
Information Security Governance

  • What is Information Security Governance and What it is Not
  • Why Information Security Governance is Needed
  • How to Govern Information Security


      What is Information Security Governance and What it is Not

IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500). IT security governance should not be confused with IT security management. IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.

NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Enterprise security governance results from the duty of care owed by leadership towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care [1]. The five general governance areas are:

      1. Govern the operations of the organization and protect its critical assets
      2. Protect the organization's market share and stock price (perhaps not appropriate for education)
      3. Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
      4. Protect the reputation of the organization
      5. Ensure compliance requirements are met


"Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business." [1]

      Governance: doing the right thing.

Governance                 | Management
---------------------------|-----------------------------
Oversight                  | Implementation
Authorizes decision rights | Authorized to make decisions
Enact policy               | Enforce policy
Accountability             | Responsibility
Strategic planning         | Project planning
Resource allocation        | Resource utilization

*Characteristics of effective security governance* [1]

The eleven characteristics of effective security governance are critical for an effective enterprise information security program. They are:

      1. It is an institution-wide issue
      2. Leaders are accountable
      3. It is viewed as an institutional requirement (cost of doing business)
      4. It is risk-based
      5. Roles, responsibilities and segregation of duties are defined
      6. It is addressed and enforced in policy
      7. Adequate resources are committed
      8. Staff are aware and trained
      9. A development life cycle is required
10. It is planned, managed, measurable and measured
      11. It is reviewed and audited

Appendix A lists some excellent comparisons of effective and ineffective governance characteristics from the CERT GES [1].

The following principles describe preferred behavior to guide governance decision making [7].

      • Responsibility: Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
      • Strategy: The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.
      • Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
      • Performance: IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
      • Conformance: IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
      • Human Behavior: IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the 'people in the process'.

Listed below are challenges of ineffective governance [1]. These challenges can be very useful in presenting rationale to leadership for implementing an effective institutional security governance model.

      1. Understanding the implications of ubiquitous access and distributed information
      2. Appreciating the institution-wide nature of the security problem
      3. Overcoming the lack of a game plan
      4. Establishing the proper institutional structure and segregation of duties
      5. Understanding complex global legal compliance requirements and liability risks (the word global may or may not apply to education)
      6. Assessing security risks and the magnitude of harm to the institution
      7. Determining and justifying appropriate levels of resources and investment
      8. Dealing with the intangible nature of security
      9. Reconciling inconsistent deployment of security best practices and standards
      10. Overcoming difficulties in creating and sustaining a security-aware culture


Outcomes of effective information security governance should include [4]:

      • Strategic alignment of information security with institutional objectives
      • Risk management - identify, manage, and mitigate risks
      • Resource management
• Performance measurement - defining, reporting, and using information security governance metrics
      • Value delivery by optimizing information security investment

*Defining the Information Security Program (so as to define what needs to be governed)* [1]

      Activities of an information security program directly support/trace to an institutional risk management plan. In other words, the information security program is targeted to managing institutional risk. An effective information security program requires the development and maintenance of:

Information Security Program hierarchical relationships

• Institutional Risk Management Plan is supported by
  • Institutional Security Strategy is supported by
    • Institutional Security Plan is supported by
      • Academic and administrative unit security plans
      • System security plans
      • Policies and procedures
      • System architecture

          Some colleges and universities employ risk managers and some do not. Of those institutions that do employ a risk manager, there are few that appear to have an institution-level risk management plan.

          The reference to an information security program serving as a business plan for securing digital assets is a simple yet effective communication technique.

*Information Security Governance Best Practices* [5]

          • Information security activities should be governed based on relevant requirements, including laws, regulations, and organizational policies.
• Senior managers should be actively involved in establishing an information security governance framework and in the act of governing the agency's implementation of information security.
• Information security responsibilities must be assigned and carried out by appropriately trained individuals.
          • Individuals responsible for information security within the agency should be held accountable for their actions or lack of actions.
          • Information security priorities should be communicated to stakeholders of all levels within an organization to ensure a successful implementation of an information security program.
          • Information security activities must be integrated into other management activities of the enterprise, including strategic planning, capital planning, and enterprise architecture.
          • Information security organization structure should be appropriate for the organization it supports and should evolve with the organization, if the organization undergoes change.
          • Information security managers should continuously monitor the performance of the security program/effort for which they are responsible, using available tools and information.
          • Information discovered through monitoring should be used as an input into management decisions about priorities and funding allocation to effect the improvement of security posture and the overall performance of the organization.


