This chapter is from the book 2.3 Security Governance ComponentsSP 800-100 lists the following key activities, or components that constitute effective security governances (refer to Figure 2.1): Strategic planning Organizational structure Establishment of roles and responsibilities -
Integration with the enterprise architecture Documentation of security objectives in policies and guidance
The following sections examine each of these components in turn. Strategic PlanningIt is useful for this discussion to define three hierarchically related aspects of strategic planning (see Figure 2.2): Enterprise strategic planning Information technology (IT) strategic planning Cybersecurity
or information security strategic planning
Enterprise strategic planning involves defining long-term goals and objectives for an organization (for example, business enterprise, government agency, or nonprofit organization) and the development of plans to achieve these goals and objectives. The management activity involved in enterprise strategic planning is described in the Strategic Management Group’s Strategic Planning Basics [SMG17] as an activity used to set
priorities, focus energy and resources, strengthen operations, ensure that employees and other stakeholders are working toward common goals, establish agreement around intended outcomes/results, and assess and adjust the organization’s direction in response to a changing environment. It involves the development of a strategic plan and the ongoing oversight of the implementation of that plan. strategic plan A document used to communicate,
within the organization, the organization’s goals, the actions needed to achieve those goals, and all the other critical elements developed during planning exercises.
IT strategic planning is the alignment of IT management and operation with enterprise strategic planning. The need to move beyond IT management and to ensure that the IT planning process is integrated with enterprise strategic planning follows from two strategic factors: mission necessity and enterprise
maturity [JUIZ15]. With many actors exploiting IT to maximize effectiveness, an organization must engage in strategic planning to ensure that investments in IT produce business value and that the assessment of risks is aligned with enterprise goals and objectives. This is a necessity to support the overall enterprise mission. Further, as the IT infrastructure develops and matures, meeting enterprise strategic goals is likely to involve new arrangements with outside providers, such as cloud
service providers, more use of mobile devices by employees and outside actors, and perhaps reliance on a variety of new hardware and software to develop Internet of Things (IoT) capability. These activities may create unintended barriers to flexibility and introduce new areas of risk. IT management must be guided by strategic planning to meet these challenges. One of the best-documented examples of IT strategic planning is the process used at Intel [HAYD08a, HAYD08b, PETE12]. It is worth
examining this model because it also serves as a model for security strategic planning. Intel’s IT strategic planning process comprises six phases, as shown in Figure 2.3. The six phases are as follows: Two- to five-year business and technology outlook: At the beginning of the year, the planning team takes as input an overall vision and mission statement developed at the enterprise level. During this phase, the team reviews the enterprise strategies,
technology trends, employee trends, and so on to better understand the future environment that will shape the IT organization and its deliverables. IT subject matter experts from throughout the organization are recruited to help define the major trends that may be critical in shaping the organization and its decision making in the next few years. Strategic deep dive: The team identifies a small number of high-impact areas that require more in-depth analysis to
inform the overall strategic planning process. Depending on circumstances at a given point in time, these may include IoT, social media trends, and changing regulatory compliance rules. Current-state assessment: The planning team analyzes the current state of all the IT-related systems and policies and compares these with the long-range outlook, paying special attention to the key drivers developed in the preceding phase. The result is a set of recommendations for
adjustments to IT’s focus areas and spending plans. Imperatives, roadmaps, and finances: The next phase is the development of a strategic plan for IT. The plan includes a discussion of strategic objectives and a budget and investment plan. The plan reflects IT’s highest-priority items and provides an outcome framework for defining success. Each item includes a roadmap that can influence budget and organization decisions in the upcoming year. Governance
process and decision making: Once the annual budget is approved, the information from the preceding phases is used to guide the governance process and the many decisions made across the organization to implement the strategic plan and one-year strategic objectives. These decisions include project chartering, supplier selection, sourcing, investment trade-off decisions, and so on. Regular reviews: Monthly reviews based on a wide variety of input help
ensure that the strategic plan and governance decisions are followed. This culminates in a year-end assessment. Reviews continue into the following year until a new strategic plan and new governance decisions provide input for modifying the review process.
