
...

NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Enterprise security governance results from the duty of care that leadership owes in meeting its fiduciary requirements. This position is based on judicial rationale and reasonable standards of care [1]. The five general governance areas are:

  1. Govern the operations of the organization and protect its critical assets
  2. Protect the organization's market share and stock price (perhaps not appropriate for education)
  3. Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
  4. Protect the reputation of the organization
  5. Ensure compliance requirements are met

"Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business." [1]

Governance: doing the right thing.

...

Governance                  | Management
Oversight                   | Implementation
Authorizes decision rights  | Authorized to make decisions
Enact policy                | Enforce policy
Accountability              | Responsibility
Strategic planning          | Project planning
Resource allocation         | Resource utilization

*Characteristics of effective security governance* [1]

The eleven characteristics of effective security governance are critical for an effective enterprise information security program. They are:

  1. It is an institution-wide issue
  2. Leaders are accountable
  3. It is viewed as an institutional requirement (cost of doing business)
  4. It is risk-based
  5. Roles, responsibilities and segregation of duties are defined
  6. It is addressed and enforced in policy
  7. Adequate resources are committed
  8. Staff are aware and trained
  9. A development life cycle is required
  10. It is planned, managed, measurable and measured
  11. It is reviewed and audited

...

[Appendix A|#appendix-a] lists some excellent comparisons of effective and ineffective governance characteristics from the CERT GES [1].

The following principles describe preferred behavior to guide governance decision making [7].

  • Responsibility: Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
  • Strategy: The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.
  • Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
  • Performance: IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
  • Conformance: IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
  • Human Behavior: IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the 'people in the process'.

...

Listed below are the challenges of ineffective governance [1]. These challenges can be very useful in presenting the rationale to leadership for implementing an effective institutional security governance model.

  1. Understanding the implications of ubiquitous access and distributed information
  2. Appreciating the institution-wide nature of the security problem
  3. Overcoming the lack of a game plan
  4. Establishing the proper institutional structure and segregation of duties
  5. Understanding complex global legal compliance requirements and liability risks (the word global may or may not apply to education)
  6. Assessing security risks and the magnitude of harm to the institution
  7. Determining and justifying appropriate levels of resources and investment
  8. Dealing with the intangible nature of security
  9. Reconciling inconsistent deployment of security best practices and standards
  10. Overcoming difficulties in creating and sustaining a security-aware culture

...

Outcomes of effective information security governance should include [4]:

  • Strategic alignment of information security with institutional objectives
  • Risk management - identify, manage, and mitigate risks
  • Resource management
  • Performance measurement - defining, reporting, and using information security governance metrics
  • Value delivery by optimizing information security investment

*Defining the Information Security Program (so as to define what needs to be governed)* [1]

Activities of an information security program directly support/trace to an institutional risk management plan. In other words, the information security program is targeted to managing institutional risk. An effective information security program requires the development and maintenance of:

...

The reference to an information security program serving as a business plan for securing digital assets is a simple yet effective communication technique.

*Information Security Governance Best Practices* [5]

  • Information security activities should be governed based on relevant requirements, including laws, regulations, and organizational policies.
  • Senior managers should be actively involved in establishing the information security governance framework and in governing the agency's implementation of information security.
  • Information security responsibilities must be assigned and carried out by appropriately trained individuals.
  • Individuals responsible for information security within the agency should be held accountable for their actions or lack of actions.
  • Information security priorities should be communicated to stakeholders of all levels within an organization to ensure a successful implementation of an information security program.
  • Information security activities must be integrated into other management activities of the enterprise, including strategic planning, capital planning, and enterprise architecture.
  • Information security organization structure should be appropriate for the organization it supports and should evolve with the organization, if the organization undergoes change.
  • Information security managers should continuously monitor the performance of the security program/effort for which they are responsible, using available tools and information.
  • Information discovered through monitoring should be used as an input into management decisions about priorities and funding allocation to effect the improvement of security posture and the overall performance of the organization.

...

Why Information Security Governance is Needed

...

