Within IT governance, security is a key component. IT governance security activities should not be confused with IT security management. IT security and governance are, however, closely related. Within IT security includes risk management, determining what steps should be taken to avoid, mitigate, or otherwise manage information security risks. IT governance security activities create and manage a framework that guides how those decisions get made and who is authorized to make them, keeping a focus on achieving the organization’s business objectives.
An IT governance security framework should be used that defines the security policies, information security program, information security strategy, and IT governance security measures. These can then be used as a part of cybersecurity governance, which in turn is part of the overall IT security and governance approach.
What is Information Security Governance?
IT security governance is the system by which an organization directs and controls IT security. IT governance security activities define an accountability framework for managing security-related risks and providing oversight of the security management activities to ensure that these risks are adequately mitigated. While security management is responsible for implementing security controls and developing security strategies, IT governance security responsibilities include ensuring that these security strategies are aligned with business objectives and are compliant with any regulations and standards.
The benefits of undergoing IT governance security programs
Developing a good IT security and governance program can give you many benefits. The first is protecting the business and the critical assets of that business, including data and information. Implementing IT security and governance can also help to drive compliance with external requirements from regulators and contractual requirements with customers.
These programs can also help ensure that your operations’ various components have adequate governance over security, including security operations, change management, patch management, and configuration management. Good IT security and governance programs include technology, processes, and people.
IT governance security responsibilities
It is important for every organization to clearly define and assign responsibilities for IT security and governance. One useful approach for this is to use a layered approach, sometimes referred to as the “Three Lines of Defense.”
First Line of Defense:
The first line of defense is at the highest level in the organization. This is usually the organization’s board of directors and executive management, who have the highest level of IT governance security responsibilities. They are also fully accountable to shareholders and regulators for IT security and governance. Some organizations have now created the role of Chief Information Security Officer (CISO), who focuses on this level for all these activities.
The first line of defense is responsible for:
- Defining the IT strategy that provides a strategic context for all IT operations, including IT governance and security operations.
- Ensuring that the next level create a framework of controls for IT activities, including IT governance security activities.
- Ensuring that the next level implement the IT strategy.
This first line of defense is accountable for the successful implementation of the following artifacts:
- IT policy
- IT governance
- IT security
- IT compliance
- IT risk management
Second Line of Defense:
The second line of defense is made up of senior managers with IT responsibilities. They are responsible for:
- Creating a framework of controls for effective compliance
- Ensuring oversight of the performance, compliance, and risks related to the operation of IT, including IT security and governance.
- Establishing and operating appropriate IT governance bodies.
Third Line of Defense:
The third line of defense exists to provide an independent assessment of the security and governance activities. The responsibilities may be fulfilled by internal auditors or outsourced to external specialists. It is critical that this level has no involvement in the day-to-day IT governance and security operations, as that could affect their judgment. Hence this third line of defense is responsible for:
- Independently assuring compliance with the IT governance and security frameworks.
NIST IT governance
In 2013 US President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. This called for the development of a voluntary risk-based cyber security framework that would provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cyber security risks for critical infrastructure services.
Following this, a framework for an IT governance security related approach was developed in the US through an international partnership of small and large organizations, including owners and operators of the nation’s critical infrastructure, led by the National Institute of Standards and Technology (NIST). This framework was called the NIST Cybersecurity Framework, abbreviated to NSF.
NIST described IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls and provide assignment of responsibility, all aimed at managing risks.
Overview of the NIST IT governance CSF
The framework was designed to be used by individual organizations who undertake an assessment of the business risks they face to guide their use of the CSF in a cost-effective manner. The framework is divided into three parts: The Framework Core, Framework Implementation Tiers, and Framework Profiles:
The Framework Core provides a set of activities, outcomes, and references that detail approaches to aspects of cyber security. These are made up of five functions subdivided into 22 categories (outcome groups) and 98 subcategories (security controls).
Framework Implementation Tiers are used by an organization to clarify how it views cyber security risks and the degree of sophistication of its desired management approach to them.
A Framework Profile is a list of outcomes that an organization has chosen from a list of categories and subcategories based on its business needs and individual risk assessments.
The five Framework core functions are:
- Identify – Develop the organizational understanding to manage cyber security risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cyber security event.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired because of a cyber security event.
Each function is divided into groups of cyber security outcomes that relate to particular activities. Examples include ‘Asset Management’, ‘Access Control’ and ‘Detection Processes’. Subcategories further divide a category into specific outcomes of activities. Examples include ‘External information systems are catalogued’, ‘Data-at-rest is protected’ and ‘Notifications from detection systems are investigated’.
For each subcategory, the CSF provides useful information resources that are built on specific sections of a number of different information governance and security standards, including ISO 27001, COBIT®, NIST SP 800-53, ISA 62443, and the Center for Internet Security’s 20 Critical Security Controls.
Where to go for more information
There are many useful information sources to help you develop your own program. Here are some of the most commonly used information security governance frameworks:
- National Institute for Security and Technology (NIST) publication 800-53.
- International Organization for Standardization (ISO) 27001.
- Control Objectives for Information and Related Technology (COBIT).
- The Health Information Portability and Accountability Act (HIPAA).
- The Payment Card Industry Data Security Standard (PCI DSS).
In addition, there is a useful publication called “IT governance an international guide to data security.” This comprehensive book is now in its 7th edition and provides guidance on implementing effective information security management. The publication also outlines global IT governance security best practices for organizations of all sizes and sectors and demonstrates how to:
- Protect and enhance your organization with an ISO 27001-compliant ISMS (information security management system).
- Design, develop and implement a robust governance system that covers all aspects of data protection and information security.
- Defend your organization against advanced, persistent cyber threats.
It also covers key topics such as risk assessment, asset management, controls, security, supplier relationships, and compliance. This latest edition reflects changes to international legislation, including the GDPR (General Data Protection Regulation) and updates to BS 7799-3 and the ISO/IEC 27000 family. IT Governance – An International Guide to Data Security and ISO27001/ISO27002, 7th Edition by Alan Calder and Steve Watkins is published by Kogan Page. ISBN13: 9780749496968
