Information security is the term used to describe the maintenance of the confidentiality and integrity of information, whether held on ICT systems or in non-electronic form (e.g. paper), and the protection of the assets that hold it.
Information and the systems that handle information are critical to the operation of virtually all organisations.
Access to reliable information has become a vital component of doing business; in fact, for a growing number of organisations, information is the business. This increasing dependence on information was apparent more than a decade ago when Peter Drucker stated: “The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labour and capital”.
Until recently, the focus of security had been on protecting the IT systems that process and store data, rather than on the information itself. This approach is too narrow, however, to give any board or senior management team assurance that the information on which the organisation relies for its daily operation is secure. Information security governance is therefore the term used to describe how those entrusted with the governance of an entity consider information security in their supervision, monitoring, control and direction of that entity.
Information security governance should be an integral part of organisational governance, and is primarily the responsibility of the board and senior management. It is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals, adding value while balancing risk against return in information security and its processes. Information security governance is not a technical issue but a business and governance challenge, taking in strategy, risk management, performance measurement, value delivery, organisation and resources, and policies and procedures. Effective security requires the active involvement of executives in assessing emerging threats and the organisation’s response to them.
An Effective Information Security Governance Framework
Establishing an effective information governance framework includes defining the appropriate organisational structures, processes, oversight mechanisms, roles and responsibilities, so that these are aligned with, and delivered in accordance with, the organisation’s information governance requirements and obligations.
A key component of information governance is oversight, which should be provided by an oversight group or steering committee made up of senior management from both the business and IT. Information governance is not, however, an IT function and should not be embedded within the IT function.
Effective information security governance:
- Makes sure that the information security strategy is aligned with the ICT and business strategies;
- Cascades information security strategy & goals down through the organisation;
- Provides an appropriate structure to facilitate the implementation of information security strategy and goals;
- Ensures that an information security control framework is adopted and implemented;
- Provides oversight, direction and control of information security;
- Ensures that information security is accountable to the Board (or senior management) of the organisation;
- Ensures that information security resources are used to bring value to the organisation;
- Manages information security risk; and
- Monitors information security performance.
Drucker, Peter; ‘Management Challenges for the 21st Century’, HarperBusiness, 1999.
In turn, from a practical perspective, each of these components translates to the following indicators of good information security governance:
- An information security governance/steering committee (or equivalent) is in place with a clearly defined governance role and a clear mandate from the Board. The mandate should focus on monitoring information security, be supported by a formal charter, and draw its membership from both ICT security and business leadership. The committee should hold an organisation-wide information security remit covering strategic direction, information security risk management, implementation oversight for projects, and compliance activities;
- An approved information security strategy or plan is in place and is clearly aligned with the business and IT strategies;
- Outcome measures or KPIs are defined to support information security performance measurement and management;
- Processes are in place to ensure resources (people, equipment and budget) are used to best effect in order to assist management in achieving their security goals;
- There is a clear focus on the activities, processes and data that information security must protect;
- Information security processes such as application security, incident and problem management are in place and managed;
- There is central governance and management of information security investment;
- Clear external information security sourcing strategies are in place where necessary;
- An information security governance framework is in place to protect the security and integrity of organisational data and ensure compliance by all parties with applicable laws and regulations relating to data security, data retention and records management (i.e. policies and procedures);
- A clear and appropriate organisational reporting structure is in place and includes information security management functions;
- The role that each unit or department should play (including HR, business units, IT, etc.), together with the roles of specific individuals such as asset owners, is specified. Job specifications/role profiles should include a specific paragraph setting out each person’s responsibility for complying with information security, and managers’ responsibility for protecting the assets they own; and
- Formal system owners from the business are assigned to, and take responsibility for, the critical applications used by the organisation and, as a direct consequence, the data that these systems manage, store and process. In turn, the IT department provides the technical and infrastructure controls that support the effective management of security for these applications to organisational and legislative standards.
Information Security Governance Roles
On the basis of best practice as represented by ISACA and ISO/IEC 38500 (Corporate Governance of IT), information security governance roles can broadly be reflected as follows:
This article first appeared in Accountancy Ireland magazine August 2015
Alex Burnham, Director, IT Audit & Security, Mazars.