*Why is IT governance important* [3]

  • Financial payoffs
  • IT is expensive
  • IT is pervasive
  • New technologies
  • IT governance is critical to learning about IT value
  • Not just technical - integration and buy-in from business leaders is needed for success
  • Senior executives have limited bandwidth, especially at large institutions, so they can't do it all
  • Governance patterns depend on desired behaviors
    • Top revenue growth - decentralized to promote customer responsiveness and innovation
    • Profit - centralized to promote sharing, reuse and efficient asset utilization
    • Multiple performance goals - blended centralized and decentralized governance

*Directors could be held accountable for breaches of* [7]:

  • security standards;
  • privacy legislation;
  • spam legislation;
  • trade practices legislation;
  • intellectual property rights, including software licensing agreements;
  • record keeping requirements;
  • environmental legislation and regulations;
  • health and safety legislation;
  • accessibility legislation;
  • social responsibility standards.

*Benefits of information security governance* [4]

  • Increased predictability and reduced uncertainty of business operations
  • Protection from the potential for civil and legal liability
  • Structure to optimize the allocation of resources
  • Assurance of security policy compliance
  • Foundation for effective risk management
  • A level of assurance that critical decisions are not based on faulty information
  • Accountability for safeguarding information

...

*Questions to engage institutional leaders* [4]

Thought provoking questions that institutional leaders can ask (and should be able to answer) to determine the state of their security governance efforts.

...

How to Govern Information Security

The ISO position is evolving from a primarily technical position to one that combines both technical and managerial functions. Today IT security is an institutional imperative with critical policy and operational aspects, receiving dedicated attention from the CIO, general counsel, internal auditor and executive leadership. While the list of tasks for the ISO continues to grow, the authority of the role, and challenges to that authority, are unfortunately often handled institutionally by senior administrators, legal counsel or law enforcement. The ISO must rely on institutional policy and legal compliance in order to effectively control IT security. Building relationships and consensus with many groups on campus is key to achieving security policy compliance. One progressive step is the growing willingness of department managers to accept responsibility for their data and its protection. Shifting the role of the ISO from compliance dictator to offering assistance realizes the concept of security as a service [22].

The ISO position is usually limited where the number of staff positions limits the ability to assign exclusive roles to individuals, and thus to dedicate a single entity to enterprise-wide information security. Larger organizations, usually with enrollments over 8,000, recognize security as a top administrative concern and have either created an ISO position or delegated this responsibility to the CIO. However, the shift from security being IT's responsibility to being everyone's responsibility seems to have a greater impact on whether an appointee has been given those specific objectives. The identification of the responsibility is clear; less clear is the manner in which it should be addressed. As this profession gradually changes and increases in visibility (unfortunately through continued breaches, incidents and responses), the need for individuals with experience in managing these episodes will become evident. As the number of skilled professionals entering this field multiplies, the hope is that the role will be better defined and given the proper authority [22].

Governance frameworks (COBIT, ITIL, the ISO 17799 information security management standard, and the ISO 9000 quality management standard) are used in IT governance processes and structures. ITIL and ISO 17799 are the most common frameworks in use. [23]


Organizational Structure

Unplanned and uncoordinated localization of authority poses great challenges for institution-wide compliance with security, copyright, privacy, identity and other regulation. It makes it awkward for CIOs to account well for the breadth and depth of overall IT activity, and it can be inefficient. Localization of authority in some areas is critical. The question is not "to centralize or not to decentralize" but where to centralize (or not) and how to harmonize institutional efforts and investments in IT. [23]

IT governance-related committees include [23]:

  • Top-level IT steering committee for oversight of major IT policies and initiatives
  • IT advisory committees for administration and teaching and learning
  • IT initiative specific committees for items like enterprise resource planning, security or business continuity

Governance structures depend on desired outcomes

CERT GES [3] describes structure based on desired outcomes.

  • Top revenue growth - decentralized to promote customer responsiveness and innovation
  • Profit - centralized to promote sharing, reuse and efficient asset utilization
  • Multiple performance goals - blended centralized and decentralized

Information Security Governance Structures

The NIST Security Handbook [5] states that governance is highly dependent on the overall organization structure.

  • Centralized: maintains budget control and ensures implementation and monitoring of information security controls.
  • Decentralized: units have policy, oversight and budget responsibilities for their departmental security program, not for the operating unit information security program. Reporting structures differ as well.
  • Hybrid: governance structures can combine characteristics of both centralized and decentralized models.

Political Archetypes

Weill and Ross use political archetypes in _IT Governance_ [3] to describe the people or groups who have decision rights.

