1. IST 725 Case Study 1 – Effective IT Security Governance Feb 12, 2012
Effective IT Security Governance
Leo de Sousa – IST 725
Abstract
This paper describes how a continuous improvement IT Security Governance process provides
effective planning and decision making capabilities for a cybersecurity program. Governance
can be thought of as “doing the right things” while management is “doing things right”. IT Security
Governance focuses on doing the right things to protect organizations and agencies. Operational
Security focuses on doing things right and relies on IT Security Governance to direct those
actions. As organizations and agencies look to save costs, reach more customers and implement
efficiencies, they are turning more and more to digital technology solutions. While the reach and
automation capabilities of information technology solutions and architectures are vast, they also
expose organizations and agencies to risks from cybercrime, cyberattacks, breaches of legal
regulations, loss of corporate information and compromise of personal and confidential
information. Topics covered in this paper are (a) Key Definitions, (b) Introduction to IT Security
Governance, (c) IT Security Governance Capabilities, (d) Effective Approaches to Planning and
Decision Making using IT Security Governance Capabilities and (e) Conclusion. After reading
this paper, the reader should have a clear understanding of the concepts of IT Security
Governance, the capabilities of IT Security Governance, and the uses of those capabilities to
effectively plan and make decisions for an overall, continuously improving cybersecurity
program.
Key Definitions
Cyberattack – is an attempt to undermine or compromise the function of a computer-based
system, or attempt to track the online movements of individuals without their permission.
(wiseGEEK, 2011)
Cybercrime – generally defined as a criminal offence involving a computer as the object of the
crime (hacking, phishing, spamming), or as the tool used to commit a material component of the
offence (child pornography, hate crimes, computer fraud). (Foreign Affairs and International
Trade Canada, 2011)
Cybersecurity – term used by the US Federal government which requires assigning clear and
unambiguous authority and responsibility for security, holding officials accountable for fulfilling
those responsibilities and integrating security requirements into budget and capital planning
processes. (IT Governance Institute, 2006, p. 22)
Information Security Governance – is captured in the Security Architecture Framework and is
used “to define security strategies, policies, standards and guidelines for the enterprise from an
organizational viewpoint.” (Bernard & Ho, 2007, p. 11)
Leo de Sousa Page 1
Integrated Governance Framework – is part of an integrated “governance structure that
includes strategic planning, enterprise architecture, program management, capital planning,
security and workforce planning.” (Bernard S. A., 2005, p. 33)
Introduction
IT Security Governance is one of several organizational governing processes that include
Enterprise Architecture, IT Governance, Project Governance and Corporate Governance. It has
strong alignment to enterprise risk management initiatives and programs. Successful
organizations use corporate governance to direct and guide the successful operations of the
company. IT Governance guides investments in technology that are aligned to the business’
goals and strategy. Project Governance is used to rank and prioritize project proposals, so
investments in projects are aligned to business strategy. The IT Governance Institute defines
Information Security Governance as “Security Governance is the set of responsibilities and
practices exercised by the board and executive management with the goal of providing strategic
direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately
and verifying that the enterprise’s resources are used responsibly.” (Harris, 2006) Taking a top-down
approach with executive direction and support is a key success factor in establishing a culture
of security in organizations and agencies.
Every organization and agency faces the challenge of balancing employee empowerment through
access to information against enterprise risk management and compliance. As more and
more organizations and agencies move their services into a digital environment, they are faced
with significant challenges dealing with new corporate risks to information, business processes
and privacy. The use of web-based applications, online payment systems and collaboration-based
information management systems introduces new information technology architectures that,
if not properly protected, expose the company to the risk of cyberattacks and information
security breaches. Recently, the downturn in the global economy has been forcing organizations and
agencies to cut operational costs and improve their processes. In most cases, this means cutting
their budgets and investments, which can put IT Security efforts in jeopardy due to lack of
funding. These high levels of budget cuts are rippling through companies and organizations,
reducing the resources available for IT security. “The $2.1 trillion debt-cap pact that Congress
passed Tuesday could hurt economic and national security as agencies postpone plans to invest
in cybersecurity technology and hire more network specialists due to uncertainty over potential
program cuts, computer security advisers say.” (Sternstein, 2011)
There are five IT Security Governance areas that have evolved from case law and are tied to the
fiduciary duties of executives, board members and officers: 1) Govern the operations of the
organization and protect its critical assets, 2) Protect the organization’s market share and stock
price, 3) Govern the conduct of employees, 4) Protect the reputation of the organization and 5)
Ensure compliance requirements are met. (Allen & Westby, 2007, p. 1)
In this constrained environment, IT Security Governance becomes a strategic practice ensuring
that the appropriate security capabilities are available and adequately funded to maintain and
continually improve an effective cybersecurity program for organizations and agencies.
