In today's global business environment, the significance of information is widely accepted, and information systems are pervasive within business and governmental organisations. Indeed, it may be said that the growth and success of nearly all enterprises rely on harnessing information technology (IT) for secure, profitable use. To address this need and the emerging discipline of information security governance, the IT Governance Institute recently released its monograph, Information Security Governance: Guidance for Boards of Directors and Executive Management.
The growing dependence of most organisations on their information systems, coupled with the risks, benefits and opportunities that IT carries, has made IT governance an increasingly critical facet of overall governance. Boards and management need to ensure that IT is aligned with enterprise strategies and that enterprise strategies take proper advantage of IT.
Within the IT governance debate, information security issues are taking a prominent place.
Security breaches are an increasingly common occurrence. As early as 1996, the US General Accounting Office (GAO) reported that the US Department of Defense experienced as many as 250,000 attacks on 15,000 systems the previous year, of which 65 percent were successful, costing hundreds of millions of dollars. More sobering is that only 400 of these were detected and only 20 reported. In 1996, it was largely a point of vulnerability. Five years later it is a definite threat, as illustrated by the recent US Federal Bureau of Investigation (FBI) probe into the extortion of more than 100 e-commerce sites by attackers not only threatening to disclose customer information, but actually carrying out their threats. Many national governments have recognised the importance of security, establishing initiatives to reinforce such measures as segregating infrastructures according to their sensitivity, investing in better authentication methods and making users of the infrastructure accountable for their actions.
Executive management has a responsibility to ensure that the organisation provides all users with a secure information systems environment. Furthermore, organisations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognising the benefits that can accrue from having secure information systems.
Thus, as dependence on information systems increases, so too does the criticality of information security, bringing with it the need for effective information security governance.
What Is Information Security?
Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, the valuable assets are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium. The information must be protected against harm from threats that exploit vulnerabilities, resulting in loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional damage. Protection arises from a layered series of technological and nontechnological safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls. These safeguards should address both threats and vulnerabilities in a balanced manner.
The objective of information security is "protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity." While emerging definitions are adding concepts such as information usefulness and possession (the latter to cope with theft, deception and fraud), the networked economy has stressed the need for trust and accountability in electronic transactions. For most organisations, the security objective is met when:
- Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from failures (availability)
- Information is observed by or disclosed to only those who have a right to know (confidentiality)
- Information is protected against unauthorised modification (integrity)
- Business transactions as well as information exchanges among enterprise locations or with partners can be trusted (authenticity and nonrepudiation)
The relative priority and significance of availability, confidentiality, integrity, authenticity and nonrepudiation vary according to the data within the information system and the business context in which they are used. For example, integrity is especially important relative to management information due to the impact that information has on critical strategy-related decisions.
Simply put, when properly implemented, information security governance should provide four basic outcomes:
1) Strategic alignment
- Security requirements driven by enterprise requirements
- Security solutions fit for enterprise processes
- Investment in information security aligned with the enterprise strategy and agreed-upon risk profile
2) Value delivery
- A standard set of security practices, e.g., baseline security following best practices
- Properly prioritised and distributed effort to areas with greatest impact and business benefit
- Institutionalised and commoditised solutions
- Complete solutions, covering organisation and process as well as technology
- A continuous improvement culture
3) Risk management
- Agreed-upon risk profile
- Understanding of risk exposure
- Awareness of risk management priorities
4) Performance measurement
- Defined set of metrics
- Measurement process with feedback on progress made
- Independent assurance
The days of issuing a policy, educating users and then expecting that everyone will comply are gone. The speed with which risks emerge and the rate of change require a different and continuous approach, referred to as "test and patch". This implies continuous monitoring and testing of the infrastructure and environment for vulnerabilities, and the required response in terms of security fixes through the security management function, improved defences and changed policies, as illustrated in figure 1.
Why Is Information Security Important?
