JOnline: How Does Information Security Fit Into a Governance Framework? 

Download Article

Information systems (IS) security has had a tough childhood. Its value proposition has been obscured. In its infancy, suppliers and businesses did not give security great priority. Applications and operating systems were released with inadequate security features and vulnerabilities that could be exploited. The teenage years have been a catch-up, with a focus on the technological aspects of security and the protection of assets.

But this is only part of the picture. Security is about managing risk, and risk management covers opportunity and threat. Consequently, the IS security value proposition has two components—business enablement and asset protection. Security covers people and process issues as well as technology, so security needs to be integrated into the enterprise risk management framework and cover the entire enterprise.

A governance framework is a formal method of establishing the corporate model for setting and delivering business strategy, measuring performance, managing risk and establishing a corporate culture with ethical standards. To effectively fit into a governance framework, IS security must be aligned to deliver on business strategy. Consequently, within business and IS strategy, the evolving requirements of security to maintain trusted environments; provide secure channels to customers and suppliers; support the availability, integrity and expansion of core business processes; and protect the organisation's infrastructure must all be captured. Security managers must be able to respond to evolving business needs.

Along with a security strategy and an associated security policy, the business must clearly define roles and responsibilities. Successful security strategy delivery incorporates clarity regarding business ownership and technology support responsibilities, as well as their interaction. For example, the business owner of a customer database may be the sales and marketing department, but the responsibility for the security of this sensitive information may lie within IT. In this instance, the parameters within which IT operates must be established and communicated by the business owner, and IT should regularly report to sales and marketing on the management of this delegated responsibility.

Policies by themselves are of little use without effective processes to drive their implementation and compliance. Processes require the knowledge and support of people to maintain them. Security issues often arise from deficiencies in the process and people areas. Processes must be developed and maintained in line with policy. Awareness of an individual staff member's responsibility for security must be embedded into the culture of the organisation from induction to exit, and must be resilient, changing as requirements change. Security awareness and responsibility must apply to those with external or temporary access rights to information assets, as well as permanent staff.

Therefore, communication is highly important and should cover security objectives, policies and processes to nontechnical stakeholders.

Trends are toward the implementation of standards, such as ISO 17799. Changing regulatory requirements are pushing security to where it should be. This is also a reflection of the lost value proposition in the eyes of senior management.

The framework can be completed by effective reporting of security key performance indicators (KPIs) up the organisation, thus increasing awareness of the value of security. Reporting can either stand alone in the format of an IS security dashboard or be a component of reporting on technology, risk management or project management.

IS security is integrated into an IS governance framework through its ability to align strategically with business enablement objectives and asset protection. Security manages risks, and alignment with enterprise risk management provides a framework to evaluate investment in security; cover the people, process and technology aspects; enable business objectives and protect assets.


International Organisation for Standardisation, ISO 17799: Information Security Management

IT Governance Institute COBIT Security Baseline—An Information Security Survival Kit, 2004

IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive Management, 2001

Rupert Dodds, CISA, CISM
is the KPMG director responsible for security, privacy and continuity services in New Zealand. Dodds sits on the IT Governance Steering Committee and is the ISACA Membership Board representative for Oceania. He can be contacted on

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights res erved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.