IT Security Governance Capabilities
IT Security Governance relies on a set of core capabilities that enable organizations to provide
oversight, authorize decisions and create and enable policy. These capabilities support
accountability, strategic planning and resource allocation for IT Security programs in an
organization. To successfully deploy IT Security Governance capabilities, organizations and
agencies need to consider organizational strategy, culture and structure as well as compliance
and risk management policies. These capabilities need to be implemented in a top-down
approach, with the responsibility for success sitting with the Board of Directors and the Executive
Committee.
Bernard and Ho describe IT Security Governance capabilities at a high level as “to define
security strategies, policies, standards and guidelines for the enterprise from an organizational
viewpoint.” (Bernard & Ho, 2007, p. 11) The Carnegie Mellon Software Engineering Institute
published a paper, “Governing for Enterprise Security (GES) Implementation Guide”, which provides a
more detailed approach to IT Security Governance capabilities, including responsibilities and
artifacts. The capabilities are grouped into the following four high level categories and
subcategories: (Allen & Westby, 2007)
Governance Category: Structure and Tone
(Deming – Plan – design or revise business process components to improve results)
Governance Sub Categories:
• Establish a Governance Structure
• Assign Roles and Responsibilities, Indicating Lines of Responsibility
• Develop Top-Level Policies

Governance Category: Assets and Responsibilities
(Deming – Do – implement the plan and measure its performance)
Governance Sub Categories:
• Inventory Digital Assets
• Develop and Update System Descriptions
• Establish and Update Ownership and Custody of Assets
• Designate Security Responsibilities and Segregation of Duties

Governance Category: Compliance
(Deming – Check – assess the measurements and report the results to decision makers)
Governance Sub Categories:
• Determine and Update Compliance Requirements
• Map Assets to Table of Authorities
• Map and Analyze Data Flows
• Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to Data Flows
• Conduct Privacy Impact Assessments and Privacy Audits

Governance Category: Assessments and Strategy
(Deming – Act – decide on the changes needed to improve the process)
Governance Sub Categories:
• Conduct Threat, Vulnerability, and Risk Assessments (including System C&As)
• Determine Operational Criteria
• Develop and Update Security Inputs to the Risk Management Plan
• Develop and Update Enterprise Security Strategy (ESS)
Interestingly, the implementation guide proposed by Allen and Westby follows the continuous
improvement approach of W. Edwards Deming. (Balanced Scorecard Institute, 1998) By
implementing the four major categories in the order specified, organizations and agencies
establish accountability and responsibility at the most senior levels of their organization structure
with a focus that these activities are part of a continuous improvement process.
Effective Approaches to Cybersecurity Planning and
Decision Making
IT Security Governance delivers the key capabilities to facilitate planning and decision making
for enterprise risk management and strategic planning in a cybersecurity program. This section
explores the GES (Governing for Enterprise Security) major categories using a higher education example and shows how they are
essential to support the planning and decision making of a cybersecurity program with a focus on
continuous improvement.
Structure and Tone (Deming – Plan)
There are three main activities in this category: Establish a Governance Structure, Assign Roles and
Responsibilities, Indicating Lines of Responsibility, and Develop Top-Level Policies. The focus
of these three activities is to clearly establish a top-down, organization-wide approach to IT
Security. At the British Columbia Institute of Technology (BCIT), our top level governance
group is the Audit and Finance Committee of the Board of Governors. The committee reports
quarterly to the Board of Governors and has overall responsibility for Enterprise Risk
Management, including IT Security Governance. In 2008, we created the Information Security
Advisory Council (ISAC) to implement IT Security Governance. This governance committee
consists of the Chief Information Officer, Director of Safety and Security, Manager of Institutional
Records Management, Director of Finance and the Information Security Officer. The ISAC
sponsors audits, PCI-DSS implementation, copyright policy and compliance training. This
committee also has responsibility for the Security Architecture domain in our EA practice. The
ISAC created two top level policies: 3501 – Acceptable Use of Information Technology and
3502 – Information Security. (British Columbia Institute of Technology, 2009) These policies
and the ISAC are the backplane for IT Security Governance in BCIT’s Enterprise Architecture
and fit with Deming’s Plan step. (de Sousa, 2007)
Assets and Responsibilities (Deming – Do)
There are four main activities in this category: Inventory Digital Assets, Develop and Update
System Descriptions, Establish and Update Ownership and Custody of Assets, and Designate
Security Responsibilities and Segregation of Duties. The BCIT 3502 – Information Security
policy requires that systems be inventoried and that system ownership be established for the purpose
of designing security access. (British Columbia Institute of Technology, 2009) This process is
essential for determining who gets access to secure systems and for defining access controls for the
BCIT community. These activities fit with Deming’s Do step for continual improvement.
