Information Security Governance: Concepts, Security Management & Metrics

Study Notes www.SlideShare.net/OxfordCambridge
Page 1 sur 100
Information Security Governance:
#1: Concepts, Information Security Management
and Metrics.
Study Notes [beta].
+W Series - Technology Skills For Women.1
1 Men are allowed to read too, if they wish, as the language style and the document format are universal.

Information Security Governance: Concepts, Security Management and Metrics
______________________________________________________________________________
Study Notes www.SlideShare.net/OxfordCambridge Page 2 of 100
1. About “+W Series - Technology Skills for Women”
Study Notes in the field of technology are put together under this category for the
following reasons:
 To encourage girls and ladies, who wish to do so, to stand up and look over the fence
into technology related topics.
 With no apprehension or fear.
 And perhaps consider embracing a career move into a technological path.
 Or simply to broaden their general knowledge; after all IT is already in most aspects of
everyday life.
 No matter the ground for the decision, their skills, their professional strengths, and their
contribution can only be something positive for any technological fields.
Enjoy!

______________________________________________________________________________
2. About this Publication
2.1. Overview
The goal of information security governance is to establish and maintain a framework to
provide assurance that information security strategies are aligned with the business
objectives and consistent with applicable laws and regulations.
Therefore, this publication looks at the role of information security governance in an
organization, the need for senior management support for all policies and procedures
that are put in place.
This publication is the first of three publication dealing with the concepts of the first job
practice area, information security governance.
In this publication, you will discover the importance of information security governance in
an organization and the tasks within this practice area. It will also help you identify the
senior management responsibilities related to information security governance.
Additionally, this publication will highlight the information security business model and
the relationship between senior management and the information security manager.
Finally, it will describe information security governance metrics and highlight their need
for measuring information security activities.
2.2. Learning Objectives
 Identify the tasks within the information security governance job practice area.
 Recognize the outcomes of information security governance.
 Recognize the difference between corporate governance and information security
governance.
 Identify senior management roles with their corresponding responsibilities.
 Identify the elements of the information security business model.
 Recognize the interconnections between the elements of the information security
business model.
 Identify the optimal reporting relationship between senior management and the
information security manager.
 Understand reports about information security within an organization.
 Identify the goal of converging security-related functions.
 Identify categories of key goal indicators.

______________________________________________________________________________
2.3. Keywords
Information security governance framework, information security components,
information security culture, information security behavior, COBIT, ISO 17799,
Information Technology governance, Information Security governance, Information
Security, Risk management, Corporate governance, IT audit, Business information risk,
Information security governance, Information security, Information security
management, Operational management, Compliance management, Information,
systems, security, governance, behavioral aspects, End-user security behaviors,
behaviours Security, policy compliance.

______________________________________________________________________________
3. Table des matières
1. About “+W Series - Technology Skills for Women”..................................................................2
2. About this Publication ...........................................................................................................3
2.1. Overview ....................................................................................................................................... 3
2.2. Learning Objectives ....................................................................................................................... 3
2.3. Keywords....................................................................................................................................... 4
4. Foreword ..............................................................................................................................6
5. Information Security Governance Concepts............................................................................8
5.1. Introduction to Information Security Governance......................................................................... 8
5.2. Senior Management and Information Security Governance........................................................ 19
5.3. Business Model for Information Security..................................................................................... 24
5.4. Practicing Information Security Governance Concepts ................................................................ 31
6. Information Security Management and Metrics...................................................................36
6.1. Corporate Support for Information Security................................................................................ 36
6.2. Information Security Convergence .............................................................................................. 42
6.3. Information Security Governance Metrics................................................................................... 46
6.4. Practicing Information Security Responsibilities.......................................................................... 50
7. Principles of Effective Information Security Governance.......................................................53
8. Tasks and Knowledge Statements........................................................................................55
8.1. Key Tasks and Knowledge Statements......................................................................................... 55
8.2. Key Concepts of Knowledge Statements...................................................................................... 56
9. Knowledge of a CISO: Definitions of Key Security Concepts...................................................59
10. Relationship Between Information Security Governance Outcomes and Management
Responsibilities ..........................................................................................................................61
11. References.......................................................................................................................63
13. Answers to Quizzes ..........................................................................................................77

______________________________________________________________________________
4. Foreword
In today's business environment, companies and individuals are increasingly adopting
the Internet, portable storage media, and wireless technologies for accessing, storing,
and sharing information. The use of technology has made access to information easy
and affordable, but it has also caused an increase in problems such as theft, damage,
and misuse of information. Besides damaging the reputation of an organization, these
threats can also lead to major financial losses in business. So it's extremely important
for an organization to safeguard its critical information by using information security.
Information security is about protecting verbal, written, electronic, published, and other
forms of information that involve people and technology. This protection needs to exist
regardless of whether the information is being read, generated, processed, stored, or
transferred.
The objective of information security is to ensure the safety of information, including its
confidentiality, accessibility, and integrity. Information should be protected from loss,
misuse, unauthorized access, and destruction during its life cycle or the time it is being
used in an organization.
Information security differs from IT security. IT security focuses on technology and the
provision of secure IT services. It is usually carried out at the level of the chief
information officer or CIO.

______________________________________________________________________________
Information security operates at a higher level than IT security and focuses on protecting
data, information, and knowledge. The scope of information security covers the
advantages, threats, and processes associated with information. It is carried out at the
level of executive management and is supported by the board of directors.
For example, the information exchanged by two people in their office cafeteria would not
be part of IT security, but would be included in information security.
The importance of information security highlights the need for experts who can evaluate,
design, and manage an organization's information security structure.
The Certified Information Security Manager or CISM certification program supports this
need and helps you obtain essential information security management skills. The
curriculum of the CISM program includes four job practice areas.
You're currently studying the first course of the CISM curriculum - CISM 2012:
Information Security Governance (Part 1). This course is the first of three courses that
cover the concepts of the first job practice area, information security governance.
In this course, you'll learn about the importance of information security governance in an
organization and the tasks within this practice area. The course will also help you
recognize the senior management responsibilities related to information security
governance.
Additionally, this course will explain the information security business model and the
relationship between senior management and the information security manager.
Finally, the course covers information security governance metrics and highlights their
need for measuring information security activities.

______________________________________________________________________________
5. Information Security Governance Concepts
5.1. Introduction to Information Security Governance
After learning from this topic, you should be able to:
 Identify the tasks within the information security governance job practice area;
 Recognize the outcomes of information security governance.
5.1.1. Tasks
The first domain or job practice area of an information security manager (CISM) is
information security governance. This job practice area establishes and maintains a set
of policies and procedures to ensure information security strategies are aligned with
business goals and objectives.
It also defines the roles and responsibilities of the board of directors and executive
management with regards to information security and helps them perform the following
activities:
 Achieving the organization's information security goals and objectives;
 Formulating a strategic direction for information security activities;
 Ensuring the efficient utilization of information resources, and;
 Managing the risks related to information security.
The main objective of information security governance is to ensure that a CISM
understands two aspects of information security:
The basic requirements for successful information security governance:
 A CISM should have a clear understanding of the basic requirements for the
success of information security governance.
 For example, one requirement is that information security governance must be
aligned with the organization's goals and objectives, and must cover all physical,
operational, and technical processes.