  • Business monarchy: Senior business executives make IT decisions
  • IT monarchy: IT executives make IT decisions
  • Feudal: Business unit leaders make IT decisions to optimize local needs, which does not facilitate enterprise decision-making.
  • Federal: Coordinated IT decision-making between the center and the business units.
  • IT duopoly: IT executives and one other group (such as senior executives or business units) make IT decisions.
  • Anarchy: Individual users or small groups make IT decisions. Anarchy is expensive, difficult to support and rare, but sometimes used when very rapid customer responsiveness is needed.

...

Different types of decisions might use different archetypes [3].

Archetypes / Decisions | IT Principles | IT Architecture | IT Infrastructure | Business Applications | IT Investment
Business Monarchy      |               | -               | -                 |                       | +
IT Monarchy            |               | +               | +                 | -                     | -
Feudal                 | -             | -               | -                 |                       | -
Federal                |               | -               | -                 | +                     | +
IT Duopoly             | +             |                 |                   | +                     | +
Anarchy                | -             | -               | -                 | -                     | -
Don't know             | -             | -               | -                 | -                     | -

*What Governance Arrangements Work Best* [3]

  • Monarchies work well when profit is a priority.
  • Feudal or business monarchy arrangements might work best when growth is a priority.
  • Federal arrangements can work well for input into all IT decisions. Avoid federal arrangements for all decisions, since it is difficult to balance the center's needs with those of the business units.
  • Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.

...

Roles and Responsibilities

...

The ISO or CISO is an emerging profession with highly motivated individuals seeking their own professional development through membership in organizations, participation in training where they can find it, and constant sharing of ideas and advice with others both inside and outside their organization. There does not seem to be a clearly defined path for this new subfield within IT. The vast majority of those in an ISO/CISO position held previous positions in IT and came from higher education backgrounds. Institutions appear to be recruiting security officers from IT managerial ranks. Often these people started with very strong technical experience and have since developed skills in business process analysis, thus moving away from hands-on activities [22].

In addition to certifications, ISOs find the following "soft skills" beneficial [22].

  • Reputation building
  • Campus-wide coordination and communication
  • Collaboration
  • Campus-wide profiles

...

  • Senior leader of the institution
  • Deans, Department Chairs and Directors
  • IT managers
  • Auditors
  • Attorneys
  • Human Resources
  • Faculty
  • Staff
  • Students

Primary ISO responsibilities [22]

  • Development and enforcement of security policies and procedures
  • Risk management
  • Security awareness program
  • Incident management and forensics
  • Business continuity
  • Disaster recovery

Supportive functions of an ISO [22]

  • Application and system security
  • Network security
  • Access control
  • Authentication and authorization
  • Identity management

Decision-Making Structures

Weill and Ross [3] describe organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.

  • Executive or senior management committees
  • IT leadership committee
  • Process teams with IT members
  • Business/IT relationship managers
  • IT council of IT and business executives
  • Architecture committee
  • Capital improvement committee

*Who should be concerned with information security governance?* [4]

  • Board of directors/trustees - The board has fundamental responsibility to protect the interests of the organization.
  • Executives - This group develops strategies and ensures integration with and cooperation of business unit managers and process owners
  • Steering committee - This group includes representation from across the organization and is responsible for ensuring that stakeholders' concerns are addressed.
  • CISO

...

*What should the board of directors/trustees and senior executives be doing?* [4]

  • Understand why information security needs to be governed
    • Address risks and threats
    • Protect the organization's reputation
    • Ensure coordination and cooperation among business units
  • Take board level action
    • Become informed about information security
    • Set direction (e.g., drive policy and strategy)
    • Provide resources
    • Assign responsibilities
    • Set priorities
  • Take senior level action
    • Provide oversight for the development of a security framework
    • Policy development
    • Assign roles and responsibilities
    • Implement
    • Monitor
    • Ensure awareness and training

Roles and Responsibilities for an Institution-Wide Security Program

The CERT framework [1] assumes a board risk committee (or equivalent) at the highest governance level.

There are nine groups of personnel involved in developing and sustaining an effective institution-wide security program.

...

Explanations and examples of each role or team are provided in more detail in Article 2. The matrix in Table 2 of this document could be used to assist in building an institution-wide security program for higher education.

CERT GES [1] offers more detail on selected roles and responsibilities in the following documents.

*Summary Roles and responsibilities* [2]

Chief Executive Officer
  - Oversee overall corporate security posture (accountable to the Board)
  - Brief Board, customers and public

Chief Security Officer, Chief Information Officer, Chief Risk Officer, Department/Agency Head
  - Set security policies, procedures, program and training
  - Incident management
  - Responsible for independent annual audit coordination
  - Compliance

Mid-Level Manager
  - Compliance
  - Communicate policies and program (training)

Enterprise staff/employees
  - Implement policies
  - Report vulnerabilities and breaches

...