This process can include a security strategic planning component, or planning can occur in a coordinated and parallel fashion in another team. Information security strategic planning is alignment of
information security management and operation with enterprise and IT strategic planning. The pervasive use and value of IT within organizations has resulted in an expanded notion of IT’s delivery of value to the organization to include mitigation of the organization’s risk [ZIA15]. Accordingly, IT security is a concern at all levels of an organization’s governance and decision-making processes, and information security strategic planning is an essential component of strategic planning. An
information security strategic plan should be embodied in a document that is approved by the appropriate executives and committees and is regularly reviewed. Table 2.1 suggests an outline for such a document. TABLE 2.1 Elements of a Strategic Plan Document
Section
| Description
| Definition
| Mission, vision, and objectives
| Defines the strategy for aligning the information security program with organizational goals and objectives, including the role of individual security projects in enabling specific strategic initiatives.
| Priorities
| Describes factors that determine strategy and the priorities of objectives.
| Success criteria
| Defines success criteria for the information security program. Includes risk management, resilience, and protection against adverse business impacts.
| Integration
| Strategy for integrating the security program with the organization’s business and IT strategy.
| Threat defense
| Describes how the security program will help the organization defend against security threats.
| Execution
| Operations plan
| An annual plan to achieve agreed objectives that involves agreeing on budgets, resources, tools, policies, and initiatives. This plan (a) can be used for monitoring progress and communicating with stakeholders and (b) ensures that information security is included from the outset in each relevant project.
| Monitoring plan
| This plan involves planning and maintaining a stakeholder feedback loop, measuring progress against objectives, and ensuring that strategic objectives remain valid and in line with business needs.
| Adjustment plan
| This plan involves ensuring that strategic objectives remain valid and in line with business needs as well as procedures to communicate the value.
| Review
| Review plan
| This plan describes procedures and individuals/committees involved in regular review of the information security strategy.
|
Organizational StructureThe organizational structure to deal with cybersecurity depends, in large part, on the size of the organization, its type (for example, government agency, business, nonprofit), and the organization’s degree of dependence on IT. But the essential security governance functions to be performed are in essence the same across organizations. Figure 2.4, which is based on a figure in X.1054, illustrates these basic functions within a
broader context. The basic security governance functions are as follows: Direct: Guiding security management from the point of view of enterprise strategies and risk management. This function involves developing an information security policy. Monitor: Monitoring the performance of security management with measurable indicators. Evaluate: Assessing and verifying the results of security
performance monitoring in order to ensure that objectives are met and to determine future changes to the ISMS and its management. Communicate: Reporting enterprise security status to stakeholders and evaluating stakeholder requirements.
This framework includes the governing cycle to direct, monitor, and evaluate the ISMS. The evaluation incorporates both the results of the monitoring and proposals from security management to dictate changes and
improvements. This cycle is in accordance with Requirement 4.4 in ISO 27001 that the organization shall establish, implement, maintain, and continually improve an ISMS. The evaluate function triggers communication with stakeholders in the form of a report, which can be issued annually, more frequently, or based on a security incident. As indicated in the Information Security Governance Framework [OHKI09], reporting to stakeholders serves two purposes: Accountability:
Reporting enables stakeholders to ensure that information security is being managed effectively, and it should include the following: Effect on corporate value: Reporting should disclose the following: Estimates of the costs and benefits of making an inventory of information assets. The
information security risk assessment process includes making a complete inventory of information assets. This inventory may support improved strategic management of the information assets, apart from security concerns, which may enhance corporate value. Estimates of the value of an inventory of information assets that is developed as a result of information security activities. The extent to which information security activities increase the brand value as well as
the trust of the customers and partners. The economic value of protected information assets. The amount by which the security implementation reduces the risk of damaging the information assets.
