Step Up Your Security - Accountancy Ireland

Alex Burnham, Director, IT Audit & Security, Mazars outlines best practice guidance for developing an information security governance framework.

Information security is the term used to describe the maintenance of the confidentiality, integrity and availability of information held on ICT systems and in non-electronic formats (e.g. paper), and the protection of those assets.

Information and the systems that handle information are critical to the operation of virtually all organisations.

Access to reliable information has become a vital component of doing business; in fact, for a growing number of organisations, information is the business. This increasing dependence on information was apparent more than a decade ago when Peter Drucker stated “The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labour and capital”.[1]

Until recently, the focus of security had been on protecting the IT systems that process and store data rather than on the information itself. This approach is too narrow, however, to provide assurance to a board or senior management team that the information on which the organisation relies for its daily operation is secure. Information security governance is therefore the term used to describe how those entrusted with governance of an entity consider information security in their supervision, monitoring, control and direction of the entity.

Information security governance should be an integral part of organisational governance, and it is primarily the responsibility of the board and senior management. It is a structure of relationships and processes for directing and controlling the enterprise so as to achieve its goals, adding value while balancing risk against return in information security and its processes. Information security governance is not a technical issue but a business and governance challenge that includes strategy, risk management, performance measurement, value delivery, organisation and resources, and policies and procedures. Effective security requires the active involvement of executives in assessing emerging threats and the organisation's response to them.

An Effective Information Security Governance Framework

Establishing an effective information security governance framework includes defining the appropriate organisational structures, processes, oversight mechanisms, roles and responsibilities, and ensuring that these are aligned with, and delivered in accordance with, the information governance requirements and obligations of the organisation.

A key component of information governance is oversight, and this should be provided by an oversight group or steering committee made up of senior management from both the business and IT. Information governance is not, however, an IT function and should not be embedded within the IT function.

Effective information security governance:

  • Makes sure that the information security strategy is aligned with the ICT and business strategies;
  • Cascades information security strategy & goals down through the organisation;
  • Provides an appropriate structure to facilitate the implementation of information security strategy and goals;
  • Ensures that an information security control framework is adopted and implemented;
  • Provides oversight, direction and control of information security;
  • Ensures that information security is accountable to the Board (or senior management) of the organisation;
  • Ensures that information security resources are used to bring value to the organisation;
  • Manages information security risk; and
  • Monitors information security performance.

[1] Drucker, Peter F.; 'Management Challenges for the 21st Century', HarperBusiness, 1999

In turn, from a practical perspective, each of these components translates to the following indicators of good information security governance:

  • An information security governance/steering committee (or equivalent) is in place with a clearly defined governance role and a clear mandate from the Board. This mandate should focus on monitoring information security, be supported by a formal charter, and bring together both ICT security and business leadership. The committee should own an organisation-wide information security objective covering strategic direction, information security risk management, oversight of project implementation, and compliance activities;
  • An approved information security strategy or plan is in place that is clearly aligned with the business and IT strategies;
  • Outcome measures or KPIs are defined to support information security performance measurement and management;
  • Processes are in place to ensure resources (people, equipment and budget) are used to best effect in order to assist management in achieving their security goals;
  • There is a clear focus on the activities, processes and data that information security must protect;
  • Information security processes such as application security, incident and problem management are in place and managed;
  • There is central governance and management of information security investment;
  • Clear external information security sourcing strategies are in place where necessary;
  • An information security governance framework is in place to protect the security and integrity of organisational data and to ensure compliance by all parties with applicable laws and regulations relating to data security, data retention and records management (i.e. policies and procedures);
  • A clear and appropriate organisational reporting structure is in place and includes information security management functions;
  • The role that each unit or department should play (HR, business units, IT, etc.), together with the roles of specific individuals such as asset owners, should be specified. Job specifications/role profiles should include a specific paragraph setting out each individual's responsibility for complying with information security, and managers' responsibility for protecting the assets they own; and
  • Formal system owners (from the business) should be assigned and take responsibility for the critical applications used by the organisation and, as a direct consequence, for the data which these systems manage, store and process. In turn, the IT department should provide the technical and infrastructure controls to support the effective management of security for these applications to organisational and legislative standards.

Information Security Governance Roles

On the basis of best practice as represented by ISACA and ISO/IEC 38500 (Corporate Governance of IT), information security governance roles can broadly be summarised as follows, by organisational group:

Board or equivalent level
  • Set direction for information security, monitor results and insist on corrective measures
Senior Management
  • Defines business requirements for information security and ensures that value is delivered and risks are managed
  • Monitors overall summary performance against requirements
  • Approves information security strategy and policies

Steering/Governance Committee or equivalent

  • Directs investment in information security services and assets (IT and non-IT)
  • Ensures oversight of information security plans and expenditure
  • Agrees security standards or guidelines to be adopted
  • Proposes information security strategy and policies to senior management following review
  • Monitors detailed performance metrics against requirements
  • Reviews information security incidents and associated actions
  • This committee should be chaired by a second line function to ensure independence
ICT Management
  • Delivers and improves ICT services in accordance with the information security policy, security standards, plans and budgets agreed with the steering committee and approved by senior management
  • Develops and implements IT security procedures in support of information security policy
  • Monitors and tracks performance and reports to the steering committee
Business Unit
  • Implements the information security policy and procedures at an operational level
  • Each business unit head and their team should design their operational practices so that they are in compliance with the information security policy and associated procedures
  • HR should ensure that job specifications/ role profiles are updated to reflect responsibility for complying with information security as well as for managers being responsible for protecting the assets they own
  • HR should ensure that all staff are provided with information security training and that this is incorporated into induction training
Risk
  • Integrates all of the information security (IT and non IT) risks for the whole of the organisation into the overall risk management framework.
  • Ensures that an appropriate framework is in place to manage these risks
  • Reports levels of risk to the Board, typically through a risk committee that is a subcommittee of the Board
  • As a second line function, either the Risk or Compliance function may be an appropriate home for the Information Security Officer role and associated function, if such a role exists
Compliance
  • Ensures that the full compliance requirements and the legislative and regulatory obligations of the organisation have been adequately understood and analysed
  • Measures compliance with policies
  • Acts as the main organisational home for compliance roles within the organisation, e.g. the data protection officer or similar
  • As with Risk, Compliance is a second line function and may be an appropriate home for the Information Security Officer role and associated function, if such a role exists
Internal Audit
  • Provides independent assurance, by way of audit, that ICT and non-ICT functions deliver what is required by information security standards and protect the data and other assets of the organisation in accordance with its policies and with legislative and regulatory requirements
  • Tests that information security controls exist, are adequate and are operating effectively

This article first appeared in Accountancy Ireland magazine August 2015

Alex Burnham, Director, IT Audit & Security, Mazars, Phone: + 353 1 512 5563 Email: aburnham@mazars.ie