Information Security Governance (ISG) refers to the system through which an organization directs and controls its Information Security (InfoSec) activities. Just like corporate governance, ISG seeks to protect the interests of all stakeholders (shareholders, customers, service providers, government, employees, etc.) of an organization. It ensures the alignment of InfoSec strategies with organizational strategies.
Accountability for ISG usually resides with the Board of Directors or Executive Management of the organization. According to Mears and Von Solms (2004), for organizations to ensure adequate protection of their information assets, the Board of Directors and Senior Managers must be serious about InfoSec.
According to the IT Governance Institute (2006), ISG is an aspect of enterprise governance that is responsible for setting strategic direction, attaining InfoSec objectives, managing risk, and monitoring the enterprise security framework. ISG is the means of dealing with the security of enterprise information assets in a holistic manner, including all organizational stakeholders, among them those at the governance and management levels (Rebollo et al., 2014).
InfoSec is essential to all organizations, regardless of size, location, and industry; hence, ISG cannot be relegated to the background. According to Von Solms et al. (2011), ISG has become one of the main areas of strategic management because of its importance in the overall protection of organizations' information assets.
Organizations undertake several activities to ensure the security of their information assets. However, the majority of them lose sight of ISG in their operations. The best security control without governance will ultimately fail. In Bihari's (2008) study, the respondents ranked risk management and regulatory requirements as the two most important of nine activities undertaken by corporate governance professionals. InfoSec, however, was ranked as the least important by the respondents. Contrary to this ranking, the majority of the participants, when probed further, said InfoSec was important for fulfilling the obligations of the Board of Directors. The findings of this study clearly demonstrate how the importance of ISG is downplayed in some organizations.
Allen (2007) has enumerated eleven characteristics of effective ISG as follows:
- It should be an enterprise-wide issue
- Leaders of the organization should be accountable
- It should be considered as an organizational requirement
- It should be risk-based
- There should be defined roles and responsibilities, and segregation of duties
- It should be addressed by policies
- Adequate resources should be made available
- Awareness and training should be conducted for employees
- It should require a development life cycle
- It should be planned, managed, and measured
- It should be reviewed and audited
There are a number of frameworks, standards, and best practices that help ensure proper governance of InfoSec within organizations. Organizations need not reinvent the wheel; they just need to adopt frameworks, standards, and best practices from reputable sources like the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), IT Governance Institute, Business Software Alliance (BSA), and Information Systems Audit and Control Association (ISACA).
NIST enumerates the following ISG best practices that organizations can adopt:
- ISG should be based on relevant laws, regulations, and organizational policies.
- Senior Managers should be involved in the formulation and implementation of ISG frameworks.
- Responsibilities for InfoSec should be assigned and undertaken by adequately trained personnel.
- Personnel responsible for InfoSec must be held accountable for their actions and inactions.
- Priorities for InfoSec must be communicated to all organizational stakeholders to ensure effective execution.
- InfoSec activities should be integrated into all management activities and business processes of the organization.
- The InfoSec organizational structure needs to be appropriate for the organization and should be easily adaptable to changes within the organization.
- Managers responsible for InfoSec should continuously monitor the performance of the security program.
- The results of monitoring should serve as input into management decision making to improve the security posture of the organization.
There are many benefits associated with effective ISG. Organizations can realize the following benefits, as stated by the IT Governance Institute:
- It ensures effective management of organizational risk.
- It helps in the optimal allocation of resources for information security.
- It protects the organization against contractual, legal, and regulatory breaches.
- It reduces the uncertainty of business operations.
- It provides the assurance that organizational policies are being adhered to.
The importance of ISG cannot be overemphasized. Many InfoSec breaches have occurred globally due to poor ISG practices. ISG ought to be integrated into the overall governance of organizations to help safeguard the interests of key stakeholders. Organizations should always set InfoSec objectives, ensure these objectives align with the overall business objectives, and further integrate them into the tactical and operational levels of the organization. With the right ISG framework in place, the organization's security posture will be strengthened to withstand any shocks.
Sherrif Issah – (IT GRC Consultant | PCI-QSA | Trainer @ Digital Jewels Ltd. | Editorial Board Member, Institute of ICT Professionals Ghana)
For comments, contact author [email protected]