ISG: Information security governance
Governance is the set of rules that run the organisation. ISG includes the elements required to provide senior management with assurance that its direction and intent are reflected in the security posture of the organisation.
The objective of information security governance is to `establish and/or maintain an information security strategy in alignment with organisation goals and objectives to guide the establishment and/or ongoing management of the information security program`.
The outcomes that senior management wants from the information security program define the security governance building blocks and are often expressed in terms of risk management and acceptable levels of risk.
It is a subset of corporate governance, and must be consistent with the enterprise’s governance. It provides strategic direction for security activities and ensures that objectives are achieved.
- Strategic alignment: Align information security with the business to support organisational objectives.
- Risk management: Execute appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptable level.
- Value delivery: Optimise security investments in support of business objectives.
- Resource optimisation
- Performance measurement: Monitoring and reporting.
- Assurance process integration: The program operates as intended.
A governance framework will consist of:
- A comprehensive security strategy intrinsically linked with business objectives
- Governing security policies that clearly express management's intent and address each aspect of strategy, controls and regulation
- A complete set of standards for each policy to ensure that people, procedures, practices and technologies comply with policy requirements and to set appropriate baselines for the enterprise
- An effective organisational structure, with sufficient authority and adequate resources, free of conflicts of interest
- Defined workflows and structures that assist in defining responsibilities and accountability for information security governance
- Institutionalised metrics and monitoring processes to ensure compliance, provide feedback on control effectiveness and provide the basis for appropriate management decisions
Who defines what is wanted?
Senior management and business unit leaders.
Who defines the strategy?
The information security manager (ISM) defines the security program. The ISM performs a gap analysis to identify how to move from the current state to the desired state; this becomes the basis of the strategy.
Security Strategy: Desired State of the Enterprise
It is based on the outcomes set by the senior management.
What is a security strategy (SS)?
A security strategy defines the approach to achieving the security program outcomes that management wants. It is a statement of how security aligns with and supports business objectives, and it provides the basis for good security governance.
Policy
Policies are high-level statements of management's intent and direction.
Security Policy
A security policy addresses viable threats to the organisation, prioritised by their likelihood of occurrence and their potential impact on the business. The strictest policies apply to the areas of greatest business value.
Standard
A standard defines how things should be. Standards define the boundaries for people, processes, procedures and technologies to maintain compliance with policies and support the achievement of the organisation's goals and objectives. There can be several standards for the same policy based on classification level, e.g. for information classified as Confidential, Private or Public. Collectively, standards are combined with other controls to create a security baseline.
Guideline
Guidelines are usually the desires of the organisation.
Baseline
Lowest level of acceptable risk. Standards along with controls create a baseline.
Procedure
The objective of a procedure is to carry out the work as intended, step by step. It should be unambiguous and should meet the applicable standards, and therefore comply with policy.