______________________________________________________________________________
The requirements for creating and executing an information security strategy:
 A CISM should know about the components required and the steps that must be
performed to create an information security strategy and develop its execution
plan.
 The information security strategy is created and executed through an information
security program.
 This program includes elements such as security policies and standards, roles and
responsibilities, training on security processes, monitoring of security aspects,
metrics, risk management, and audits.
5.1.2. Quizz – Tasks 1
Identify the statements that correctly define information security governance.
Options:
1. A set of policies and procedures that establishes a framework of information security strategies.
2. A set of rules for achieving the information security goals and objectives of trading partners.
3. A job practice area that defines the information security responsibilities of Service Desk employees.
4. A practice area that ensures efficient utilization of information resources.
Answer (see Endnotes) i
To meet your organization's information security objectives, you must be able to perform
certain tasks within the information security governance job practice area. The first four
of these tasks are as follows:
A- Establish and maintain an information security strategy in alignment with
organizational goals and objectives to guide the establishment and ongoing
management of the information security program
B- Establish and maintain an information security governance framework to guide
activities that support the information security strategy;
C- Integrate information security governance into corporate governance to ensure that
organizational goals and objectives are supported by the information security program;

______________________________________________________________________________
D- Establish and maintain information security policies to communicate management's
directives and guide the development of standards, procedures, and guidelines.
You need to perform five more tasks to establish an effective information security
governance structure:
1- Develop business cases to support investments in information security.
2- Identify internal and external influences to the organization – for example, technology,
business environment, risk tolerance, geographic location, and legal and regulatory
requirements – to ensure that these factors are addressed by the information security
strategy.
3- Obtain commitment from senior management and support from other stakeholders to
maximize the probability of successful implementation of the information security
strategy.
4- Define and communicate the roles and responsibilities of information security
throughout the organization to establish clear accountabilities and lines of authority.
5- Establish, monitor, evaluate, and report metrics – for example, key goal indicators
(KGIs), key performance indicators (KPIs), and key risk indicators (KRIs) – to provide
management with accurate information regarding the effectiveness of the information
security strategy.

______________________________________________________________________________
Each information security governance task typically maps to several knowledge
statements. These statements identify what an information security manager should
know in order to perform the associated tasks.
For example, to create an information security strategy that aligns to organizational
goals, you must have the knowledge of information security concepts and their
components, business goals and objectives, and the scope of governance.
The information security governance job practice area includes around 20 knowledge
statements (see section related to Tasks and Knowledge Statements).
5.1.3. Quizz – Tasks 2
Which tasks are included in the information security governance job practice area?
Options:
1. Design the business goals and objectives and get senior management to sign off on them.
2. Establish and maintain information security policies.
3. Define and communicate the roles and responsibilities of information security throughout the organization.
4. Minimize the organization's driving factors and their influence on information security.
5. Establish, monitor, evaluate, and report KGIs, KPIs, and KRIs.
Answer (see Endnotes) ii
5.1.4. Importance
The exponential growth of information technology has made information a key asset for
any business. In fact, for many organizations, like those involved in IT services,
information management is a source of business.
Organizations in all types of industries, such as textiles, banking services, and
telecommunications, rely heavily on information in digital form to conduct their business.

______________________________________________________________________________
According to a research by Brookings Institution, information and other intangible assets
comprise almost 80% of a company's market value. As a result, companies might
continue to exist after losing other assets such as people and equipment, but most of
them cannot bear the loss of crucial information.
As the dependency on information continues to increase, so does the potential for
criminal activity. For example, you might come across many instances of hacking and
cyber-attacks that attempt to steal or damage vital information. Apart from handling
these threats, a company also needs to ensure that its information adheres to all
relevant laws and regulations.
Considering all aspects related to information – dependency, threats, and adherence to
laws - it is necessary for an organization to address information security at the highest
level. Essentially, information security should be treated as a governance function at the
board level. The board of directors and senior management should be actively involved
in information security governance, and should be aware of their roles and
responsibilities in managing information security.
The main purpose of information security governance is to ensure the safety of
information, including its confidentiality, integrity, and availability. Information security
governance protects information from loss, misuse, unauthorized usage, and destruction
during its life cycle or the time it is being used in an organization.

______________________________________________________________________________
To implement information security governance effectively, it needs to be linked to the
goals and objectives of the organization. Additionally, it should completely protect the
information associated with all physical and technical operations. To do so, information
security governance requires strategic leadership and momentum. It also requires the
allocation of adequate resources and proper management of its activities.
Effective information security governance provides an organization with many benefits.
Some of the benefits include:
 Accountability for protecting information during important business activities:
Information security governance provides accountability for information protection during
important business activities. An example of such an activity is a merger of two
companies. During the merger, information security governance ensures that a person is
made responsible for recording and managing all critical information belonging to the
associated companies. This ensures that information is not lost or misused.
 Reduction in the impact of security incidents:
Information security governance reduces the impact of security incidents, thereby
reducing losses from such incidents and ensuring that such incidents are not disastrous.
For example, consider an IT company that has implemented information security
governance. When this company faces a high-level cyber-attack, all its information will
not be lost and it will be saved from complete destruction. This is because it has
predefined operations that quickly identify and control the attack.
 Reduction in risks to tolerable limits:
Information security governance reduces the risks associated with information security
to levels that can be defined and tolerated by the business. This is achieved by setting
up risk management processes and assessing risks periodically. A reduction in risks
ensures that the outcomes of business operations are as expected.

______________________________________________________________________________
Information security governance has more benefits for organizations:
 Protection from civil and legal liabilities:
Information security governance protects organizations from the growing possibility of
civil and legal liabilities. Such liabilities may arise because of incorrect information or a
failure to properly protect it. Information security governance eliminates both these
issues by implementing specific procedures that secure information.
 Enhancement of trust in customer relationships:
Information security governance helps you enhance customers' trust in your
organization and develop better customer relationships. When customers know that an
organization uses information security governance to protect its information, they can be
sure of the organization's capability to safeguard critical information.
 Assurance of policy compliance:
The basis of information security governance is a security policy. This policy includes
standards and guidelines that cover every aspect of information security. Implementing
a well-defined information security governance structure helps assure the stakeholders
of a business, such as management, employees, and customers that the organization's
information security procedures comply with its security policy.
 Protection of company reputation:
Information security governance helps protect a company's reputation and goodwill.
Consider a company that uses information security governance to safeguard its
information. As a result, people are assured that the company always provides correct
information that adheres to all legal and regulatory needs. People also know that any
incident related to information security will not have a major impact on the services
provided by the company. These aspects help the company to protect its reputation.
5.1.5. Quizz - Importance
Which statements demonstrate the importance of information security governance?
Options:

______________________________________________________________________________
1. It provides protection from civil and legal liabilities.
2. It reduces the impact of security-related incidents.
3. It eliminates risks in business operations.
4. It protects the confidentiality, integrity, and availability of information.
5. It assures conformance to security policy.
6. It protects physical and technical operations during important business activities.
Answer (see Endnotes) iii
5.1.6. Basic outcomes
In order to be effective, information security governance needs to provide six basic
outcomes:
 Strategic alignment.
 Value delivery.
 Risk management.
 Performance measurement.
 Resource management.
 Integration.
 Strategic alignment:
Strategic alignment means ensuring that the information security strategy meets
business goals and objectives. You can achieve strategic alignment by ensuring that
security solutions comply with business processes and cater to your company's
structure, governance style, technology, and culture.
You can also ensure that security requirements are derived from business requirements
that clearly specify the actions to be taken for organizational growth and the ways of
measuring the achievement of those actions.
Also, you can ensure that information security investment is in line with the business
strategy and the organization's profile of risks, threats, and vulnerabilities.
 Value delivery:
While strategic alignment ensures that the information security strategy is aligned with
organizational goals and objectives, value delivery indicates the optimal security
investments to support these goals and objectives.
To achieve value delivery, you need to have security practices that are directly related to
risks and their likely effects. By doing so, you can direct majority of your security efforts
toward the business areas that have the maximum impact on the organization and
provide the greatest benefits.
For example, in an IT company designing web sites, the web site development function
generates maximum revenue and is critical for the growth of the business. So the
company needs to prioritize the security of this section.

