Importance of Information Security Governance
In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented in the form of policies, standards, and procedures. The information security governance model is primarily impacted by the complexity of an organization's structure. An organization's structure includes its objectives, vision, mission and strategy, different function units, different product lines, hierarchy, and leadership structure. A review of organizational structure helps the security manager to understand the roles and responsibilities of information security governance, as discussed in the next section.
Information is one of the most important assets of any organization, and its governance is mandated by various laws and regulations. For these reasons, information security governance is of critical importance.
Desired Outcomes of Good Information Security Governance
A well-structured information security governance model aims to achieve the following outcomes:
- To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives
- To optimize security investments and ensure the high-value delivery of business processes
- To monitor the security processes to ensure that security objectives are achieved
- To integrate and align the activities of all assurance functions for effective and efficient security measures
- To ensure that residual risks remain within acceptable limits, which gives management assurance
Responsibility for Information Security Governance
The responsibility for information security governance primarily resides with the board of directors, senior management, and the steering committee. They are required to make security an important part of governance by monitoring its key aspects. Information security governance is a subset of enterprise governance.
Senior management is responsible for ensuring that security aspects are integrated with business processes. The involvement of senior management and the steering committee in discussions and the approval of security projects indicates that the management is committed to aspects relating to security.
Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight of the organization's security environment.
Steps for Establishing Governance
Governance is effective if it is established in a structured manner. A CISM aspirant should understand the following steps for establishing security governance:
- First, determine the objectives of the information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that the organization is willing to take. For example, an objective for a bank may be that their system should always be available for customers – that is, there should be zero downtime. In this manner, information security objectives must align with and be guided by the organization's business objectives.
- Next, the information security manager develops a strategy and a set of requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the best strategy for moving from the current state of security to the desired state. The desired state of security is also termed the security objectives. This gap analysis becomes the basis for the strategy.
- The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security manager needs to consider various factors, such as time limits, resource availability, security budget, and laws and regulations.
These specific actions are implemented by way of security policies, standards, and procedures.
Governance Framework
A governance framework is a structure or outline that supports the implementation of information security strategies. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are both examples of widely accepted and implemented frameworks for security governance.
As information security governance is a subset of the overall enterprise governance of an organization, the same framework should be used for both enterprise governance and information security governance. This ensures better integration between the two.
Top-Down and Bottom-Up Approaches
There are two possible approaches to governance: top-down and bottom-up.
In a top-down approach, policies, procedures, and goals are reviewed and approved by senior management, so policies and procedures are directly aligned with business objectives.
A bottom-up approach may not directly address management priorities. In a bottom-up approach, operational level risks are given more importance.
Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:
| Question | Possible Answer |
| --- | --- |
| Which approach (that is, top-down or bottom-up) is more effective for governance? | The effectiveness of governance is best ensured by a top-down approach. In a top-down approach, policies, procedures, and goals are set by senior management, and hence policies and procedures are directly aligned with business objectives. A bottom-up approach may not directly address management priorities. |
| What are the most important aspects of an information security strategy from a senior management perspective? | Business priorities, objectives, and goals. |
| What is a governance framework? | A governance framework is a structure that provides the outline to support processes and methods. |
A Note on the Practice Questions
Throughout this book, and within the CISM certification exam itself, more than one of the answers may address the problem posed by the question. For that reason, it is very important to carefully read the question and ensure you pick the answer that represents the most important element of the solution.
Please also note, as ISACA recommends only those with "technical expertise and experience in IS/IT security and control" seek CISM certification, that this book assumes some prior experience in the field. With that in mind, you will face some questions intended to test your expected pre-existing knowledge. Do not worry if you do not get these questions right the first time; full explanations are given after every question to help you fill any gaps in your understanding.
Note
You can find the answer key and explanations for all practice and revision questions for this chapter under the section Chapter 1: Enterprise Governance of the solution set titled Answers to Practice Questions located at the end of the book.
Practice Question Set 1
1. An information security manager has been asked to determine the effectiveness of the information security governance model. Which of the following will help them decide whether the information security governance model is effective?
   - Security projects are discussed and approved by a steering committee
   - Security training is mandatory for all executive-level employees
   - A security training module is available on the intranet for all employees
   - Patches are tested before deployment
2. An information security manager is reviewing the information security governance model. The information security governance model is primarily impacted by:
   - The number of workstations
   - The geographical spread of business units
   - The complexity of the organizational structure
   - The information security budget
3. Which of the following is the first step in implementing information security governance?
   - Employee training
   - The development of security policies
   - The development of security architecture
   - The availability of an incident management team
4. Which of the following factors primarily drives information security governance?
   - Technology requirements
   - Compliance requirements
   - The business strategy
   - Financial constraints
5. Which of the following is the responsibility of the information security governance steering committee?
   - To manage the information security team
   - To design content for security training
   - To prioritize information security projects
   - To provide access to critical systems
6. Which of the following is the first step of information security governance?
   - To design security procedures and guidelines
   - To develop a security baseline
   - To define the security strategy
   - To develop security policies
7. Which of the following is the most important factor for an information security governance program?
   - To align with the organization's business strategy
   - To derive from a globally accepted risk management framework
   - To be able to address regulatory compliance
   - To promote a risk-aware culture
8. Effective governance is best indicated by:
   - An approved security architecture
   - Certification from an international body
   - Frequent audits
   - An established risk management program
9. The effectiveness of governance is best ensured by which of the following?
   - The use of a bottom-up approach
   - Initiatives by the IT department
   - A compliance-oriented approach
   - The use of a top-down approach
10. What is the prime responsibility of the information security manager in the implementation of security governance?
    - To design and develop the security strategy
    - To allocate a budget for the security strategy
    - To review and approve the security strategy
    - To train the end users
11. What is the most important factor when developing information security governance?
    - To comply with industry benchmarks
    - To comply with the security budget
    - To obtain a consensus from business functions
    - To align with organizational goals
12. What is the most effective way to build an information security governance program?
    - To align the requirements of the business with an information security framework
    - To understand the objectives of the business units
    - To address regulatory requirements
    - To arrange security training for all managers
13. What is the main objective of information security governance?
    - To ensure the adequate protection of information assets
    - To provide assurance to the management about information security
    - To support complex IT infrastructure
    - To optimize the security strategy to support the business objectives
14. The security manager notices inconsistencies in the system configuration. What is the most likely reason for this?
    - Documented procedures are not available
    - Ineffective governance
    - Inadequate training
    - Inappropriate standards
15. What is an information security framework best described as?
    - A framework that provides detailed processes and methods
    - A framework that provides required outputs
    - A framework that provides structure and guidance
    - A framework that provides programming inputs
16. What is the main reason for integrating information security governance into business activities?
    - To allow the optimum utilization of security resources
    - To standardize processes
    - To support operational processes
    - To address operational risks
17. Which of the following is the most important attribute of an effective information security governance framework?
    - A well-defined organizational structure with necessary resources and defined responsibilities
    - The availability of the organization's policies and guidelines
    - Business objectives supporting the information security strategy
    - Security guidelines supporting regulatory requirements
18. What is the most effective method to use to develop an information security program?
    - A standard
    - A framework
    - A process
    - A model