2.2 Security Governance Principles and Desired Outcomes
Before getting into the details of security governance, an overview of principles and desired outcomes provides useful context.
ITU-T X.1054 provides concepts and guidance on principles and processes for information security governance, by which organizations evaluate, direct, and monitor the management of information security. X.1054 states that a key objective of information security governance is to align information security objectives and strategy with overall business objectives and strategy. X.1054 lists six principles for achieving this objective:
Establish organizationwide information security. Information security, or cybersecurity, concerns should permeate the organization’s structure and functions. Management at all levels should ensure that information security is integrated with information technology (IT) and other activities. Top-level management should ensure that information security serves overall business objectives and should establish responsibility and accountability throughout the organization.
information technology (IT)
Applied computer systems, both hardware and software, and often including networking and telecommunications, usually in the context of a business or other enterprise. IT is often the name of the part of an enterprise that deals with all things electronic.
Adopt a risk-based approach. Security governance, including allocation of resources and budgets, should be based on the risk appetite of an organization, considering loss of competitive advantage, compliance and liability risks, operational disruptions, reputational harm, and financial loss.
Set the direction of investment decisions. Information security investments are intended to support organizational objectives. Security governance entails ensuring that information security is integrated with existing organization processes for capital and operational expenditure, for legal and regulatory compliance, and for risk reporting.
Ensure conformance with internal and external requirements. External requirements include mandatory legislation and regulations, standards leading to certification, and contractual requirements. Internal requirements comprise broader organizational goals and objectives. Independent security audits are the accepted means of determining and monitoring conformance.
Foster a security-positive environment for all stakeholders. Security governance should be responsive to stakeholder expectations, keeping in mind that various stakeholders can have different values and needs. The governing body should take the lead in promoting a positive information security culture, which includes requiring and supporting security education, training, and awareness programs.
stakeholder
A person, a group, or an organization that has an interest or concern in an organization. Stakeholders can affect or can be affected by the organization's actions, objectives, and policies. Some examples of stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the business draws its resources.
Review performance in relation to business outcomes. From a governance perspective, security performance encompasses not just effectiveness and efficiency but also impact on overall business goals and objectives. Governance executives should mandate reviews of a performance measurement program for monitoring, audit, and improvement that links information security performance to business performance.
Adherence to these principles is essential to the success of information security in the long term. How these principles are to be satisfied and who is responsible and accountable depend on the nature of the organization.
The IT Governance Institute defines five basic outcomes of information security governance that lead to successful integration of information security with the organization’s mission [ITGI06]:
Strategic alignment: The support of strategic organizational objectives requires that information security strategy and policy be aligned with business strategy.
Risk management: The principal driving force for information security governance is risk management, which involves mitigating risks and reducing or preventing potential impact on information resources.
Resource management: The resources expended on information security (e.g., personnel time and money) are somewhat open-ended, and a key goal of information security governance is to align information security budgets with overall enterprise requirements.
Value delivery: Not only should resources expended on information security be constrained within overall enterprise resource objectives, but also information security investments need to be managed to achieve optimum value.
Performance measurement: The enterprise needs metrics against which to judge information security policy to ensure that organizational objectives are achieved.
It is worthwhile to keep these outcomes in mind throughout the discussion in the remainder of the chapter.