Information Security Governance


Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
>> Hi, and welcome to our next module, information security governance. Let's get into what we're going to be covering in this lesson. Basically, what is information security governance? We'll get a good definition, a good understanding of what it is made up of. A little bit on the governance frameworks, and now there are a number of different frameworks, and different industries have different specific frameworks to go by. But we'll just give a bit of an overview here. Effective IS governance and some of the expected outcomes of information security governance.

Let's begin. Basically, what is information security governance? Ultimately, as the name would suggest, it is basically a subset of corporate governance. It's basically designed for information security to support the strategic directions of the business and just provide strategic directions for all the security activities. In large organizations, security functions and security projects and other activities can be quite significant and can have a direct impact on the business. What information security governance does is enable a linkage to the bigger and larger corporate governance process to ensure that it's working for the goals and objectives of the business.

Now, as I mentioned, there's a number of different frameworks, but generally speaking, what you'll find common in most of them will be a comprehensive security strategy linked with business objectives, and this is pretty key. This will be a strategy document that will be born out of the corporate governance, so it's going to directly support what the business is doing. There will also be a governing set of security policies, so this will be at the very highest level in terms of what the focus of the security mandate will be within the organization. There will also be a set of standards, so these are just lower-level policies and procedures for people to follow. There'll also be a security organizational structure. There'll be different roles, such as, for example, in a lot of organizations, there's a chief security officer, there's a chief information security officer, and there's a range of other types of roles which vary across the organization. But each of those have different responsibilities at different levels of the organization. As with all good governance, there needs to be a process of monitoring to make sure it is doing exactly what you set out and plan to do.

What is effective information security governance? Basically, there's a couple of factors you've got to look for. There's ultimate responsibility at the board of directors; we'll see those levels. While the functions will be devolved down throughout the organization, the ultimate responsibility needs to lie at the very top of the organization. Now, provable of the policies, of the security policies, will require input from diverse organizational experience. You need stakeholders who are responsible for running different systems, different parts of the business, having input into how the security policy will work. Now, in effective information security governance, one of the key outcomes here is ensuring that information is available to support the business decisions and that this information is maintained at a high quality. Now, we also need to look at information security governance as generating business value. Not too long ago, it was actually seen as a cost and a drain on business. But in this day and age, it is certainly a business value factor. Now, there's also areas of operational excellence, and of course, as with a lot of things we have covered in this course so far, it needs to maintain risk at an acceptable level.

What are the basic outcomes? We'll be looking at basically performance measurement: defined, agreed upon, and meaningful metrics that are aligned with the strategic objectives. So "if you can't measure it, you can't manage it" is a very old saying, but it's very true here. We need to ensure that governance is measurable. We also need to ensure that the resources that are put into it, that are expended by the business, are managed. That ensures that the knowledge is captured, so the work that's being done is maintained as part of the corporate memory, the processes are documented, and there's a security architecture developed. Finally, there's process integration. Information security governance needs to exist within the larger ecosystem of the governance structures within the enterprise itself.

Now, okay, now that's the end of our lesson. Just to cover what we've gone through, we've looked at what information security governance is. We've looked a little bit at the makeup of governance frameworks, and also what effective information systems governance is, and the outcomes that you should be expecting from your information security governance programs. I hope you enjoyed the lesson and I will see you at the next one.