______________________________________________________________________________
You can also ensure that the information security strategy provides a complete solution
to cover the organization, such as its processes and technology. These solutions should
be standards-based, structured, formalized, and easily accessible.
Additionally, you can build an organizational understanding that information security is
not an event, but a process that needs constant improvement.
 Risk management:
Another outcome of information security governance is risk management that involves
reducing risks and their likely effects on information to an acceptable limit. As a part of
risk management, you can develop a common understanding of the organization's
profile of risks, threats, and vulnerabilities. This goes together with an awareness of risk
exposure and its possible effects on business operations. Based on these effects, you
can set priorities for risk management.
Risk management helps you mitigate risks, but it can't eliminate risks completely. Those
risks that may not be completely eliminated are called residual risks, and can be
accepted based on their potential impact. You can also implement a risk mitigation
strategy to lower the effects of residual risks to an acceptable level.
5.1.7. Quizz - Basic outcomes 1
What are the outcomes of successful implementation of information security governance in an
organization?
Options:
1. Organization-wide understanding that information security is an event.

______________________________________________________________________________
2. Acceptance of residual risks based on an understanding of their likely effects.
3. Alignment of the information security strategy with organizational goals.
4. Minimal investment in information security to sustain business objectives.
Answer (see Endnotes) iv
 Performance measurement:
In addition to managing risks, it's important that information security processes are
monitored, and that the associated results are reported to ensure that organizational
goals are met. This monitoring and reporting is called performance measurement and
requires a set of definite and approved metrics that are in line with business objectives.
These metrics should provide adequate information for effective decision-making at
various levels in the organization, namely strategic, operational, and management.
Some examples of these metrics are the number and type of security incidents, the
number of systems not meeting security requirements, and the number and type of
access violations.
Apart from metrics, there should be a proper measurement process that detects flaws in
security procedures and determines the progress made in resolving security issues.
External assessments and audits can also be conducted to obtain assurance about
security processes.
 Resource management:
Besides measuring the performance of information security processes, it is essential to
make effective use of information security infrastructure and knowledge, which is called
resource management.
The primary goals of resource management include:
 Keeping a record of security practices and processes.
 Acquiring knowledge and making it accessible.
 Building a security architecture that identifies and uses infrastructure resources
properly.
 Integration:
Developing an effective information security governance structure helps you to integrate
significant assurance functions to make sure that information security processes work as
expected.
To achieve this integration, you first need to identify the different assurance functions in
the organization. Some examples of these functions are internal and external audits,
quality assurance, IT security, and legal departments.
You then need to establish official relations with the various assurance functions and
bring them together to achieve complete security. You also need to make sure that there
is an overlap between the roles and responsibilities of the assurance functions.
For example, the IT team may be responsible for carrying out a weekly audit of all IT-
related software on user systems, while the internal audit team may be responsible for
carrying out a random monthly or bimonthly check of authorized applications installed on
user systems. So both teams perform the same responsibility, but at different times. This
helps build a double-security layer because there are two teams checking authorized
applications on user systems.

______________________________________________________________________________
You also need to plan, implement, and manage information security in a systematic way
that takes into account the assurance functions.
Linkage between IT and IS must be built from the strategy level up to ensure the
objectives are achieved.
5.1.8. Quizz - Basic outcomes 2
Identify the desired outcomes of information security governance.
Options:
1. It should provide additional assurance about security processes through external assessments.
2. It should ensure that the assurance functions in an organization are independent of each other.
3. It should ensure the effective use of information security infrastructure and knowledge.
4. It should provide metrics for measuring the achievement of business objectives.
Answer (see Endnotes) v
5.1.9. Summary
Information security governance is a set of procedures and duties performed by the
executive management and board of directors. It involves achieving information security
objectives and giving planned direction.
It also ensures that the organization's information resources are used efficiently and
security risks are managed in the proper manner.
Effective information security governance provides many benefits, such as
accountability for protecting information during important business activities, reducing
the impact of security incidents, and reducing risks to tolerable levels.
Effective information security governance provides six basic outcomes - strategic
alignment, value delivery, risk management, performance measurement, resource
management, and integration.

______________________________________________________________________________
5.2. Senior Management and Information Security Governance
After going through this topic, you should be able to:
 Recognize the difference between corporate governance and information security
governance.
 Match senior management roles with their corresponding responsibilities related to
information security governance.
5.2.1. Corporate and IS governance
Increasing risks to information warrant the need to make information security an
important part of an organization's governance structure. Information security
governance is a complex task that requires strategic direction, resource allocation,
identification of roles and responsibilities, and process monitoring. Information security
governance should also address legal and regulatory standards of due care.
All these requirements can be fulfilled only when senior management, including the
board of directors and executive management, provide support for information security
governance.
The board of directors should make information security governance an integral part of
corporate governance and ensure proper use of information by employees,
stakeholders, and customers. The executive management should ensure the effective
implementation of the information security governance structure.
The board of directors and executive management should also ensure that information
security governance aligns with business goals and objectives. The level of this
alignment determines the success of information security governance in protecting
information that is critical for the existence and growth of the business.
Also, business goals and objectives define the strategic direction of the organization. An
understanding of this strategic direction helps in linking information security governance
to corporate governance.
Corporate governance is a set of procedures and duties performed by the board of
directors and executive management to direct and control the organization. Corporate
governance helps the board of directors to:
 Ensure that business objectives are met.
 Provide strategic direction for business activities.
 Verify the efficient use of the organization's resources, and.
 Ensure proper handling of business risks.
While corporate governance deals with performance and control at all levels of the
organization, information security governance is a subset of corporate governance.
Information security governance is concerned with the policies and controls related to
protecting information in the organization. It helps you to:
 Ensure that information security objectives are achieved.
 Provide strategic direction for information security activities.
 Ensure the efficient use of information resources, and.
 Manage information security risks.
Corporate governance deals with issues that involve transparency in business
operations. These include timely and accurate disclosure of financial information,

______________________________________________________________________________
adherence to industry standards and regulations, protection of stakeholder rights, social
responsibility, and ethical business practices. If an organization uses unfair trade
practices or fails to comply with regulations, it can lead to public litigation and damage to
the organization's goodwill.
Consider an organization that is required to perform regular financial audits. If the
organization does not follow audit procedures, it might report incorrect financial
information to stakeholders, which is a corporate governance issue.
Information security governance, on the other hand, deals with security activities and
mitigating risks to organizational information. This includes storage, transfer, security,
and accessibility of information.
For example, business data lying unattended on an employee's table, a user gaining
unauthorized access to a computer, virus attacks, and tailgating are information security
governance issues.
To ensure the effectiveness of information security governance, the executive
management should develop a security governance framework. This framework can
then be used to create and manage an extensive and cost-effective information security
program that meets business objectives. The general components of the information
security governance framework are:
 Security strategy:
The framework should have an extensive security strategy that is aligned with business
objectives. The security strategy must take into account the scope, processes,
technology, and structure of the organization.
 Security policies:
The framework must define the security policies that are to be used to implement the
security strategy. These policies should cover all aspects of the strategy, controls, and
regulation to ensure that all information is secure.
 Standards:
The framework needs to implement a set of standards to ensure that security
procedures conform to the security policies.
 Security organizational structure:
In order to avoid conflict, the framework should create a security organizational structure
that clearly specifies the roles and responsibilities of each stakeholder. The structure
should also include sufficient authority and resources for the roles involved.
 Metrics and monitoring processes:
Structured metrics and monitoring processes are required in the framework to make
sure that the security policies are being followed. These processes also give reports
about the efficiency of the policies and help the management in decision-making.
The information security governance framework is a part of an organization's overall
governance framework. The governance framework includes corporate governance that
drives everything in the organization and mitigates risks using a risk management
strategy. This strategy includes IT and information security that exist as two related but
separate functions. IT focuses on physical security, policies, and procedures, whereas
information security is mainly concerned with controls. Regardless of the focus, all
aspects of the governance framework need to be aligned with the overall business
goals.