*To Whom Does the ISO Report* [25]

Reports to                | 2007 | 2008 | 2009 | 2010 | Percent Change
Chief Information Officer |  38  |  34  |  32  |  23  | -39%
Board of Directors        |  21  |  24  |  28  |  32  | +52%
Chief Executive Officer   |  32  |  34  |  35  |  36  | +13%
Chief Financial Officer   |  11  |  11  |  13  |  15  | +36%
Chief Operating Officer   |   9  |  10  |  12  |  15  | +67%
Chief Privacy Officer     |   8  |   8  |  14  |  17  | +113%

[Appendix B|#appendix-b] lists descriptions of information security roles and responsibilities from the NIST Security Handbook [5].

Also see the CERT EBK: http://www.us-cert.gov/ITSecurityEBK/


...

Strategic Planning [5]

Strategic plans, annual performance plans and annual program performance reports make up the recurring cycle of reporting, planning and execution.

...

The plans must be revisited when major changes occur, including changes in legislation, regulations, directives, agency mission priorities, and emerging information security issues.


Policy

...

*Information Security Policy and Guidance* [5]

Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. Information security policy is an essential component of information security governance: without the policy, governance has no substance and no rules to enforce.

...

  • Information security roles and responsibilities;
  • Statement of security controls baseline and rules for exceeding the baseline; and
  • Rules of behavior that agency users are expected to follow and minimum repercussions for noncompliance.

Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include [1]:

  • Policy calling for a security strategy, an institution-wide security program, and governance of such a program
  • Code of conduct specifying what is meant by due diligence and standard of due care with respect to information security
  • Security ethics
  • Security risk specifying risk appetite, tolerance, scope and period of risk assessment, and ongoing risk management process
  • Social responsibility with respect to security
  • Business case specifying the decision making process for security investments
  • Security roles and responsibilities
  • Asset classification and inventory
  • Data protection
  • Asset access specifying access rights to categories of assets and how these are managed
  • Change management
  • Security standards
  • Business continuity
  • Disaster recovery
  • Managing external parties (vendors, suppliers)
  • Incident response
  • Security awareness, training, and education
  • Security measurement including measuring policy compliance and effectiveness
  • Adherence to policy, policy waivers and exceptions, and consequences of non-compliance


Compliance

IT and data within higher education information systems are becoming increasingly regulated and scrutinized. This regulation ranges from pressures for disclosure and transparency to pressures for privacy. These pressures accent the need for common approaches, common solutions, and consistent high-quality data. [23]

*Challenges and Keys to success* [5]

  • Balancing extensive requirements originating from multiple governing bodies.
  • Balancing legislation and agency-specific policy.
  • Maintaining currency.
  • Prioritizing available funding according to requirements.


Risk Management

...

Higher education information systems continue to be subject to a large number of security threats. The ability to secure the gamut of institutional IT resources and data has become a compelling and increasingly urgent need. [23]

Risk management is the ongoing process of identifying information security risks and implementing plans to address them. Often, the number of assets potentially at risk exceeds the resources available to manage them. It is therefore extremely important to know where to apply available resources to mitigate risk in an efficient and cost-effective manner. Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation. These sorts of decisions are institutional in nature (not technical) and require a governance structure to address them. Depending upon the governance model selected, the governance group may be able to make such institutional priority decisions itself or may make recommendations to even higher decision-making bodies. Please see the Risk Management Framework for a more complete description and a well-defined process outline. See the Risk Management section in the Information Security Guide for more information.

Asset inventories and asset ownership

Before an effective risk management program can be established, critical assets must be identified, documented and tracked. Engaging senior administration to review asset value provides a good opportunity to get security on their agenda. [24]

The following resources provide more information about asset management.

...

Measuring and Reporting Performance

...

Performance measurement [4] should be a system of measuring, monitoring and reporting information security governance metrics to ensure that institutional objectives are achieved. Development and maintenance of a security and control framework that consists of standards, measures, practices, and procedures is essential to the metric evaluation of the governance structure.

A key metric is the adverse impacts of information security incidents experienced by the institution. An effective security program will show a trend of impact reduction. Quantitative measures can include trend analysis of impacts over time.

...