Effective IT Security Governance


IST 725 Case Study 1 – Effective IT Security Governance, Feb 12, 2012
Leo de Sousa – IST 725

Abstract

This paper describes how a continuous improvement IT Security Governance process provides effective planning and decision making capabilities for a cybersecurity program. Governance can be thought of as “doing the right things” while management is “doing things right”. IT Security Governance focuses on doing the right things to protect organizations and agencies. Operational Security focuses on doing things right and relies on IT Security Governance to direct those actions. As organizations and agencies look to save costs, reach more customers and implement efficiencies, they are turning more and more to digital technology solutions. While the reach and automation capabilities of information technology solutions and architectures are vast, they also expose organizations and agencies to risks from cybercrime, cyberattacks, breaches of legal regulations, loss of corporate information and protection of personal and confidential information. Topics covered in this paper are (a) Key Definitions, (b) Introduction to IT Security Governance, (c) IT Security Governance Capabilities, (d) Effective Approaches to Planning and Decision Making using IT Security Governance Capabilities and (e) Conclusion. After reading this paper, the reader should have a clear understanding of the concepts of IT Security Governance, the capabilities of IT Security Governance, and the uses of those capabilities to effectively plan and make decisions for an overall, continuously improving cybersecurity program.
Key Definitions

Cyberattack – is an attempt to undermine or compromise the function of a computer-based system, or attempt to track the online movements of individuals without their permission. (wiseGEEK, 2011)

Cybercrime – generally defined as a criminal offence involving a computer as the object of the crime (hacking, phishing, spamming), or as the tool used to commit a material component of the offence (child pornography, hate crimes, computer fraud). (Foreign Affairs and International Trade Canada, 2011)

Cybersecurity – term used by the US Federal government which requires assigning clear and unambiguous authority and responsibility for security, holding officials accountable for fulfilling those responsibilities and integrating security requirements into budget and capital planning processes. (IT Governance Institute, 2006, p. 22)

Information Security Governance – is captured in the Security Architecture Framework and is used “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11)
Integrated Governance Framework – is part of an integrated “governance structure that includes strategic planning, enterprise architecture, program management, capital planning, security and workforce planning.” (Bernard S. A., 2005, p. 33)

Introduction

IT Security Governance is one of several organizational governing processes that include Enterprise Architecture, IT Governance, Project Governance and Corporate Governance. It has strong alignment to enterprise risk management initiatives and programs. Successful organizations use corporate governance to direct and guide the successful operations of the company. IT Governance guides investments in technology that are aligned to the business’ goals and strategy. Project Governance is used to rank and prioritize project proposals, so investments in projects are aligned to business strategy. The IT Governance Institute defines Information Security Governance as “Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” (Harris, 2006) Taking a top down approach with executive direction and support is a key success factor in establishing a culture of security in organizations and agencies.

Every organization and agency faces the challenge of balancing employee empowerment, by providing access to information, with enterprise risk management and compliance. As more and more organizations and agencies move their services into a digital environment, they are faced with significant challenges dealing with new corporate risks to information, business processes and privacy.
The use of web-based applications, online payment systems and collaboration-based information management systems introduces new information technology architectures that, if not properly protected, expose the company to the risk of cyberattacks and information security breaches. Recently, the downturn in the global economy is forcing organizations and agencies to cut operational costs and improve their processes. In most cases, this means cutting their budgets and investments, which can put IT Security efforts in jeopardy due to lack of funding. These high levels of budget cuts are rippling through companies and organizations, impacting the resources available for IT security. “The $2.1 trillion debt-cap pact that Congress passed Tuesday could hurt economic and national security as agencies postpone plans to invest in cybersecurity technology and hire more network specialists due to uncertainty over potential program cuts, computer security advisers say.” (Sternstein, 2011)

There are five IT Security Governance areas that have evolved from case law and are tied to the fiduciary duties of executives, board members and officers: 1) Govern the operations of the organization and protect its critical assets, 2) Protect the organization’s market share and stock price, 3) Govern the conduct of employees, 4) Protect the reputation of the organization and 5) Ensure compliance requirements are met. (Allen & Westby, 2007, p. 1)

In this constrained environment, IT Security Governance becomes a strategic practice ensuring that the appropriate security capabilities are available and adequately funded to maintain and continually improve an effective cybersecurity program for organizations and agencies.
IT Security Governance Capabilities

IT Security Governance relies on a set of core capabilities that enable organizations to provide oversight, authorize decisions and create and enable policy. These capabilities support accountability, strategic planning and resource allocation for IT Security programs in an organization. To successfully deploy IT Security Governance capabilities, organizations and agencies need to consider organizational strategy, culture and structure as well as compliance and risk management policies. These capabilities need to be implemented in a top down approach with the responsibility for success sitting with the Board of Directors and the Executive Committee.

