Effective IT Security Governance


IST 725 Case Study 1 – Effective IT Security Governance Feb 12, 2012

Leo de Sousa – IST 725

Abstract

This paper describes how a continuous improvement IT Security Governance process provides effective planning and decision making capabilities for a cybersecurity program. Governance can be thought of as “doing the right things”, while management is “doing things right”. IT Security Governance focuses on doing the right things to protect organizations and agencies. Operational Security focuses on doing things right and relies on IT Security Governance to direct those actions. As organizations and agencies look to save costs, reach more customers and implement efficiencies, they are turning more and more to digital technology solutions. While the reach and automation capabilities of information technology solutions and architectures are vast, they also expose organizations and agencies to risks from cybercrime, cyberattacks, breaches of legal regulations, loss of corporate information and compromise of personal and confidential information. Topics covered in this paper are (a) Key Definitions, (b) Introduction to IT Security Governance, (c) IT Security Governance Capabilities, (d) Effective Approaches to Planning and Decision Making using IT Security Governance Capabilities and (e) Conclusion. After reading this paper, the reader should have a clear understanding of the concepts of IT Security Governance, the capabilities of IT Security Governance, and the uses of those capabilities to effectively plan and make decisions for an overall, continuously improving cybersecurity program.

Key Definitions

Cyberattack – an attempt to undermine or compromise the function of a computer-based system, or an attempt to track the online movements of individuals without their permission. (wiseGEEK, 2011)

Cybercrime – generally defined as a criminal offence involving a computer as the object of the crime (hacking, phishing, spamming), or as the tool used to commit a material component of the offence (child pornography, hate crimes, computer fraud). (Foreign Affairs and International Trade Canada, 2011)

Cybersecurity – a term used by the US Federal government; it requires assigning clear and unambiguous authority and responsibility for security, holding officials accountable for fulfilling those responsibilities and integrating security requirements into budget and capital planning processes. (IT Governance Institute, 2006, p. 22)

Information Security Governance – is captured in the Security Architecture Framework and is used “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11)


Integrated Governance Framework – is part of an integrated “governance structure that includes strategic planning, enterprise architecture, program management, capital planning, security and workforce planning.” (Bernard S. A., 2005, p. 33)

Introduction

IT Security Governance is one of several organizational governing processes that include Enterprise Architecture, IT Governance, Project Governance and Corporate Governance. It has strong alignment to enterprise risk management initiatives and programs. Successful organizations use corporate governance to direct and guide the successful operations of the company. IT Governance guides investments in technology so that they are aligned to the business’ goals and strategy. Project Governance is used to rank and prioritize project proposals, so that investments in projects are aligned to business strategy. The IT Governance Institute defines Information Security Governance as follows: “Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” (Harris, 2006)

Taking a top down approach with executive direction and support is a key success factor in establishing a culture of security in organizations and agencies. Every organization and agency faces the challenge of balancing employee empowerment, by providing access to information, with enterprise risk management and compliance. As more and more organizations and agencies move their services into a digital environment, they are faced with significant challenges dealing with new corporate risks to information, business processes and privacy. The use of web-based applications, online payment systems and collaboration-based information management systems introduces new information technology architectures that, if not properly protected, expose the company to the risk of cyberattacks and information security breaches.

The recent downturn in the global economy is forcing organizations and agencies to cut operational costs and improve their processes. In most cases, this means cutting their budgets and investments, which can put IT Security efforts in jeopardy due to lack of funding. These high levels of budget cuts are rippling through companies and organizations, impacting the resources available for IT security. “The $2.1 trillion debt-cap pact that Congress passed Tuesday could hurt economic and national security as agencies postpone plans to invest in cybersecurity technology and hire more network specialists due to uncertainty over potential program cuts, computer security advisers say.” (Sternstein, 2011)

There are five IT Security Governance areas that have evolved from case law and are tied to the fiduciary duties of executives, board members and officers: (Allen & Westby, 2007, p. 1)

1) Govern the operations of the organization and protect its critical assets
2) Protect the organization’s market share and stock price
3) Govern the conduct of employees
4) Protect the reputation of the organization
5) Ensure compliance requirements are met

In this constrained environment, IT Security Governance becomes a strategic practice ensuring that the appropriate security capabilities are available and adequately funded to maintain and continually improve an effective cybersecurity program for organizations and agencies.


IT Security Governance Capabilities

IT Security Governance relies on a set of core capabilities that enable organizations to provide oversight, authorize decisions and create and enable policy. These capabilities support accountability, strategic planning and resource allocation for IT Security programs in an organization. To successfully deploy IT Security Governance capabilities, organizations and agencies need to consider organizational strategy, culture and structure as well as compliance and risk management policies. These capabilities need to be implemented in a top down approach, with the responsibility for success sitting with the Board of Directors and the Executive Committee. Bernard and Ho describe IT Security Governance capabilities at a high level as “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11) The Carnegie Mellon Software Engineering Institute published the “Governing for Enterprise Security (GES) Implementation Guide”, which provides a more detailed treatment of IT Security Governance capabilities, including responsibilities and artifacts. The capabilities are grouped into the following four high-level categories and subcategories, each of which is labelled here with the step of the Deming cycle it corresponds to: (Allen & Westby, 2007)

Structure and Tone (Deming – Plan: design or revise business process components to improve results)
• Establish a Governance Structure
• Assign Roles and Responsibilities, Indicating Lines of Responsibility
• Develop Top-Level Policies

Assets and Responsibilities (Deming – Do: implement the plan and measure its performance)
• Inventory Digital Assets
• Develop and Update System Descriptions
• Establish and Update Ownership and Custody of Assets
• Designate Security Responsibilities and Segregation of Duties

Compliance (Deming – Check: assess the measurements and report the results to decision makers)
• Determine and Update Compliance Requirements
• Map Assets to Table of Authorities
• Map and Analyze Data Flows
• Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to Data Flows
• Conduct Privacy Impact Assessments and Privacy Audits

Assessments and Strategy (Deming – Act: decide on the changes needed to improve the process)
• Conduct Threat, Vulnerability, and Risk Assessments (including System C&As)
• Determine Operational Criteria
• Develop and Update Security Inputs to the Risk Management Plan
• Develop and Update Enterprise Security Strategy (ESS)

Interestingly, the implementation guide proposed by Allen and Westby follows the continuous improvement approach of W. Edwards Deming. (Balanced Scorecard Institute, 1998) By implementing the four major categories in the order specified, organizations and agencies establish accountability and responsibility at the most senior levels of their organization structure with a focus that these activities are part of a continuous improvement process.

Effective Approaches to Cybersecurity Planning and Decision Making

IT Security Governance delivers the key capabilities to facilitate planning and decision making for enterprise risk management and strategic planning in a cybersecurity program. This section explores the four major GES (Governing for Enterprise Security) categories using a higher education example and shows how they are essential to support the planning and decision making of a cybersecurity program with a focus on continuous improvement.

Structure and Tone (Deming – Plan)

There are three main activities in this category: Establish a Governance Structure; Assign Roles and Responsibilities, Indicating Lines of Responsibility; and Develop Top-Level Policies. The focus of these three activities is to clearly establish a top down, organization-wide approach to IT Security. At the British Columbia Institute of Technology (BCIT), our top level governance group is the Audit and Finance Committee of the Board of Governors. The committee reports quarterly to the Board of Governors and has overall responsibility for Enterprise Risk Management, including IT Security Governance. In 2008, we created the Information Security Advisory Council (ISAC) to implement IT Security Governance. This governance committee consists of the Chief Information Officer; the Director of Safety and Security; the Manager, Institutional Records Management; the Director of Finance; and the Information Security Officer. The ISAC sponsors audits, PCI-DSS implementation, copyright policy and compliance training. This committee also has responsibility for the Security architecture domain in our EA practice. The ISAC created two top level policies: 3501 – Acceptable Use of Information Technology and 3502 – Information Security. (British Columbia Institute of Technology, 2009) These policies and the ISAC are the backbone for IT Security Governance in BCIT’s Enterprise Architecture and fit with Deming’s Plan step. (de Sousa, 2007)

Assets and Responsibilities (Deming – Do)

There are four main activities in this category: Inventory Digital Assets, Develop and Update System Descriptions, Establish and Update Ownership and Custody of Assets, and Designate Security Responsibilities and Segregation of Duties. The BCIT 3502 – Information Security policy requires that systems be inventoried and that system ownership be established for the purpose of designing security access. (British Columbia Institute of Technology, 2009) This process is essential to determine who gets access to secure systems and to define access controls for the BCIT community. These activities fit with Deming’s Do step for continual improvement.
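The inventory, ownership and segregation-of-duties activities above are usually checked against a register rather than by hand. The following Python is an added illustration of what that check looks like; it is not code from this paper or from BCIT. The asset inventory, the role assignments and the list of "toxic" role pairs are constructed sample data, and the rule that no single person may hold both roles of a toxic pair is the assumed policy being enforced.

```python
"""Asset inventory and segregation-of-duties (SoD) checks for the
'Assets and Responsibilities' step.

Added illustration, not code from the paper or from BCIT: the inventory,
role assignments and toxic role pairs below are constructed sample data.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str       # "confidential", "internal" or "public"
    owner: Optional[str]      # accountable business owner
    custodian: Optional[str]  # party that operates and protects the asset


# Constructed sample inventory (hypothetical names, not BCIT's systems).
INVENTORY: List[Asset] = [
    Asset("student-records-db", "confidential", "registrar", "it-ops"),
    Asset("payment-gateway", "confidential", "finance-director", "it-ops"),
    Asset("campus-wiki", "internal", None, "it-ops"),      # no owner
    Asset("public-website", "public", "marketing", None),  # no custodian
]

# Constructed sample role assignments: user -> roles held.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"payment-initiator", "payment-approver"},  # SoD conflict
    "bob": {"payment-initiator"},
    "carol": {"developer", "prod-deployer"},             # SoD conflict
    "dave": {"security-officer"},
}

# Assumed policy: pairs of roles one person must never hold together.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"payment-initiator", "payment-approver"}),
    frozenset({"developer", "prod-deployer"}),
    frozenset({"security-officer", "prod-deployer"}),
}

_SENSITIVITY = {"confidential": 0, "internal": 1, "public": 2}


def find_unowned_assets(inventory: List[Asset]) -> List[str]:
    """Names of assets lacking an owner or a custodian, most sensitive first."""
    gaps = [a for a in inventory if a.owner is None or a.custodian is None]
    gaps.sort(key=lambda a: (_SENSITIVITY.get(a.classification, 99), a.name))
    return [a.name for a in gaps]


def find_sod_violations(assignments, toxic_pairs) -> List[Tuple[str, str, str]]:
    """(user, role_a, role_b) for every toxic pair held by a single user."""
    found = []
    for user, roles in assignments.items():
        # Check each pair of roles the user holds against the toxic list.
        for r1, r2 in combinations(sorted(roles), 2):
            if frozenset((r1, r2)) in toxic_pairs:
                found.append((user, r1, r2))
    return sorted(found)


def governance_report(inventory, assignments, toxic_pairs) -> Dict[str, list]:
    """Bundle both checks into the exception list a governance committee reviews."""
    return {
        "assets_without_owner_or_custodian": find_unowned_assets(inventory),
        "segregation_of_duties_violations": find_sod_violations(assignments, toxic_pairs),
    }


if __name__ == "__main__":
    for key, items in governance_report(INVENTORY, ASSIGNMENTS, TOXIC_PAIRS).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

On the sample data the report lists the two assets with a missing owner or custodian (ordered so the most sensitive gap is reviewed first) and the two users who hold a toxic pair of roles; a real register would feed the same two lists into the committee's Check step as audit findings.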

Compliance (Deming – Check)

There are five main activities in this category: Determine and Update Compliance Requirements; Map Assets to Table of Authorities; Map and Analyze Data Flows; Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to Data Flows; and Conduct Privacy Impact Assessments and Privacy Audits. Each year, most organizations go through a financial audit. At BCIT, a component of the annual financial audit is an IT security audit. The auditors look at our IT systems, and particularly at the protections and security around financial transactions. Each audit produces recommendations for improving our treatment of secure transactions and access controls. These recommendations fit with Deming’s Check step and enable our organization to continually improve our IT Security program.

Assessment and Strategy (Deming – Act)

There are four main activities in this category: Conduct Threat, Vulnerability, and Risk Assessments (including System C&As), Determine Operational Criteria, Develop and Update Security Inputs to the Risk Management Plan and Develop and Update Enterprise Security Strategy (ESS). Each year, BCIT proactively conducts vulnerability assessments and external penetration tests which lead to changes in our security practices. Placing emphasis on actively testing our IT Security Governance framework fits with Deming’s Act process for continual improvement.

Conclusion

IT Security Governance is a strategic practice that ensures appropriate security capabilities are available and adequately funded to maintain effective cybersecurity program planning and decision making. Organizations and agencies that invest in IT Security Governance are able to manage the use of their assets securely, manage enterprise risk internally and externally and help ensure the ongoing viability of their operations.

Information Security Governance is part of an integrated “governance structure that includes strategic planning, enterprise architecture, program management, capital planning, security and workforce planning.” (Bernard S. A., 2005, p. 33) Information Security Governance is captured in the Security Architecture Framework and is used “to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11) By taking W. Edwards Deming’s Plan-Do-Check-Act continuous improvement model as the guiding principle for IT Security Governance, organizations and agencies will benefit from a consistent cybersecurity program focusing on secure business management and operations.


References

Allen, J. H., & Westby, J. R. (2007). Governing for Enterprise Security (GES) Implementation Guide. Pittsburgh: Software Engineering Institute, Carnegie Mellon.

Balanced Scorecard Institute. (1998). The Deming Cycle. Retrieved from Balanced Scorecard Institute: http://www.balancedscorecard.org/TheDemingCycle/tabid/112/Default.aspx

Bernard, S. A. (2005). An Introduction to Enterprise Architecture, 2nd Edition. Bloomington, IL: AuthorHouse.

Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for Implementing Information Security and Data Privacy. Washington, DC, USA.

British Columbia Institute of Technology. (2009). 3501 - Acceptable Use of Technology. Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3501.pdf

British Columbia Institute of Technology. (2009). 3502 - Information Security. Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3502.pdf

de Sousa, L. (2007, Jun 22). EA Model V.2. Retrieved Jan 18, 2012, from Enterprise Architecture in Higher Education: http://leodesousa.ca/2007/06/ea-model-v2/

Foreign Affairs and International Trade Canada. (2011, Oct 14). Cybercrime. Retrieved Feb 2, 2012, from International Security: http://www.international.gc.ca/crime/cyber_crime-criminalite.aspx?view=d

Harris, S. (2006, Aug). Information Security Governance Guide. Retrieved Feb 1, 2012, from TechTarget: http://searchsecurity.techtarget.com/tutorial/Information-Security-Governance-Guide

IT Governance Institute. (2006). Information Security Governance: Guidance for Board of Directors and Executive Management, 2nd Edition. Rolling Meadows, Illinois, USA.

Sternstein, A. (2011, Aug 02). Debt deal could be a blow for cybersecurity. Retrieved from Nextgov: http://www.nextgov.com/nextgov/ng_20110802_1799.php?oref=topstory

wiseGEEK. (2011). What Is a Cyberattack? Retrieved from wiseGEEK: http://www.wisegeek.com/what-is-a-cyberattack.htm