Implement a Security Governance and Management Program
Align security and business objectives to get the greatest benefit from both.

Info-Tech Research Group Inc. is a global leader in providing IT research and advice.
Info-Tech’s products and services combine actionable insight and relevant advice with
ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2019 Info-Tech Research Group Inc. Info-Tech Research Group 1
Table of contents
1. Project Rationale
2. Execute the Project/DIY Guide
   Phase 1: Align Business Goals With Security Objectives
   Phase 2: Develop an Effective Governance Framework
   Phase 3: Manage Your Governance Framework
3. Summary/Conclusion
4. Next Steps
5. Appendices

ANALYST PERSPECTIVE
So, you’ve got a security program, but is it really working for you?

Cybersecurity is rapidly becoming a non-negotiable requirement for modern businesses to operate in today’s threat landscape. Yet all too often, there is still disagreement among business leaders and cybersecurity professionals about how much security is enough, too much, or just right. The key to resolving this dilemma is to implement a security governance and management program that is aligned with business goals. This implementation begins with a risk tolerance assessment that takes both security objectives and business goals into account so that both sides can understand each other’s point of view. Once this understanding has been reached, your organization will be in a position to develop strong security practices that enable business operations – not impede them.
Logan M. Rohde
Consulting Analyst, Security, Risk, & Compliance
Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:
• CISOs, CSOs, CEOs, CIOs, IT leaders, and business leaders who would like to improve alignment between security and business activities, optimize security resources, implement an effective risk mitigation strategy, and improve the transparency of security initiatives.
• CISOs, CSOs, and CIOs who would like to better support the business.

This Research Will Help You:
• Develop a comprehensive information security governance and management framework.
• Apply your security governance framework to your organization and create a roadmap for implementation.
• Develop a metrics program to monitor and improve your security governance program.

This Research Will Also Assist:
• CEOs, CFOs, and other business leaders
• Business stakeholders that are continually affected by security

This Research Will Help Them:
• Understand the value of information security governance and management as it has the ability to close any security gaps.

Executive summary

Situation
• Security programs tend to focus on technology to protect organizations while often neglecting the people, processes, and policies needed to manage the program.
• It seems daunting and almost impossible to govern all the aspects of a security program.

Complication
• This leads to several problems:
  o The security team often doesn’t understand business goals.
  o The organization lacks direction regarding security initiatives and how to prioritize them.
  o Risks are not treated appropriately.

1. Business and security goals should be the same. Businesses cannot operate without security, and security’s goal is to enable safe business operations.
2. Security governance supports security strategy and management. These three elements create a protective arch around business operations, and governance is the keystone. It seems like a small aspect, but it holds the whole program together.
3. Governance defines the laws, but they need to be policed. Governance sets standards for what actions are permitted, but only management can verify that these standards are being observed.

Resolution
• Your security governance and management program needs to be aligned with business goals to be effective.
• This approach also helps to provide a starting point to develop a realistic governance and management program.
• This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.
• Start by defining your organization’s risk tolerance to begin the process of aligning security objectives with business goals.
• Develop a governance framework that supports these aligned objectives and goals.
• Manage the governance program through regular audits, metrics tracking, and regular review of the framework’s successes and shortcomings.

Decide between a security governance or a security strategy focus

This blueprint is for…
This blueprint is intended for organizations that presently do not have a governance framework and are looking to begin the process of building one.

Developing a governance framework is a large undertaking; it’s important to start small to make the project manageable.

In this blueprint we will focus on the following steps:
• Aligning business goals and security objectives.
• Setting an appropriate risk tolerance and monitoring threats.
• Deploying three lines of defense.
• Developing policies, charters, and defining organizational structure.
• Tracking security metrics and the importance of regular audits.
• And more!

In some cases, it’s better to work backwards…
For less-mature organizations, it might be more appropriate to start by developing a security strategy to outline the basics before developing a governance framework. Info-Tech’s blueprint Build an Information Security Strategy will walk you through the process of creating a security program specific to your organization. It focuses on the following processes:
• Assessing security requirements
• Building a gap initiative strategy
• Prioritizing security initiatives

Info-Tech’s framework integrates several best practices to create a best-of-breed security framework

Information Security Framework

Governance
• Context and Leadership: Information Security Charter; Information Security Organizational Structure; Culture and Awareness
• Evaluation and Direction: Security Risk Management; Security Policies; Security Strategy and Communication
• Compliance, Audit, and Review: Security Compliance Management; Internal Security Audit; External Security Audit; Management Review of Security

Prevention (Identity Security; Infrastructure Security; HR Security; Data Security Management; Change and Support)
• Identity and Access Management; Vulnerability Management; Network Security; Cryptography Management; Endpoint Security; Malicious Code; Physical Security; HR Security; Hardware Asset Management; Configuration and Change Management; Data Security & Privacy; Application Security; Cloud Security; Vendor Management

Detection
• Security Threat Detection; Log and Event Management

Response and Recovery
• Security Incident Management; Security eDiscovery and Forensics; Information Security in BCM; Backup and Recovery

Measurement
• Metrics Program; Continuous Improvement

Discard your preconceptions about security and business being at odds with each other
Ultimately, both the security and business ends of the organization are interested in the same goal: the organization’s continued success.

It’s true that both groups have different ideas about what the organization’s ideal state is, but security and the business have more in common than they do in conflict. They just aren’t used to seeing it that way.

[Figure: Business Goals, Security Objectives, Organizational Success.]

Business goals and security goals are related and have a tendency to affect each other, making business-security alignment an iterative process that takes ongoing effort. This effort is well worth it as it leads to maximum cooperation and thus maximum efficiency.

Resolve the tension between business and security

It is true that business leaders and security professionals have different ideas about what an organization’s ideal state is, but this difference can be overcome with a little understanding.

The ideal business state:
• Operations run easily and efficiently.
• High risk tolerance; no serious incidents.
• Strong all-around security with no compromise to convenience or ease of use.
• Low-cost security.

The ideal security state:
• Business engages in no risky behavior.
• Low risk tolerance; no incidents.
• Security prioritized over convenience.
• Adequate budget to enable comprehensive security.

What both parties must understand:
• Without adequate security, the business takes serious risks that may have serious consequences.
• Without smooth business operations, there would be no jobs for security professionals.
• Therefore, security goals are business goals and business goals are security goals.

Position yourself for success by integrating security into your overall governance framework
Security and the business end of the organization need to work together to achieve their shared goals, and good governance will set both of them on the road for success.

• Yet it should be understood that security is the focus. Going forward, convenience must take a backseat to security in order for security governance to actually have an effect on the organization; however, convenience is a risk that should be managed rather than removed – a total security lockdown won’t improve business outcomes, but good governance will.

Security governance is an integral part of IT governance and corporate governance.

Security governance involves the following activities:
• Evaluating current security activities and their impact on business objectives.
• Providing direction for the security team by setting an appropriate risk tolerance, allocating investments and resources, etc.
• Developing a security charter and organizational structure.
• Ensuring compliance.

[Figure: Corporate Governance, IT Governance, Security Governance.]

The Security Governance Framework
A security governance framework is a system that defines the structures, processes, authority definitions, and membership assignments that lead the security department toward optimal results for the business.

Governance is performed in three ways:

1. Evaluate: Governance ensures that business goals are achieved by evaluating stakeholder needs, criteria, metrics, portfolio, risk, and definition of value.
2. Direct: Governance sets the direction of information security by delegating priorities and determining the decisions that will guide the organization.
3. Monitor: Governance establishes a framework to monitor performance, compliance with regulation, and progress on expected outcomes.

Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.
– EDUCAUSE

Allow security to become a business enabler

Remember: security objectives are business objectives too.

• It is true that without good governance security programs often fail to produce results.
• However, it is also true that without good governance security programs can become too restrictive, preventing the business from operating smoothly.
• The goal is to create an effective governance framework that keeps the business safe, but also running smoothly – not just adding security, but the right level of security.

[Figure: Understanding business needs and Effective governance overlap to give the Right level of security.]

Notice the need for security governance

44%: Boards who actively participate in developing security strategy (Source: PwC, 2018). Including the board in governance discussions helps to align business and security goals.

74%: US organizations who agree compliance requirements are effective for improving security (Source: Thales, 2018). Having a proper governance framework helps ensure compliance obligations are met.

37%: Boards of directors confident their organization is properly secured against cyberattack (Source: NACD, 2017-18). Governance promotes the development of security controls to protect information assets.

87%: Professionals wanting a security budget increase of up to 50% (Source: EY, 2017-18). Developing a governance framework helps you get the most out of your security budget.

54%: Government security professionals who note carelessness or lack of training as the biggest security risk (Source: SolarWinds, 2017). Governance can help ensure training and awareness needs are met.

Create impactful security governance by embedding it within enterprise governance

The business should engage in security governance, and security should influence the direction of the business.

Enterprise Governance
Enterprise governance falls into the authority of the board and executive management. Responsibilities include:
• Provide strategic direction for the organization.
• Ensure objectives are met.
• Set the risk standards/profile.
• Delegate resources responsibly.

Security Governance
Security governance is a component of enterprise governance. Responsibilities include:
• Build structure, authority, process, and membership designations in a governance framework.
• Ensure the cybersecurity department is aligned with business goals.
• Influence the direction of the business to ensure business success.

Enterprise governance engages in security governance; security governance influences enterprise governance.

Use these icons to help direct you as you navigate this research
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Implement a Security Governance and Management Program – project overview

Best-Practice Toolkit

1. Align Business Goals With Security Objectives
1.1 Appreciate what security governance is in relation to management and strategy
1.2 Plan for common security governance and management challenges
1.3 Understand the benefits of security governance
1.4 Prepare a business case to present to the board
1.5 Assemble the security governance steering committee
1.6 Set an appropriate risk tolerance

2. Develop an Effective Governance Framework
2.1 Blend the best of COBIT and NIST to streamline your initiative
2.2 Understand your three lines of defense
2.3 Support your first line of defense with a Security Governance Center of Excellence
2.4 Create a governance charter, policies, and organizational structure

3. Manage Your Governance Framework
3.1 Track governance-related metrics
3.2 Internally audit your security program
3.3 Reassess your governance framework

Guided Implementations
• Phase 1: Understand what security governance means for you (Governance Development Checkpoint I)
• Phase 2: Developing an effective framework (Governance Development Checkpoint II)
• Phase 3: Metrics, audits, and why they matter (Governance Development Checkpoint III)

Phase 1 Outcome:
• Business Case Presentation Deck
• Information Security Steering Committee Charter
• Risk Register

Phase 2 Outcome:
• Information Security Charter
• Security Governance Organizational Structure

Phase 3 Outcome:
• Security Metrics Assessment

PHASE 1
Align Business Goals With Security Objectives

Implement a Security Governance and Management Program


Step 1: Align Business Goals With Security Objectives

This step will walk you through the following activities:
• Plan for common security governance and management challenges.
• Understand the benefits of security governance.
• Prepare a business case to present to the board.
• Assemble the security governance steering committee.
• Set an appropriate risk tolerance.

This step involves the following participants:
• Cybersecurity
• Business leaders and decision makers
• Risk specialists

Outcomes of this step
• Improved understanding of governance benefits and challenges.
• Created business case presentation deck.
• Formed Governance Steering Committee.
• Improved understanding of business and security approaches to risk management.
• Defined risk tolerance.

Phase 1 outline
Call 1-888-670-8889 or email [email protected] for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Align Business Goals With Security Objectives
Proposed Time to Completion: 4-6 weeks

Step 1.1: Understand What Security Governance Means for You
Start with an analyst kick-off call:
• Discuss security governance, strategy, and management.
• Understand the importance of business-security alignment.
• Discuss how to begin setting an appropriate risk tolerance.
Then complete these activities…
• Prepare a business case to present to the board.
• Assemble the security governance steering committee.
• Establish risk tolerance.
With these tools & templates:
• Information Security Governance Business Case Template
• Information Security Steering Committee Charter
• Security Risk Register Tool

Step 1.6: Governance Development Checkpoint I
Review findings with analyst:
• Discuss progress with getting executive support.
• Address challenges with assembling the steering committee.
• Discuss progress on establishing risk tolerance and deploying the risk register.
Then complete these activities…
• Fine-tune the business case presentation.
• Finalize the steering committee charter.
• Continue identifying and assessing risks.

Phase 1 Results & Insights:
• Business case presentation deck and ability to argue for business-security alignment.
• Steering committee to oversee the governance initiative.
• How to set an appropriate risk tolerance and the advantage of a high risk tolerance.

1.1 Appreciate security governance in relation to security management and strategy
There are three elements that make up an effective security program: governance, strategy, and management.

These elements do overlap with each other and the terms are sometimes used interchangeably. However, each refers to a specific element of the overall security program and it’s important to account for them.

Governance:
• Organization’s framework for how the business will operate in accordance with security controls/protocols.
• Overarching set of policies and charters detailing an organization’s expectations for minimizing risk.
• Developed via risk tolerance assessment.
• Used to align security objectives and business goals.
• Maintained through regular audits.

Strategy:
• Organization’s approach towards managing the risks within its risk appetite.
• Plan for preserving data’s confidentiality, integrity, and availability in the face of tolerated risks.
• Balances security pressures (e.g. compliance obligations or attackers) with business goals.
• Executes the objectives laid out by the governance framework.

Management:
• Driving force of the security program.
• Ensures that both governance and strategy are operating properly and are well understood by those who need to follow them.
• Training and awareness, audits, and tracking metrics are large components.
• Keeps the security program acting as a business enabler rather than a business impediment.

As a general rule, the more mature an organization, the more these elements will be separated from each other. However, the point is not to get hung up on naming conventions – just make sure each element is accounted for to get the most from your security program.

Visualize governance as the keystone of your security program
These three basic elements: governance, management, and strategy create an arch that secures business operations, enabling them to run smoothly.

In this model, governance appears to be the smallest element of the arch. However, this does not mean it is the least important. Rather, governance is a framework that works in the background of the more active elements: management and strategy. Governance is also the keystone of the security arch, meaning that it is the essential component holding the arch together by ensuring that the other elements are adequately supported.

[Figure: an arch with Governance as the keystone, Management and Strategy as the two legs, standing on Business Operations.]

1.2 Plan for common security governance and management challenges
Governance is an important part of any security program. However, to implement it you’ll need to prepare for certain challenges, which may derail the whole initiative or even prevent it from getting off the ground in the first place.
• Before attempting to get executive buy-in for the project, consider these issues not just as challenges to overcome, but also as reasons for why your organization needs a governance framework.

Non-compliance:
Security controls tend to interrupt the flow of people's day-to-day habits, so it's not uncommon for them to continue doing things the “easy way” if they experience no consequences or they see others not following the rules.
• Countering these behaviors is exactly why a governance framework is needed.
• Without well-defined controls in place, security will continue to be an afterthought for end users.

Enforcement:
It can be hard to see what everyone is doing at every minute of the day, which is why it is important to establish a mandatory governance framework. Ensure managers, directors, and executives follow the framework and supporting policies.
• The governance framework will need maintenance to ensure it is working properly.
• This is why management is a necessary component of any governance initiative.

Budget:
The old belief that business operations make money and security costs money can be a hard mindset to break. Fortunately it is getting easier to convince business leaders to invest in security.
• Convincing them to invest in the most worthwhile security protocols can still create some friction.
• Strategy should be developed alongside governance to prioritize security needs.

A governance framework is meant to increase an organization’s collective safety. For governance to be effective, its controls must be observed as the laws of the land by everyone from the CEO down to the most recent entry-level employee.

Challenges continued

Non-compliance, enforcement, and budget are broad challenges made up of more-specific issues.
• Be sure to consider how the following might present unique obstacles for your organization’s governance initiative – each one presents a specific talking point that you can use to highlight a problem and how you plan to solve it, thus convincing executives of the value of security governance.
• Rest assured, this blueprint will prepare you for meeting these challenges!

Governance Challenges
• Getting security policies approved by management.
• Communicating security policies within the organization.
• Establishing security organizational structure.
• Prioritizing and initiating security objectives.
• Defining an appropriate risk tolerance.
• Securing business initiatives.
• Keeping up with compliance obligations.
• Incorporating security into IT system design.
• Enforcing policies consistently across all departments.

Management Challenges
• Managing IT systems effectively.
• Managing security processes effectively.
• Dealing with security incident management effectively.
• Developing a metrics program to track governance efficacy.
• Conducting regular internal audits.
• Overseeing managed security service providers.
• Responding to physical security issues.
• Implementing regular training and awareness.

1.3 Understand the benefits of security governance
There are many advantages to a well-defined governance framework, but focusing on the ones below will help you gain support and get the project approved.
A governance framework will help to…

1. Enhance security culture
• Governance provides a solid foundation to develop strong security controls.
• Allows for security decisions to be made ahead of time so that firefighting-style responses and ad hoc decision making can be avoided.

2. Improve incident management
• Problems can and will arise, but a governance framework helps speed up remediation.
• Defines the state the organization must return to.

3. Reduce costs
• Investing in security now helps prevent huge costs associated with data breaches later.
• Remember: not all costs are monetary; reputational damage can also be very costly.

4. Meet compliance obligations
• Reporting and other duties easily become challenges when firm security controls are not in place.
• Some regulations (e.g. GDPR) may impose additional fines if security controls are inadequate.

A governance framework is what holds an organization's security posture upright. Without one, an organization’s overall security can become too lax, posing additional risks to the health and longevity of the business.

1.4 Prepare a business case to present to the board

There’s no way around it: implementing a governance framework is going to cost money, so it’s important to demonstrate why it’s a worthwhile investment. Consider using these talking points to structure your business case presentation.

Business Case Talking Points
• IT security is not the same as IT.
• Security is meant to enable business.
• No longer simply a cost, but a necessary protection.
• Not necessarily a massive overhaul, but a fine-tuning, development, and formalization of processes already in place.
• Helps to cement the organization's internal culture, interests, and politics around security.
• Removing red tape so the CISO can act in the best interest of the company.
• Design security policies to meet compliance obligations.
• Above all: managing risk (by identifying it in the first place).

Security controls can restrict business operations. In today's cybersecurity landscape there are too many threats to not have some protection. A business can’t operate without security and security must enable business operations. The two need to cooperate to ensure an organization's (continued) success.
1.4 Use Info-Tech’s business case template to convey the need for security governance
Information Security Governance and Management Business Case Template

Use this presentation deck as a starting point for your own business case presentation by following these steps:
1. Review each slide.
2. Customize the text to tailor the information to match your organization’s needs.
3. Add additional material to address any unique challenges your organization faces.
4. Present to the board or other approving body.

When giving this presentation, remember to emphasize the need to set an appropriate risk tolerance. This is a key part of security-business alignment (step 1.6 of this blueprint).

1.5 Assemble the Information Security Steering Committee (ISSC)

Once the governance plan has the green light, you will need to create a steering committee to:
• Develop the policies that will make up the governance framework.
• Verify that the governance implementation is on schedule and going to plan.
• Offer guidance for effective management.

The steering committee membership should represent security and business personnel equally to make the process as democratic as possible.

• Your steering committee should contain approximately six people.
• This amount allows for various viewpoints to be represented while balancing the need to get things done.
• Avoid committees with more than eight people; they tend to struggle with decision making.

Check out Info-Tech’s resources on using an ISSC, including the blueprint, Improve Security Governance With a Security Steering Committee.

When deciding on steering committee participants, don’t forget to account for the unique qualities of your organization. It may be appropriate to include members from outside security or business-related departments, such as HR, particularly if your organization needs to protect a lot of sensitive employee data.
Typical ISSC responsibilities and duties

Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

Strategic Oversight
• Provide oversight and ensure alignment between information security governance and company objectives.
• Assess the adequacy of resources and funding to sustain and advance successful security programs and practices for identifying, assessing, and mitigating cybersecurity risks across all business functions.
• Review controls to prevent, detect, and respond to cyberattacks or information or data breaches involving company electronic information, intellectual property, data, or connected devices.
• Review the company’s cyber insurance policies to ensure appropriate coverage.
• Provide recommendations, based on security best practices, for significant technology investments.

Policy Governance
• Review company policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.
• Review privacy and information security policies and standards as well as the ramifications of updates to policies and standards.
• Establish standards and procedures for escalating significant security incidents to the ISSC, board, other steering committees, government agencies, and law enforcement, as appropriate.
Info-Tech Research Group 29
ISSC responsibilities and duties continued

Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

Risk Governance
• Review and approve the company’s information risk governance structure and key risk management processes and capabilities.
• Assess the company’s high-risk information assets and coordinate planning to address information privacy and security needs.
• Provide input to executive management regarding the enterprise’s information risk tolerance.
• Review the company’s cyber response preparedness, incident response plans, and disaster recovery capabilities as applicable to the organization’s information security strategy.
• Promote an open discussion regarding security, information risk, and integrate information risk management into the enterprise's objectives.

Monitoring & Reporting
• Receive periodic reports and coordinate with management on the metrics used to measure, monitor, and manage cyber and IT risks posed to the company and to review periodic reports on selected risk topics as the committee deems appropriate.
• Review reports provided by the IT organization regarding the status of and plans for the security of the company’s data stored on internal resources and with third-party providers.
• Monitor and evaluate the quality and effectiveness of the company’s technology capabilities for disaster recovery, data protection, cyber threat detection, and cyber incident response, and management of technology-related compliance risks.
Customize Info-Tech’s Information Security Steering Committee Charter to suit your organization’s needs
1.5 Information Security Steering Committee Charter

Use this template to create an information security steering committee charter that accounts for your organization’s unique needs.

This charter will help ensure that your security governance program gets the attention it deserves by:
• Outlining roles and responsibilities of committee members.
• Defining the approach to security governance, supporting policies, overall strategy, and risk management.
• Prescribing the committee’s procedures.

This package contains a RACI chart to help you document members’ roles and responsibilities. Be sure to review the various jobs listed as they will help you get started with defining the needs of your own governance initiative.
1.5 Discuss your organization’s ideal security state (90 minutes)

Once the steering committee is established, they’ll need to get to know each other and learn what other members value. To help facilitate this process, have cybersecurity and business leaders talk to each other about their ideal scenarios for the organization.

Follow this process:
1. Divide into departmental teams.
2. Have each team prepare a mini presentation explaining their goals and why they're important.
3. Allow the other team(s) to give constructive rebuttals for elements of the other teams’ presentations they disagree with.
4. Avoid starting fights (this isn’t the point); the goals for this exercise are to:
• Discuss possible solutions or compromises.
• Begin conversations around risk tolerance.
• Have the steering committee get a sense of what the organization's risk tolerance actually is, not where they think it is or wish it to be.

Things to consider when making presentations:
• Past incidents and their costs.
• Alignment of security and business goals.
• Compliance obligations.
• Industry’s threat landscape.
• Business pressures.
• Resources.
• Consequences of losing various data types.
• Point when a security incident would prevent business operations.
• Roles and responsibilities.

Many organizations think of themselves as having a low risk tolerance. However, upon closer inspection of what they are willing to tolerate, these same organizations often fall into the moderate risk tolerance category.
1.6 Set an appropriate risk tolerance
To get business and security operations to align, they will need to agree on an acceptable level of risk (i.e. what they are willing to tolerate). This is the basis of the entire governance initiative.

There are two parts to setting a risk tolerance:
1. Surveying possible risks (assess as many as possible) to decide which ones you are and are not willing to accept.
2. Evaluating each risk individually to determine at what point it would become intolerable.
• Remember to account for compliance obligations while completing these activities.

Risk Tolerance Curve (figure: probability on one axis, impact on the other; risks beyond the curve fall in the "Do not accept the risk" region, risks within it in the "Accept the risk" region)
• Risk tolerance is based on a threat’s probability and impact.
• More-severe risks can be tolerated provided their probability is low.
• Business and security can align by agreeing what is and is not an acceptable risk.

Organizations cannot simply hope they won't be breached – or worse, assume they won't because they avoided it so far.

50% of US retailers suffered a data breach in 2017.

% of business opportunity lost from a data breach:
<20%: 58%
20-40%: 25%
40-60%: 9%
60-80%: 5%
80-100%: 4%

Sources: “2018 Thales Data Threat Report”; “Cisco 2017 Annual Cybersecurity Report”
Visualize the advantages of a high risk tolerance
Think of your risk tolerance like a mountain: the base represents the risks your organization can comfortably tolerate, while the summit represents the limit of your risk tolerance. For a risk to become intolerable, its magnitude must be greater than that of the mountain’s summit.

The higher the risk tolerance, the more risks an organization can accept, thus improving the organization’s ability to operate within a given threat landscape.

In short, the bigger the mountain the better.

(Figure: a mountain labelled from base to summit "Comfortably tolerated risk", "Caution zone", and "Maximum risk tolerance", with a vertical axis marked "Increasing risk level".)

There are advantages to a high risk tolerance, but that doesn’t mean it’s a good idea to blindly accept all risks. Set an appropriate risk tolerance to maximize business output without taking unnecessary or unwise risks. It may be worthwhile to investigate security solutions to help you increase your risk tolerance.
Use Info-Tech’s Risk Register to help set an appropriate risk tolerance and track risks
1.6 Security Risk Register Tool

1. Use this tool to help you quantify your organization’s risk tolerance using Info-Tech’s 0-40 scale.
2. Once you decide on a risk tolerance, enter that value on tab 4 (Results) and enter the required information for each risk your organization faces to see whether or not those risks are within the risk tolerance you’ve set.
3. To help you get the full picture of your organization’s threat landscape, this tool allows you to track a threat’s inherent risk (to the organization) and the residual risk after deploying a mitigation strategy.
4. The final 2 tabs will let you see all risk and mitigation details at a glance and in graphical form, making it easy to present to non-risk specialists.

Risk registers are valuable tools, but they are only as good as the information they contain. To get the most value from this tool, take the time to consider all possible risks. The more risks you track, the better your understanding of the overall threat landscape will be.
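The scoring that a register like this automates can be shown in a short script. The following is an added example written for this page, not Info-Tech’s Security Risk Register Tool: it assumes a probability 0-5 by impact 0-8 scale (so scores span 0-40; the page does not define the tool’s own scale), a constructed sample register, and an assumed tolerance of 12. It scores each entry’s inherent and residual risk, rejects a residual that is higher than its inherent value, refuses to accept an unmitigated compliance-driven risk however low its score, and derives the tolerance curve from the previous slides: for a given impact, the highest probability that still falls within tolerance.

```python
"""Toy security risk register: inherent vs. residual scoring against a risk tolerance.
Constructed example, not Info-Tech's Security Risk Register Tool. Assumed scale:
probability 0-5 x impact 0-8, so scores span 0-40 (the real tool's scale is not
described on the page). The sample risks and the tolerance value are made up."""
from dataclasses import dataclass
from math import floor
from typing import Dict, List, Optional

PROB_MAX = 5    # assumed: 0 = will not happen .. 5 = near certain
IMPACT_MAX = 8  # assumed: 0 = no effect .. 8 = business-ending

ACCEPT = "accept"                                    # inherent score already within tolerance
ACCEPT_AFTER_MITIGATION = "accept after mitigation"  # residual within tolerance, inherent was not
TREAT_COMPLIANCE = "treat (compliance obligation)"   # unmitigated compliance risk is never accepted
EXCEEDS = "exceeds tolerance"                        # residual risk is still too high


def _check(value: int, upper: int, label: str) -> None:
    if not 0 <= value <= upper:
        raise ValueError(f"{label} must be in 0..{upper}, got {value}")


@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    compliance_driven: bool = False  # risk stems from a legal/regulatory obligation
    mitigation: Optional[str] = None
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        _check(self.probability, PROB_MAX, "probability")
        _check(self.impact, IMPACT_MAX, "impact")
        if self.mitigation is None:  # nothing deployed: residual equals inherent
            self.residual_probability, self.residual_impact = self.probability, self.impact
        if self.residual_probability is None:
            self.residual_probability = self.probability
        if self.residual_impact is None:
            self.residual_impact = self.impact
        _check(self.residual_probability, PROB_MAX, "residual_probability")
        _check(self.residual_impact, IMPACT_MAX, "residual_impact")
        # A mitigation can only lower risk; a residual above inherent is a data-entry error.
        if self.residual_probability > self.probability or self.residual_impact > self.impact:
            raise ValueError(f"{self.name}: residual risk exceeds inherent risk")

    @property
    def inherent_score(self) -> int:
        return self.probability * self.impact

    @property
    def residual_score(self) -> int:
        return self.residual_probability * self.residual_impact


def max_tolerated_probability(tolerance: int, impact: int) -> int:
    """Risk tolerance curve: the highest probability still accepted at a given impact.
    Since score = probability x impact, a severe impact is tolerable only at a low
    probability; zero impact puts nothing at stake, so any probability is tolerated."""
    if impact == 0:
        return PROB_MAX
    return min(PROB_MAX, floor(tolerance / impact))


def assess(risk: Risk, tolerance: int) -> str:
    """Classify one register entry against the agreed tolerance (0..40 on the assumed scale)."""
    if risk.residual_score > tolerance:
        return EXCEEDS
    if risk.compliance_driven and risk.mitigation is None:
        # Not meeting a compliance obligation is a risk not worth taking, whatever the score.
        return TREAT_COMPLIANCE
    if risk.inherent_score <= tolerance:
        return ACCEPT
    return ACCEPT_AFTER_MITIGATION


def summarize(register: List[Risk], tolerance: int) -> Dict[str, object]:
    """Outcome counts plus the names still needing attention, highest residual first."""
    counts: Dict[str, int] = {}
    attention: List[Risk] = []
    for risk in register:
        outcome = assess(risk, tolerance)
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome in (EXCEEDS, TREAT_COMPLIANCE):
            attention.append(risk)
    attention.sort(key=lambda r: r.residual_score, reverse=True)
    return {"counts": counts, "attention": [r.name for r in attention]}


# Constructed sample register; values are illustrative, not measured.
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", 4, 5,
         mitigation="MFA and awareness training", residual_probability=2),
    Risk("Ransomware on file servers", 3, 8,
         mitigation="Offline, tested backups", residual_impact=4),
    Risk("Missed breach-notification deadline", 1, 6, compliance_driven=True),
    Risk("Public website defacement", 2, 3),
    Risk("Insider exfiltration of product IP", 2, 8,
         mitigation="Data loss prevention", residual_impact=7),
]
TOLERANCE = 12  # assumed: the steering committee accepts scores up to 12

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:38} inherent={r.inherent_score:2} residual={r.residual_score:2} -> {assess(r, TOLERANCE)}")
```

With the assumed tolerance of 12, the curve gives a probability of at most 1 for an impact of 8 and any probability for an impact of 2, which is the "severe risks are tolerable only when unlikely" shape from the previous slide. The compliance rule is the one design choice worth noting: the deadline risk scores only 6, yet the script refuses to mark it accepted until a mitigation is recorded, because the page treats unmet obligations as a risk not worth taking regardless of likelihood.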

Track the high-level details of your compliance obligations with Info-Tech’s Information Security Compliance Template
1.6 Information Security Compliance Template

Assessing your ability to meet your compliance obligations is an important part of determining your organization’s overall risk tolerance.

In many cases, these obligations will set certain standards your organization must live up to, and failing to do so usually results in fines and other costs. In other words, not meeting compliance requirements and obligations is a risk not worth taking.

Use this template to record the regulations your organization is subject to so that you can quickly assess what each obligation requires.

Sometimes, organizations aim only to be compliant rather than fully secure. However, this approach is short-sighted. While compliance will limit some risks, there are still plenty of threats that exist outside of compliance obligation minimums.

Use compliance as a starting point, but seek to go beyond the minimum of what your obligations ask. That way, your organization will be able to handle a variety of complex threats.
If you want additional support, have our analysts walk you through this phase as part of an Info-Tech guided implementation
Book a guided implementation with our Info-Tech analysts:

Guided implementations offer an easy way to accelerate your project. Our analysts will work with you and your team over the phone to facilitate the activities outlined in the blueprint.

Getting key stakeholders together to formalize the program while getting started on developing your governance framework allows you to kick-start the overall program.

Guided Implementations are included in advisory memberships and offer additional support over a do-it-yourself approach by ensuring continuous improvement of your governance initiative.

Logan Rohde, Consulting Analyst – Security, Risk & Compliance, Info-Tech Research Group

Call 1-888-670-8889 for more information.
PHASE 2
Develop an Effective Governance Framework

Implement a Security Governance and Management Program
Step 2: Develop an Effective Governance Framework
Phase 1: 1.1 Appreciate security governance… to 1.6 Set an appropriate risk tolerance | Phase 2: 2.1 Blend the best of COBIT and NIST to 2.4 Create a governance charter, policies, and organizational… | Phase 3: 3.1 Track governance-related metrics… to 3.3 Reassess your governance framework

This step will walk you through the following activities:
• Blending the key parts of COBIT and NIST.
• Understanding your three lines of defense.
• Creating a governance charter, organizational structure, and supporting policies.

This step involves the following participants:
• Cybersecurity
• Business leaders
• Risk specialists

Outcomes of this step
• Improved risk management.
• Formed Security Governance Center of Excellence.
• Developed governance charter, supporting documents, and organizational structure.
• Assigned roles and responsibilities.
Phase 2 outline
Call 1-888-670-8889 or email [email protected] for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Guided Implementation 2: Develop an Effective Governance Framework
Proposed Time to Completion: 4-6 weeks

Step 2.1: Developing an Effective Framework
Start with an analyst kick-off call:
• Discuss separation of governance and management (COBIT 5).
• Address other challenges and how NIST helps with them.
• Consideration for a Security Governance Center of Excellence.
• Need for a governance charter and supporting documents.
Then complete these activities…
• Create governance charter.
• Draft organizational structure document.
• Assign governance roles and responsibilities.
With these tools & templates:
Information Security Charter Template
Security Governance Organizational Structure Template

Step 2.4: Governance Development Checkpoint II
Review findings with analyst:
• Talk through challenges with framework design and deployment.
• Discuss structure of three lines of defense.
• Address suitability of using a Center of Excellence.
Then complete these activities…
• Finalize charter and organization structure (including RACI chart).
• Establish Center of Excellence.

Phase 2 Results & Insights:
• Information security governance charter.
• Improved insight into organization structure and how it affects security.
• Assignment of roles and responsibilities.
• Establishment of Security Governance Center of Excellence.
2.1 Blend the best of COBIT and NIST
Prebuilt frameworks, like COBIT 5 and NIST’s Cybersecurity Framework, offer good starting points for developing your own governance framework.

COBIT 5 provides the key insight that management and governance are separate activities and should not be treated as the same. This point should be observed no matter how your governance framework shapes up.

NIST Cybersecurity Framework provides practical insights for making governance subcategories to help you develop your own framework, making sure that essentials like policy communication, role and responsibility alignment, legal and regulatory requirements, and risk management processes are included.
Image sources: ISACA; NIST

Your industry may use other frameworks, such as ISO, but this doesn’t mean you won’t benefit from studying COBIT and NIST. Most frameworks integrate well with each other.
Benefit from the wisdom of COBIT 5

COBIT reminds us not to blur the lines between governance and management; each has a unique role to play. Confusing them means wasted time and confusion around ownership.

Governance
• IT governance sets direction through prioritization and decision making, and monitors overall IT performance.
• Governance aligns with the mission and vision of the organization to guide IT.

Management
• Management is responsible for executing on, operating, and monitoring activities as determined by IT governance.
• Management makes decisions for implementing based on governance direction.

Image Source: ISACA
Appreciate the practicality of NIST

NIST uses the following subcategories in its framework. Use these suggestions as guidelines for developing the more granular aspects of your organization’s governance initiative.

Excerpted from NIST Framework for Improving Critical Infrastructure Cybersecurity

Governance:
• ID.GV-1: Organizational cybersecurity policy is established and communicated.
• ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
• ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
• ID.GV-4: Governance and risk management processes address cybersecurity risks.

Following this blueprint will set you up to meet these goals!
Image Source: NIST
2.2 Understand your three lines of defense
The three lines of defense risk management framework originally emerged after the dot-com bubble burst in the mid-to-late ’90s, and it became standard in the financial industry after the 2008 banking crisis. However, its principles can be applied to any industry as a risk management technique.

Incorporating the three lines of defense into your cybersecurity governance framework will help you identify and manage risk and ensure that your controls are providing the desired result.

Cyber risks: Everyone is talking about them, but most aren’t quite sure how to handle them.
– Christophe Veltsos, InfoSec, Risk, and Privacy Strategist, Minnesota State University, Mankato

First Line of Defense: Business Management
• Made up of managers who own and make decisions about risk (i.e. what actions are or are not permitted under the organization’s risk policies).
• Includes cybersecurity, who offers guidance for good decision making, but cannot veto decisions after they’ve been made.
• Addresses actual risks via established security controls.
• Manages security controls.
• Follows guidance of key risk indicators (KRIs).

To create an effective security program, two conditions must be in place: management and governance must be separate functions and there must be three lines of defense.
Lines of defense continued
The use of the three lines of defence to understand the system of internal control and risk management should not be regarded as an automatic guarantee of success. All three lines need to work effectively with each other and with the audit committee in order to create the right conditions.
– Chartered Institute of Internal Auditors

Second Line of Defense: Risk Management
• Committee of risk, compliance, and privacy specialists who provide oversight of the first line of defense.
• Has key role in setting risk tolerance.
• Responsible for developing high-level risk management policies.
• Develops KRI and ERM documents.
• Assesses effectiveness of security controls based on performance of the first line of defense.

Third Line of Defense: Independent Assurance
• Provided by the internal audit committee who operates independently of the other two lines to avoid conflicts of interest.
• May also include external audit.
• Measures the true effectiveness of the security governance framework by challenging the performance of the other two lines (i.e. makes them account for their risk management methods).
• Reports directly to board of directors to avoid conflicts of interest.
2.3 Support your first line of defense with a Security Governance Center of Excellence
A Center of Excellence (COE) is a department-like entity embedded within an organization to provide specific knowledge about a process or topic an organization is trying to develop in the interest of efficiency and organizational development.
Unlike a department though, a COE is usually less centralized and might incorporate people from several different departments or silos.

Maximize efficiency with a Security Governance Center of Excellence
• Using a COE allows first-line defenders to consult experts whenever they are not sure how to make risk-related decisions.
• The COE helps to support security controls by ensuring managers are observing those controls.
• This reduces the need for second- and third-line defenders to police the first.
2.4 Create a governance charter, policies, and organizational structure
A governance framework won’t support itself; you’ll need documents that define roles, responsibilities, procedures, expectations, and the overarching reporting structure your security program follows.

Once you’ve decided on your approach to developing a security governance framework, you’ll need documents to support it to make sure its various aspects can be efficiently communicated to the people who need to follow them (i.e. everyone).

• Remember: an organization’s policies should be customized to meet their unique needs. But this doesn’t mean you can’t start from a templated example.
• Review Info-Tech’s material for creating practical and effective information security policies by following the provided link.

Develop and Deploy Security Policies
Use this blueprint to develop policies specific to your organization to help support your governance framework.
Customize Info-Tech’s Information Security Charter Template
2.4 Information Security Charter Template

A charter is an essential document for defining the scope and purpose of a security project or program and is the foundation of any governance initiative.

Use this template to document your organization’s:
• Security vision, mission, and scope
• Strategic security and policy objectives
• Roles and responsibilities for developing the security program
• Risk tolerance statement
• Corporate and management commitment
• Evaluation and renewal requirements

Remember, a governance framework is a living organism (i.e. it will evolve over time). Make sure you review your information security charter every 12 months or so to confirm that it is still relevant and meeting your organization’s needs.
Customize Info-Tech’s Organizational Structure Template to define your organization’s chain of command
2.4 Security Governance Organizational Structure Template

Creating an effective governance framework involves understanding your organization’s reporting structure and how the various departments connect and interact with each other.

Because governance must be implemented top-down, it’s important to have a document outlining who answers to whom. Creating this document can also help you identify any conflicts of interest or other issues in your organization’s current structure.

This template also includes a RACI chart to help you assign roles and responsibilities for your overall governance initiative.

Ideally, security should be a department independent from IT to prevent a situation in which IT has authority over the security controls they are supposed to adhere to. In smaller organizations this isn’t always possible, but being aware of this potential conflict can go a long way towards improving organizational structure.
PHASE 3
Manage Your Governance Framework

Implement a Security Governance and Management Program
Step 3: Manage Your Governance Framework

This step will walk you through the following activities:
• Metrics tracking to streamline the initiative.
• Internally auditing your security controls.
• Reassessing your governance framework.

This step involves the following participants:
• Cybersecurity
• Risk specialists
• Audit committee

Outcomes of this step
• Established governance metrics.
• Identified gap between current and target security program.
• Gained insight into the effectiveness of your security controls.
Phase 3 outline
Call 1-888-670-8889 or email [email protected] for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Guided Implementation 3: Manage Your Governance Framework
Proposed Time to Completion: 8-12 weeks

Step 3.1: Metrics, Audits, and Why They Matter
Start with an analyst kick-off call:
• Discuss the value of metrics and insights they provide.
• Understand who should conduct your internal audits.
• Appreciate the need to reassess.
Then complete these activities…
• Track your governance-related metrics.
• Complete gap analysis.
With these tools & templates:
Security Metrics Assessment Tool

Step 3.3: Governance Development Checkpoint III
Review findings with analyst:
• Address challenges with metrics and audit.
• Discuss next steps for the maintenance and improvement of the governance initiative.
Then complete these activities…
• Fine-tune metrics tracking.
• Adjust security controls.

Phase 3 Results & Insights:
• Metrics program.
• How to improve governance framework for maximum effectiveness and business alignment.
3.1 Track governance-related metrics to streamline your initiative
All organizations change over time, and controls that were appropriate at one time may not be at another. Therefore, it is a good idea to track governance-related metrics to see whether or not your security controls need to be adjusted to meet security or business needs better.

As noted in Phase 1, business-security alignment is an essential part of getting a governance framework up and running.
• Don't forget that re-alignment should occur at regular intervals as part of maintaining good governance.
• Re-alignment is especially important during:
  o Major staffing changes on either the business or security end.
  o Business strategy overhaul (e.g. competing for a greater market share).
  o Identification of emerging industry-related threat(s).

A governance framework outlines an organization's laws of the land, but situations will arise in which these laws will be broken (out of necessity or otherwise). It is important to have the management function make sure the security program is doing what was intended; tracking metrics is an essential part of this effort.
Use Info-Tech’s Security Metrics Assessment Tool to help define your security objectives
3.1 Security Metrics Assessment Tool

1. Use this tool to assess the gap between your current and target state across a variety of security metrics categories.
2. Assess the results of the gap analysis and then move on to the metrics worksheet on tab 4, which will help you get your metrics program up and running.
3. Remember to complete the prioritization exercise on tab 5 so that you set realistic goals for your security program.

Info-Tech encourages the use of SMART metrics (Specific, Measurable, Assignable, Realistic, Time-bound). The included metrics meet these criteria; ensure that you follow suit when customizing this tool for your program.
3.2 Internally audit your security program

Internal audit provides your organization’s third line of defense – make sure you use it to give your security program regular check-ups.

• Trust is important for any organization, but when it comes to security, you’ll also need to ensure that the program is being followed.
• Perform regular audits to ensure that the governance framework is being observed, is properly understood, and is in overall good health.
• Audits are a key element of security program management.

It is essential that audits are not performed by the same people being audited. These audits will only be useful if they are conducted objectively. Therefore, they should be the duty of the risk management team (or similar body who is at an arm’s length from the security controls or processes being audited).
3.3 Reassess your governance framework
Follow your metrics. The numbers won't lie – as long as you’re honestly tracking metrics and performing regular audits.

Now that your governance initiative is up and running, it will need to be maintained (and, ideally, improved).

• Using what you learn from your internal audits and metrics tracking, reassess your governance framework every 12 months to see if there are any recurring problems that tweaking the framework may help to correct.

Reassessing your framework’s success may reveal the need for additional end-user training and awareness. Use Info-Tech’s Humanize the Security Awareness and Training Program blueprint to help you meet these needs.

Review your metrics to ensure that your security controls are not too tight or too loose, and verify if they need to be updated to address changes in business operations not accounted for the last time the governance framework was updated.
Establish baseline metrics
Baseline metrics will improve through:
1. Decreased security incidents: via regular maintenance and management of the governance framework to ensure suitability of security controls.
2. Increased insight into policy exceptions and non-compliance: either of these cases implies some part of your governance framework needs to be adjusted.
3. Regular internal audits: helps to identify potential issues before they become entrenched behaviors that cause additional security problems.

Below are some examples taken from the Security Metrics Assessment Tool included in the blueprint (sample values):

Metric Description | Current Metric | Future Goal
Number of information security incidents (by severity): | 60 | 24
Number of policy exceptions during a given period: | 36 | <12
On-time/satisfactory audit completion rate: | 1 | 4
Annual cost of information security controls: | $70,000 | $50,000
Other metric (six further rows are left blank for your own metrics) | |
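The gap analysis that the Security Metrics Assessment Tool performs on a table like this one can be reproduced in a few dozen lines. The following is an added example for this page, not Info-Tech’s tool: the baseline and target cells are the sample rows above, while the later-period "current" values and each metric’s direction (whether lower or higher is better) are assumptions. It parses cells as written in the table ("$70,000", "<12"), treats a strict target such as "<12" as first satisfied at 11 for a count metric, reports how much of each baseline-to-goal gap has been closed, and orders the rows so the metric making the least progress heads the list.

```python
"""Gap analysis for governance metrics: how far each metric is from its target.
Constructed example for this page, not Info-Tech's Security Metrics Assessment Tool.
Baseline and target values come from the sample table above; the 'current' values and
each metric's lower-or-higher-is-better direction are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import re


def parse_value(cell: str) -> Tuple[float, bool]:
    """Turn a table cell such as '60', '$70,000' or '<12' into (number, strict_upper_bound)."""
    text = cell.strip()
    strict = text.startswith("<")
    digits = re.sub(r"[^0-9.]", "", text)
    if not digits:
        raise ValueError(f"no number in metric cell: {cell!r}")
    return float(digits), strict


@dataclass(frozen=True)
class Metric:
    name: str
    baseline: float           # value when the metrics program started
    current: float            # value in the latest period
    target: float             # future goal from the assessment
    strict: bool = False      # target was written '<N': must get strictly below N
    lower_is_better: bool = True

    @classmethod
    def from_row(cls, name: str, baseline: str, current: str, target: str,
                 lower_is_better: bool = True) -> "Metric":
        tgt, strict = parse_value(target)
        return cls(name, parse_value(baseline)[0], parse_value(current)[0], tgt, strict, lower_is_better)

    @property
    def goal(self) -> float:
        # '<12' on a count metric is first satisfied at 11 (counts assumed to be integers).
        return self.target - 1 if (self.strict and self.lower_is_better) else self.target

    def met(self) -> bool:
        return self.current <= self.goal if self.lower_is_better else self.current >= self.goal

    def remaining(self) -> float:
        """Distance still to cover in the metric's own units; 0 once the goal is met."""
        diff = self.current - self.goal if self.lower_is_better else self.goal - self.current
        return max(0.0, diff)

    def progress(self) -> float:
        """Fraction of the baseline-to-goal gap closed so far, clipped to 0..1."""
        total = abs(self.baseline - self.goal)
        if total == 0:  # no gap to close: only whether the goal holds matters
            return 1.0 if self.met() else 0.0
        return max(0.0, min(1.0, (total - self.remaining()) / total))


def report(metrics: List[Metric]) -> List[Dict[str, object]]:
    """One row per metric, least progress first, so the laggards head the agenda."""
    rows = [{"metric": m.name, "met": m.met(), "remaining": m.remaining(),
             "progress": round(m.progress(), 3)} for m in metrics]
    return sorted(rows, key=lambda row: row["progress"])


# Baseline/target cells reuse the page's sample table; 'current' cells are constructed.
SAMPLE_METRICS = [
    Metric.from_row("Number of information security incidents", "60", "42", "24"),
    Metric.from_row("Number of policy exceptions during a given period", "36", "12", "<12"),
    Metric.from_row("On-time/satisfactory audit completion rate", "1", "2", "4", lower_is_better=False),
    Metric.from_row("Annual cost of information security controls", "$70,000", "$64,000", "$50,000"),
]

if __name__ == "__main__":
    for row in report(SAMPLE_METRICS):
        print(row)
```

Two edge cases are handled deliberately: a metric that has regressed below its baseline reports 0 progress rather than a negative number, and a metric whose baseline already equals its goal reports 1.0 without dividing by zero. The audit-completion row shows why direction matters: read as "lower is better" it would look like it had slipped, while as "higher is better" it is a third of the way to its goal.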


Insight breakdown

Business and security goals should be the same.


• Businesses cannot operate without security, and security’s goal is to enable safe business operations.
• Therefore, security and business share the same goal: the overall success of the business (otherwise neither will have
jobs).
• These departments rely on each other, so business and security need to align their goals and objectives for mutual
success.

Security governance supports security strategy and management.


• These three elements create a protective arch around business operations, and governance is the keystone.
• Governance may seem like a small aspect, but it holds the whole program together.
• It provides a framework that works in the background of the more active elements: management and strategy.

Governance defines the laws, but they need to be policed.


• Governance sets standards for what actions are permitted, but only management can verify that these standards are
being observed.
• The governance framework will need to be managed, but don’t confuse governance and management activities.
• Be sure to track metrics, internally audit security controls, and reassess your framework every 12 months to keep your
governance initiative in good health.



Summary of accomplishment

Knowledge Gained
• Importance of business-security alignment via risk tolerance.
• Understanding that business and security share the same goals.
• Why governance needs to be separated from management.
• Implementation of three lines of defense and the value of doing so.
• Advantages of a Security Governance Center of Excellence.
• Developing information security charter, policies, and organizational structure.
• Importance of tracking metrics and internal audit to manage the governance initiative.

Processes Optimized
• Definitions of security governance, strategy, and management
• Executive support for security governance
• Business-security alignment
• Assembling steering committee
• Risk assessment and setting risk tolerance
• Development, maintenance, and management of governance framework
• Meeting compliance obligations
• Formalization of documents
• Metrics tracking
• Internal audit

Deliverables Completed
• Information Security Governance Business Case
• Information Security Steering Committee Charter
• Security Risk Register
• Information Security Compliance Template
• Information Security Charter
• Security Governance Organizational Structure Template
• Security Metrics Assessment Tool



Research contributors and experts

Scott Trickett, Director of IS Infrastructure\Operations, Chesapeake Employers’ Insurance

Dave Millier, CEO, Uzado Inc.



Two anonymous contributors



Related Info-Tech research

Humanize the Security Awareness and Training Program
If it’s not human-centric, you’re not training your humans.

Build an Information Security Strategy
Tailor best practices to effectively manage information security.



