Information Security Governance - Krag Brotby - E-Book

Information Security Governance E-Book

Krag Brotby

Description

The Growing Imperative Need for Effective Information Security Governance

With monotonous regularity, headlines announce ever more spectacular failures of information security and mounting losses. The succession of corporate debacles and dramatic control failures in recent years underscores the necessity for information security to be tightly integrated into the fabric of every organization. The protection of an organization's most valuable asset, information, can no longer be relegated to low-level technical personnel, but must be considered an essential element of corporate governance that is critical to organizational success and survival.

Written by an industry expert, Information Security Governance is the first book-length treatment of this important topic, providing readers with a step-by-step approach to developing and managing an effective information security program. Beginning with a general overview of governance, the book covers:

The business case for information security

Defining roles and responsibilities

Developing strategic metrics

Determining information security outcomes

Setting security governance objectives

Establishing risk management objectives

Developing a cost-effective security strategy

A sample strategy development

The steps for implementing an effective strategy

Developing meaningful security program development metrics

Designing relevant information security management metrics

Defining incident management and response metrics

Complemented with action plans and sample policies that demonstrate to readers how to put these ideas into practice, Information Security Governance is indispensable reading for any professional who is involved in information security and assurance.


Page count: 305

Year of publication (e-book edition): 2017




Table of Contents

Cover

Title

Copyright

Acknowledgments

Introduction

Chapter 1: Governance Overview—How Do We Do It? What Do We Get Out of It?

1.1 WHAT IS IT?

1.2 BACK TO BASICS

1.3 ORIGINS OF GOVERNANCE

1.4 GOVERNANCE DEFINITION

1.5 INFORMATION SECURITY GOVERNANCE

1.6 SIX OUTCOMES OF EFFECTIVE SECURITY GOVERNANCE

1.7 DEFINING INFORMATION, DATA, AND KNOWLEDGE

1.8 VALUE OF INFORMATION

Chapter 2: Why Governance?

2.1 BENEFITS OF GOOD GOVERNANCE

2.2 A MANAGEMENT PROBLEM

Chapter 3: Legal and Regulatory Requirements

3.1 SECURITY GOVERNANCE AND REGULATION

Chapter 4: Roles and Responsibilities

4.1 THE BOARD OF DIRECTORS

4.2 EXECUTIVE MANAGEMENT

4.3 SECURITY STEERING COMMITTEE

4.4 THE CISO

Chapter 5: Strategic Metrics

5.1 GOVERNANCE OBJECTIVES

Chapter 6: Information Security Outcomes

6.1 DEFINING OUTCOMES

Chapter 7: Security Governance Objectives

7.1 SECURITY ARCHITECTURE

7.2 CobiT

7.3 CAPABILITY MATURITY MODEL

7.4 ISO/IEC 27001/27002

7.5 OTHER APPROACHES

Chapter 8: Risk Management Objectives

8.1 RISK MANAGEMENT RESPONSIBILITIES

8.2 MANAGING RISK APPROPRIATELY

8.3 DETERMINING RISK MANAGEMENT OBJECTIVES

Chapter 9: Current State

9.1 CURRENT STATE OF SECURITY

9.2 CURRENT STATE OF RISK MANAGEMENT

9.3 GAP ANALYSIS—UNMITIGATED RISK

Chapter 10: Developing a Security Strategy

10.1 FAILURES OF STRATEGY

10.2 ATTRIBUTES OF A GOOD SECURITY STRATEGY

10.3 STRATEGY RESOURCES

10.4 STRATEGY CONSTRAINTS

Chapter 11: Sample Strategy Development

11.1 THE PROCESS

Chapter 12: Implementing Strategy

12.1 ACTION PLAN INTERMEDIATE GOALS

12.2 ACTION PLAN METRICS

12.3 REENGINEERING

12.4 INADEQUATE PERFORMANCE

12.5 ELEMENTS OF STRATEGY

12.6 SUMMARY

Chapter 13: Security Program Development Metrics

13.1 INFORMATION SECURITY PROGRAM DEVELOPMENT METRICS

13.2 PROGRAM DEVELOPMENT OPERATIONAL METRICS

Chapter 14: Information Security Management Metrics

14.1 MANAGEMENT METRICS

14.2 SECURITY MANAGEMENT DECISION SUPPORT METRICS

14.3 CISO DECISIONS

14.4 INFORMATION SECURITY OPERATIONAL METRICS

Chapter 15: Incident Management and Response Metrics

15.1 INCIDENT MANAGEMENT DECISION SUPPORT METRICS

Chapter 16: Conclusion

Appendix A: SABSA Business Attributes and Metrics

Appendix B: Cultural Worldviews

Index

End User License Agreement

List of Tables

Chapter 2: Why Governance?

