Home > Articles

  • Print
  • + Share This
This chapter is from the book

2.5 Security Governance Evaluation

An ancient Roman saying asks “Who will guard the guards themselves?” Those who are responsible for enterprise governance and information security governance need to be open to evaluation of their efforts at governance. In a publicly held corporation, the board performs or commissions such evaluation, and in any organization, the auditing function illustrated in Figure 2.7 encompasses an assessment of the governance function.

Johnston and Hale’s article “Improved Security Through Information Security Governance” reports a useful set of metrics for evaluating security governance [JOHN09] (see Table 2.5).

TABLE 2.5 Indicators of Information Security Governance Effectiveness

Indicator Category


Executive management support

Executive management understands the relevance of information security to the organization

Executives promote effective information security governance

Executives actively support the information security program

Executives comply with all aspects of the information security program

Executive management understands their responsibility for information security

Executives understand the liability associated with not executing information security responsibilities

Business and information security relationship

Security investments are optimized to support business objectives

Business process owners actively support the information security program

Business process owners view security as an enabler

Business process owners are involved in evaluating security alternatives

Business process owners actively support the development of a security culture

Business process owners accept responsibility for information security

Business process owners are accountable for information security

Information protection

All information in use within the organization is identified

Information is classified according to criticality

Information is classified according to sensitivity

Information classifications are enforced

Information classifications are applied to information received from outside entities

Information classifications are applied to information provided to an outside entity

Ownership responsibilities for all information are assigned

Applications that process sensitive information are identified

Applications that support critical business processes are identified

Data retention standards are defined and enforced

The metrics fall into three categories:

  • Executive management support: This is a critical component for cybersecurity program success. If top executives exhibit an understanding of security issues and take an active role in promoting security, this influence is felt throughout the firm. Strong executive management security awareness and support promotes a culture of secure practices.

  • Business and information security relationship: An effective security governance program conveys a strong relationship between business goals and objectives and information security. When information security is incorporated into the enterprise planning process, employees tend to feel a greater responsibility for the security of their assets and view security not as an impediment but as an enabler.

  • Information protection: These indicators of security governance effectiveness deal with the pervasiveness and strength of information security mechanisms. These indicators reflect the degree of awareness of information security issues and the level of preparedness, enterprisewide, to deal with attacks.

The SGP mandates that an organization adopt a consistent and structured approach to information risk management to provide assurance that information risk is adequately addressed. A key element is that a structured technique be used at the governing body level, such as the ISF Business Impact Reference Table (BIRT), discussed in Chapter 3. The BIRT is used to document the maximum level of risk or harm that the organization is prepared to accept in any given situation and is used to inform any decisions about information risk throughout the organization.

Based on the risk appetite, the security strategy, security controls, and security assessment measures are developed.

  • + Share This
  • 🔖 Save To Your Account