______________________________________________________________________________
5.2.2. Quizz - Corporate and IS governance
Which examples are related to information security governance?
Options:
1. An organization is facing negative public perception created by the media.
2. A project manager is unable to access important files associated with a project.
3. The stakeholders of a company are complaining that their interests are being compromised.
4. The assessment ratings of employees, which are meant to be confidential, are disclosed.
Answer (see Endnotes) vi
5.2.3. Senior management responsibilities
Information security governance is one of the primary responsibilities of the board of
directors and executive management. However, they alone cannot manage all the tasks
associated with protecting information. So there are other roles involved in information
security governance, namely the steering committee and the chief information security
officer or CISO.
The board of directors or senior management are responsible for including information
security governance in the corporate governance framework. They should be committed
to the cause of information security and provide strategic direction and momentum to it.
Board members should also have complete knowledge of their organization's critical
information assets. To identify these assets and the associated security risks, the board
members can conduct a risk assessment and business impact analysis. This data can
help the board members establish adequate monitoring and control procedures for the
authorized use and protection of assets.
To further contribute to the effectiveness of information security governance, board
members should review and approve the security policy, metrics, and monitoring
processes. They should also allocate sufficient resources for information security, assign
its responsibility to a committee, and find out ways of determining its success.
Board members should also follow security measures. This encourages all employees in
the organization to follow these measures. Board members can ensure that employees
not conforming to the security measures are provided with appropriate training and
awareness programs.
In addition to the board of directors, the members of executive management play an
important role in information security governance. They implement information security
governance effectively and identify strategic information security objectives. To complete
these tasks successfully, executives provide leadership and continuous support to the
people involved in implementing information security.
To help build and execute an effective information security strategy, executives ensure
the integration of the strategy with different business processes and obtain cooperation
from the process owners. The success of this integration determines the level to which
information security activities comply with business objectives. This compliance further
decides the efficiency of the information security program in providing a definite,
expected, and acceptable level of information protection.

______________________________________________________________________________
Another group associated with information security governance is the steering
committee. This committee consists of senior representatives of departments that are
directly or indirectly affected by information security policies.
For example, according to an organization's information security policy, financial records
need to be secure. This requirement directly affects the finance department. So some
people from this department need to be part of the steering committee.
The steering committee aims to involve all stakeholders influenced by security aspects.
The committee helps to achieve organizational consent over priorities related to
information security. The committee also works toward establishing a culture that is
positive for the success of information security. Additionally, the committee acts as a
communication channel between the senior management and the employees. It ensures
that the information security program continually complies with the business goals and
objectives.
5.2.4. Quizz - Senior management responsibilities 1
What are the responsibilities of the board of directors with respect to information security?
Options:
1. Involve all stakeholders influenced by security considerations.
2. Integrate information security governance with corporate governance.
3. Review and approve the security policy.
4. Act as a communication channel between the senior management and employees.
Answer (see Endnotes) vii
Another key role linked with information security governance is the CISO. Organizations
may have different names for the CISO, for example, the chief security officer or CSO,
the chief information officer, also known as CIO, or the chief financial officer, also known
as CFO. In some companies, the chief executive officer or CEO might also perform the
role of the CISO.
The power and duties of a CISO may differ from one company to another. However, the
general range of the role starts from the CISO reporting to the CEO, and ends at the
system administrators having additional responsibility for information security and
reporting to the IT manager or CIO.
The usual responsibilities of a CISO include developing an information security strategy
and getting it approved by senior management. The CISO also ensures the commitment
of senior management at all stages of information security governance. Additionally, the
CISO establishes reporting and communication channels in the whole organization to
make sure that information security governance is effective. The CISO should also be
aware of the financial and budgeting processes and ensure that the information security
program is cost effective.
The board of directors, executive management, and CISO have specific responsibilities
that map to the outcomes of effective information security governance.
To achieve strategic alignment, the board of directors should provide direction for
ensuring clear mapping of the information security strategy with business objectives.
The executive management must lay the foundation for this mapping by establishing
relevant processes. The CISO needs to create the security strategy and ensure

______________________________________________________________________________
continuous mapping of this strategy with business objectives by coordinating with
process owners. The CISO should also supervise the security program and the plans
associated with it.
Another outcome of information security governance is value delivery. For this outcome,
the board of directors needs to ensure optimal security investments by monitoring the
expenditure in security operations. The executive members should consider the security
policies and procedures and conduct business case studies for them. The CISO must
ensure that information security resources are used in an efficient way by continuously
supervising them.
In addition to ensuring value delivery, the senior management needs to reduce security
risks, which is called risk management.
To achieve this outcome, the board members identify the threats and vulnerabilities of
information security and their impact on the organization. They also supervise a security
policy for risks and make sure that all people and processes in the organization adhere
to this policy. The executive management performs continuous checks for adherence to
the risk policy. It also ascertains that risk management is a part of all actions performed
at all levels in the organization. The CISO creates policies and procedures for reducing
risks, implements the risk policy, and makes sure that different sections of the
organization evaluate potential risks and their impacts on business.
The senior management also needs to attain another outcome of information security
governance, which is resource management. For this outcome, the board members
ensure effective use of knowledge and information security resources by supervising the
policy for them. The executive members establish processes to attain knowledge and
metrics for measuring efficient utilization of resources. The CISO builds these metrics
and finds out ways of acquiring and distributing knowledge.
Besides managing resources, it's important to measure the performance of security
processes in an organization. To do this, the board of directors must implement a
system that gives them regular reports about the effectiveness of security processes.
The executive managers need to supervise the security actions and gather metrics for
measuring the efficiency of these actions. The CISO should examine the security
actions and provide appropriate guidance. The CISO should also create and execute
methods for supervising security actions and gathering metrics.
The last outcome of information security governance is process assurance. This
outcome requires the board of directors to ensure proper coordination of assurance
functions by supervising the relevant policy. The executive members supervise all
assurance functions and the plans for coordinating the activities of these functions. The
CISO interacts with all assurance providers and ensures that there are no
misunderstandings or gaps in the integration activity.
5.2.5. Quizz- Senior management responsibilities 2
Match each senior management role with the associated responsibility concerning information security
governance.
Options:
A. Board of directors.
B. Executive management.
C. Steering committee.
D. CISO.

______________________________________________________________________________
Targets:
1. Achieves organizational consensus over priorities related to information security.
2. Sets up reporting and communication channels in the whole organization.
3. Establishes processes for integrating security with business objectives.
4. Identifies information assets that need protection.
Answer (see Endnotes) viii
5.2.6. Summary
Information security governance is a board-level activity and is an integral part of
corporate governance.
Corporate governance is a set of procedures and duties performed by the board of
directors and executive management to direct and control the organization. Information
security governance involves implementing and managing information security.
For information security governance to be effective, the board of directors or senior
management must be actively involved in it. The executive management must
implement information security governance. The steering committee needs to ensure
the involvement of all stakeholders influenced by security considerations, and the CISO
should design and develop the information security strategy.
5.3. Business Model for Information Security
 Identify the elements of the information security business mode
 Recognize the interconnections between the elements of the information security
business model.