Table 2.1. Implementation of IT strategy by businesses

Chapter 3: Legal and Regulatory Requirements

Table 3.1. Regulatory compliance levels

Chapter 4: Roles and Responsibilities

Table 4.1. Basic information security responsibilities [1]

Chapter 6: Information Security Outcomes

Table 6.1. Layered security

Chapter 7: Security Governance Objectives

Table 7.1. The SABSA model for security architecture development

Table 7.2. CobiT high-level control objectives

Chapter 14: Information Security Management Metrics

Table 14.1. Breach losses from compromise of 33 companies*

List of Illustrations

Chapter 7: Security Governance Objectives

Figure 7.1. The SABSA Model.

Figure 7.2. The SABSA Matrix for security architecture development.

Figure 7.3. SABSA framework for security management.

Figure 7.4. The SABSA development process.

Figure 7.5. The SABSA life cycle.

Figure 7.6. SABSA business security attributes.

Figure 7.7. PDCA model applied to ISMS.

Chapter 8: Risk Management Objectives

Figure 8.1.

Chapter 10: Developing a Security Strategy

Figure 10.1. SABSA Matrix



INFORMATION SECURITY GOVERNANCE

A Practical Development and Implementation Approach

KRAG BROTBY

Copyright © 2009 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008 or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic format. For information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Brotby, W. Krag.

Information security governance : a practical development and implementation approach / Krag Brotby.

p. cm. — (Wiley series in systems engineering and management)

Includes bibliographical references and index.

ISBN 978-0-470-13118-3 (cloth)

1. Data protection. 2. Computer security—Management. 3. Information technology—Security measures. I. Title.

HF5548.37.B76 2009

658.4'78—dc22

2009007434

Acknowledgments

A debt of gratitude is acknowledged to my wife, Melody, who graciously accepted many late night hours in assembling this work. Also acknowledged are those who have supported this effort by giving their time to advise, review, and comment on this exposition, including ISACA associates of notable competence Bruce Wilkins, Gary Barnes, and Ron Hale; other professionals including Charles Neal, formerly of the FBI, and Adam Hunt, currently with Inland Revenue in New Zealand. Thanks are also due to John Sherwood and David Lynas from the United Kingdom for their assistance and support with the SABSA architectural material in this work. And finally, appreciation is due to my unusually helpful and cooperative publisher and staff in bringing this hopefully illuminating work to light.

K. B.

Introduction

For most organizations, reliance on information and the systems that process, transport, and store it, has become absolute. In many organizations, information is the business. Actionable information is the basis of knowledge and as Peter Drucker stated over a decade ago, “Knowledge is fast becoming the sole factor of productivity, sidelining both capital and labor.”*

This notion is buttressed by recent studies showing that over 90% of organizations that lose their information assets do not survive. Research also shows that currently, information assets and other intangibles comprise more than 80% of the value of the typical organization.

Yet, even as this realization has belatedly started to reach executive management and the boardroom in recent years, organizations are plagued by ever more spectacular security failures, and losses continue to mount. This is despite a dramatic rise in overall spending on a variety of security- or assurance-related functions and despite national governments imposing a host of increasingly restrictive regulations.

This host of new security-related regulations has in turn led to a proliferation of the number and types of “assurance” functions. Until recently, for example, “privacy” officers were unheard of, as were “compliance” officers. Now, they and others, such as the Chief Information Security Officer, are commonplace. It should be noted that all assurance functions are an aspect of what is arbitrarily labeled “security” and, indeed, what is called “security” is invariably an assurance function. In turn, both are elements of risk management.

Not only has the diversity of “assurance” functions increased, but assurance requirements embedded in many of an organization’s other operations are now the norm. Examples include the HIPAA “privacy assurance” functions generally handled by Human Resources, or SOX disclosure compliance as a purview of Finance.

