richardb8006 | Chief Information Security Officer (CISO) | Module 2 - Information Security Governance

Module 2 - CIA intro
This lesson covers the principles of security. We can remember the three principles of security using the acronym CIA.
- Confidentiality: preventing the unauthorized disclosure of data
- Integrity: preventing the unauthorized modification of data, and detecting any such modification when it does occur
- Availability: ensuring timely access to data and resources
You will familiarize yourself with the necessary security objectives that we must strive to achieve, and remember them using the acronym SMART.
Our security objectives must be:
- Specific: for example, increasing application security
- Measurable: you have to know when you’ve achieved your goal
- Attainable: is it something that can be done?
- Realistic: can the objective be achieved within the realm of possibility?
- Timely: can the goal be reached within a specific period of time?
You must keep in mind all the threats that can compromise your data security within the CIA and SMART frameworks.
Module 2 - Information Security Governance
This lesson will cover information security governance within the role of the CISO.
Information security governance is the set of responsibilities and practices implemented by the board and senior management for protecting the confidentiality, integrity, and availability (C-I-A) of information. Information security governance should, therefore:
- Provide long-term goals and short-term objectives
- Include metrics by which to determine success
- Be based on sound risk management principles
- Ensure that the enterprise’s resources are used appropriately
- Require an in-depth understanding of the value of an organization’s information
Ultimately, the responsibility for information security must rest with the organization’s executive level. Information security is an executive responsibility because:
- If an organization’s senior management, including the board of directors, senior executives, and all managers, does not establish and reinforce the business need for effective enterprise security, the organization’s desired state of security will not be articulated, achieved, or sustained
- To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at the governance level, not of other organizational roles that lack the authority, accountability, and resources to act and to enforce compliance
Security is a non-negotiable aspect of the business environment, because if you don’t protect your information you will be out of business.
Module 2 - Information Security Governance overview
- Information security governance is the set of responsibilities and practices implemented by the board and senior management for protecting the C-I-A of information
- Should provide long-term goals and short-term objectives
- Should also include metrics by which to determine success
- Based on sound risk management principles
- Ensures that the enterprise’s resources are used appropriately
- Requires an in-depth understanding of the value of an organization’s information
Responsibilities of the CISO
- Provide confidentiality, integrity, and availability for all information assets
- Communicate risks to senior management
- Recommend best practices to influence policies, standards, procedures, and guidelines
- Establish security measurements
- Ensure compliance with government and industry regulations
- Maintain awareness of emerging threats
Roles and responsibilities
Senior/executive management:
- CEO: chief decision maker
- CFO: responsible for budgeting and finances
- CIO: ensures technology supports the company’s objectives
- CISO: risk analysis and mitigation
- Steering committee: defines risks, objectives, and approaches
- Auditors: evaluate business processes
- Data owner: classifies data
- Data custodian: day-to-day maintenance of data
- Network administrator: ensures availability of network resources
- Security administrator: responsible for all security-related tasks, focusing on confidentiality and integrity
Module 2 - Security Management Program
This module covers what a security management program looks like and which elements help make it successful.
The importance of senior management involvement in data security cannot be emphasized enough: they understand all the elements of the business and how they work together. Consequently, they can help us prioritize, understand the critical business functions, and decide how best to spend our budget. Senior management can answer the question: how much security do we need?
Important points:
- You can have too much security: security measures that begin to interfere with the work of the business are excessive
- You have to think about security in terms of cost-benefit analysis: how much security is enough to support the functions and business needs of our environment?
These issues must be resolved by senior management, who provide the necessary governance and establish and manage:
- Policies/standards/procedures/guidelines
- Roles and responsibilities
- Service level agreements/outsourcing
- Data classification/security
- Certification and accreditation
- Auditing
The ultimate responsibility for security in an organization falls on senior management, as the individuals who have been entrusted with the company’s assets and who are liable in any legal action against the company, or for the repercussions of not following regulations.
The end result is that everyone working under senior management will respect and abide by the policies, standards, procedures, and guidelines as set forth by the executive level and ensure that the security management program is implemented in an effective manner.
What makes an information security management program successful?
- Senior management involvement
- Governance
- Policies/standards/procedures/guidelines
- Roles and responsibilities
- Service level agreements (SLAs)/outsourcing
- Data classification/security
- Certification and accreditation (C&A)
- Auditing