______________________________________________________________________________
5.3.1. Elements of the model
A basic outcome of information security governance is the integration of key business
processes to achieve complete security. Organizations can achieve this integration by
using the governance, risk management, and compliance approach, also known as the
GRC approach.
GRC covers many interconnected activities of an organization, such as incident
management, enterprise risk management or ERM, operational risk, internal audits,
compliance programs, and several other activities.
GRC consists of three processes:
 Governance:
Governance is the process that senior management can use to direct and control an
organization. It involves developing methods to ensure that all employees of the
organization adhere to its policies, standards, and procedures.
 Risk management:
Risk management helps you create and implement methods for mitigating risks. Using
this process, you can establish the organization's risk tolerance, recognize potential
risks and their impact on business operations, and decide the priority for mitigating the
risks based on business goals and risk tolerance.
 Compliance:
Compliance is the process using which you can supervise the controls and methods that
ensure adherence to an organization's policies, standards, and procedures.
All of the three GRC processes are interdependent and influence one another. For
example, risk management identifies risks that can be mitigated only by improving
governance and compliance. Similarly, when new governance methods are introduced,
the compliance process needs to be updated to ensure their supervision. So it's
important that these processes work together with a common goal, which means that
they should be integrated.
To integrate the GRC processes effectively, an organization needs to establish
governance before implementing risk management and enforcing compliance. This

______________________________________________________________________________
integration is vital for the success of any area in which GRC is used, including
information security governance.
In addition to GRC, information security governance uses systems theory to manage
security in an organization.
Systems theory can be defined as a network of processes, people, technologies,
relationships, events, reactions, and results that interact with each other to achieve one
common goal. By analyzing these interactions, an information security manager can
understand the working of a system in an organization and control any risks to it.
The basic idea of this theory is that you can understand a system properly only by
considering it as one whole unit and not just as a collection of some parts. Studying one
part of a system can help you understand its remaining parts.
Systems theory brings a number of benefits to information security governance. It
enables information security managers to clearly define a security system in terms of
what is included in it and what is not. This helps in planning and implementing security
solutions and enables stakeholders to understand the importance of security.
Systems theory also helps information security managers understand the impact that a
change in one part of the security system has on the other parts. This helps them
effectively handle security issues in complicated and dynamic environments.
Additionally, the theory makes it possible for information security managers to adapt to
changes in strategic directions and operations, team up with different sections of the
organization, and handle the impact of external issues.
Based on systems theory, there exists an information security business model that helps
you understand complex relationships in an organization to effectively manage
information security. This model consists of four elements that are linked with six
dynamic interconnections. These elements and connections set the limit for information
security and define its response to changes inside and outside the organization.
The four-elements of the model are:
 Organization design and strategy.
 People.
 Process.
 Technology.

______________________________________________________________________________
An organization represents a group of people, processes, and assets that have distinct
roles and work with each other to achieve a common objective.
Every organization has a strategy that determines its direction with regards to its internal
and external factors. The strategy identifies the goals and objectives to be attained and
the values and missions to be followed.
The way in which an organization implements its strategy is called its design. To design
the organizational strategy, you need resources such as knowledge, people, processes,
and equipment.
Another key element of the information security business model consists of an
organization's people or human resources. The human resources are the primary users
of the organization's assets and are also involved in implementing the organizational
strategy. As a result, most security issues concern them.
As an information security manager, you need to address security issues by considering
the values, culture, and behavior of the people inside and outside the organization.
Outside the organization, the actions of suppliers, customers, media, and stakeholders
influence its activities. The information security manager should consider this external
influence when developing an information security governance structure.
For example, the information security manager of a bank can develop guidelines on how
its customers can maintain the security of their account information. Similarly, a car
manufacturing company's security manager can define what information can be
disclosed when inviting quotations from suppliers.
Inside the organization, the information security manager needs to interact with legal
and human resource divisions to deal with various employee-related security issues:
 Employment:
The information security manager should ensure that the security issues related to
employment are fully addressed by the organization. For example, the organization
should define employees' access rights to applications, ensure that the employees are
trained on the information security aspects, and enforce restriction of movement within
the organization.
 Recruitment:
It is the responsibility of an information security manager to safeguard information
related to recruitment. This information can be in the form of interview results,
descriptions of roles and responsibilities, and details of the background checks of
selected candidates.
 Termination:
The information security manager must protect information associated with termination
of employees. The manager should ensure that data related to termination is kept
confidential and unauthorized users are not allowed access to it. After termination, all
access rights of the user should be revoked.
Every organization requires processes to ensure that its human resources perform their
tasks using an established set of procedures. The process element comprises formal
and informal methods of doing things, and it also acts as a link for all the dynamic
interconnections.

______________________________________________________________________________
Setting up processes helps an organization to define the roles and responsibilities of
each resource and identify and control risks to information. Processes also ensure that
information is available when required and protected from unauthorized access.
To make its processes effective, an organization needs to:
 Ensure that they conform to its policy and business needs.
 Ensure that they can be modified according to changing requirements.
 Conduct their regular reviews for continual improvement.
 Keep their detailed records and share them with authorized personnel.
To ensure an effective and efficient implementation of organizational processes, you
need technology. Technology is an integral element of an organization's information
security business model. It consists of all the applications, tools, and infrastructure
required to meet business goals.
Many organizations consider technology to be an effective method for managing risks to
information security. This can be true to some extent because technology can mitigate
some risks, but it also keeps evolving and has its own risks. So it is not advisable to
completely depend on technology to ensure information security.
Technology is influenced by the people using it and the culture of the organization in
which it is used. Some people do not trust it, some find it difficult to use, and some
believe it reduces their performance. Information security managers must be aware of
these possibilities and take steps to limit this occurrence.
For example, an organization's Service Desk staff may not want to use a new
application to log customer complaints. In such a case, the information security manager
must ensure that the staff are provided detailed information about how the application
will make their work simpler and enable them to work faster. The manager should also
arrange proper training on the application for the staff so that they find it easy to use.
5.3.2. Quizz - Elements of the model ix
Which element of the information security business model represents the formal and informal ways of
doing things?
Options:
1. Organization.
2. People.
3. Process.
4. Technology.
Answer (see Endnotes)
5.3.3. Interconnections between elements
The elements of the information security business model are linked through six dynamic
interconnections to ensure that each element aligns with business goals and objectives.
The six interconnections are:

______________________________________________________________________________
 Governance.
 Culture.
 Enablement and support.
 Emergence.
 Human factors.
 Architecture.
The governance interconnection links the organization and process elements. Its basic
aim is to direct and control an organization by providing strategic guidance, ensuring
that objectives are achieved, managing risks, and monitoring the efficient use of
resources.
Governance specifies the operational limit of an organization and is executed using
processes. It checks performance, defines actions, ensures compliance, and helps the
organization adapt to changing business conditions.
For example, an organization that is fully committed to information security and has
established processes to identify and manage security risks is likely to face less security
incidents. On the other hand, an organization that doesn't have a defined information
security governance structure is more vulnerable to theft, damage, or misuse of
information.
If governance connects an organization and its processes, culture links the organization
to its people. Culture represents the way people behave, what they assume and believe,
their opinions, and how they do things. Culture is present in different parts of the society,
such as families, organizations, and countries. It is formed from both internal and
external aspects and is continuously evolving. Culture develops as a set of shared
behaviors when a group of people respond to the same experience in a similar manner.
It's essential to understand the culture of an organization because it affects and is
affected by the organizational patterns. Culture also has an impact on the way in which
people understand and use information within the organization.
Another dynamic interconnection in the information security business model is
enablement and support. This interconnection links the technology and process
elements. It involves creating security policies, guidelines, and standards that support
business needs. These policies, guidelines, and standards should support changes in
organizational objectives and should lessen or remove conflicts between people.
To ensure that employees adhere to the security policies, controls, and procedures, you
need to make them simple to use. You also need to add clarity to the security measures
to assure users that their work efficiency will not be affected by these measures.
5.3.4. Quizz - Interconnections between elements 1
Match the elements of the information security business model with their dynamic interconnections. You
may use each element more than once.
Options:
A. Organization.
B. Process.
C. People.
D. Technology.