For many larger organizations, a list of assurance-related functions might include:

Risk management

BCP/DR

Project office

Legal

Compliance

CIO

CISO

IT security

CSO

CTO

Insurance

Training/awareness

Quality control/assurance

Audit

HR

Privacy

Combined, these assurance functions constitute a considerable percentage of an organization’s operating budget. Yet, ironically, this increase in assurance functions has in many organizations led to a decrease in “safety” or security. This is a consequence of increasingly fragmenting assurance functions into numerous vertical “stovepipes” only coincidentally related to each other and to the organization’s primary business objectives. This, despite the fact that all of these activities serve fundamentally only one common purpose: the preservation of the organization and its ability to continue to operate and generate revenue.

To compound the problem, these functions invariably have different reporting structures, often exist in relative isolation, speak different languages, and more often than not operate at cross purposes. Typically, they have evolved over a period of time, usually in response to either a crisis du jour or to mounting external regulatory pressures. Their evolution has often involved arbitrary factors unrelated to improving security functionality, efficiency, or effectiveness.

As these specialized assurance functions have developed, national or global associations have formed to promote the specialty. One outcome of this “specialty”-centric perspective has been to widen the divide between elements of what should arguably be a continuous “assurance” process, seamlessly dovetailed and aligned with the business.

So what is the way forward? It has become increasingly clear that the solution lies in elevating the governance of the typical myriad assurance functions to the highest levels of the organization. Then, as with other critical, expensive organizational activities, an assurance governance framework must be developed that will integrate these functions under a common strategy tightly aligned with and supporting business objectives.

Alternatively, for most organizations, failure to implement effective information security governance will result in the continued chaotic, increasingly expensive, and marginally effective firefighting mode of operation typical of most security departments today. Tactical point solutions will continue to be deployed, and effective administration of security and integration of assurance functions will have no impetus and remain merely a concept in the typically fragmented multitude of “assurance-” and security-related stovepipes. Allocation of security resources is likely to remain haphazard and unrelated to risks and impacts as well as to cost-effectiveness. Breaches and losses will continue to grow and regulatory compliance will be more costly to address. It is clear that senior management will increasingly be seen as responsible and legally liable for failing the requirements of due care and diligence. Customers will demand greater care and, failing to get it, will vote with their feet, and the correlation between security, customer satisfaction, and business success will become increasingly obvious and reflected in share value.

Against this backdrop, this book provides a practical basis and the tools for developing a business case for information security (or assurance) governance, developing and implementing a strategy to increasingly integrate assurance functions over time, improving security, lowering costs, reducing losses, and helping to ensure the preservation of the organization and its ability to operate.

Chapters 1 through 6 provide the background, rationale, and basis for developing governance. Chapters 7 through 14 provide the tools and an approach to developing a governance implementation strategy.

Developing a strategy for governance implementation will, at a high level, consist of the following steps:

1. Define and enumerate the desired outcomes for the information security program

2. Determine the objectives necessary to achieve those outcomes

3. Describe the attributes and characteristics of the desired state of security

4. Describe the attributes and characteristics of the current state of security

5. Perform a comprehensive gap analysis of the requirements to move from the current state to the desired state of security

6. Determine available resources and constraints

7. Develop a strategy and roadmap to address the gaps, using available resources within existing constraints

8. Develop control objectives and controls in support of strategy

9. Create metrics and monitoring processes to:

Measure progress and guide implementation

Provide management and operational information for decision support

* Drucker, Peter, Management Challenges for the 21st Century, HarperBusiness, 1999.

Chapter 1: Governance Overview—How Do We Do It? What Do We Get Out of It?

1.1 WHAT IS IT?

Governance is simply the act of governing. The Oxford English Dictionary defines it as “The act or manner of governing, of exercising control or authority over the actions of subjects; a system of regulations.”

The relevance of governance to security is not altogether obvious and most managers are still in the dark about the subject. Information security is often seen as fundamentally a technical exercise, purely the purview of information technology (IT). In these cases, the information security manager generally reports directly or indirectly to the CIO but in some cases may report to the CFO or, unfortunately, even to Operations.