The following sidebar provides an example of an information security report outline, from the Information Security Governance Framework [OHKI09]. This report structure is based on a study of private companies by the Japanese Ministry of Economics,
Trade and Industry. It gives an overall picture of the enterprise’s information security governance. Section 5, in particular, involves providing a status update, which should be in sufficient detail for stakeholders to determine whether information security activities are being carried out as planned. X.1054 provides an example of information security status report structure that includes the following detailed contents: Introduction Scope (strategy, policies,
standards), perimeter (geographic/organizational units), period covered (month/quarter/six months/year)
Overall status Updates (as appropriate and relevant) Progress toward achieving the information security strategy Elements completed/in-hand/planned Changes in information security management system ISMS policy revision,
organizational structure to implement ISMS (including assignment of responsibilities) Progress toward certification ISMS (re)certification, certified information security audits Budgeting/staffing/training Financial situation, headcount adequacy, information security qualifications Other information security activities Business continuity management involvement, awareness campaigns, internal/external audit
assistance
Significant issues (if any) Results of information security reviews Recommendations, management responses, action plans, target dates Progress in respect of major internal/external audit reports Recommendations, management responses, action plans, target dates Information security incidents Estimated impact, action plans, target dates Compliance (or
noncompliance) with related legislation and regulations Estimated impact, action plans, target dates
Decision(s) required (if any)
Such an outline is particularly useful for organizations that expect to enhance their reputation by emphasizing their security (for example, information and communications technology
businesses). Transparency of the organization’s approach to its security risk and appropriate disclosure is also effective at increasing trust. Common awareness can be shared among stakeholders through such activities. For example, public cloud service providers share considerable detail about the information security program and even go the extent of allowing customers to conduct audits and vulnerability testing with prior arrangement. Other service providers and organizations with business
customers traditionally did not provided this level of transparency. Finally, the assess function depicted in Figure 2.4 is performed by independent third-party auditors, commissioned by enterprise top management. Roles and ResponsibilitiesA key aspect of security governance is defining the roles and responsibilities of executives related to information security. Typically, these are C-level executives. Executive positions that play a role in security
governance include the following: C-level Chief level. Refers to high-ranking executives in an organization. Officers who hold C-level positions set the company’s strategy, make high-stakes decisions, and ensure that the day-to-day operations align with fulfilling the company’s strategic goals.
Chief executive officer (CEO): Responsible for the success or failure of the organization, overseeing the entire operation at
a high level. Chief operating officer (COO): Generally second in command to the CEO. Oversees the organization’s day-to-day operations on behalf of the CEO, creating the policies and strategies that govern operations. Chief information officer (CIO): In charge of IT strategy and the computer, network, and third-party (for example, cloud) systems required to support the enterprise’s objectives and goals. Chief
security officer (CSO) or chief information security officer (CISO): Tasked with ensuring data and systems security. In some larger enterprises, the two roles are separate, with a CSO responsible for physical security and a CISO in charge of digital security. Chief risk officer (CRO): Charged with assessing and mitigating significant competitive, regulatory, and technological threats to an enterprise’s capital and earnings. This role does
not exist in most enterprises. It is most often found in financial service organizations. In enterprises in which a CRO is not present, organizational risk decisions may be the responsibility of the CEO or board of directors. Chief privacy officer (CPO): Charged with developing and implementing policies designed to protect employee and customer data from unauthorized access.
Figure 2.5 shows an example of reporting relationships among these
roles for a large enterprise. In smaller organizations, a number of these roles may be assumed by a single individual. FIGURE 2.5 Possible Reporting Relationships for Security Governance Two breakdowns of responsibility are useful in showing how to structure security-related roles in an organization. Figure 2.6, based
on one in the Corporate Governance Task Force’s Information Security Governance: A Call to Action [CGTF04], shows a recommended assignment of roles and responsibilities. This useful report also provides a more detailed discussion of these roles as well as a list of recommendations for implementing effective security governance. FIGURE
