For a long time, information security was considered a purely technical domain. Hence, in many organizations the focus was on defining and managing security predominantly through the Information Technology department. Security meant protecting only the information systems, such as computers and networks.
Information exists in many forms, and the level of assurance required varies with its criticality, business requirements, and legal and regulatory compliance requirements. Hence, the focus has to be on protecting the information itself, which is essential and much broader in scope than focusing only on Information Technology.
Information is a business asset and valuable to organizations. Information has a lifecycle. It could be handled, processed, transported, stored, archived, or destroyed. At any stage during the lifecycle, the information can be compromised. A compromise can affect the confidentiality, integrity, and availability (CIA) requirements of the information.
Information protection is a business responsibility. It involves governance challenges, such as risk management, reporting, and accountability. Hence, it requires the involvement of senior management and the board to provide strategic oversight for implementing and ensuring continual effectiveness.
Strategy, goals, mission, and objectives
Aligning and integrating information security with enterprise governance and IT governance frameworks is the primary strategy for the senior management and the board. It includes the definition of the current state of security and establishing goals and objectives to align with the corporate mission.
For such a strategy, goals and objectives will include understanding protection requirements, which are based on the value of information, expected outcomes of the information security program, benefits that are quantifiable, and methods to integrate information security practices with organizational practices.
A corporate mission is based on the definition of the business, its core purpose, values and beliefs, standards, and behaviors. An information security mission defines security requirements, their purpose, focus on risk management, commitment to continual maintenance, and the improvement of the information security program. Hence, aligning the information security mission with the corporate mission is one of the primary strategies of security governance.
To support the information security strategy and to meet the goals and objectives, organizational processes need to be aligned to the mission. Such processes include defining the roles and responsibilities of the personnel involved with effective implementation and day-to-day management; establishing monitoring mechanisms that include reporting, review, and approval processes; and ensuring that management support is available to such organizational processes.
Security roles and responsibilities
Information security is everyone's responsibility in any organization. Specific security roles and responsibilities are to be considered from the security governance perspective. Hence, the information security responsibilities of the board of directors/trustees, executives, steering committee, and chief information security officer are important at the management level.
To support the information security strategy and the mission, control frameworks are established by the organization. Such frameworks contain controls under three broad categories, namely, management, administrative, and technical.
Management controls are characterized by stating the views of the management and their position on particular topics, such as information security.
For example, the information security policy is a management control, wherein the management states its intent, support, and direction for security.
While a policy is a high-level document that provides the intent of the management, administrative controls implement such policies.
For example, procedures, guidelines, and standards are administrative controls that support the policies. These are covered later in this chapter.
Information is stored and processed predominantly in IT systems. Hence, technical controls are established to support management and administrative controls in the information systems.
Firewalls, intrusion detection systems, antivirus software, and so on are some examples of technical controls.
Due diligence and due care
It is important that management's intent and support for information security programs are visible across the organization, to investors, and to customers. Hence, an organization should demonstrate due diligence and due care pertaining to information security processes and activities.
Understanding and estimating risk in view of the organization's mission, prevailing threats, vulnerabilities, and attacks, and legal and regulatory compliance requirements forms a part of the due diligence process by the management.
Implementing security governance by way of organizational processes, defining roles and responsibilities, establishing risk management processes, and monitoring the effectiveness of the information security controls are due care activities by the management.