
What are information assets?

- Documents
- Files
- Data storage devices

Lecture 4

Dependence on information
Increased dependency on information
The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labor and capital
Peter Drucker, Management Challenges for the 21st Century

Role of information security crime has increased

Impacts of information asset exploitation

- Loss of exclusive use
  - benefit only with the company
- Direct & indirect benefit of the exploitation to the perpetrator
- Time, energy, goodwill
  - to build new or replace the information asset
- Loss of confidentiality
  - unauthorized access


Impacts of degraded information assets

- Loss of integrity
  - corrupted or degraded data
- Repair cost
  - includes comprehensive audit after repair
- Opportunity cost

http://news.bbc.co.uk/2/hi/business/375184.stm


Dimensions of security (1)

- Confidentiality
  - accessible only to those who have the rights
  - http://www.theage.com.au/news/national/20000-pages-leaked-in-new-police-bungle/2005/08/16/1123958033738.html
- Integrity
  - correct, up-to-date, accurate and verifiable
- Availability
  - accessible when required

Dimensions of security (2)

- Compliance
  - must meet external legal, governance and regulatory requirements
- Culture
  - behavior within the organization
- Countermeasures
  - how much protection

Responsibility for information security

- The majority of national critical infrastructures in the developed world are controlled by the private sector
- The task of protecting such infrastructure, critical to survival, is also the responsibility of the same sector
- Candidate for Board attention

Increased business regulation

- Regulation is the response to bad governance
- Public confidence needs to be rebuilt
- There is too much of it: compliance overload
- A patchwork of laws
- It is growing too fast to manage successfully

Information security governance

- How and on what level do we understand information security? (data, application, host, network, firewall, router, encryption, logging, back-up etc.)
- We are looking at the problem from the bottom to the top
- Let's look at it from the top and not leave holes and vulnerabilities
- It is not expensive, it is implementable, and it is simple
- This is often called Information Security Governance

Sample discussion:
Why is IS governance important?
Management of IT is critical to the success of business strategy. Best practices are crucial in effective information governance: they enable a management framework to be developed (policy, internal controls and defined practices). Best practices provide many benefits: service efficiency gains; increased trust from third parties; the ability to place demands on service providers; and respect from regulators.

Two major views

- Information security as a structure
  - Centralised
  - Decentralised
  - Hybrid or federal
- Focuses on the locus of the decision making authority within the organisation
- Matrix of responsibilities
- Key players
  - Role of the CISO
  - Positioning the CISO
  - Role of the Steering Committee

Influencers of org structure

- Company size
- Corporate organisational structure
- Industry
- Organisational maturity
- Organisational culture

Steering committee

- Scope
  - advise, consult with, and make recommendations to executive management to ensure that information security is acquired, established, operated and maintained validly

Steering committee cont.

- Authority
  - Seek information from any employee, the external auditor and/or any external party
  - Initiate special investigations
  - Make final decisions for information security
  - Approve information security
    - Policy
    - Functions
    - Architecture
    - Budget
    - Projects
    - Activities
  - Delegate authority

Steering committee cont.

- Sponsorship
  - preferably CEO
- Reporting
  - SC reports to CEO or Board
  - elected officers report to SC
- Composition
  - Chairman
  - Members: appropriate qualifications; permanent/auxiliary; senior managers representing every business function
- Subcommittees
  - minimum number

Steering committee cont.

- Activities
  - Information Security Governance
    - set information security objectives and core principles
    - create clearly understood roles, responsibilities and decision making rights
  - Oversee implementation of Information Security initiatives
    - assist to plan Information Security to best support the organisation
  - Measure Information Security efforts
    - monitor organisational capabilities to sustain achievement of objectives (security maturity, compliance, residual risk, quality)
    - monitor outcomes against objectives
  - Create awareness of the need to protect information

Distinct roles

- Oversight of the culture and approach to the use of information security as a key business driver in the organisation (the board's governance role in information security)
- Oversight of the culture, approach and projects in the organisation's information security department (management's governance role in information security)
- The use of information security to support and enhance the corporate governance of the organisation (e.g. SOX compliance, board intranets, etc.: information security's role in governance)

Adapted from "What is IT governance" (Brown Governance)

Two major views continued

- Information security as a process
  - structure of relationships and processes to develop, direct and control IS/IT resources
  - mechanisms, frameworks for managers
  - integral part of corporate governance, a subset

