
The eleven characteristics of effective security governance are critical to an effective enterprise information security program. They are:

  1. It is an institution-wide issue
  2. Leaders are accountable
  3. It is viewed as an institutional requirement (cost of doing business)
  4. It is risk-based
  5. Roles, responsibilities and segregation of duties are defined
  6. It is addressed and enforced in policy
  7. Adequate resources are committed
  8. Staff are aware and trained
  9. A development life cycle is required
  10. It is planned, managed, measurable and measured
  11. It is reviewed and audited

...

Listed below are challenges of ineffective governance [1]. These challenges can be very useful in presenting the rationale to leadership for implementing an effective institutional security governance model.

...

  • Strategic alignment of information security with institutional objectives
  • Risk management - identify, manage, and mitigate risks
  • Resource management
  • Performance measurement - defining, reporting, and using information security governance metrics
  • Value delivery by optimizing information security investment

...

Information Security Program hierarchical relationships

  • Institutional Risk Management Plan is supported by

...

  • Institutional Security Strategy is supported by

...

  • Institutional Security Plan is supported by

      ...

        • Academic and administrative unit security plans

      ...

        • System security plans

      ...

        • Policies and procedures

      ...

        • System architecture

      Some colleges and universities employ risk managers and some do not. Of those institutions that do employ a risk manager, there are few that appear to have an institution-level risk management plan.

      ...

      Questions to engage institutional leaders [4]

      Thought-provoking questions that institutional leaders can ask (and should be able to answer) to determine the state of their security governance efforts.

      ...

      • Questions for directors/trustees
        • Does the board understand the institution's dependence on information?
        • Does the institution recognize the value and importance of information?
        • Does the institution have a security strategy?
        • Does the board understand the institution's potential liabilities in the event of regulatory non-compliance?
      • Questions for managers
        • How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and the status of security improvements?
        • Has someone been appointed to be responsible for developing, implementing and managing the information security program, and is he/she held accountable?
        • Are security roles and responsibilities clearly defined and communicated?
        • Is there a CISO or other officer with sufficient authority and resources to accomplish security objectives?

      ...

      The ISO position is evolving from a primarily technical position to one that combines technical and managerial functions. Today IT security is an institutional imperative with critical policy and operational aspects, and it receives dedicated attention from the CIO, general counsel, internal auditor and executive leadership. While the list of tasks for the ISO continues to grow, unfortunately the authority of the role, and challenges to that authority, are often handled institutionally by senior administrators, legal counsel or law enforcement. The ISO must rely on institutional policy and legal compliance in order to control IT security effectively. Building relationships and consensus with many groups on campus is key to achieving security policy compliance. One progressive step is the growing willingness of department managers to accept responsibility for their data and its protection. Shifting the role of the ISO from compliance dictator to offering assistance realizes the concept of security as a service [22].

      The ISO position is usually limited where the number of staff positions restricts the ability to assign exclusive roles to individuals, and thus to dedicate a single entity to enterprise-wide information security. Larger organizations, usually with enrollments over 8,000, recognize security as a top administrative concern and have either created an ISO position or delegated this responsibility to the CIO. However, the shift from security being IT's responsibility to being everyone's responsibility seems to have a greater impact on whether an appointee has been given those specific objectives. The identification of the responsibility is clear; less clear is the manner in which it should be addressed. As this profession gradually changes and increases in visibility (unfortunately through continued breaches, incidents and responses), the need for individuals with experience in managing these episodes will become evident. As the number of skilled professionals entering this field multiplies, the hope is that the role will be better defined, with the proper authority given [22].

      Governance frameworks - COBIT, ITIL, the ISO 17799 information security management standard, and the ISO 9000 quality management standard - are used in IT governance processes and structures. ITIL and ISO 17799 are the most common frameworks in use [23].

      ...

      Unplanned and uncoordinated localization of authority poses great challenges for institution-wide compliance with security, copyright, privacy, identity and other regulation. It makes it awkward for CIOs to account well for the breadth and depth of overall IT activity, and it can be inefficient. Localization of authority in some areas is critical. The question is not "to centralize or not to decentralize" but where to centralize (or not) and how to harmonize institutional efforts and investments in IT [23].

      ...

      • Centralized: maintains budget control and ensures implementation and monitoring of information security controls.
      • Decentralized: units have policy, oversight and budget responsibilities for their departmental security program, not for the operating unit information security program. Reporting structures are different as well.
      • Governance structures can be hybrid, with a combination of characteristics from both centralized and decentralized.

      ...

      Weill and Ross use political archetypes in _IT Governance_ [3] to describe the people or groups who have decision rights.

      • Business monarchy: Senior business executives make IT decisions.
      • IT monarchy: IT executives make IT decisions.
      • Feudal: Business unit leaders make IT decisions to optimize local needs, but this does not facilitate enterprise decision-making.
      • Federal: Coordinated IT decision-making between the center and the business units.
      • IT duopoly: IT executives and one other group (such as senior executives or business units) make IT decisions.
      • Anarchy: Individual users or small groups make IT decisions. Anarchy is expensive, difficult to support and rare, but is sometimes used when very rapid customer responsiveness is needed.

      ...

      • Monarchies work well when profit is a priority.
      • Feudal or business monarchy arrangements might work best when growth is a priority.
      • Federal arrangements can work well for input into all IT decisions. Avoid federal arrangements for all decisions, since it is difficult to balance the center with the business unit needs.
      • Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.

      ...

      The ISO or CISO is an emerging profession with highly motivated individuals seeking their own professional development through membership in organizations, participation in training where they can find it, and constant sharing of ideas and advice with others both inside and outside their organization. There does not seem to be a clearly defined path for this new subfield within IT. The vast majority of those in an ISO/CISO position held previous positions in IT and came from higher education backgrounds. Institutions appear to be recruiting security officers from IT managerial ranks. Often these people started with very strong technical experience and have since developed skills in business process analysis, thus moving away from hands-on activities [22].

      ...

      CERT GES [1] offers more detail on selected roles and responsibilities in the following documents.

      ...

      Chief Executive Officer

      - Oversee overall corporate security posture (accountable to the Board)
      - Brief Board, customers and public

      Chief Security Officer
      Chief Information Officer
      Chief Risk Officer
      Department/Agency Head

      - Set security policies, procedures, program and training
      - Incident management
      - Responsible for independent annual audit coordination
      - Compliance

      Mid-Level Manager

      - Compliance
      - Communicate policies and program (training)

      Enterprise staff/employees

      - Implement policies
      - Report vulnerabilities and breaches

      ...

      Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. Information security policy is an essential component of information security governance: without the policy, governance has no substance and no rules to enforce.

      ...

      IT and data within higher education information systems are becoming increasingly regulated and scrutinized. This regulation ranges from pressures for disclosure and transparency to pressures for privacy. These pressures accentuate the need for common approaches, common solutions, and consistent high-quality data [23].

      ...

      The following resources provide more information about asset management.

      • The Asset Management (ISO 8) section of the Information Security Guide
      • NIST FIPS 199 provides an in-depth description of a process for categorizing information and information systems
      • The Asset Definition and Management Process Area of CERT's Resiliency Management Model provides comprehensive coverage of asset management

      ...