______________________________________________________________________________
Targets:
1. Governance.
2. Culture.
3. Enablement and support.
Answer (see Endnotes) x
One more interconnection in the information security business model is emergence that
links the people and process elements. It indicates patterns in the life of an organization
that emerge and develop without any clear reason, and have results that are difficult to
foresee and control. One probable solution for these patterns is to consider emergent
issues in the system design life cycle, risk management, and change control. Other
solutions include aligning these patterns with process improvement and feedback loops.
Consider this example. While performing routine tasks, an organization's information
security manager realizes that the information associated with some old projects is
missing. The manager tries to find the cause of this loss and its immediate results but is
unable to reach any conclusion.
After some time, the customer requests a change in those old projects. The organization
accepts the request but has to ask the customer to provide all project-related
information. In this way, the emergent issue of information loss causes a decline in the
organization's reputation.
The emergence interconnection links people with processes, and people are linked with
technology through the human factors interconnection that indicates the interaction and
gap between these elements. Human factors include age, cultural experience, and work
experience. Because of these factors, people might not adhere to security policies.
For example, consider a young employee who does not have any work experience and
has joined a large organization that has security policies. This person might not
understand the importance of these policies immediately and might be careless in
following them.
People might also not understand technology, or simply refuse to use it. This rejection
can pose security problems such as damage, loss, theft, leakage, and misuse of
information.
For example, consider that the employees of a newly formed company have been
instructed to install antivirus software on their computers to prevent virus attacks. Some
employees do not install the software as they do not understand how to install it. This
can lead to a virus attack on their computers, destroying all data. So it becomes
essential to provide training to all employees on the relevant technologies.
Technology is not only linked with people, but also with the organization where it is
used. The architecture interconnection establishes this link. This interconnection
includes an organization's policies, processes, people, and technology that compose the
security practices. To understand the need for information security and create a security
architecture, it's important to first have a strong business information architecture in
place.
The security architecture of an organization ensures regular and cost-effective security
in different business lines. It also enables the organization to determine security
investments in a proactive manner. The security architecture also defines the placement
of security controls and their relationships with the complete IT architecture. So an

______________________________________________________________________________
organization can implement total protection from threats in the architecture
interconnection.
5.3.5. Quizz - Interconnections between elements 2
Match each element of the information security business model to its dynamic interconnections. You
may use each element more than once.
Options:
A. Technology.
B. People.
C. Organization.
D. Process.
Targets:
1. Emergence.
2. Human factors.
3. Architecture.
Answer (see Endnotes) xi
5.3.6. Summary
An organization can integrate its key business processes by using GRC that comprises
governance, risk management, and compliance. Governance must be established
before implementing risk management and enforcing compliance for effective
information security.
Apart from GRC, information security makes use of the systems theory that enables
information security managers to clearly define and develop security models.
Based on the systems theory, there is an information security business model that helps
you understand complex relationships in an organization for managing security
effectively. This model is made up of four elements that are linked with six dynamic
interconnections. The elements are organization, people, process, and technology. The
dynamic interconnections are governance, culture, enablement and support,
emergence, human factors, and architecture.
5.4. Practicing Information Security Governance Concepts
 Recognize key concepts related to information security governance.
5.4.1. Exercise overview

______________________________________________________________________________
In this exercise, you're required to recognize the key concepts of information security
governance, the management roles associated with it, and the business model for
implementing it.
This involves the following tasks:
identifying the need for information security governance
recognizing management responsibilities related to information security governance
identifying the elements and their interconnections in the information security business
model.
5.4.2. Identifying need
5.4.2.1. Quizz - Identifying need 1
What is information security governance?
Options:
1. A set of guidelines that ensures elimination of all information security risks.
2. A set of procedures performed to meet business goals of the organization.
3. A job practice area that works toward protecting all physical and technical operations.
4. A collection of rules that ensures efficient use of information security resources.
5. A domain that requires strategic direction from senior management.
Answer (see Endnotes) xii
5.4.2.2. Quizz - Identifying need 2
As a Certified Information Security Manager or CISM, you need to strengthen information security in
your organization. So you plan to develop an information security governance structure. Which
statements will you use to justify the need for information security governance to the senior
management?
Options:
1. It enhances trust in customer relationships.
2. It provides complete safety from all security-related incidents.
3. It provides protection from civil and legal liabilities.
4. It protects an organization's reputation.
5. It requires minimum investment for protecting information.
Answer (see Endnotes) xiii
5.4.2.3. Quizz- Identifying need 3
Match the outcomes of effective information security governance with their descriptions.

______________________________________________________________________________
Options:
A. Strategic alignment.
B. Resource management.
C. Integration.
D. Value delivery.
Targets:
1. Helps build an understanding that information security is a process.
2. Ensures that security solutions comply with business processes.
3. Takes the assurance functions into account while implementing information security.
4. Keeps a record of security practices and processes.
Answer (see Endnotes) xiv
5.4.3. Recognizing management roles
5.4.3.1. Quizz - Recognizing management roles 1
Match each security example with the applicable governance process. You can select each process
more than once.
Options:
A. The HR records of some employees are missing.
B. A company is earning a bad name for not following environmental regulations.
C. An employee can access all the data stored on the computers of other employees.
D. An organization is making a loss because of mismanagement of funds.
Targets:
1. Corporate governance.
2. Information security governance.
Answer (see Endnotes) xv
5.4.3.2. Quizz- Recognizing management roles 2
Don has been appointed as the chief information security officer or CISO in an organization. What tasks
should he perform to ensure proper information security governance?
Options:
1. Review and approve the security policy, metrics, and monitoring processes.
2. Create an information security strategy.
3. Ensure that the information security program is cost effective.

______________________________________________________________________________
4. Ensure the involvement of all stakeholders influenced by security considerations.
5. Supervise all assurance functions and integration plans.
Answer (see Endnotes) xvi
5.4.3.3. Quizz- Recognizing management roles 3
A company's board of directors has created a steering committee to ensure the proper functioning of
information security governance. What would be the key responsibility of this steering committee?
Options:
1. Provide strategic direction for demonstrable alignment.
2. Ensure that risk and business impact assessments are performed.
3. Ensure that roles and responsibilities include risk management in all tasks.
4. Attain organizational consent over priorities related to information security.
Answer (see Endnotes) xvii
5.4.4. Identifying elements & interconnections
5.4.4.1. Quizz - Identifying elements & interconnections 1
Which statements are correct regarding the governance, risk management, and compliance or the GRC
approach?
Options:
1. Compliance involves developing methods to ensure adherence to standards, policies, and procedures.
2. An organization should establish risk management before setting up governance and compliance.
3. All three processes in the approach are interdependent and influence one another.
4. The approach covers interconnected activities of an organization.
Answer (see Endnotes) xviii
5.4.4.2. Quizz- Identifying elements & interconnections 2
Which element of the information security business model helps create a strategy to identify goals and
values and develop a design to implement the strategy?
The information security business model contains four elements that are connected together with six
dynamic interconnections. The first and second elements are interconnected with governance. The
second and third elements are connected through emergence, and the second and fourth elements are
connected through enablement and support. The first and third elements are connected with culture, and

______________________________________________________________________________
the first and fourth elements are connected using architecture. The third element uses human factors to
connect to the fourth element.
Options:
1. Organization design and strategy.
2. People.
3. Process.
4. Technology.
Answer (see Endnotes) xix
5.4.4.3. Quizz- Identifying elements & interconnections 3
Which dynamic interconnection indicates patterns in an organization's life that develop without any
obvious reason and have results that are difficult to foresee and control?
The information security business model contains four elements that are connected together with six
dynamic interconnections. The organization element is linked to the people, process, and technology
elements with three different interconnections. The process element is connected to the people and
technology elements using two more interconnections. There is also an interconnection between the
people and technology elements.
Options:
1. Emergence.
2. Governance.
3. Culture.
4. Enablement and support.
5. Human factors.
6. Architecture.
Answer (see Endnotes) xx

