Programs
InfoSec operations that are specifically managed as separate entities are called “programs.” An example would be a security education, training, and awareness (SETA) program or a risk management program. SETA programs provide critical information to employees to maintain or improve their current levels of security knowledge. Risk management programs include the identification, assessment, and control of risks to information assets. Other programs that may emerge include a physical security program, complete with fire protection, physical access, gates, and guards. Some organizations with specific regulations may have additional programs dedicated to client/customer privacy, awareness, and the like. Each organization will typically have several security programs that must be managed.
Protection
The protection function is executed via a set of risk management activities, as well as protection mechanisms, technologies, and tools. Each of these mechanisms or safeguards represents some aspect of the management of specific controls in the overall InfoSec plan.
People
People are the most critical link in the InfoSec program. This area encompasses security personnel (the professional information security employees), the security of personnel (the protection of employees and their information), and aspects of the SETA program mentioned earlier.
Projects
Whether an InfoSec manager is asked to roll out a new security training program or select and implement a new firewall, it is important that the process be managed as a project. The final element for thoroughgoing InfoSec management is the application of a project management discipline to all elements of the InfoSec program. Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.
Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. Strategic planning should guide organizational efforts and focus resources toward specific, clearly defined goals. After an organization develops a general strategy, it generates an overall strategic plan by extending that general strategy into plans for major divisions. Each level of each division then translates those plan objectives into more specific objectives for the level below. To execute this broad strategy, the executive team must first define individual responsibilities. (The executive team is sometimes called the organization’s C-level, as in CEO, COO, CFO, CIO, and so on.)
Information Security Leadership
The leadership of the information security function that delivers strategic planning and corporate responsibility is best accomplished using an approach the industry refers to as governance, risk management, and compliance (GRC). GRC seeks to integrate these three previously separate responsibilities into one holistic approach that can provide sound executive-level strategic planning and management of the InfoSec function. The subjects themselves are neither new nor unique to InfoSec; however, recognition of the need to integrate the three at the board or executive level is becoming increasingly important to practitioners in the field. Note that the management of risk is not limited to an organization’s information security. Although organizations increasingly seem to manage their risk challenges with an integrated InfoSec approach focused on GRC, many types of organizations face many types of risk and have developed specific strategies to manage them.
InfoSec objectives must be addressed at the highest levels of an organization’s management team in order to be effective and offer a sustainable approach. In organizations with formal boards of directors, the boards should be the basis for governance review and oversight. For organizations that have a parent organization, the executive management of the parent should be the basis. For organizations that don’t have either, this strategic oversight must stem from a formal governance board consisting of executive management from across the organization—usually the chief executive officer (CEO) or president and their immediate subordinate executives.
Just like governments, corporations and other organizations have guiding documents—corporate charters or partnership agreements—as well as appointed or elected leaders or officers, and planning and operating procedures. These elements in combination provide corporate governance.
When security programs are designed and managed as a technical specialty in the IT department, they are less likely to be effective. A broader view of InfoSec encompasses all of an organization’s information assets, including IT assets. These valuable commodities must be protected regardless of how the information is processed, stored, or transmitted, and with a thorough understanding of the risks and benefits.
Each operating unit within an organization also has controlling customs, processes, committees, and practices. The information security group’s leadership monitors and manages all organizational structures and processes that safeguard information. Information security governance then applies these principles and management structures to the information security function.
According to the Corporate Governance Task Force (CGTF), the organization should engage in a core set of activities suited to its needs to guide the development and implementation of the InfoSec governance program:
- Conduct an annual InfoSec evaluation, the results of which the CEO should review with staff and then report to the board of directors.
- Conduct periodic risk assessments of information assets as part of a risk management program.
- Implement policies and procedures based on risk assessments to secure information assets.
- Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.
- Develop plans and initiate actions to provide adequate InfoSec for networks, facilities, systems, and information.
- Treat InfoSec as an integral part of the system life cycle.
- Provide InfoSec awareness, training, and education to personnel.
- Conduct periodic testing and evaluation of the effectiveness of InfoSec policies and procedures.
- Create and execute a plan for remedial action to address any InfoSec deficiencies.
- Develop and implement incident response procedures.
- Establish plans, procedures, and tests to provide continuity of operations.
- Use security best practices guidance, such as the ISO 27000 series, to measure InfoSec performance.
The CGTF framework defines the responsibilities of the board of directors and trustees, the senior organizational executive (for example, the CEO), executive team members, senior managers, and all employees and users.
ISO/IEC 27014, the international standard for the governance of information security, sets out six principles that the governing body should apply:
- Establish organization-wide information security.
- Adopt a risk-based approach.
- Set the direction of investment decisions.
- Ensure conformance with internal and external requirements.
- Foster a security-positive environment.
- Review performance in relation to business outcomes.
ISO/IEC 27014 also promotes five governance processes, which should be adopted by the organization’s executive management and its governing board. These processes are illustrated in Figure 3-1 and described in the following list.
Evaluate—Review the status of current and projected progress toward organizational information security objectives and make a determination whether modifications of the program or its strategy are needed to keep on track with strategic goals.
Direct—The board of directors provides instruction for developing or implementing changes to the security program. This could include modification of available resources, restructuring of priorities of effort, adoption of policy, recommendations for the risk management program, or alteration of the organization’s risk tolerance.
Monitor—The review and assessment of organizational information security performance toward goals and objectives by the governing body. Monitoring is enabled by ongoing performance measurement.
Communicate—The interaction between the governing body and external stakeholders, where information on organizational efforts and recommendations for change are exchanged.
Assure—The assessment of organizational efforts by external entities like certification or accreditation groups, regulatory agencies, auditors, and other oversight entities, in an effort to validate organizational security governance, security programs, and strategies.
According to the Information Technology Governance Institute (ITGI), information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide the following:
- Strategic direction.
- Establishment of objectives.
- Measurement of progress toward those objectives.
- Verification that risk management practices are appropriate.
- Validation that the organization’s assets are used properly.
Figure 3-2 illustrates the responsibilities of various people within an organization for information security governance.
Information Security Governance Outcomes
Effective communication among stakeholders is critical to the structures and processes used in governance at every level, and especially in information security governance. It requires the development of constructive relationships, a common language, and a commitment to the objectives of the organization.
The five goals of information security governance are as follows:
- Strategic alignment of information security with business strategy to support organizational objectives.
- Risk management by executing appropriate measures to manage and mitigate threats to information resources.
- Resource management by using information security knowledge and infrastructure efficiently and effectively.
- Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved.
- Value delivery by optimizing information security investments in support of organizational objectives.