definition of Information Security Governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems. This is separate from:
audit (ensuring that governance processes have been properly established and are functioning)
security operations (day-to-day performance of security administrative activities)
security development (engineering of new IT or processes to meet security objectives)
Moulton & Coles, Computers & Security, Volume 22, Issue 7, October 2003, Pages 580-584
Definition (2)
Whether information security governance is congruent with IT security governance is perhaps a matter of definition. The Information Systems Audit and Control Association (ISACA) published a document, Information Security Governance: Guidance for Boards of Directors and Executive Management, that makes no distinction. This author, however, views information security governance to be a superset, with IT security governance a subset.
Poore, EDPACS, November 2005, Vol. XXXIII, No. 5
Definition 2 (continued)
Information security deals with all aspects of information. IT security is concerned with security of information within the boundaries of the technology domain.
Veiga & Eloff, Information Systems Management, 24:361-372, 2007
Definition (4)
Information Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
ISACA
Definition (4 continued)
Tasks
Develop an information security strategy aligned with business goals and objectives.
Align information security strategy with corporate governance.
Develop business cases justifying investment in information security.
Identify current and potential legal and regulatory requirements affecting information security.
Identify drivers affecting the organization (for example, technology, business environment, risk tolerance, geographic location) and their impact on information security.
Obtain senior management commitment to information security.
Define roles and responsibilities for information security throughout the organization.
Establish internal and external reporting and communication channels that support information security.
ISACA, CISM Review Manual, 2008
Common problems
Lack of thorough research
Poor empirical evidence
Mixing management activities
Organisational structure
Tone is authoritative without base
Definitions differ
Not integrated with corporate governance theory
Posthumus & von Solms, Computers & Security, Volume 23, Issue 8, December 2004, Pages 638-646
A proposed model
R. von Solms, Computers & Security, Volume 25, Issue 6, September 2006, Pages 408-412
External Role
Provide Accountability
Strategy Formulation
Internal Role
Approve and work with & through the CEO
Monitoring & Supervising
Policy Making
Past & Present Oriented
Tricker, R.I., 1984, Corporate Governance, Gower, London
Future Oriented
1. (setting goals)
2. resourcing (deploying and manipulating)
3. organising (how to achieve goals)
4. coordinating (working together for the goal)
5. leading (motivating employees)
6. controlling (monitoring activities)