Compliance (Deming – Check)
There are five main activities in this category: Determine and Update Compliance Requirements,
Map Assets to Table of Authorities, Map and Analyze Data Flows, Map Cybercrime and
Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to
Data Flows and Conduct Privacy Impact Assessments and Privacy Audits. Each year most
organizations go through a financial audit. At BCIT, a component of the annual financial audit is
an IT security audit. The auditors look at our IT systems and particularly the protections and
security around financial transactions. With each audit there are recommendations for improving
our treatment of secure transactions and access controls. These recommendations fit with
Deming’s Check step and enable our organization to continually improve our IT Security
program.
Assessment and Strategy (Deming – Act)
There are four main activities in this category: Conduct Threat, Vulnerability, and Risk
Assessments (including System C&As), Determine Operational Criteria, Develop and Update
Security Inputs to the Risk Management Plan, and Develop and Update Enterprise Security
Strategy (ESS). Each year, BCIT proactively conducts vulnerability assessments and external
penetration tests, which lead to changes in our security practices. Placing emphasis on actively
testing our IT Security Governance framework fits with Deming’s Act step for continual
improvement.
Conclusion
IT Security Governance is a strategic practice that ensures appropriate security capabilities are
available and adequately funded to maintain effective cybersecurity program planning and
decision making. Organizations and agencies that invest in IT Security Governance are able to
manage the use of their assets securely, manage enterprise risk internally and externally and help
ensure the ongoing viability of their operations.
Information Security Governance is part of an integrated “governance structure that includes
strategic planning, enterprise architecture, program management, capital planning, security and
workforce planning.” (Bernard S. A., 2005, p. 33) Information Security Governance is captured
in the Security Architecture Framework and is used “to define security strategies, policies,
standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho,
2007, p. 11)
By taking W. Edwards Deming’s Plan-Do-Check-Act continuous improvement model as the
guiding principle for IT Security Governance, organizations and agencies will benefit from a
consistent cybersecurity program focusing on secure business management and operations.
References
Allen, J. H., & Westby, J. R. (2007). Governing for Enterprise Security (GES) Implementation
Guide. Pittsburgh: Software Engineering Institute, Carnegie Mellon.
Balanced Scorecard Institute. (1998). The Deming Cycle. Retrieved from Balanced Scorecard
Institute: http://www.balancedscorecard.org/TheDemingCycle/tabid/112/Default.aspx
Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL:
AuthorHouse.
Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for
Implementing Information Security and Data Privacy. Washington, DC, USA.
British Columbia Institute of Technology. (2009). 3501 - Acceptable Use of Technology.
Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3501.pdf
British Columbia Institute of Technology. (2009). 3502 - Information Security. Retrieved from
Policies: http://www.bcit.ca/files/pdf/policies/3502.pdf
de Sousa, L. (2007, Jun 22). EA Model V.2. Retrieved Jan 18, 2012, from Enterprise Architecture
in Higher Education: http://leodesousa.ca/2007/06/ea-model-v2/
Foreign Affairs and International Trade Canada. (2011, Oct 14). Cybercrime. Retrieved Feb 2,
2012, from International Security: http://www.international.gc.ca/crime/cyber_crime-criminalite.aspx?view=d
Harris, S. (2006, Aug). Information Security Governance Guide. Retrieved Feb 1, 2012, from
TechTarget: http://searchsecurity.techtarget.com/tutorial/Information-Security-Governance-Guide
IT Governance Institute. (2006). Information Security Governance: Guidance for Board of
Directors and Executive Management, 2nd Edition. Rolling Meadows, Illinois, USA.
Sternstein, A. (2011, Aug 02). Debt deal could be a blow for cybersecurity. Retrieved from
Nextgov: http://www.nextgov.com/nextgov/ng_20110802_1799.php?oref=topstory
wiseGEEK. (2011). What Is a Cyberattack? Retrieved from wiseGEEK:
http://www.wisegeek.com/what-is-a-cyberattack.htm