Percy A. Grisby II
Computer Ethics
March 7, 2015
Professor Sonya M. Dennis
Information Security Governance can be defined specifically as the methods and processes that an organization or business uses to control its IT Security Management program. An important distinction needs to be made, however: governance should be considered separate from IT Security Management, which is a discipline based around the need to identify and control risks. Governance is based around the need to ensure that the relevant, approved people are authorized to take the necessary and appropriate actions, and to make the required decisions, in response to any particular situation or series of events that may occur. To ensure this can happen within an organization, a framework must be defined and created which outlines the necessary accountability requirements. This framework will also take into consideration the need to comply with legislative or regulatory requirements, depending on the type of business concerned. Across all of these aspects is the need to assign responsibility to certain individuals and departments within the organization (NIST, 2006), and this would include the following five tasks:
Governance of business operations and protection of their critical assets;
Protection of the business’ market share and value where applicable;
Governance of employee conduct and overall responsibility of acceptable use policies that are implemented;
Protection of the business’ reputation;
Assurance that all compliance requirements are met and maintained accordingly.
Each of these areas would be an intrinsic element of Information Security that is managed across all parts of the organization, with Security Governance being used to ascertain that the responsibilities which are allocated are performed in an appropriate manner. The way in which Information Security Governance is set out and implemented will be broadly representative of the organization’s culture. Like other Information Security concerns, Governance should be considered an organization-wide issue, with all managers and leaders accountable as a result. Irrespective of any cost that may be incurred through the implementation and management of appropriate governance, this should be seen as a mandatory business requirement, and also considered in terms of the cost that may be incurred should issues arise which could otherwise have been resolved through Governance programs.
The way in which Governance is implemented will depend on an understanding of the risks that are apparent and on how the roles and responsibilities of individuals are defined from a security perspective. While individuals must possess appropriate permissions to be able to fulfil these roles, there should also be an accompanying outline of how segregation of duties is achieved. All of this should form a central part of the necessary Information Security documentation as a matter of policy (IT Governance Institute, 2006).
Furthermore, the organization should ensure that all necessary resources, equipment, and training are available to all employees so that awareness of security and governance is maximized across the organization. Determining whether this is working in practice on an on-going basis would be incorporated into regular reviews, with feedback being used to identify specific issues. This process mirrors the way in which security policies themselves are regularly reviewed.
Once a suitably comprehensive security program has been created and put into operation, with governance as a fundamental element, it should be possible to define the specific achievements and outcomes that the organization could expect to experience (Chew, Swanson, Stine, & Nadya Bartol, 2008):
Responsibility – both groups and individuals will be assigned specific responsibilities which will be clearly understood, along with relevant authority for actions which they are expected to perform;
Strategy – strategic business objectives will take into consideration the requirement for IT security and ensure this remains a core concept;
Acquisition – all procurement operations and purchasing decisions will be made in an open and transparent fashion, having evaluated all relevant information;
Performance – the organization and its support resources will be able to meet on-going and future requirements;
Conformance – both business and regulatory requirements will be met through the Information Systems and Security policies in place;
Human Behavior – there is ample scope by which people will be involved throughout the overall process.
To ensure that each of these objectives can be reached and supported in an on-going fashion, there are a variety of diverse methods and best practices that should be utilized to facilitate their delivery:
Requirement
The activities of an organization should be based on how relevant they are, not only to business requirements and security considerations, but also to the legal, compliance, and auditing requirements, which exist and will differ between each type of organization.
Involvement
The active involvement of senior managers and leaders should be highly visible in implementing the necessary framework and security program, to ensure governance can easily be monitored and maintained. This should extend to the allocation of roles and responsibilities, which will require all of those involved in such areas to be appropriately trained and qualified.
Accountability
Irrespective of their actual position, any individual who assumes responsibility in these areas will be considered to be accountable for their actions.
Communication
It is critical that the varying priorities of the organization with regard to Information Security are communicated to all organizational stakeholders and across all parts of the organization.
Activities
Management activities should always consider the appropriate security and governance policies, particularly with regard to long-term strategic planning. It is vital that these activities consider the need to continue supporting security and governance requirements in the coming years.
Monitoring
Monitoring should be understood as the need to continually review and revise governance procedures to ensure they remain appropriate. A monitoring program should produce dedicated outputs and identify priorities going forward.
In addition to ensuring that these best practices are followed on a regular basis, there is also a considerable advantage to be gained through adherence to a set of guiding principles, which can be used to verify that the security and governance solution is appropriate. Certain elements may need to be revised or refined depending on the type of organization, but the overall principles can be considered as follows:
Maintain a stable and robust security environment;
Establish Governance arrangement;
Identify Governance resources;
Document Governance arrangement;
Procure and/or train Governance resources;
Define Roles & Responsibilities;
Establish Roles & Responsibilities;
Secure all necessary formal approvals from executive stakeholders.
By following these guiding principles, which can be applied across multiple meetings and communications, the organization will be able to develop, adapt, and deliver a comprehensive range of information and security requirements, and to maintain them as required.
References
Chew, E., Swanson, M., Stine, K., & Nadya Bartol, A. B. (2008, July). Performance Measurement Guide for Information Security. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
IT Governance Institute. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management. Retrieved from Information Systems Audit and Control Association: http://www.isaca.org/Knowledge-Center/Research/Documents/InfoSecGuidanceDirectorsExecMgt.pdf
NIST. (2006, October). Information Security Handbook: A Guide for Managers. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf