2.2: Security Governance

Aligning Security with the Business

Security professionals must always remember that they perform a supporting service to the organization. While security is extremely important, it’s not the reason that the business exists. Every organization has its own mission. And security is one of many tools that help the organization achieve that mission.

Security Leader

Serves as the subject matter experts on issues of confidentiality, integrity and availability

Business Leader

Understands the mission, goals, and obiectives of the broader organization

Security leaders should think of themselves as wearing two different hats. Certainly, they are the subject matter experts in the organization on issues of confidentiality, integrity and availability. The organization will look to them for leadership in the protection of information assets, response to security incidents and other typical security functions.

At the same time, security leaders must also be business leaders who understand the primary mission of the organization, including both its strategic and tactical objectives. They must understand the short-term and long-term goals of the organization and be able to seamlessly switch between their hats, thinking as both security leaders and business leaders. The reason that wearing these two hats is so important, is that security controls can often be a barrier to the efficient operation of the business.

The challenge facing security professionals is that they must design a control environment that manages the risks facing the organization, but balances security against other business considerations. That can be a really difficult task, and it’s one that many security professionals struggle with.

Building a Business Case

  • Justify the Investment of Time and Money
  • Balance Security and Business Concerns
  • Achieve Confidentiality, Integrity, and Availability Goals

When proposing a new security control, security leaders need to present a business case that justifies the investment of time and money in the new control, as well as providing a solid basis for the impact on users. Approach these business cases as you would any other important security decision, keep the two models in mind, the security and business hats that you wear and the three goals of information security: Confidentiality, integrity and availability. Then spell out the investment required to implement the control and the expected return on that investment.

Administrative Tasks

Another situation where security leaders must wear the hat of a business leader, comes in the form of the many administrative tasks that fall to any leader in the business. Security professionals taking on management responsibilities will have to manage a budget, conduct performance reviews, counsel employees and contribute to the organization’s strategic planning processes. These non-security responsibilities are an important part of the information security professionals contributions to the broader organization, and they help maintain a solid connection to the rest of the business.

Organizational Processes

As a business function, information security must align itself with the many other functions taking place inside an organization.

Security Governance

  • Information Governance CommitteeIncludes senior leaders with oversight of information security and data governance functions.
  • Risk Management CommitteeConsisting of executives charged with managing all risks to the organization.
  • Board of DirectorsMost senior level of governance is typically an independent board of directors, board of trustees, or similar senior governing body with elected members.
No matter what the governance structure of the organization, security leaders must determine the best ways to fit information security into that process.

Intergrating Security Governance

  • Ensure governing bodies understand risks and controlsMaking sure that those responsible for the governance of the organization understand the security risks facing the organization and the controls put in place to manage those risks.
  • Inform governing bodies of security incidentsGoverning groups should also be informed of any security incidents that take place and rise to a serious level.
  • Provide audit reports to governing bodiesReview the results of audits performed at the organization that include security considerations.

Find a Security Governance Model

Corporate Acquisitions

Require Integration of Controls

A corporate process that requires security involvement comes from the acquisition of other companies. In some industries, it’s quite common for businesses to buy other businesses and then seek to quickly fold them into the parent company. Each acquisition presents a unique set of circumstances and security professionals from both organizations should get together to evaluate the security controls in place at each organization and figure out how to eliminate redundancies and ensure compatibility between systems. Now this can be a little tricky, especially when the staff at one organization fears that they may be laid off as a result of the acquisition. Threats to a team’s continued employment can have a very serious negative impact on productivity.

Corporate Divestitures

Require Separation of Controls

Similarly, companies sometimes undergo divestitures where they spin off a part of the business as a separate organization. In those cases, individuals staying with the divested company must ensure that the new organization has adequate security controls in place. Those staying with the parent company will need to ensure that all security ties are cut and that there isn’t any unintentional access left over for employees who leave with the divestiture.

Security Roles and Responsibilities

Security roles and responsibilities may differ between organizations but there are several common themes that exist across almost all businesses. The senior information security leader in an organization is commonly known as the Chief Information Security Officer or CISO. Now this title is also sometimes pronounced see-so. In some organizations, the CISO may have a different title such as Director of Information Security or Chief Security Officer. Another difference between organization lies in where the CISO reports. In some cases, the CISO reports to the Chief Information Officer, an organization’s most senior IT leader. In other cases, the CISO reports to a risk management or audit function, providing a degree of separation between the individual responsible for IT and the individual responsible for ensuring that IT has effective security controls. The CISO normally leads a team of information security professionals. The size of that team will vary depending upon the size of the organization, the nature of the business, and the specific responsibilities assigned to information security as opposed to other technology units. This may include security generalists with a broad background across all the domains of information security, and/or specialists who focus on particular areas such as incident response, network security, identity and access management, and security awareness. All of the members of an information security team must follow important guiding principles for their role. One of these is the principle of due care. Due care says that security professionals must fulfill the legal responsibilities of the organization as well as the professional standards of information security. They must exercise the reasonable level of care that would be expected of any security professional. The second principle is that of due diligence. Due diligence says that security professionals should take reasonable measures to investigate the risks associated with a situation. For example, if the organization is considering implementing a major new customer relationship management system, security professionals should use due diligence and investigate the security controls available with that system and ensure that they meet the organization’s security objectives.