Information systems can generate many direct and indirect benefits, and as many direct and indirect risks. These risks have led to a gap between the need to protect systems and the degree of protection applied. The gap is caused by:
- Widespread use of technology
- Interconnectivity of systems
- Elimination of distance, time and space as constraints
- Unevenness of technological change
- Devolution of management and control
- Attractiveness of conducting unconventional electronic attacks against organisations
- External factors such as legislative, legal and regulatory requirements or technological developments
This means there are new risk areas that could have a significant impact on critical business operations, such as:
- Increasing requirements for availability and robustness
- Growing potential for misuse and abuse of information systems affecting privacy and ethical values
- External dangers from hackers, leading to denial-of-service and virus attacks, extortion and leakage of corporate information
Because new technology provides the potential for dramatically enhanced business performance, improved and demonstrated information security can add real value to the organisation by contributing to interaction with trading partners, closer customer relationships, improved competitive advantage and protected reputation. It can also enable new and easier ways to process electronic transactions and generate trust.
How Should the Board and Management Ensure Information Security Governance?
Boards and management have several fundamental responsibilities within information security governance. They should:
- Understand why information security needs to be governed
- Ensure that it fits in the IT governance framework. Effective security is not just a technology problem; it is a business issue. Related risk management must address the corporate culture and management's security consciousness and actions. Sharing information with those responsible for governance is critical to success. An information security programme is a risk mitigation method like other control and governance actions and therefore should clearly fit into overall enterprise governance.
- Take board-level action, such as:
  - Becoming informed about information security
  - Setting direction, i.e., driving policy and strategy, and defining a global risk profile
  - Providing resources to information security efforts
  - Assigning responsibilities to management
  - Setting priorities and supporting change
- Take management-level action, such as:
  - Writing the security policy, with business input
  - Ensuring that individual roles, responsibilities and authority are clearly communicated and understood by all
  - Identifying threats, analysing vulnerabilities and identifying industry practices for due care
  - Setting up a security infrastructure
  - Developing a security and control framework that consists of standards, measures, practices and procedures, after a policy has been approved by the governing body of the organisation and related roles and responsibilities have been assigned
  - Conducting periodic reviews and tests
  - Embedding awareness of the need to protect information, and offering training in the skills needed to operate information systems securely and to respond to security incidents
  - Ensuring that security is considered an integral part of the systems development life cycle process and is explicitly addressed during each phase of the process
Asking the Right Questions
Those responsible for governance may need some thought-provoking and awareness-raising questions to uncover information security issues and to get a feel for what is being done about the issues. A few sample questions are provided for each topic.
1) To Uncover Information Security Issues
- When was the last time top management got involved in security-related decisions? How often does top management get involved in progressing security solutions?
- Does management know who is responsible for security? Does the responsible individual know? Does everyone else know?
- Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
2) To Find Out How Management Addresses the Information Security Issues
- Is the enterprise clear on its position relative to IT and security risks? Does it tend toward risk-avoidance or risk-taking?
- How much is being spent on information security? On what? How were the expenditures justified? What projects were undertaken to improve security last year?
- How many of the staff had security training last year? How many of the management team received training?
3) To Self-assess Information Security Governance Practices
- Is management confident that security is being adequately addressed in the company?
- Is management aware of the latest IT security issues and best practices?
- What are other people doing, and how is the enterprise placed in relation to them?
This article is a synopsis of Information Security Governance: Guidance for Boards of Directors and Executive Management, which is now posted for complimentary download on the www.itgi.org web site. Hard copies are available in the ISACA Bookstore, www.isaca.org/bookstore. The complete publication offers further detail on the topics covered briefly in this article, and:
- Provides more questions for boards of directors and management to ask to assure the successful implementation of IT governance
- Suggests best practices for boards and management
- Defines critical success factors for information security governance
- Outlines performance measures to help determine if the information security governance programme is succeeding
- Describes a maturity model for measuring an enterprise's level of information security governance maturity
- Offers information on other leading standards-setting and regulatory bodies' statements on information security
Erik Guldentops, CISA
was until recently security advisor for the Society of Worldwide Interbank Financial Telecommunication (SWIFTsc) in Brussels, Belgium, where he previously held the positions of chief inspector and director of information security. SWIFT provides secure global communication to more than 7,000 financial institutions in more than 190 countries. More than five million messages valued in trillions of dollars are sent over SWIFT's network every business day. Guldentops is advisor to the board of the IT Governance Institute and an executive professor in the management school of the University of Antwerp, Belgium, where he teaches on the subjects of IT security and control, IT governance and risk management. He initiated and has headed up the development of COBIT since the early 1990s and is currently chair of ISACA's COBIT Steering Committee.