          Why Information Security Governance is Needed

*Why is IT governance important* [3]

          • Financial payoffs
          • IT is expensive
          • IT is pervasive
          • New technologies
          • IT governance is critical to learning about IT value
          • Not just technical - integration and buy-in from business leaders is needed for success
          • Senior executives have limited bandwidth, especially at large institutions, so they can't do it all
          • Governance patterns depend on desired behaviors
            • Top revenue growth - decentralized to promote customer responsiveness and innovation
            • Profit - centralized to promote sharing, reuse and efficient asset utilization
            • Multiple performance goals - blended centralized and decentralized governance


*Directors could be held accountable for breaches of* [7]:

          • security standards;
          • privacy legislation;
          • spam legislation;
          • trade practices legislation;
          • intellectual property rights, including software licensing agreements;
          • record keeping requirements;
          • environmental legislation and regulations;
          • health and safety legislation;
          • accessibility legislation;
          • social responsibility standards.


*Benefits of information security governance* [4]

          • Increased predictability and reduced uncertainty of business operations
          • Protection from the potential for civil and legal liability
          • Structure to optimize the allocation of resources
          • Assurance of security policy compliance
• Foundation for effective risk management
          • A level of assurance that critical decisions are not based on faulty information
          • Accountability for safeguarding information

*Questions to engage institutional leaders* [4]

Thought-provoking questions that institutional leaders can ask (and should be able to answer) to determine the state of their security governance efforts:

          • Questions for directors/trustees
            • Does the board understand the institution's dependence on information?
            • Does the institution recognize the value and importance of information?
            • Does the institution have a security strategy?
            • Does the board understand the institution's potential liabilities in the event of regulatory non-compliance?
          • Questions for managers
• How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and the status of security improvements?
            • Has someone been appointed to be responsible for developing, implementing and managing the information security program, and is he/she held accountable?
            • Are security roles and responsibilities clearly defined and communicated?
            • Is there a CISO or other officer with sufficient authority and resources to accomplish security objectives?


          How to Govern Information Security


The ISO position is evolving from a primarily technical position to one that combines both technical and managerial functions. Today IT security is an institutional imperative with critical policy and operational aspects, with attention dedicated from the CIO, general counsel, internal auditor and executive leadership. While the list of tasks for the ISO continues to grow, the authority of the role, and challenges to that authority, are unfortunately often handled institutionally by senior administrators, legal counsel or law enforcement. The ISO must rely on institutional policy and legal compliance in order to effectively control IT security. Building a relationship and consensus with many groups on campus is a key to achieving security policy compliance. One progressive step is the growing recognition by department managers that they must accept responsibility for their data and its protection. Shifting the role of the ISO from compliance dictator to offering assistance realizes the concept of security as a service [22].

The ISO position is usually limited where the number of staff positions limits the ability to assign exclusive roles to individuals, and thus to dedicate a single entity to enterprise-wide information security. Larger organizations, usually with enrollments over 8,000, recognize security as a top administrative concern and have either created an ISO position or delegated this responsibility to the CIO. However, the shift from security being IT's responsibility to being everyone's responsibility seems to have a greater impact on whether an appointment has been given those specific objectives. The identification of the responsibility is clear; less clear is the manner in which it should be addressed. As this profession gradually changes and increases in visibility (unfortunately through continued breaches, incidents and responses), the need for individuals with experience of managing these episodes will become evident. As the number of skilled professionals entering this field multiplies, the hope is that the role will be better defined and given the proper authority [22].


Governance frameworks - COBIT, ITIL, the ISO 17799 information security management standard, and the ISO 9000 quality management standard - are used in IT governance processes and structures. ITIL and ISO 17799 are the most common frameworks in use. [23]


          Organizational Structure


Unplanned and uncoordinated localization of authority poses great challenges for institution-wide compliance with security, copyright, privacy, identity and other regulation. It makes it awkward for CIOs to account well for the breadth and depth of overall IT activity, and it can be inefficient. Localization of authority in some areas is critical. The question is not "to centralize or not to decentralize" but where to centralize (or not) and how to harmonize institutional efforts and investments in IT. [23]

IT governance-related committees include [23]:

          • Top-level IT steering committee for oversight of major IT policies and initiatives
          • IT advisory committees for administration and teaching and learning
          • IT initiative specific committees for items like enterprise resource planning, security or business continuity

          Governance structures depend on desired outcomes

CERT GES [3] describes structure based on desired outcomes.

          • Top revenue growth - decentralized to promote customer responsiveness and innovation
          • Profit - centralized to promote sharing, reuse and efficient asset utilization
          • Multiple performance goals - blended centralized and decentralized

          Information Security Governance Structures

The NIST Security Handbook [5] states that governance is highly dependent on the overall organization structure.