Control Frameworks

Security professionals have a wide variety of responsibilities and they typically oversee the design, implementation and management of many different controls that protect confidentiality, integrity and availability. It’s important to make sure that these controls provide adequate levels of protection and cover many different risks. It’s quite a challenge to build a comprehensive security program. And fortunately, security professionals in an organization don’t have to start with a blank piece of paper when they design their security programs. They can use security control frameworks to help ensure that they’re covering all the bases and building controls that protect the organization against many foreseeable risks. There are many different control frameworks, covering information security. We’ll take a look at a few of the most common ones. The Control Objectives for Information Technology, or COBIT, is a security control framework developed by the Information Systems Audit and Control Association. This framework is very often used by auditors and it has a strong focus on linking business goals with the functions of information security. COBIT is a very detailed document. It covers six different principles, meeting stakeholder needs, enabling a holistic approach, creating a dynamic governance system, separating governance from management, tailoring the governance system to enterprise needs and covering the enterprise end to end. COBIT also contains implementation guidance to help organizations who are trying to implement the framework in their enterprise. The International Organization for Standardization also publishes a series of control frameworks, covering security and privacy issues. The first of these, ISO 27001, covers information security management systems. It provides generalized control objectives that organizations might strive to achieve. ISO 27001 is a very commonly used standard as many organizations follow ISO standards for a variety of their business functions. ISO 27002 provides additional detail, going beyond control objectives and describing the specific controls that organizations might use to achieve their goals. ISO 27701 provides guidance for managing privacy rather than security controls. Now, when you see an ISO standard mentioned, be sure to look at the number carefully. It’s easy to confuse ISO 27001, which covers security, with ISO 27701, which covers privacy. Finally, ISO 31000 provides guidance for risk management programs. Government agencies and contractors have a standard all their own. The National Institute for Standards And Technology publishes a document called the Security and Privacy Controls for Federal Information Systems and Organizations. It’s known as NIST Special Publication 800-53 or more commonly, just NIST 800-53. While this standard is mandatory for federal government agencies, many other organizations use this standard as well. Let’s take a look at the detailed contents of NIST 800-53. It contains over 400 pages of information about building a security program for government agencies and other organizations. If we take just a quick look at the table of contents, you’ll see that after the introduction, this publication goes through the fundamentals of information security, talking about multi-tiered risk management, security control structures, baselines and designations, the use of external service providers and how to assess assurance and trustworthiness for information systems. It then goes into the process of implementing security and privacy controls, talking about selecting an appropriate security control baseline and then tailoring that baseline to the specific needs of the organization, creating overlays and documenting the control selection process for both new development and legacy systems. NIST also publishes a Cybersecurity Framework that’s free for anyone to use. The goal of this framework is to provide a common language for understanding, managing and describing cybersecurity risks. With this common language, organizations can have more productive conversations among themselves and with external partners, such as auditors and government agencies. The framework is also designed to help organizations identify and prioritize the actions they might take to reduce cybersecurity risk and to manage any residual risk. Having a framework also helps organizations align their security actions across control types. Now, that said, the framework may mean different things to different people and that’s okay. Some organizations may undertake the exercise of mapping all of their controls to the framework and building their next generation security program with the NIST Cybersecurity Framework in mind. Others may simply use the CSF as a reference to help identify whether they’ve missed any critical security controls. You can find the NIST Cybersecurity Framework on the web. It’s a free download from the NIST website. Let’s go ahead and take a look at the Cybersecurity Framework. Here’s a high-level look at the framework. It consists of five different functions. Identify, protect, detect, respond and recover. Now, these are in very, very broad terms the things that we do in cybersecurity. The framework then divides those functions into categories. They’re not shown here on the screen yet. We’ll take a look at those in a moment. Then each of these categories is divided into subcategories and then the framework provides references that have detail about each one of those subcategories. As you can see, it’s really just a framework where you can start plugging in the things that you’re going to do to achieve each of the core cybersecurity functions. Here’s a look at a little more detail about the framework. We’re now taking the functions and expanding it into the categories. So we have five functions, which are divided into 22 total categories. So for example, for the identify function, the Cybersecurity Framework gives six categories: asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management. The framework then goes into a much higher level of detail when you start breaking out the subcategories. So in the asset management category of the identify function, we have subcategories that talk about things like an inventory of physical devices and systems, an inventory of software platforms and applications, mapping organizational communication and data flows and so on. As you can see, we’re getting into the real details of security here and there are quite a few references to the other standards for each one of these subcategories for people who are looking for more detail on how you might go about achieving these goals. Now, remember, what you’re looking at here is the detail for one category of one function. Remember that there are five different functions and 22 total categories. So this Cybersecurity Framework winds up being a lengthy document. Security control frameworks like this one play an important role in cybersecurity. While most organizations don’t follow them letter for letter, these frameworks do provide a useful tool for designing appropriate controls for any organization.

← 9.5: Cloud Computing
2.3: Compliance and Ethics →