ISG: Information security governance

Rules that run the organisation = Governance. ISG includes the element required to provide the Senior Management assurance that its direction and intent are reflected in the security posture of the organisation.

Policies + Standards + Procedures = Governance

Information security governance objective is to `establish and/or maintain an information security strategy in alignment with organisation goals and objectives to guide the establishment and/or ongoing management of the information security program`.

The outcomes that senior management wants from the information security program defines the security governance building block and are often defined in terms of risks management and acceptable levels of risk.

It is a subset of corporate governance, and must be consistent with the enterprise’s governance. It provides strategic direction for security activities and ensures that objectives are achieved.

Strategic Alignment: Align Information security to Business security to support organisational objectives.
Risk Management: Executing appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptable level.
Value delivery: Optimising security investments in support of business objectives.
Resource Optimisation
Performance measurement: Monitoring and Reporting.
Assurance process integration: It operates as intended.

A governance framework will consist of

A comprehensive security strategy intrinsically linked with business objectives
Governing security policies that clearly expresses the managements intent and addresses each aspect of strategy, controls and regulation
A complete set of standards for each policy to ensure that people, procedures, practices and technologies comply with policy requirement and sets appropriate baselines for the enterprise.
An effective organisational structure, with sufficient authority and adequate resources, void of conflict of interest.
Defined workflows and structures that assist in defining responsibilities and accountability for information security governance.
Institutionalised metrics and monitoring processes to ensure compliance, provide feedback on control effectiveness and provide the basis for appropriate management decision.

Who defines the want?

Senior Management and Business unit leaders.

Who defines the Strategy

Information security manager defines the security program. ISM does GAP analysis to identify how to go from the current state to the desired state which becomes the basis of strategy.

Security Strategy: Desired State of the Enterprise

It is based on the outcomes set by the senior management.

What is SS?

A security strategy will define the approach of achieving the security program outcomes management wants. It is a statement of how security aligns with and supports business objectives, and it provides the basis for good security governance.

Policy

They are statement of managements intent and direction at a high level.

Security Policy

To address viable threats to the organisation, prioritised by the likelihood of occurrence and their potential impact on the business. The strictest policies apply to the areas of greatest business value.

Standard

How we want the things to be or rather how it should be defines a standard. They define the boundaries for people, process, procedure, and technologies to maintain compliance with policies and support the achievement of the organisations goal and objectives. There can be several standards for the same policy based on the classification level e.g for Information – Confidential, Private, Public. Collectively standards are combined with other controls to create security baseline.

Guideline

Guidelines are usually the desires of the organisation.

Baseline

Lowest level of acceptable risk. Standards along with controls create a baseline.

Procedure

Objective of procedure is to work as intended step by step. It should be unambiguous and should meet the applicable standards and therefore comply with policy.

A business case is used to capture the business reasoning for initiating a project or a task.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.