Kakabadse & Kakabadse, 2001

Information security governance components

Source: NIST SP800-100

Components fitting together

Source: Von Solms, 2009, Information Security Governance

Components hierarchy

Source: Von Solms, 2009, Information Security Governance

Core documents

- OECD (1999). Principles of Corporate Governance
- Board Briefing on IT Governance
- Information Security Governance: Guidance for Boards of Directors and Executive Management (ITGI)
- Information Security Management and Assurance: A Call to Action for Corporate Governance (IIA)
- Information Security Governance: Toward a Framework for Action (BSA)
- Information Security Governance, A Call to Action (CGTF)

Information security governance issues

- Problematic field
- Relatively new
- Still trying to find its identity
- Poorly defined

Source: J Spears, 5th Security Conference 2006, Las Vegas, Nevada

Definition (1)
If we accept that security governance is a sub-set of corporate or enterprise governance, then by extending the definitions above, it could include:

- Security responsibilities and practices
- Strategies/objectives for security
- Risk assessment and management
- Resource management for security
- Compliance with legislation, regulations, security policies and rules
- Investor relations and communications activity (in relation to security)

This could end up as a never ending list of activities that define anything and everything to do with security. It gets even more complicated when you look at what the scope of security is: does it cover information security, IT security, physical security, fraud, internal audit, compliance, insurance, etc.?

No definition for information security governance

Lack of definition

Definition (1 continued)
So let us put a stake in the ground: Our definition of Information Security Governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems. This is separate from:

- audit (ensuring that governance processes have been properly established and are functioning)
- security operations (day-to-day performance of security administrative activities)
- security development (engineering of new IT or processes to meet security objectives)

Moulton & Coles, Computers & Security, Volume 22, Issue 7, October 2003, Pages 580-584

Definition (2)
Whether information security governance is congruent with IT security governance is perhaps a matter of definition. The Information Systems Audit and Control Association (ISACA) published a document, Information Security Governance: Guidance for Boards of Directors and Executive Management, that makes no distinction. This author, however, views information security governance to be a superset with IT security governance a subset.

Poore, EDPACS, November 2005, Vol. XXXIII, No. 5

Definition (2 continued)
Information security deals with all aspects of information. IT security is concerned with security of information within the boundaries of the technology domain.

Definition (3): Governance framework

Source: Veiga & Eloff, Information Systems Management, 24:361-372, 2007

Details moving to management

Source: Veiga & Eloff, Information Systems Management, 24:361-372, 2007

Definition (4)
Information Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

ISACA

Definition (4 continued)
Tasks

- Develop an information security strategy aligned with business goals and objectives.
- Align information security strategy with corporate governance.
- Develop business cases justifying investment in information security.
- Identify current and potential legal and regulatory requirements affecting information security.
- Identify drivers affecting the organization (for example, technology, business environment, risk tolerance, geographic location) and their impact on information security.
- Obtain senior management commitment to information security.
- Define roles and responsibilities for information security throughout the organization.
- Establish internal and external reporting and communication channels that support information security.

ISACA, CISM Review Manual, 2008

Common problems

- Lack of thorough research
- Poor empirical evidence
- Mixing management activities
- Organisational structure
- Tone is authoritative without a base
- Definitions differ
- Not integrated with corporate governance theory

Governance and management

Source: Posthumus & von Solms, Computers & Security, Volume 23, Issue 8, December 2004, Pages 638-646

A proposed model

Detailed proposed model

Source: R von Solms, Computers & Security, Volume 25, Issue 6, September 2006, Pages 408-412

Governing for information security

- Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviours, capabilities, and actions).
- Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business.

Allen, J. H., 2005, Governing for Enterprise Security, CERT

Results of information security governance

- Comprehensive Information Security Strategy
- Effective Security Organization
- Policies that address every aspect of strategy, control & regulation
- Process for monitoring of compliance
- Process for continuous evaluation

Overview of corporate governance

                  Compliance roles              Performance roles
                  (past & present oriented)     (future oriented)
External role     Provide accountability        Strategy formulation
Internal role     Monitoring & supervising      Policy making

Centre of the matrix: approve and work with & through the CEO

Tricker, R.I., 1984, Corporate Governance, Gower, London

Information security governance points of view

- Direction setting
- Duty of care
- Risk control
- Resource provision
- Performance measurement
- Connection to management

Information security management

1. planning (setting goals)
2. resourcing (deploying and manipulating)
3. organising (how to achieve goals)
4. coordinating (working together for the goal)
5. leading (motivating employees)
6. controlling (monitoring activities)