2.6 Security Governance Roles and Responsibilities Example The Business Software Alliance’s Information Security Governance: Toward a Framework for Action [BSA03] proposes a governance framework based on three categories (see Table 2.2): Governance/business drivers: What am I required to do? What should I do? Roles and responsibilities: How do I accomplish my objectives? Metrics/audit:
How effectively do I achieve my objectives? What adjustments do I need to make? TABLE 2.2 Information Security Governance Responsibilities
Governance/Business Drivers
| Roles and Responsibilities
| Metrics/Audit
| Corporate Executive
| Legislation, ROI
| Provide oversight and coordination of policies Provide oversight of business unit compliance Ensure compliance reporting Monitor actions to enforce accountability
| Financial reporting, monetizing losses, conforming to policies
| Business Unit Head
| Standards, policies, budgets
| Provide information security protection commensurate with the risk and business impact Provide security training Develop the controls environment and activities Report on effectiveness of policies, procedures, and practices
| Policy violations, misuse of assets, internal control violations
| Senior Manager
| Standards, audit results
| Provide security for information and systems Periodic assessments of assets and their associated risks Determine level of security appropriate Implement policies and procedures to cost-effectively reduce risk to acceptable levels Perform periodic testing of security and controls
| Risk assessment and impact analysis, control environment activities, remedial actions, policy and procedure compliance, security and control test results
| CIO/CISO
| Security policies, security operations, and resources
| Develop, maintain, and ensure compliance with the program Designate a security officer with primary duties and training Develop required policies to support the security program and business-unit-specific needs Assist senior managers with their security responsibilities Conduct security awareness training
| Security awareness effectiveness, incident response and impact analysis, security program effectiveness, information integrity, effects on information processing
|
Integration with Enterprise ArchitectureA key element of security governance is the development of an information security architecture. This architecture provides information on how security capabilities (for example, identity and access management) are placed and used in the enterprise architecture. It allocates security requirements and controls to common services or infrastructures. It also
provides a foundation for achieving risk-appropriate information system security, determining what circumstances and which security controls apply to information systems. information security architecture An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel, and organizational sub-units, showing their alignment with the enterprise’s
mission and strategic plans. architecture The way in which the component parts of an entity are arranged, organized, and managed. enterprise architecture The systems, infrastructure, operations, and management of all information technology throughout an enterprise. The architecture is typically organized as high-level internally compatible representations of organizational business models, data, applications, and
information technology infrastructure.
Over the past 20 years, a number of enterprise architecture models have been developed and adopted by various organizations. Two widely used governance resources for developing an information security architecture as part of an enterprise architecture are The Open Group Architecture Framework (TOGAF) [TOG11] and the Federal Enterprise Architecture Framework (FEAF) [OMB13]. The FEAF is the most comprehensive of all the
enterprise architectures in use [SESS07], and this section provides an overview of it. Although developed for use by U.S. federal agencies, the FEAF is used effectively as a governance tool by other government organizations, private enterprises, nonprofit groups, and other organizations. The FEAF provides the following: A perspective on how enterprise architectures are viewed in terms of sub-architecture domains Six reference models for describing different
perspectives of the enterprise architecture A process for creating an enterprise architecture A transitional process for migrating from a pre-enterprise architecture to a post-enterprise architecture paradigm A taxonomy for cataloging assets that fall within the purview of the enterprise architecture An approach to measuring the success of using the enterprise architecture to drive business value
The sub-architecture
domains represent specific areas of the overall framework. The domains provided a standardized language and framework for describing and analyzing investments and operations. Each domain is defined in terms of a set of artifacts, which are essentially items of documentation that describe part or all of an architecture. [EAPA17] describes three levels of artifacts: High-level artifacts: These document strategic plans and objectives, typically in the form of
policy statements and diagrams. Mid-level artifacts: These document organizational procedures and operations, such as services, supply chain elements, information flows, and IT and network architecture. Typical artifacts at this level are narrative description, flowcharts, spreadsheets, and diagrams. Low-level EA artifacts: These document the specific resources, such as applications, interfaces, data dictionaries, hardware, and
security controls. Typical artifacts at this level are detailed technical specifications and diagrams.