In recent years, there has also been an increase in the number of senior risk managers, or CROs, and in some cases Information Security reports through that office. These organizational structures often work reasonably well in practice, provided the purview of security is primarily technical and the manager is educated in the subject and has considerable influence. In many cases, however, they do not work well and, in any event, these reporting arrangements are fundamentally and structurally deficient. This contention is often subject to considerable controversy, even among security professionals. However, analysis of the wide range of activities that must be managed for security to be effective, and study of the best security management, shows that it requires scope and authority equivalent to that of any other senior manager. To be effective, security and other assurance activities must be treated as regulatory functions, and they cannot report to the regulated without creating an untenable structural conflict of interest. Maintaining a distinction between regulatory and operational functions is critical, as each has a very different focus and responsibility: the former is concerned with safety and the latter with performance, and it is not unusual for tension to exist between them.

Part of the reason that the requirement for separation of security from operational activities is not evident is that the definitions and objectives of security generally lack clarity. Asking the typical security manager what the meaning of security is will elicit the shop-worn response of “ensuring the confidentiality, integrity, and availability of information assets.” Pointing out that that is what it is supposed to do, that is its mission, and not what it is, generally elicits a blank stare. Probing further into the objectives of security will usually result in the same answer.

The lack of clarity about what security should specifically provide, how much of it is enough, and knowing when that has been achieved poses a problem and contributes to the confusion over the appropriate organizational structure for security. Lacking clear objectives, a definition of success, and metrics about when it has been achieved begs the question, What does a security manager actually do? How is the manager to know when he or she is managing appropriately? What is his or her performance based on? How does anyone know?

In other words, as in any other business endeavor, we manage for defined objectives, for outcomes. Objectives define intent and direction. Performance is based on achieving the objectives. Metrics determine whether or not objectives are being achieved.

1.2 BACK TO BASICS

If there is a lack of clarity looking ahead, reverting to basics may help shed light on the subject. Security fundamentally means safety, or the absence of danger. So in fact, IT or information security is an assurance function, that is, it provides a level of assurance of the safety of IT or information. Of course, it must be recognized that the safety of an organization’s information assets typically goes a considerable distance beyond the purview of IT.

IT is by definition technology centric. IT security is by definition the security related to the technology. From a business or management perspective, or, indeed, from a high-level architectural viewpoint, IT is simply a set of mechanisms to process, transport, and store data. Whether this is done by automated machinery or by human processes is not relevant to the value or usefulness of the resultant activities. It should be obvious, therefore, that IT security cannot address the broader issue of information “safety.”

Information security (IS) goes further in that it is information centric and is concerned with the “payload,” not the method by which it is handled. Studies have clearly shown that the risks of compromise are often greater from the theft of paper than from IT systems being hacked. The loss of sensitive and protected information is five times greater from the theft or loss of laptops and backup tapes than it is from being hacked. These are issues typically outside the scope of IT security. The fact that the information on these purloined laptops or tapes is infrequently encrypted is not a technology problem either; it is a governance and, therefore, a management problem.

To address the issues of “safety,” the scope of information security governance must be considerably broader than either IT security or IS. It must endeavor to initiate a process to integrate the host of functions that in the typical organization are related to the “safety” of the organization. A number of these were mentioned in the Introduction, including:

Risk management

BCP/DR

Project office

Legal

Compliance

CIO

CISO

IT security

CSO

CTO

CRO

Insurance

Training/awareness

Quality control/assurance

Audit

To this list we can add privacy and, perhaps more importantly, facilities. Why facilities? Consider the risks to information “safety” that can occur as a function of how the facility operates: the physical security issues, access controls, fire protection, earthquake safety, air-conditioning, power, telephone, and so on. Yet, risk assessments in most organizations frequently do not consider these elements.

The advantage of using the term “organizational safety” and considering the elements required to “preserve” the organization is that the task of security management becomes clearer. It also becomes obvious that many of the other “assurance” functions that deal with aspects of “safety” must be somehow integrated into the governance framework. It also becomes clear that most attempts to determine risk are woefully inadequate in that they fail to consider the broad array of threats and vulnerabilities that lie beyond IT and, indeed, beyond IS as well.

1.3 ORIGINS OF GOVERNANCE

It may be helpful to consider how the whole issue of governance arose in the first place in order to understand its relevance to information security. The first articulation of corporate governance seems to be due to economist and Nobel laureate Milton Friedman, who contended that “Corporate Governance is to conduct the business in accordance with owner or shareholders’ desires, while conforming to the basic rules of the society embodied in law and ethical custom.” This definition was based on his views and on the economic concept of market value maximization that underpins shareholder capitalism.