______________________________________________________________________________
6. Information Security Management and Metrics
6.1. Corporate Support for Information Security
 Identify the optimal reporting relationship between senior management and the
information security manager.
 Label examples of reports about information security according to their intended
recipients within an organization.
6.1.1. Optimal reporting relationship
The increasing use of information technology to access, process, store, and share
information has brought several benefits and opportunities for organizations around the
world. It has helped organizations increase their profit margins, reduce costs, provide
better customer services, and streamline operations.
However, the use of information technology has also made information vulnerable to
misuse and damage. As a result, a growing number of organizations are recognizing the
need to protect information assets. Information security activities like background
checks, user awareness, security controls, and regular audits help ensure security. To
manage all such activities, organizations employ dedicated information security
managers who have the expertise to manage information assets and the IT systems that
support these assets.
Information security managers act as process owners for all ongoing activities that help
an organization protect the confidentiality, integrity, and availability of its information
assets.
They perform several responsibilities:
 Design, develop, and implement information security policies and procedures.
 Monitor compliance of policies and procedures by all stakeholders in the organization.
 Promote activities that help create information security awareness within the
organization.
 Meet legal and regulatory requirements.
 Obtain senior management commitment to information security initiatives.
Different organizations have information security managers at different levels in their
reporting hierarchy. Almost 35% of information security managers report to chief
executive officers or CEOs, 32% to chief information officers, also known as CIOs, and
28% to a board of directors.
Depending upon the reporting hierarchy, different organizations can have different titles
for the information security manager role.
For example, the title could be chief security officer, also known as CSO, or chief
information security officer (CISO for short), who reports to the company's CEO. This
reporting structure is considered optimal because it allows direct interaction between the
information security manager and the CEO.
This structure leads to direct alignment of security objectives with business goals and
facilitates quick decision-making on critical information security issues. It also provides
greater authority to the information security manager who can now communicate directly
to senior management and easily obtain their commitment.

______________________________________________________________________________
Some international professional associations focused on IT security governance would
recommend the CISO report directly to the CEO.
And in practice, most organizations are increasingly allowing a direct reporting
relationship between the CISO and the CEO; some organizations still integrate the
information security manager's role with the IT manager. In this case, the IT manager is
responsible for both information security and IT operations. Also, the IT manager
typically reports to the company's CIO, instead of reporting directly to the CEO.
Although the structure in which the IT manager acts as information security manager
may be adequate for implementing security activities in the organization, it follows the
bottom-up approach to management. It is considered suboptimal because the
information security manager cannot interact directly with the CEO.
Also, the objectives of the information security manager often conflict with the IT
manager's goals. This is because security functions are completely regulatory and IT
functions are purely operational. Security functions are concerned with designing and
developing security policies and procedures that govern the IT operations. IT functions,
on the other hand, are concerned with putting these policies and procedures into
operation.
For example, the IT Department of a company may decide to outsource the
management of the online Service Desk to an external service provider. However, the IT
Department doesn't enter into an underpinning contract with the service provider neither
does it verify the security system of the service provider. As a result, there is a risk that
the information of the customers logging their issues in the Service Desk may be
compromised. So while the IT Department was trying to cut costs by outsourcing, it
ignored the security aspect emphasized by the security function because it was not a
part of IT operations.
In some organizations, the role of information security manager could be held part-time
by middle managers who have security responsibilities in addition to their main
responsibilities. This is another example of a reporting structure that follows a bottom-up
management approach and is not considered optimal.
In this structure, the middle manager reports to one of the senior managers in the
organization. Because information security is not the main responsibility of middle and
senior managers, it may not be taken seriously. Senior managers focus more on
reducing the operational costs and consider information security a hindrance to their
activities.
For example, the CTO, also known as chief technology officer, primarily focuses on
implementation and use of technology in business operations and may find that security
issues are interfering with the implementation of technology. So if the information
security manager role is held by the operations manager reporting to the CTO, the
reporting structure is considered suboptimal.
Due to these reasons, a bottom-up management approach to information security
activities is less likely to be successful.
Without senior management support, the information security programs are likely to fail.
So, the information security manager must convince senior management about the
benefits of information security. To obtain a desirable level of information security in the
organization, senior management should be committed to performing the following
activities:
 Considering information security a critical factor for meeting business goals and

______________________________________________________________________________
developing a security environment that meets those business goals.
 Identifying risks to information security and implementing appropriate controls.
 Obtaining the confidence of customers, stakeholders, and other third parties in the
information security structure of the organization.
 Ensuring that all stakeholders, including employees and senior management, are
accountable for managing information security.
 Overseeing effective implementation of corporate governance to meet industry
standards.
 Taking responsibility for effective implementation of information security.
Senior management can establish a commitment to information security initiatives by:
 Conducting a periodic review of information security programs.
 Getting involved in the design and development of high level information security
policies.
 Controlling and supervising information security at a high level.
 Specifying information security governance metrics and monitoring policies.
 Assigning the required resources for information security
6.1.2. Quizz - Optimal reporting relationship 1
Which reporting structure between the information security manager and senior management depicts an
optimal reporting relationship structure?
In the first structure, information security manager reports to the CEO. In the second structure,
information security manager reports to the CTO, who reports to the CEO. In the third structure,
information security manager reports to the IT manager, who reports to the CIO, and the CIO reports to
the CEO.
Options:
1. Information security manager reporting to the CEO.
2. Information security manager reporting to the CTO, who reports to the CEO.
3. Information security manager reporting to the IT manager, who reports to the CIO, and the CIO reports to the
CEO.
Answer (see Endnotes) xxi
To successfully implement information security in the organization, you first create a
security program. The aim of the security program is to inform senior management
about security objectives, schedules, estimated funds, resource requirements, and any
specific deliverables.

______________________________________________________________________________
However, the program may face resistance from senior management because of a lack
of understanding of security issues or apprehensions about costs incurred and benefits
accrued.
To gain senior management commitment to the security program, you need to educate
them about the benefits of information security. You can do this by creating a formal
presentation for them, covering the critical aspects of information security. This
presentation can educate senior management on how critical security is to continued
operations.
You can also involve senior management at the beginning of the security program and
explain to them how it affects every department and business processes in the
organization. You should also convince the management to allocate sufficient funds for
the security program. This can only happen if the management understands the security
plan and believes that the information security manager is their ally.
To convince senior management of the need for information security management, you
should create a business case that covers critical aspects of the business. You should
then apply these aspects to the formal presentation. This helps gain attention and
commitment from senior management.
To promote the acceptance of the formal presentation by senior management, you
should:
 Align the security and business objectives to help senior management use the security
standards, policies, and procedures effectively in their work.
 Determine the possible effects if some of the defined security objectives and regulatory
conformances fail.
 Describe the overhead involved in the security program to help senior management
assess the expenses of the program.
 Use financial or risk and benefit models, such as total cost of ownership and return on
investment, to assess the profits and expenses of the security program.
 Identify monitoring and auditing tools to measure the effectiveness of the security
program.
In addition to senior management, you need to convince employees about the benefits
of information security. This is necessary to ensure effective information security
management.
Senior management should set an example for employees by following all security
practices. This encourages employees to adhere to the security practices. For example,
if an organization has used biometric technology for employee identity verification,
senior management should have to undergo the same process.
As an information security manager, you can conduct training programs and spread
awareness about the benefits of information security by sending regular e-mails to
employees. You can also make security activities a part of their work and involve them
in the active implementation of information security.