The FEAF describes six domains: Strategy Business Data and information Enabling applications Host and infrastructure Security
Corresponding to the six domains are six reference models that describe the artifacts in the corresponding domains (see Table 2.3). TABLE 2.3
Enterprise Architecture Reference Models
Reference Model
| Elements
| Goals/Benefits
| Performance reference model
| Goals, measurement areas, measurement categories
| Improved organizational performance and governance, cost benefits
| Business reference model
| Mission sectors, functions, services
| Organization transformation, analysis, design, and reengineering
| Data reference model
| Domain, subject, topic
| Data quality/reuse, information sharing, Agile development
| Application reference model
| System, component, interface
| Application portfolio management, cost benefits
| Infrastructure reference model
| Platform, facility, network
| Asset management standardization, cost benefits
| Security reference model
| Purpose, risk, control
| Secure business/IT environment
|
The following description provides further detail of the reference models (RMs): Performance reference model (PRM): Defines standard ways of describing the value delivered by enterprise architectures, linked to the strategy domain. An example of a PRM artifact for this domain is a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis report that presents the strengths, weaknesses/limitations, opportunities, and threats involved
in a project or in a business venture, including risks and impacts. Business reference model (BRM): Describes an organization through a taxonomy of common mission and support service areas. The BRM provides guidance in defining functions and services in various mission sectors of the enterprise and is linked to the business services domain. An example of a BRM artifact for this domain is a use-case narrative and diagram that describes a set of possible sequences
of interactions between systems and users in a particular environment and related to a particular goal. Data reference model (DRM): Facilitates discovery of existing data holdings residing in silos and enables understanding the meaning of the data, how to access it, and how to leverage it to support performance results. The DRM is linked to the data and information domain. An example of a DRM artifact for this domain is a data dictionary, which is a centralized
repository of information about data such as name, type, range of values, source, and authorization for access for each data element in the organization’s files and databases. Application reference model (ARM): Categorizes the system- and application-related standards and technologies that support the delivery of service capabilities. The ARM provides guidance in developing a uniform scheme for documenting system, components, and interfaces and for managing
application portfolios. It is linked to the enabling applications domain. An example of an ARM artifact for this domain is a system/application evolution diagram. This artifact documents the planned incremental steps toward migrating a suite of systems and/or applications to a more efficient suite, or toward evolving a current system or application to a future implementation. Infrastructure reference model (IRM): Categorizes the network- or cloud-related standards
and technologies to support and enable the delivery of voice, data, video, and mobile service components and capabilities. The ARM provides guidance in developing a uniform scheme for documenting platform, facility, and network elements and managing assets. It is linked to the host infrastructure domain. An example of an IRM artifact for this domain is a hosting concept of operations, which presents the high-level functional architecture, organization, roles, responsibilities, processes,
metrics, and strategic plan for hosting and use of hosting services. Other artifacts provide detailed documentation of infrastructure elements. Security reference model (SRM): Provides a common language and methodology for discussing security and privacy in the context of the organization’s business and performance goals. The SRM provides guidance in risk-adjusted security/privacy protection and in the design and implementation of security controls. It is linked
to the security domain. An example of an SRM artifact for this domain is a continuous monitoring plan, which describes the organization’s process of monitoring and analyzing the security controls and reporting on their effectiveness.
Figure 2.7 illustrates the interactions among the reference models. These reference models operate on four categories of assets: Organization assets: These assets include investments, programs, processes,
applications, infrastructures, and individuals. Business capabilities: A business capability represents the ability of an organization to perform an activity that results in an outcome of value. A business capability can be viewed as an assembly of organization assets for a specific purpose. Data assets: Data assets include databases, files, and other data resources available to the organization. IT
assets: IT assets include devices, peripherals, systems, applications, and IT capital investments.
Figure 2.8 shows in more detail the interaction between the security reference model and the other reference models. FIGURE 2.8 Interactions Between the Security Reference Model and Other Reference Models
An enterprise architecture is a powerful methodology for enabling enterprise and security governance, and it should be viewed as an essential element of governance. Policies and GuidanceNIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, defines an information security policy as an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. It is an
essential component of security governance, providing a concrete expression of the security goals and objectives of the organization. The policies, together with guidance documents on the implementation of the policies, are put into practice through the appropriate selection of controls to mitigate identified risks. The policies and guidance need to cover information security roles and responsibilities, a baseline of required security controls, and guidelines for rules of behavior for all users
of data and IT assets.
What is the role of security governance?
Security governance is a process for overseeing the cybersecurity teams who are responsible for mitigating business risks. Security governance leaders make the decisions that allow risks to be prioritized so that security efforts are focused on business priorities rather than their own.
What are the three main goals of security governance risk management and compliance?
Confidentiality, Integrity, and Availability.
The Five Goals of Information Security Governance
Protect business investments by securing business continuity in case of security breaches or other cybersecurity events. Protect the value of your business and its reputation. Monitor staff and define security measures to assure business needs have the highest priority.
What is policy in security policy and governance?
A security policy is a document that states in writing how a company plans to protect its physical and information technology (IT) assets. Security policies are living documents that are continuously updated and changing as technologies, vulnerabilities and security requirements change.
|