The basis for modern corporate governance is probably a result of the Watergate scandal in the United States during the 1970s, which involved a burglary of the opposition party’s headquarters and its subsequent cover-up by the Nixon administration. The ensuing investigations by U.S. regulatory and legislative bodies highlighted organizational control failures that allowed major corporations to make illegal political contributions and to bribe government officials. This led to passage of the U.S. Foreign Corrupt Practices Act of 1977, which contained specific provisions regarding the establishment, maintenance, and review of systems of internal control.

In 1979, the U.S. Securities and Exchange Commission proposed mandatory reporting on internal financial controls. Then, in 1985, after the savings and loan collapse in the United States as a result of aggressive lending, corruption, and poor bookkeeping, among other things, the Treadway Commission was formed to identify main causes of misrepresentation in financial reports and make recommendations. The 1987 Treadway Report highlighted the need for proper control environments, independent audit committees, and objective internal audit functions. It suggested that companies report on the effectiveness of internal controls and that sponsoring organizations develop an integrated set of internal control criteria.

This was followed by the formation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), whose 1992 report stipulated a control framework that was endorsed and refined in four subsequent U.K. reports: Cadbury, Rutteman, Hampel, and Turnbull.

Scandals and corporate collapses in the United Kingdom in the late 1980s and early 1990s led the government to recognize that existing legislation and self-regulation were not working. Companies such as Polly Peck, British & Commonwealth, BCCI, and Robert Maxwell’s Mirror Group Newspapers were some of the high-profile victims of the irrational exuberance of the 1980s, and their failures were determined to be primarily a result of poor business practices.

In 1991, the Cadbury Committee drafted a code of practices defining and applying internal controls to limit exposure to financial loss.

Subsequent to the most spectacular failures in recent times of Enron, Worldcom, and numerous other companies in the United States, the draconian Sarbanes–Oxley Act of 2002 required financial disclosure, testing of controls and attestation of their effectiveness, board-level financial oversight, and a number of other stringent control requirements.

In January 2005, the Bank of England, the Treasury, and the Financial Services Authority in the United Kingdom published a joint paper on supervisory convergence addressing many of the same issues as Sarbanes–Oxley.

Currently, the global revolution in high-profile governance regulation has resulted in the following, among others:

Financial Services Authority (U.K.)

Combined Code–Turnbull, Smith, Higgs (U.K.)

Sarbanes–Oxley (U.S.)

OECD Principles of Corporate Governance 1999 (G7)

Russian “Code of Corporate Governance” 2002

World Bank Governance Code of Best Practices (global)

Basel II Accord (global financial organizations)

HIPAA (medical, U.S.)

Corporations Act 2001 (Australia)

1.4 GOVERNANCE DEFINITION

ISACA (originally the Information Systems Audit and Control Association), a global organization formed in the late 1960s as an association of IT auditors and now comprising over 70,000 security, audit, and governance professionals, states that governance is:

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

The Organization for Economic Cooperation and Development (OECD) Principles states that governance should include the “structure through which the objectives of the enterprise are set, and the means of attaining those objectives and monitoring performance are determined . . .” [1].

Reading further, the definition encompasses:

Organizational structure

Strategy (and design)

Policy and corresponding standards and procedures

Strategic and operational plans

Awareness and training

Risk management

Controls and countermeasures

Audits, monitoring, and metrics

Other assurance activities

1.5 INFORMATION SECURITY GOVERNANCE

Obviously, information security has to address the standard notions of security, which include:

Confidentiality: information is disclosed only to authorized entities

Integrity: information has not been subject to unauthorized modification

Availability: information can be accessed by those who need it when they need it

Accountability and nonrepudiation are also required for digital commerce.

But to address the broader issue of “safety,” the notion of preservation must also be considered:

It is no longer enough to communicate to the world of stakeholders why we exist and what constitutes success, we must also communicate how we are going to protect our existence. [2]

This suggests two specific recommendations for steps to be taken:

Develop a strategy for preservation alongside a strategy for progress.

Create a clearly articulated purpose and preservation statement.

