2.5 Security Governance Evaluation
An ancient Roman saying asks “Who will guard the guards themselves?” Those who are responsible for enterprise governance and information security governance need to be open to evaluation of their efforts at governance. In a publicly held corporation, the board performs or commissions such evaluation, and in any organization, the auditing function illustrated in Figure 2.7 encompasses an assessment of the governance function.
Johnston and Hale’s article “Improved Security Through Information Security Governance” reports a useful set of metrics for evaluating security governance [JOHN09] (see Table 2.5).
TABLE 2.5 Indicators of Information Security Governance Effectiveness

Executive management support
  - Executive management understands the relevance of information security to the organization
  - Executives promote effective information security governance
  - Executives actively support the information security program
  - Executives comply with all aspects of the information security program
  - Executive management understands their responsibility for information security
  - Executives understand the liability associated with not executing information security responsibilities

Business and information security relationship
  - Security investments are optimized to support business objectives
  - Business process owners actively support the information security program
  - Business process owners view security as an enabler
  - Business process owners are involved in evaluating security alternatives
  - Business process owners actively support the development of a security culture
  - Business process owners accept responsibility for information security
  - Business process owners are accountable for information security

Information protection
  - All information in use within the organization is identified
  - Information is classified according to criticality
  - Information is classified according to sensitivity
  - Information classifications are enforced
  - Information classifications are applied to information received from outside entities
  - Information classifications are applied to information provided to an outside entity
  - Ownership responsibilities for all information are assigned
  - Applications that process sensitive information are identified
  - Applications that support critical business processes are identified
  - Data retention standards are defined and enforced
The metrics fall into three categories:
Executive management support: This is a critical component for cybersecurity program success. If top executives exhibit an understanding of security issues and take an active role in promoting security, this influence is felt throughout the firm. Strong executive management security awareness and support promotes a culture of secure practices.
Business and information security relationship: An effective security governance program conveys a strong relationship between business goals and objectives and information security. When information security is incorporated into the enterprise planning process, employees tend to feel a greater responsibility for the security of their assets and view security not as an impediment but as an enabler.
Information protection: These indicators of security governance effectiveness deal with the pervasiveness and strength of information security mechanisms. These indicators reflect the degree of awareness of information security issues and the level of preparedness, enterprisewide, to deal with attacks.
The SGP mandates that an organization adopt a consistent and structured approach to information risk management to provide assurance that information risk is adequately addressed. A key element is that a structured technique be used at the governing body level, such as the ISF Business Impact Reference Table (BIRT), discussed in Chapter 3. The BIRT is used to document the maximum level of risk or harm that the organization is prepared to accept in any given situation and is used to inform any decisions about information risk throughout the organization.
Based on the risk appetite, the security strategy, security controls, and security assessment measures are developed.