Implement a Security Governance and Management Program: Phases 1-3
Align security and business objectives to get the greatest benefit from both.
Info-Tech Research Group Inc. is a global leader in providing IT research and advice.
Info-Tech’s products and services combine actionable insight and relevant advice with
ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2019 Info-Tech Research Group Inc.
Table of contents
1. Project Rationale
2. Execute the Project/DIY Guide
3. Summary/Conclusion
4. Next Steps
5. Appendices
This Research Is Designed For:
• CISOs, CSOs, CEOs, CIOs, IT leaders, and business leaders who would like to improve alignment between security and business activities, optimize security resources, implement an effective risk mitigation strategy, and improve the transparency of security initiatives.
• CISOs, CSOs, and CIOs who would like to better support the business.

This Research Will Help You:
• Develop a comprehensive information security governance and management framework.
• Apply your security governance framework to your organization and create a roadmap for implementation.
• Develop a metrics program to monitor and improve your security governance program.
Situation
• Security programs tend to focus on technology to protect organizations while often neglecting the people, processes, and policies needed to manage the program.
• It seems daunting and almost impossible to govern all the aspects of a security program.

Complication
• This leads to several problems:
o The security team often doesn’t understand business goals.
o The organization lacks direction regarding security initiatives and how to prioritize them.
o Risks are not treated appropriately.

Info-Tech Insight
1. Business and security goals should be the same. Businesses cannot operate without security and security's goal is to enable safe business operations.
2. Security governance supports security strategy and management. These three elements create a protective arch around business operations, and governance is the keystone. It seems like a small aspect, but it holds the whole program together.
3. Governance defines the laws, but they need to be policed. Governance sets standards for what actions are permitted, but only management can verify that these standards are being observed.
Resolution
• Your security governance and management program needs to be aligned with business goals to be effective.
• This approach also helps to provide a starting point to develop a realistic governance and management program.
• This project will guide you through the process of implementing and monitoring a security governance and management
program that prioritizes security while keeping costs to a minimum.
• Start by defining your organization’s risk tolerance to begin the process of aligning security objectives with business goals.
• Develop a governance framework that supports these aligned objectives and goals.
• Manage the governance program through regular audits, metrics tracking, and regular review of the framework’s
successes and shortcomings.
Developing a governance framework is a large undertaking; it’s important to start small to make the project
manageable.
In this blueprint we will focus on the following steps:
• Aligning business goals and security objectives.
• Setting an appropriate risk tolerance and monitoring threats.
• Deploying three lines of defense.
• Developing policies, charters, and defining organizational structure.
• Tracking security metrics and the importance of regular audits.
• And more!

In some cases, it’s better to work backwards…
For less-mature organizations, it might be more appropriate to start by developing a security strategy to outline the basics before developing a governance framework. Info-Tech’s blueprint Build an Information Security Strategy will walk you through the process of creating a security program specific to your organization. It focuses on the following processes:
• Assessing security requirements
• Building a gap initiative strategy
• Prioritizing security initiatives
Security governance framework (figure): Organizational Structure; Management Review of Security Strategy and Security; External Security Audit; Culture and Awareness; Communication; and Prevention, which covers Identity Security (Identity and Access Management), Infrastructure Security (Vulnerability Management, Network Security, Endpoint Security, Cryptography Management), HR Security, Data Security & Privacy, Application Security, Cloud Security, and Vendor Management.
It’s true that both groups have different ideas about what the organization’s ideal
state is, but security and the business have more in common than they do in
conflict. They just aren’t used to seeing it that way.
Business goals and security goals are related and have a tendency to affect each other, making business-
security alignment an iterative process that takes ongoing effort. This effort is well worth it as it leads to
maximum cooperation and thus maximum efficiency.
It is true that business leaders and security professionals have different ideas about what an
organization’s ideal state is, but this difference can be overcome with a little understanding.
• Yet it should be understood that security is the focus. Going forward, convenience must
take a backseat to security in order for security governance to actually have an effect on
the organization; however, convenience is a risk that should be managed rather than
removed – a total security lockdown won’t improve business outcomes, but good
governance will.
Security governance is an integral part of IT governance and
corporate governance.
Governance specifies the accountability framework and provides oversight to ensure that
risks are adequately mitigated, while management ensures that controls are implemented
to mitigate risks. Management recommends security strategies. Governance ensures that
security strategies are aligned with business objectives and consistent with regulations.
– EDUCAUSE
• It is true that without good governance security programs often fail to produce results.
• However, it is also true that without good governance security programs can become too
restrictive, preventing the business from operating smoothly.
• The goal is to create an effective governance framework that keeps the business safe, but also
running smoothly – not just adding security, but the right level of security.
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform
the activity or step associated with the slide. Refer to the supporting tool or template to get
the best results and proceed to the next step of the project.
This icon denotes a slide with an associated activity. The activity can be performed either as
part of your project or with the support of Info-Tech team members, who will come onsite to
facilitate a workshop for your organization.
Engagement options:
• DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
• Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
• Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
• Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Guided Implementations

Phase 1 Outcome:
• Business Case Presentation Deck
• Information Security Steering Committee Charter
• Risk Register

Phase 2 Outcome:
• Information Security Charter
• Security Governance Organizational Structure

Phase 3 Outcome:
• Security Metrics Assessment
Steps: 1.1 Appreciate security governance… | 1.6 Set an appropriate risk tolerance | 2.1 Blend the best of COBIT and NIST | 2.4 Create a governance charter, policies, and organizational… | 3.1 Track governance-related metrics… | 3.3 Reassess your governance framework
This step will walk you through the following activities:
• Plan for common security governance and management challenges.
• Understand the benefits of security governance.
• Prepare a business case to present to the board.
• Assemble the security governance steering committee.
• Set an appropriate risk tolerance.

This step involves the following participants:
• Cybersecurity
• Business leaders and decision makers
• Risk specialists

Step 1.1: Understand What Security Governance Means for You
Start with an analyst kick-off call:
• Discuss security governance, strategy, and management.
• Understand the importance of business-security alignment.
• Discuss how to begin setting an appropriate risk tolerance.

Step 1.6: Governance Development Checkpoint I
Review findings with analyst:
• Discuss progress with getting executive support.
• Address challenges with assembling steering committee.
• Discuss progress on establishing risk tolerance and deploying risk register.
These elements do overlap with each other and the terms are sometimes used interchangeably. However,
each refers to a specific element of the overall security program and it’s important to account for them.
As a general rule, the more mature an organization, the more these elements will be separated from
each other. However, the point is not to get hung up on naming conventions – just make sure each
element is accounted for to get the most from your security program.
In this model, governance appears to be the smallest element of the arch. However, this does not mean it
is the least important. Rather, governance is a framework that works in the background of the more active
elements: management and strategy. Governance is also the keystone of the security arch, meaning that
it is the essential component holding the arch together by ensuring that the other elements are adequately
supported.
Security arch (figure): Governance is the keystone, with Management and Strategy as the two supporting pillars standing over Business Operations.
• Countering these behaviors is exactly why a governance framework is needed.
• Without well-defined controls in place, security will continue to be an afterthought for end users.

• The governance framework will need maintenance to ensure it is working properly.
• This is why management is a necessary component of any governance initiative.

• Convincing them to invest in the most worthwhile security protocols can still create some friction.
• Strategy should be developed alongside governance to prioritize security needs.
Non-compliance, enforcement, and budget are broad challenges made up of more-specific issues.
• Be sure to consider how the following might present unique obstacles for your organization’s
governance initiative – each one presents a specific talking point that you can use to highlight a
problem and how you plan to solve it, thus convincing executives of the value of security governance.
• Rest assured, this blueprint will prepare you for meeting these challenges!
3. Reduce costs
• Investing in security now helps prevent huge costs associated with data breaches later.
• Remember: not all costs are monetary; reputational damage can also be very costly.
A governance framework is what holds an organization's security posture upright. Without one, an
organization’s overall security can become too lax, posing additional risks to the health and longevity
of the business.
Security controls can restrict business operations. In today's cybersecurity landscape there are too many threats to not have some protection. A business can’t operate without security and security must enable business operations. The two need to cooperate to ensure an organization's success.
Use Info-Tech’s business case template to convey the
need for security governance
1.4 Information Security Governance and Management Business Case Template
When giving this presentation, remember to emphasize the need to set an appropriate risk tolerance. This is a key part of
security-business alignment (step 1.6 of this blueprint).
green light, you will need to create a steering committee to:
• Develop the policies that will make up the governance framework.
• Verify that the governance implementation is on schedule and going to plan.
• Offer guidance for effective management.

The steering committee membership should represent security and business personnel equally to make the process as democratic as possible.

• Your steering committee should contain approximately six people.
• This amount allows for various viewpoints to be represented while balancing the need to get things done.
• Avoid committees with more than eight people; they tend to struggle with decision making.

Check out Info-Tech’s resources on using an ISSC, including the blueprint Improve Security Governance With a Security Steering Committee.
When deciding on steering committee participants, don’t forget to account for the unique qualities of
your organization. It may be appropriate to include members from outside security or business-related
departments, such as HR, particularly if your organization needs to protect a lot of sensitive employee
data.
Typical ISSC responsibilities and duties
Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on.
These should link directly to the Responsibilities and Duties section of your ISSC charter.
Strategic Oversight
• Provide oversight and ensure alignment between information security governance and company objectives.
• Assess the adequacy of resources and funding to sustain and advance successful security programs and practices for identifying, assessing, and mitigating cybersecurity risks across all business functions.
• Review controls to prevent, detect, and respond to cyberattacks or information or data breaches involving company electronic information, intellectual property, data, or connected devices.
• Review the company’s cyber insurance policies to ensure appropriate coverage.
• Provide recommendations, based on security best practices, for significant technology investments.

Policy Governance
• Review company policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.
• Review privacy and information security policies and standards as well as the ramifications of updates to policies and standards.
• Establish standards and procedures for escalating significant security incidents to the ISSC, board, other steering committees, government agencies, and law enforcement, as appropriate.
ISSC responsibilities and duties continued
Risk Governance
• Review and approve the company’s information risk governance structure and key risk management processes and capabilities.
• Assess the company’s high-risk information assets and coordinate planning to address information privacy and security needs.
• Provide input to executive management regarding the enterprise’s information risk tolerance.
• Review the company’s cyber response preparedness, incident response plans, and disaster recovery capabilities as applicable to the organization’s information security strategy.
• Promote an open discussion regarding security and information risk, and integrate information risk management into the enterprise's objectives.

Monitoring & Reporting
• Receive periodic reports and coordinate with management on the metrics used to measure, monitor, and manage cyber and IT risks posed to the company, and review periodic reports on selected risk topics as the committee deems appropriate.
• Review reports provided by the IT organization regarding the status of and plans for the security of the company’s data stored on internal resources and with third-party providers.
• Monitor and evaluate the quality and effectiveness of the company’s technology capabilities for disaster recovery, data protection, cyber threat detection, and cyber incident response, and management of technology-related compliance risks.
1.5 (90 minutes)
Once the steering committee is established, they’ll need to get to know each other and learn what other members value. To help facilitate this process, have cybersecurity and business leaders talk to each other about their ideal scenarios for the organization.

Follow this process:
1. Divide into departmental teams.
2. Have each team prepare a mini presentation explaining their goals and why they're important.
3. Allow the other team(s) to give constructive rebuttals for elements of the other teams’ presentations they disagree with.
4. Avoid starting fights (this isn’t the point); the goals for this exercise are to:
• Discuss possible solutions or compromises.
• Begin conversations around risk tolerance.
• Have the steering committee get a sense of what the organization's risk tolerance actually is, not where they think it is or wish it to be.

Things to consider when making presentations:
• Past incidents and their costs.
• Alignment of security and business goals.
• Compliance obligations.
• Industry’s threat landscape.
• Business pressures.
• Resources.
• Consequences of losing various data types.
• Point when a security incident would prevent business operations.
• Roles and responsibilities.

Many organizations think of themselves as having a low risk tolerance. However, upon closer inspection of what they are willing to tolerate, these same organizations often fall into the moderate risk tolerance category.
2. Evaluating each risk individually to determine at what point it would become intolerable.
• Remember to account for compliance obligations while completing these activities.

Risk tolerance heat map (figure): probability on the vertical axis, impact on the horizontal axis, with a risk tolerance line separating the region where you accept the risk from the region where it must be treated. Risks can be tolerated provided their probability is low. Business and security can align by agreeing what is and is not an acceptable risk.
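The heat-map decision rule and the two activities above (fixing a tolerance line, then finding the point at which each risk crosses it) can be expressed as a small scored risk register. The following is an added example written for this page; it is not Info-Tech's Risk Register tool or any Info-Tech code. The 1-5 probability and impact scales, the product scoring, the tolerance threshold of 9, the rule that compliance obligations are never accepted, and the sample risks are all constructed for illustration. It also covers the insight that organizations often tolerate more than they say: the implied tolerance is read off the risks they already live with.

```python
"""Score a risk register against an agreed risk tolerance.

Added example for the risk-tolerance activity; it is not Info-Tech's Risk
Register tool. The 1-5 scales, the tolerance threshold, the compliance rule
and the sample risks are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Qualitative 1-5 rating scales (constructed; adapt to your organization).
PROBABILITY = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    impact: int
    # True when a law, regulation or contract obliges the organization to treat
    # this risk; such risks are never "accepted", whatever their score.
    compliance_obligation: bool = False

    def __post_init__(self) -> None:
        if self.probability not in PROBABILITY or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: probability and impact must be rated 1-5")

    @property
    def score(self) -> int:
        # Position on the heat map: probability on one axis, impact on the other.
        return self.probability * self.impact


def decide(risk: Risk, tolerance: int) -> str:
    """'accept' if the risk sits at or below the tolerance line, else 'treat'."""
    if risk.compliance_obligation:
        return "treat"
    return "accept" if risk.score <= tolerance else "treat"


def intolerable_at(risk: Risk, tolerance: int) -> Optional[int]:
    """Lowest probability rating at which this risk, with its impact held fixed,
    crosses the tolerance line (activity step 2). None means it stays tolerable
    even when 'almost certain'."""
    for p in sorted(PROBABILITY):
        if p * risk.impact > tolerance:
            return p
    return None


def assess(register: Iterable[Risk], tolerance: int) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each risk name to (decision, probability at which it turns intolerable)."""
    return {r.name: (decide(r, tolerance), intolerable_at(r, tolerance)) for r in register}


def implied_tolerance(register: Iterable[Risk], accepted_in_practice: Set[str]) -> int:
    """Tolerance the organization actually lives with: the highest score among
    risks it currently leaves untreated."""
    return max((r.score for r in register if r.name in accepted_in_practice), default=0)


def tolerance_reality_check(register: Iterable[Risk], stated: int,
                            accepted_in_practice: Set[str]) -> Tuple[int, int, bool]:
    """Return (stated, implied, consistent). When implied > stated, the stated
    figure is an aspiration rather than the organization's real tolerance."""
    implied = implied_tolerance(register, accepted_in_practice)
    return stated, implied, implied <= stated


# Constructed sample register; a score of 9 is treated as "moderate" tolerance here.
STATED_TOLERANCE = 9
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", probability=4, impact=4),
    Risk("Lost unencrypted laptop", probability=2, impact=4),
    Risk("Unpatched legacy server", probability=3, impact=4),
    Risk("Cardholder data kept past retention period", probability=1, impact=5,
         compliance_obligation=True),
    Risk("Shared printer outage", probability=5, impact=1),
]
# Risks the committee discovers nobody is treating today (constructed).
ACCEPTED_IN_PRACTICE = {"Lost unencrypted laptop", "Unpatched legacy server",
                        "Shared printer outage"}


if __name__ == "__main__":
    for name, (decision, p) in assess(SAMPLE_REGISTER, STATED_TOLERANCE).items():
        turning = (f"intolerable from probability {p} ({PROBABILITY[p]})"
                   if p is not None else "tolerable at any probability")
        print(f"{name}: {decision}; {turning}")
    print("stated / implied / consistent:",
          tolerance_reality_check(SAMPLE_REGISTER, STATED_TOLERANCE, ACCEPTED_IN_PRACTICE))
```

With the constructed register, the unpatched legacy server scores 12 against a stated tolerance of 9, so the organization that says it is "low tolerance" is in practice living with a moderate one; the compliance-flagged risk is routed to treatment even though its score of 5 sits well inside the tolerance line.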
This step will walk you through the following activities:
• Blending the key parts of COBIT and NIST.
• Understanding your three lines of defense.
• Creating a governance charter, organizational structure, and supporting policies.

This step involves the following participants:
• Cybersecurity
• Business leaders
• Risk specialists

Step 2.1: Developing an Effective Framework
Step 2.4: Governance Development Checkpoint II
Your industry may use other frameworks, such as ISO, but this doesn’t mean you won’t
benefit from studying COBIT and NIST. Most frameworks integrate well with each
other.
Benefit from the wisdom of COBIT 5
COBIT reminds us not to blur the lines between governance and management;
each has a unique role to play. Confusing them means wasted time and confusion
around ownership.
COBIT 5 governance and management domains (figure): Governance | Management
NIST uses the following subcategories in its framework. Use these suggestions as guidelines
for developing the more granular aspects of your organization’s governance initiative.
• ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and
external partners.
• ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
obligations, are understood and managed.
Incorporating the three lines of defense into your cybersecurity governance framework will help you
identify and manage risk and ensure that your controls are providing the desired result.
Cyber risks: Everyone is talking about them, but most aren’t quite sure how to handle
them.
– Christophe Veltsos, InfoSec, Risk, and Privacy Strategist
Minnesota State University, Mankato
• Made up of managers who own and make decisions about risk (i.e. what actions are or are not permitted under the
organization’s risk policies).
• Includes cybersecurity, who offers guidance for good decision making, but cannot veto decisions after they’ve been made.
• Addresses actual risks via established security controls.
• Manages security controls.
• Follows guidance of key risk indicators (KRIs).
To create an effective security program, two conditions must be in place: management and
governance must be separate functions and there must be three lines of defense.
This step will walk you through the following activities:
• Metrics tracking to streamline the initiative.
• Internally auditing your security controls.
• Reassessing your governance framework.

This step involves the following participants:
• Cybersecurity
• Risk specialists
• Audit committee
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of
2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Guided Implementation 3: Manage Your Governance Framework
Proposed Time to Completion: 8-12 weeks
Step 3.1: Metrics, Audits, and Why They Matter
Step 3.3: Governance Development Checkpoint III
A governance framework outlines an organization's laws of the land, but situations will arise in which
these laws will be broken (out of necessity or otherwise). It is important to have the management
function make sure the security program is doing what was intended; tracking metrics is an essential
part of this effort.
Use Info-Tech’s Security Metrics Assessment Tool to
help define your security objectives
3.1 Security Metrics Assessment Tool
Internal audit provides your organization’s third line of defense – make sure you use it to
give your security program regular check-ups.
It is essential that audits are not performed by the same people being audited. These audits will only
be useful if they are conducted objectively. Therefore, they should be the duty of the risk
management team (or similar body who is at an arm’s length from the security controls or processes
being audited).
3.3 Reassess your governance framework
Follow your metrics. The numbers won't lie – as long as you’re honestly tracking
metrics and performing regular audits.
Review your metrics to ensure that your security controls are not too tight or too loose, and verify if
they need to be updated to address changes in business operations not accounted for the last time
the governance framework was updated.
Deliverables Completed
• Information Security Governance Business Case
• Information Security Steering Committee Charter
• Security Risk Register
• Information Security Compliance Template
• Information Security Charter
• Security Governance Organizational Structure Template
• Security Metrics Assessment Tool
Cisco. “Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions
Organizations Are Taking.” Web.
Chartered Institute of Internal Auditors. “Governance of Risk: Three Lines of Defence.” Web.
Thales. “2018 Thales Data Threat Report: Trends in Encryption and Data Security Global Edition.” Web.
PwC. “Strengthening Digital Society against Cyber Shocks: Key Findings from 'The Global State of Information Security
Survey 2018.” Web.
Veltsos, Christophe. “Take a Load Off: Delegate Cyber Risk Management Using the Three Lines of Defense Model.” IBM Security Intelligence. Web.