Bernard and Ho describe IT Security Governance capabilities at a high level as “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11) The Carnegie Mellon Software Engineering Institute published a paper, “Governing for Enterprise Security Implementation Guide”, which provides a more detailed approach to IT Security Governance Capabilities including responsibilities and artifacts.
The capabilities are grouped into the following four high level categories and subcategories: (Allen & Westby, 2007)

Governance Category: Structure and Tone
(Deming – Plan – design or revise business process components to improve results)
Governance Sub Categories:
  • Establish a Governance Structure
  • Assign Roles and Responsibilities, Indicating Lines of Responsibility
  • Develop Top-Level Policies

Governance Category: Assets and Responsibilities
(Deming – Do – implement the plan and measure its performance)
Governance Sub Categories:
  • Inventory Digital Assets
  • Develop and Update System Descriptions
  • Establish and Update Ownership and Custody of Assets
  • Designate Security Responsibilities and Segregation of Duties

Governance Category: Compliance
(Deming – Check – assess the measurements and report the results to decision makers)
Governance Sub Categories:
  • Determine and Update Compliance Requirements
  • Map Assets to Table of Authorities
  • Map and Analyze Data Flows
  • Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to Data Flows
  • Conduct Privacy Impact Assessments and Privacy Audits

Governance Category: Assessments and Strategy
(Deming – Act – decide on the changes needed to improve the process)
Governance Sub Categories:
  • Conduct Threat, Vulnerability, and Risk Assessments (including System C&As)
  • Determine Operational Criteria
  • Develop and Update Security Inputs to the Risk Management Plan
  • Develop and Update Enterprise Security Strategy (ESS)

Interestingly, the implementation guide proposed by Allen and Westby follows the continuous improvement approach of W. Edwards Deming. (Balanced Scorecard Institute, 1998) By implementing the four major categories in the order specified, organizations and agencies establish accountability and responsibility at the most senior levels of their organization structure, with a focus on these activities being part of a continuous improvement process.

Effective Approaches to Cybersecurity Planning and Decision Making

IT Security Governance delivers the key capabilities to facilitate planning and decision making for enterprise risk management and strategic planning in a cybersecurity program. This section explores the GES major categories using a higher education example and shows how they are essential to support the planning and decision making of a cybersecurity program with a focus on continuous improvement.

Structure and Tone (Deming – Plan)

There are three main activities in this category: Establish a Governance Structure; Assign Roles and Responsibilities, Indicating Lines of Responsibility; and Develop Top-Level Policies. The focus of these three activities is to clearly establish a top down, organization-wide approach to IT Security. At the British Columbia Institute of Technology (BCIT), our top level governance group is the Audit and Finance Committee of the Board of Governors. The committee reports quarterly to the Board of Governors and has overall responsibility for Enterprise Risk Management including IT Security Governance. In 2008, we created the Information Security Advisory Council (ISAC) to implement IT Security Governance.
This governance committee consists of the Chief Information Officer, Director of Safety and Security, Manager, Institutional Records Management, Director of Finance and the Information Security Officer. The ISAC sponsors audits, PCI-DSS implementation, copyright policy and compliance training. This committee also has responsibility for the Security architecture domain in our EA practice. The ISAC created two top level policies: 3501 – Acceptable Use of Information Technology and 3502 – Information Security. (British Columbia Institute of Technology, 2009) These policies and the ISAC are the backplane for IT Security Governance in BCIT’s Enterprise Architecture and fit with Deming’s Plan step. (de Sousa, 2007)

Assets and Responsibilities (Deming – Do)

There are four main activities in this category: Inventory Digital Assets, Develop and Update System Descriptions, Establish and Update Ownership and Custody of Assets, and Designate Security Responsibilities and Segregation of Duties. The BCIT 3502 – Information Security policy requires that systems be inventoried and system ownership established for the purpose of designing security access. (British Columbia Institute of Technology, 2009) This process is essential to determining who gets access to secure systems and defining access controls for the BCIT community. These activities fit with Deming’s Do step for continual improvement.