______________________________________________________________________________
6.1.3. Quizz - Optimal reporting relationship 2
As an information security manager, which points should you follow to promote the acceptance of the
formal presentation by senior management?
Options:
1. Align the security and business objectives.
2. Specify the tools for calculating the expenses of the security program.
3. Identify the possible effects of failure of the defined security objectives.
4. Use financial or risk and benefit models.
5. Discuss measures to reduce the overhead involved in the security program.
Answer (see Endnotes) xxii
6.1.4. Communication and reporting channels
As an information security manager, you're responsible for ensuring that all
stakeholders, including senior management and employees, are aware of the existing
information security governance structure. You should also ensure that senior
management is provided with all information necessary for maintaining information
security in the organization. To do this, it is essential that you have a well-organized
reporting and communication channel in the organization.
A proper reporting and communication channel ensures that all stakeholders receive
necessary information. This information helps the stakeholders present their views on
the information security structure and improve the existing structure.
You can achieve a well-organized communication channel by creating a formal reporting
procedure and providing periodic reports to senior management on the performance of
information security management. These reports should correspond to formal
presentations that were used to obtain support and commitment from senior
management for the security program.
The periodic reports can include:
 A comparison between the pre-implementation and post-implementation result for
business impact analysis.
 The need for renewing security plans and approving all related expenses.
 The current state of enforcing security systems as per the approved security program.
 An analysis of performance data along with independent audit reports.
 A list of possible security vulnerabilities and potential threats associated with them
 Details of periodic activities to ensure alignment of security objectives with business
processes, goals, and environment.
 Data on security threats that have been identified and prevented to demonstrate the
importance of a security program.
Apart from formal reporting, regular reporting of information security is critical for the
smooth working of security programs. However, this reporting need not be very formal.

______________________________________________________________________________
This reporting can be done to groups that deal with specific security-related issues in the
organization. The groups are:
 Business process owners:
You should conduct regular meetings with business process owners to retain their
support in implementing the information security system. During this meeting, you can
discuss various issues, such as implementation of unique security systems for each
process. Also, business process owners should attend operational review meetings to
learn about the requirements and disputes related to the day-to-day operations.
 Senior management:
It's good to meet senior management periodically to understand their perspective of
business goals. During this meeting, you can discuss the financial aspects of the
security program. Additionally, you can attend business meetings with senior
management to learn about proposed business plans and objectives. Suppose you've
implemented a physical access control system. You can provide periodic reports to
senior management on the effectiveness of the system.
 Employees:
To help employees practice security in their routine tasks, you organize adequate
training programs for them. For instance, if your organization adopts a new security
standard, you can conduct a training program to inform employees about it. If a security
policy or plan is updated, employees must be notified. To get proper feedback on
employees practicing security, you assign information security governance coordinators
for each operational unit.
 Department heads, supervisors, and line managers:
It is important to develop awareness about security requirements and policy compliance
among the department heads, supervisors, and line managers who are delegated risk
management or security functions. You should help them understand their security
responsibilities to minimize conflicts in the event of failure of a risk management or
security function.
6.1.5. Quizz - Communication and reporting channels
You are the information security manager in an organization, and you informally report to specific groups
in the organization about information security. Match examples of reports about information security with
the relevant groups within the organization.
Options:
A. Reporting about training and education programs that help practice security in daily tasks.
B. Report on new security systems implemented for specific processes.
C. Reporting about the financial aspects of the security program.
D. Reporting security responsibilities of project managers.
Targets:
1. Senior management.
2. Business process owners.
3. Employees.
4. Line managers.

______________________________________________________________________________
Answer (see Endnotes) xxiii
6.1.6. Summary
To secure sensitive data and IT systems, every organization needs an information
security manager. Different organizations can have different titles for this role – CSO,
CISO, or information security manager. To have a successful security program in the
organization, you need to ensure that senior management is committed to the program.
To obtain senior management support, you can create a formal presentation covering
important aspects of information security. You can also use business cases to ensure
better understanding of information security. Additionally, you should ensure that
employees also support the security program.
After obtaining senior management commitment, you should provide periodic reports to
senior management about the current state of the information security program. To
ensure that all stakeholders are aware of information security programs, you should
create formal and informal information reporting structures for specific groups, including
senior management, employees, process owners, and other management.
6.2. Information Security Convergence
 Identify the goal of converging security-related functions.
6.2.1. Converging security-related functions
It is common in organizations that different security-related activities fall under different
types of security functions. For example, information security and physical security are
distinct security functions in an organization. When you combine these security functions
under a common head, the process is called security convergence.
Security convergence is the integration of the organization's assurance processes, such
as change management, risk management, human resources, audits, and compliance,
so that security is not segmented across various functions.
The main objective of security convergence is to reduce the gaps that result from the
segmentation of various security-related functions in an organization. These gaps arise
because the security functions are generally interdependent. For example, information
security is generally affected by the physical aspects or physical security of the
organization.
Suppose an organization has a strong access control, such as a biometric system and
guards, that don't let an intruder enter the building. This physical security measure
prevents unauthorized access to the building and safeguards the organization’s critical
data. So a breach in physical security may adversely affect information security.
But with advanced technologies, critical data can also be accessed remotely. So
physical security alone is not enough to secure information. Strong information security
also needs to be implemented to secure critical data or applications in the organization.
Although physical security and information security are interdependent, they do not have
common goals. Physical security functions may focus on authorizing physical access to
an organization, whereas information security functions may focus on securing network
or information data.

______________________________________________________________________________
If information and physical security work in isolation, security gaps are bound to arise.
For example, proper physical security measures may be taken for authorized physical
access to the building, but measures to prevent unauthorized remote access are not
taken. In this case, critical business data is still at stake. To avoid these gaps, physical
and information security need to work in close coordination. To ensure coordination
between all security functions, including physical and information security, you need to
implement security convergence.
Security convergence prevents any security overlaps across different functions. This
reduces the number of security functions, making it easier to follow and manage and
providing a streamlined security process. Security convergence also ensures well-
defined roles and responsibilities to reduce issues such as ineffective communication
and duplication of work.
Additionally, security convergence takes care of all assurance functions while
implementing a security strategy. This helps evaluate all phases of the business
process, irrespective of the assurance process used, and minimizes the gaps that result
from segmented security functions. It also aligns the security objectives to business
goals.
There are three organizations that strongly support convergence – ASIS, the Information
Systems Security Association (also known as ISSA), and the ISACA. These
organizations have established the Alliance for Enterprise Security Risk Management,
(sometimes called AESRM), to encourage security professionals to converge security
functions within their own organizations.
Security professionals merge security functions because several issues exist when
security is fragmented in the organization. These include:
 Focusing on specific risks associated with a particular area and ignoring the
interdependency of risks in the organization.
 Sub-optimizing the cost required to deal with the risks in the organization.
 Using different assurance processes and terminology in different reporting structures
in the organization.
 Introducing security gaps while aligning business goals with segmented security
functions.
Another reason to implement security convergence is the influence of several factors on
the operations of any organization. The following factors demonstrate the importance of
adopting security governance:
 Growing technologies are obscuring the boundaries between information and physical
security functions.
 Organizations are expanding at a fast pace that makes them complex.
 New compliance and regulatory authorities introducing complex compliance and
security guidelines.
 A risk-based approach is required to maximize resource utilization and minimize
security risks.
 An increase in the information-based and intangible assets requires security
convergence.

Information Security Governance: Concepts, Security Management & Metrics

Information Security Governance: Concepts, Security Management & Metrics

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Information Security Governance: Concepts, Security Management & Metrics

Semelhante a Information Security Governance: Concepts, Security Management & Metrics (20)

Mais de Marius FAILLOT DEVARRE

Mais de Marius FAILLOT DEVARRE (20)

Último

Último (20)

Information Security Governance: Concepts, Security Management & Metrics