1.6 SIX OUTCOMES OF EFFECTIVE SECURITY GOVERNANCE

Extensive research and analysis by ISACA [3] has determined that effective information security governance should result in six outcomes:

Strategic alignment: aligning security activities with business strategy to support organizational objectives

Risk management: executing appropriate measures to manage risks and potential impacts to an acceptable level

Business process assurance/convergence: integrating all relevant assurance processes to maximize the effectiveness and efficiency of security activities

Value delivery: optimizing investments in support of business objectives

Resource management: using organizational resources efficiently and effectively

Performance measurement: monitoring and reporting on security processes to ensure that business objectives are achieved

Defining the specifics of these outcomes for an organization will result in determining governance objectives. A thorough analysis of each of the six will provide a basis for clarifying the requirements and expectations of information security, and, subsequently, the sort of structure and activities needed to achieve those outcomes.

1.7 DEFINING INFORMATION, DATA, AND KNOWLEDGE

Many of the terms used in IS and IT have lost their precise meaning and are often used interchangeably. For the purposes of gaining clarity on the subject of information security governance, it is useful to define the terms. The admonition of more than fifty years ago that “A man’s judgment cannot be better than the information on which he has based it” [4] is still valid.

Data is the raw material of information. Information, in turn, may be defined as data endowed with relevance and purpose. Knowledge is created from actionable information and is, in turn, captured, transported, and stored as organized information. Peter Drucker recognized the emerging importance of knowledge more than a decade ago, stating, “Knowledge is fast becoming the sole factor of productivity, sidelining both capital and labor” [5].

1.8 VALUE OF INFORMATION

It may be that the very nature of information and the knowledge based on it is so ubiquitous and transparent that we generally fail to recognize its true value and our utter dependence on it. It is, however, abundantly clear that information is the one asset organizations cannot afford to lose; their very existence depends on it.

Information, the substance of knowledge, is essential to the operation of all organizations and may comprise a significant proportion of the value as well.

Companies may survive the loss of virtually all other assets including people, facilities, and equipment, but few can continue with the loss of their information, i.e., accounting information, operations and process knowledge and information, customer data, etc. [6]

Studies have shown that the information residing in an organization is, in most instances, the single most critical asset. This is demonstrated by an investigation performed by Texas A&M University which showed that [7]:

93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster.

50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.

This study, and others on the consequences of losing information, substantiate the dire consequences for organizations that lose the use of their information. One such case occurred in 1993, when a number of businesses in the World Trade Center in New York that had stored all of their information in the basement data center lost it when that data center was destroyed by a truck bomb.

Another marker for the value of information beyond survival is a recent study by the Brookings Institution that found that typically, an organization’s information and other intangible assets account for more than 80% of its market value [8].

REFERENCES

1. OECD 99, Principles of Corporate Governance, 2004.

2. Kiely, L. and T. Benzel, Systemic Security Management, Libertas Press, 2006.

3. Information Security And Control Association, 2008 CISM Review Manual.

4. Chomsky, D., “The Mechanisms of Management Control at the New York Times,” Media, Culture & Society, Vol. 21, No. 5, 579–599, 1999.

5. Drucker, P., Management Challenges for the 21st Century, Butterworth-Heinemann Ltd., Oxford, 1999.

6. Brotby, K., Information Security Governance: A Guide for Boards of Directors and Senior Management, IT Governance Institute, 2006.

7. Moskal, E., “Business Continuity Management Post 9/11 Disaster Recovery Methodology,” Disaster Recovery Journal, Vol. 19, Issue 2, 2006.

8. Osterlund, A., “Decoding Intangibles,” CFO Magazine, April 2001.

Chapter 2 Why Governance?

Information security is not only a technical issue, but also a business and governance challenge that involves risk management, reporting, and accountability. Effective security requires the active engagement of executive management to assess emerging threats and provide strong cyber security leadership. The term coined to describe executive management’s engagement is corporate governance. Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of an organization’s overall governance program. Risk management, reporting, and accountability are central features of these policies and internal controls. [1]

Can a business case be convincingly made to implement information security governance, or is it simply another needless layer of complexity designed to boost security department budgets? Although there are relatively few studies, their conclusions provide strong support for the necessity. Combined with the continuing growth of preventable cybercrime, mounting losses, and the all-too-common chaotic, unintegrated state of information security, they also suggest that there is simply no other rational approach to achieving effective enterprise-wide security given the complexity, breadth, and sheer number of “moving parts.”

