
Information Security Governance

Information security governance (ISG) is both a technical and a business issue. Senior management must take measures to address information security concerns at all levels of the organization in order to have an effective ISG in place. Organizations use ISG to meet business goals and the CIA triad security goals. This report begins with the ISG and management tasks that senior management needs to address. Next, it describes the outcomes and the items delivered to the organization through the information security program. Then it lists five best practices for implementing and managing an information security governance program. Last, it provides a checklist of items that need to be addressed by senior management.

Information Security Governance and Management Tasks

Senior management is responsible for providing the strategic direction, oversight, and accountability for the security of the organization's data and IT resources. To determine the strategic direction of the ISG, senior management can begin with ISG planning. First, the organization must determine its information needs, such as how data is used to meet business goals. Second, determine the regulatory requirements landscape of the organization: which laws govern the protection of its data, for example. Third, carry out a risk management strategy to determine possible security risks. Fourth, consider the information security failures that could negatively impact the organization and the implications such failures pose to the company (Grama, pg. 375). The IT Governance Institute recommends that senior management establish and maintain an ISG framework to "guide the development and maintenance of a comprehensive information security program" (pg. 19). Additionally, senior management must be committed to the ISG and must promote good security practices and policy compliance within the organization. Also, senior management must approve policies and supply monitoring and metrics coupled with reporting and trend analysis (IT Governance, pg. 22). Finally, senior management is responsible for protecting the interests of the stakeholders, so they must be able to understand and manage risks to the business (IT Governance, pg. 22).

Outcomes and Items Delivered Through the Information Security Program

The major goal of the information security program is to minimize adverse impacts on the organization to an acceptable level of risk. Additionally, according to the IT Governance Institute (pg. 30-31), an ISG program should accomplish five outcomes: Strategic Alignment; Risk Management; Resource Management; Performance Measurement; Value Delivery. ISG documents to be delivered include policies, procedures, standards, and guidelines. These documents are the foundation of the information security program and demonstrate the security posture of the organization. For example, an acceptable use policy is one basic policy widely used by organizations to identify how employees are to use company IT resources.

Five Best Practices for Implementing and Managing an ISG Program

According to the SANS Institute, the five best practices for implementing and managing an effective ISG program include: perform periodic risk assessments; document an entity-wide security program plan; establish a security management structure and assign security responsibilities; define security-related personnel policies; and monitor the ISG's effectiveness using benchmarks as guidelines, then make adjustments as needed (pg. 2).

Risk Assessment: the three components used to determine risk are threat assessment, vulnerability assessment, and asset identification. Perform an initial review of security risks and continually assess the security plan for new threats and vulnerabilities.

Document Entity-wide Security Plan: determine the security management structure and personnel responsibilities. The IT Governance Institute recommends asking "who is ultimately responsible for the security of the system"; typically, a minimum of five key players make up the management structure (pg. 9). Does the organization need a CISO or a CIO? If so, what are their responsibilities? Also, perform annual performance reviews to rate personnel on their security posture and offer incentives and bonuses.

Security-Related Personnel Policies: coordination with the organization as a whole can control personnel security. These policy controls include performing background checks and reinvestigations, nondisclosure agreements, mandatory vacations and shift rotation, termination and transfer procedures, and employee job-specific training and security training.

Monitor Effectiveness and Make Changes: start with the NIST 800-26 self-assessment questionnaire to assess the status of the organization's security posture. Next, perform vulnerability scans on systems and technical controls. Also, perform operational and technical control checks. Finally, perform compliance reviews and audit finding reviews (IT Governance, pg. 14).

Priorities and Needed Resources Checklist

ISG development and implementation is a strategic process that requires involvement from stakeholders, the board of directors (BOD), senior management, and technical staff, and it applies to the entire organization. To recap, the following is a checklist of the priorities that senior management must address to create and implement an effective ISG program:

• Risk management methodology
• Determine security management structure
• Develop a comprehensive security strategy that aligns with business and IT goals
• Develop policies and procedures
• Monitor security policy for effectiveness and make changes as needed

References

Grama, Joanna L. (08/2010). Legal Issues in Information Security, 1st Edition. [VitalSource Bookshelf Online]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781449683689/.

IT Governance Institute. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management. Retrieved from https://blackboard.strayer.edu/bbcswebdav/institution/CIS/324/1142/Week9/Week9_Assignment_Information-Security-Govenance-for-Board-of-Directors-and-Executive-Management_res_Eng_0510.pdf.

SANS Institute InfoSec Reading Room. (2002). Implementing an Effective IT Security Program. Retrieved from https://www.sans.org/reading-room/whitepapers/bestprac/implementing-effective-security-program-80.