• Centralized structures maintain budget control and ensure implementation and monitoring of information security controls.
• Decentralized structures have policy, oversight and budget responsibilities for their departmental security program, not for the operating unit information security program. Reporting structures are different as well.
          • Governance structures can be hybrid, with a combination of characteristics from both centralized and decentralized.

          Political Archetypes

Weill and Ross use political archetypes in _IT Governance_ [3] to describe people or groups who have decision rights.

• Business monarchy: Senior business executives make IT decisions
• IT monarchy: IT executives make IT decisions
• Feudal: Business unit leaders make IT decisions to optimize local needs, but this does not facilitate enterprise decision-making.
• Federal: Coordinated IT decision-making between the center and the business units.
• IT duopoly: IT executives and one other group (such as senior executives or business units) make IT decisions.
• Anarchy: Individual users or small groups make IT decisions. Anarchy is expensive, difficult to support and rare, but sometimes used when very rapid customer responsiveness is needed.

Different types of decisions might use different archetypes [3].

Archetype / Decision | IT Principles | IT Architecture | IT Infrastructure | Business Applications | IT Investment
---------------------|---------------|-----------------|-------------------|-----------------------|--------------
Business Monarchy    |               | -               | -                 |                       | +
IT Monarchy          |               | +               | +                 | -                     | -
Feudal               | -             | -               | -                 |                       | -
Federal              |               | -               | -                 | +                     | +
IT Duopoly           | +             |                 |                   | +                     | +
Anarchy              | -             | -               | -                 | -                     | -
Don't know           | -             | -               | -                 | -                     | -

Key: + = (plus) mark, - = (minus) mark, blank = no mark in the original table.


*What Governance Arrangements Work Best* [3]

          • Monarchies work well when profit is a priority.
          • Feudal or business monarchy arrangements might work best when growth is a priority.
• Federal arrangements can work well for input into all IT decisions. Avoid federal arrangements for all decisions, since it is difficult to balance the center with the business unit needs.
• Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.


          Roles and Responsibilities


The ISO or CISO is an emerging profession with highly motivated individuals seeking their own professional development through membership in organizations, participation in training where they can find it, and constant sharing of ideas and advice with others both inside and outside their organization. There does not seem to be a clearly defined path for this new subfield within IT. The vast majority of those in an ISO/CISO position held previous positions in IT and came from higher education backgrounds. Institutions appear to be recruiting security officers from IT managerial ranks. Often these folks started with very strong technical experience and have now developed skills in business process analysis, thus moving away from hands-on activities [22].

In addition to certifications, ISOs find the following "soft skills" beneficial [22].

          • Reputation building
          • Campus-wide coordination and communication
          • Collaboration
          • Campus-wide profiles


          • Senior leader of the institution
          • Deans, Department Chairs and Directors
          • IT managers
          • Auditors
          • Attorneys
          • Human Resources
          • Faculty
          • Staff
          • Students


Primary ISO responsibilities [22]

          • Development and enforcement of security policies and procedures
          • Risk management
          • Security awareness program
          • Incident management and forensics
          • Business continuity
          • Disaster recovery

Supportive functions of an ISO [22]

          • Application and system security
          • Network security
          • Access control
          • Authentication and authorization
          • Identity management

Decision-Making Structures

Weill and Ross [3] describe organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.

          • Executive or senior management committees
          • IT leadership committee
          • Process teams with IT members
          • Business/IT relationship managers
          • IT council of IT and business executives
          • Architecture committee
          • Capital improvement committee

*Who should be concerned with information security governance?* [4]

• Board of directors/trustees - The board has fundamental responsibility to protect the interests of the organization.
• Executives - This group develops strategies and ensures integration with and cooperation of business unit managers and process owners.
• Steering committee - This group includes representation across the organization and is responsible for ensuring that stakeholders' concerns are addressed.
• CISO

*What should the board of directors/trustees and senior executives be doing?* [4]

          • Understand why information security needs to be governed
            • Address risks and threats
            • Protect the organization's reputation
            • Ensure coordination and cooperation among business units
          • Take board level action
            • Become informed about information security
            • Set direction (e.g., drive policy and strategy)
            • Provide resources
            • Assign responsibilities
            • Set priorities
          • Take senior level action
            • Provide oversight for the development of a security framework
            • Policy development
            • Assign roles and responsibilities
            • Implement
            • Monitor
            • Ensure awareness and training

          Roles and Responsibilities for an Institution-Wide Security Program

The CERT framework [1] assumes a board risk committee (or equivalent) at the highest governance level.