One of the more interesting and significant recent studies by the Aberdeen Group found that “Firms operating at best-in-class (security) levels are lowering financial losses to less than one percent of revenue, whereas other organizations are experiencing loss rates that exceed five percent” [2].

To the extent that the research proves accurate, this dramatic finding would appear to make any organization not practicing “best-in-class” security guilty of something bordering on sheer recklessness, with its management utterly failing in its responsibilities. For any organization, the results of this study, which suggest that security-related losses might be lowered by more than 80%, would seem to make a compelling case for effective security governance to drive “best-in-class” security.

The study involved a number of companies of various sizes, but extrapolating from an organization with $500 million U.S. in revenues, a reduction of losses from $25 million (5%) to $5 million (1%) annually would fund substantial security efforts and probably leave some money left over.

The question that arises then is what constitutes “best-in-class” security? Some would suggest that it means adherence to the so-called “best practices” that are the cornerstone of ITIL. In some cases, best practices may be appropriate; in other cases, they may be excessive or insufficient. A persuasive argument can be made that “best practices” is merely a substitute for a lack of real knowledge. That is to say, one size will not fit all, and with good planning and effective metrics, adequate and sufficient practices are a far more cost-effective approach. In any event, practices of any sort, whether best or not, must be managed in an integrated manner consistent with supporting business objectives to be of any significant value to an organization.

Although it may not be possible to provide a specific set of precise specifications to define “best in class” or an “appropriate” level, there are several internationally recognized and accepted gauges and standards available to assess what that entails. The attributes and characteristics defined in the CobiT version of the Capability Maturity Model (CMM) at Level 4 paint a clear picture and would fulfill the requirement for most organizations. It states:

4—Managed and Measurable

The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios.

Responsibilities for Information security are clearly assigned, managed and enforced. Information security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorization are standardized. Security certification of staff is established. Intrusion testing is a standard and formalized process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilized. Information security processes are coordinated with the overall organization security function. Information security reporting is linked to business objectives.

Responsibilities and standards for continuous service are enforced. System redundancy practices, including use of high-availability components, are consistently deployed. [3]

Although it is somewhat imprecise and subjective, CMM is an integral part of CobiT [3] and provides a straightforward intuitive approach that most find easy to apply.

A more detailed and specific approach is provided by the ISO/IEC 27002 Code of Practice and the 27001 Standard that specifies comprehensive requirements for governance, implementation, metrics, controls, and compliance.

High-level governance requirements are also set forth comprehensively in FISMA documentation pursuant to the U.S. Federal Information Security Management Act.

Whichever approach is utilized, the objective is to achieve “best-in-class” security through good governance, which, in summary, will ensure:

Assignment of roles and responsibilities

Periodic assessments of risks and impact analysis

Classification and assignment of ownership of information assets

Adequate, effective, and tested controls

Integration of security in all organizational processes

Implementation of processes to monitor security elements

Effective identity and access management for users and suppliers of information

Meaningful metrics

Education of all users, including management and board members, of information security requirements

Training as needed in the operation of security processes

Development and testing of plans for continuing the business in case of interruption or disaster

2.1 BENEFITS OF GOOD GOVERNANCE

A number of identifiable benefits will devolve from implementing effective information security governance, depending on the current state of security and the particulars of the organization. The following subsections discuss some of the more direct and obvious benefits, but there are likely to be other, less obvious ones. For example, embarking on a program to implement governance as detailed in the following pages is likely to improve the awareness and commitment of management and result in a better “tone at the top.” This in turn may initiate a culture more conducive to security.

2.1.1 Aligning Security with Business Objectives

Although it seems an obvious requirement, the majority of organizations globally do not have a program or process to align IT strategy, much less security activities, with the objectives of the business. This was vividly highlighted by the 2006 Global State of Information Security Governance study of more than seven thousand organizations by the IT Governance Institute [4]. It revealed that processes to align IT strategy with business strategy had only been implemented by 16% of the respondents. Another 12% indicated that they were in the process of implementing a program to address the issue. The remaining 72% of organizations did not know what guided their IT and security activities (Table 2.1).

Table 2.1. Implementation of IT strategy by businesses

Have implemented | Implementing now | Considering implementing | Not considering

IT strategy alignment with business strategy

16%

12%

21%