Information Security Governance
Goals
- Describe the key concepts and terms associated with information security governance
- Describe the goals of different information security governance documents
- Describe the different types of policies that can be used to govern information security
What is Information Security Governance
Information security governance (ISG) refers to executive management’s responsibility to provide strategic direction, oversight, and accountability for the security of its data and information technology (IT) resources.
- must align its information security goals to its business needs
Information Security Governance Planning
3 Types of Business Planning
- Strategic planning
- focuses on preparing new approaches and planning for new products, technologies, or processes
- lays groundwork for new business directions
- long-term planning
- Tactical planning
- allows organizations to be responsive to market conditions
- short to medium-term planning
- less than 6 months in length
- Operational planning
- focuses on the normal operations of an organization
- day-to-day planning
Planning for Information Security
- When planning for information security, the organization must think about:
- Information needs
- how it uses data to meet its business goals
- how information security can support this
- Regulatory requirements
- must know its regulatory landscape
- must know the data protection laws
- Risk management
- must adopt a risk management approach
- must know the information security risks that it faces
- prioritize that risk and decide how it will respond
- Security failures
- must consider the impact of a security breach, malware-infected IT resources, or unavailable data
- Information needs
Common Information Security Governance Roles
- Typical ISG roles:
- Board of directors
- Chief information officer
- Chief information security officer
- Information security manager
Information Security Governance and Management
- ISG and ISM are not the same
- the differences are not clear
- some organizations refer to them interchangeably
- Information security governance makes sure that security is used to support business goals
- information security management is the visible part of ISG activities, the day-to-day security operations
| Information Security Governance | Information Security Management |
|---|---|
| Strategic and tactical | Tactical and operational |
| Creates policies and strategy | Implements policies and strategy |
| Ultimate compliance authority and oversight | Day-to-day management and authority |
| BOD, CIO, CISO | CISO and information security managers |
Information Security Governance Documents
- ISG documents form the basis of its information security program
- use policies, standards, guidelines, and procedures to create their security program
- typically referred to as ISG documents or just policies
Policies
A formal policy is executive management’s high-level statement of information security direction and goals.
- state compliance expectations
- vary among organizations
Elements of Policies
- Policy statement
- States the expected behavior, actions, or outcomes
- clear statement of permitted or forbidden actions
- Policy exclusions
- Lists situations or people who are not covered by the policy
- Policy rationale
- States the reason why the policy exists
- includes the legal or regulatory reasons
- may be in response to information security threats
- Policy definitions
- Defines terms that have special meaning
- Who is affected by the policy
- States the people, units, or departments affected by the policy
- Who must follow the policy
- Lists who must follow the policy as part of their job responsibilities, or if some people have special policy responsibilities because of their job duties
- Compliance language
- States how the organization will enforce the policy
- what happens to units and employees who fail to follow the policy
Standards
Standards support high-level policies and state the activities and actions needed to meet policy goals.
- more specific than policies
- may require employees to take (or refrain from) certain actions
- are technology neutral
- refer to the safeguards and controls an organization should use
Procedures
Procedures are step-by-step checklists that explain “how” to meet security goals or conduct security-related activities.
- often tailor their procedures to a certain type of technology
- usually only address single tasks
- Information security managers usually create procedures
Guidelines
- guidelines are most flexible type of ISG document
- can issue guidelines to:
- give information security advice
- Educate employees about security threats and how to respond
Creating Information Security Policies
- ISG documents must:
- be easy to understand
- have a well-defined scope
- be regularly reviewed
- be communicated to all employees
Policy Development Process
- Development
- Stakeholder review
- Management approval
- Communication to employees
- Documentation of compliance or exceptions
- Continued awareness activities
- Maintenance and review
Recommended Information Security Policies
- Acceptable Use Policy (AUP)
- Anti-harassment Policies
- Workplace Privacy and Monitoring Policies
- Data Retention Policies
- Data Destruction Policies
- Intellectual Property Policies
- Authentication and Password Policies
- Security Awareness and Training Policies