          There are nine groups of personnel involved in developing and sustaining an effective institution-wide security program.


Explanations and examples of each role or team are provided in more detail in Article 2. The matrix in Table 2 of this document could be used to assist in building an institution-wide security program for higher education.

CERT GES [1] offers more detail on selected roles and responsibilities in the following documents.

*Summary roles and responsibilities* [2]

          Chief Executive Officer

          - Oversee overall corporate security posture (accountable to the Board)
          - Brief Board, customers and public

          Chief Security Officer
          Chief Information Officer
          Chief Risk Officer
          Department/Agency Head

          - Set security policies, procedures, program and training
          - Incident management
          - Responsible for independent annual audit coordination
          - Compliance

          Mid-Level Manager

          - Compliance
- Communicate policies and program (training)

          Enterprise staff/employees

- Implement policies
          - Report vulnerabilities and breaches

*To Whom Does the ISO Report* [25]

Reports to                | 2007 | 2008 | 2009 | 2010 | Percent Change
--------------------------|------|------|------|------|---------------
Chief Information Officer | 38   | 34   | 32   | 23   | -39%
Board of Directors        | 21   | 24   | 28   | 32   | +52%
Chief Executive Officer   | 32   | 34   | 35   | 36   | +13%
Chief Financial Officer   | 11   | 11   | 13   | 15   | +36%
Chief Operating Officer   | 9    | 10   | 12   | 15   | +67%
Chief Privacy Officer     | 8    | 8    | 14   | 17   | +113%

Appendix B lists descriptions of information security roles and responsibilities from the NIST Security Handbook [5].

See also the CERT EBK, http://www.us-cert.gov/ITSecurityEBK/

Strategic Planning [5]

Strategic plans, annual performance plans and annual program performance reports make up the recurring cycle of reporting, planning and execution.


The plans must be revisited when major changes occur, including changes in legislation, regulations, directives, agency mission priorities, and emerging information security issues.


          Policy


*Information Security Policy and Guidance* [5]

Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. Information security policy is an essential component of information security governance: without the policy, governance has no substance and no rules to enforce.


          • Information security roles and responsibilities;
          • Statement of security controls baseline and rules for exceeding the baseline; and
          • Rules of behavior that agency users are expected to follow and minimum repercussions for noncompliance.

Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include [1]:

          • Policy calling for a security strategy, an institution-wide security program, and governance of such a program
          • Code of conduct specifying what is meant by due diligence and standard of due care with respect to information security
          • Security ethics
          • Security risk specifying risk appetite, tolerance, scope and period of risk assessment, and ongoing risk management process
          • Social responsibility with respect to security
          • Business case specifying the decision making process for security investments
          • Security roles and responsibilities
          • Asset classification and inventory
          • Data protection
          • Asset access specifying access rights to categories of assets and how these are managed
          • Change management
          • Security standards
          • Business continuity
          • Disaster recovery
          • Managing external parties (vendors, suppliers)
          • Incident response
          • Security awareness, training, and education
          • Security measurement including measuring policy compliance and effectiveness
          • Adherence to policy, policy waivers and exceptions, and consequences of non-compliance


          Compliance


IT and data within higher education information systems are becoming increasingly regulated and scrutinized. This regulation ranges from pressures for disclosure and transparency to pressures for privacy. These pressures accent the need for common approaches, common solutions, and consistent high-quality data. [23]

*Challenges and Keys to Success* [5]

• Balancing extensive requirements originating from multiple governing bodies.
• Balancing legislation and agency-specific policy.
• Maintaining currency.
• Prioritizing available funding according to requirements.

          Risk Management

          ...

Higher education information systems continue to be subject to a large number of security threats. The ability to secure the full gamut of institutional IT resources and data has become a compelling and increasingly urgent need. [23]

Risk management is the ongoing process of identifying information security risks and implementing plans to address them. Often, the number of assets potentially at risk exceeds the resources available to manage them. It is therefore extremely important to know where to apply available resources to mitigate risk in an efficient and cost-effective manner. Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and their implementation. These decisions are institutional in nature (not technical) and require a governance structure to address them. Depending upon the governance model selected, the governance group may be able to make such institutional priority decisions itself, or it may make recommendations to higher decision-making bodies. Please see the Risk Management Framework for a more complete description and a well-defined process outline. See the Risk Management section in the EDUCAUSE Information Security Guide for more information.

          Asset inventories and asset ownership

Before an effective risk management program can be established, critical assets must be identified, documented and tracked. Engaging senior administration to review asset value provides a good opportunity to get security on their agenda. [24]

          The following resources provide more information about asset management.