Compliance (Deming – Check)

There are five main activities in this category: Determine and Update Compliance Requirements, Map Assets to Table of Authorities, Map and Analyze Data Flows, Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to Data Flows, and Conduct Privacy Impact Assessments and Privacy Audits. Each year most organizations go through a financial audit. At BCIT, a component of the annual financial audit is an IT security audit. The auditors look at our IT systems and particularly the protections and security around financial transactions. With each audit there are recommendations for improving our treatment of secure transactions and access controls. These recommendations fit with Deming’s Check step and enable our organization to continually improve our IT Security program.

Assessment and Strategy (Deming – Act)

There are four main activities in this category: Conduct Threat, Vulnerability, and Risk Assessments (including System C&As), Determine Operational Criteria, Develop and Update Security Inputs to the Risk Management Plan, and Develop and Update Enterprise Security Strategy (ESS). Each year, BCIT proactively conducts vulnerability assessments and external penetration tests which lead to changes in our security practices. Placing emphasis on actively testing our IT Security Governance framework fits with Deming’s Act step for continual improvement.

Conclusion

IT Security Governance is a strategic practice that ensures appropriate security capabilities are available and adequately funded to maintain effective cybersecurity program planning and decision making.
Organizations and agencies that invest in IT Security Governance are able to manage the use of their assets securely, manage enterprise risk internally and externally and help ensure the ongoing viability of their operations.

Information Security Governance is part of an integrated “governance structure that includes strategic planning, enterprise architecture, program management, capital planning, security and workforce planning.” (Bernard S. A., 2005, p. 33) Information Security Governance is captured in the Security Architecture Framework and is used “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11)

By taking W. Edwards Deming’s Plan-Do-Check-Act continuous improvement model as the guiding principle for IT Security Governance, organizations and agencies will benefit from a consistent cybersecurity program focusing on secure business management and operations.
References

Allen, J. H., & Westby, J. R. (2007). Governing for Enterprise Security (GES) Implementation Guide. Pittsburgh: Software Engineering Institute, Carnegie Mellon.

Balanced Scorecard Institute. (1998). The Deming Cycle. Retrieved from Balanced Scorecard Institute: http://www.balancedscorecard.org/TheDemingCycle/tabid/112/Default.aspx

Bernard, S. A. (2005). An Introduction to Enterprise Architecture, 2nd Edition. Bloomington, IL: AuthorHouse.

Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for Implementing Information Security and Data Privacy. Washington, DC, USA.

British Columbia Institute of Technology. (2009). 3501 - Acceptable Use of Technology. Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3501.pdf

British Columbia Institute of Technology. (2009). 3502 - Information Security. Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3502.pdf

de Sousa, L. (2007, Jun 22). EA Model V.2. Retrieved Jan 18, 2012, from Enterprise Architecture in Higher Education: http://leodesousa.ca/2007/06/ea-model-v2/

Foreign Affairs and International Trade Canada. (2011, Oct 14). Cybercrime. Retrieved Feb 2, 2012, from International Security: http://www.international.gc.ca/crime/cyber_crime-criminalite.aspx?view=d

Harris, S. (2006, Aug). Information Security Governance Guide. Retrieved Feb 1, 2012, from TechTarget: http://searchsecurity.techtarget.com/tutorial/Information-Security-Governance-Guide

IT Governance Institute. (2006). Information Security Governance: Guidance for Board of Directors and Executive Management, 2nd Edition. Rolling Meadows, Illinois, USA.

Sternstein, A. (2011, Aug 02). Debt deal could be a blow for cybersecurity. Retrieved from Nextgov: http://www.nextgov.com/nextgov/ng_20110802_1799.php?oref=topstory

wiseGEEK. (2011). What Is a Cyberattack? Retrieved from wiseGEEK: http://www.wisegeek.com/what-is-a-cyberattack.htm