          • The Asset and Data Management section of the EDUCAUSE Information Security Guide
          • NIST FIPS 199 provides an in-depth description of a process for categorizing information and information systems
• The Asset Definition and Management Process Area of CERT's Resiliency Management Model provides comprehensive coverage of asset management

          ...

IT products that are expensive or that will have a significant impact on an institution's liability should be reviewed for IT security risks before purchase. In large institutions, IT product acquisition provides an opportunity to evaluate centralization versus proliferation of IT resources and the resulting impact on security. Acquisition also serves as a good control point for information security evaluation before investments are made. Contract language might be needed to protect the institution's data, especially with products delivered as 'software as a service' (SaaS).

          ...

          Measuring and Reporting Performance

          ...

Performance measurement [4] should be a system of measuring, monitoring and reporting information security governance metrics to ensure that institutional objectives are achieved. Development and maintenance of a security and control framework that consists of standards, measures, practices, and procedures is essential to the metric evaluation of the governance structure.

          A key metric is the adverse impacts of information security incidents experienced by the institution. An effective security program will show a trend of impact reduction. Quantitative measures can include trend analysis of impacts over time.

Measuring, monitoring and reporting on information security processes ensure that institutional objectives are achieved. Some example metrics might include:

          ...

1. Characteristics of Effective Security Governance. 2007. Julia Allen.
2. Information Security Governance: A Call to Action. 2006. Corporate Governance Task Force Report.
3. IT Governance. 2004. Peter Weill and Jeanne Ross.
4. Information Security Governance: Guidance for Boards of Directors and Executive Management. 2006. ISACA.
5. NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers. 2006.
6. Managing Enterprise Risk in Today's World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost Effective Information Security Programs. Ron Ross.
7. ISO/IEC 38500: Corporate Governance of Information Technology. 2008.
8. The IT Security Essential Body of Knowledge (EBK). CERT.
9. The Tower and the Cloud. 2008. Richard N. Katz.
10. E-Research is a Fad: Scholarship 2.0, Cyberinfrastructure, and IT Governance (a chapter from The Tower and the Cloud based on IT Governance by Weill and Ross). 2008. Brad Wheeler.
11. To Govern or Not to Govern. 2008. Richard Power.
  1. Cylab Survey Reveals Gap in Board Governance of Cyber Security. 2008. Richard Power.
  2. Governance of Enterprise Security: Cylab 2008 Report. 2008. Jody Westby and Richard Power.
12. Information Security Governance Program Self-Assessment Tool. 2013. EDUCAUSE/Internet2 Higher Education Information Security Council (formerly the Security Task Force).
13. Information Security Governance: Guidance for Boards of Directors and Executive Management. 2006. IT Governance Institute.
14. Information Security Handbook: A Guide for Managers (NIST Special Publication 800-100). 2006. Pauline Bowen, Joan Hash and Mark Wilson.
15. Information Security Governance: Standardizing the Practice of Security Governance. 2008. Tammy Clark and Toby Sitko.
16. Governing for Enterprise Security. CERT.
  1. Governing for Enterprise Security: An Implementation Guide. 2007. Jody Westby and Julia Allen.
  2. Characteristics of Effective Security Governance. 2007. Julia Allen.
  3. Governing for Enterprise Security. 2005. Julia Allen.
  4. Governing for Enterprise Security: References. 2008. CERT.
17. Making Business-Based Security Investment Decisions - A Dashboard Approach. 2008. Julia Allen.
18. Institute of Internal Auditors report titled "Information Security Governance: What Directors Need to Know." 2001. Institute of Internal Auditors.
19. ISM3 Consortium.
  1. Maturity Model
  2. ISM3, ISO, Cobit and Parkerian Hexad Information Security Criteria Mapping
20. Information Security Governance: Motivations, Benefits and Outcomes. 2006. John P. Pironti. ISACA.
21. Podcasts available from http://www.cert.org/podcast/#governing
  1. Getting Real About Security Governance
  2. The Legal Side of Global Security
  3. Why Leaders Should Care About Security
  4. Compliance vs. Buy-in
22. The Career of the IT Security Officer in Higher Education. 2009. Marilu Goodyear.
23. Process and Politics: IT Governance in Higher Education. 2008. Ronald Yanosky and Jack McCredie. ECAR Research Study, Volume 5.
24. The Pragmatic CSO: 12 Steps to Being a Security Master. 2007. Mike Rothman.
25. PricewaterhouseCoopers. 2010.

          ...

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).