Governance

IT security governance is the system by which an organization directs and controls IT security, as defined by ISO 38500. It is distinct from IT security management, which involves making decisions to mitigate risks. Governance establishes who is authorized to make those decisions and sets the accountability framework. It also provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate those risks. Management makes recommendations for security strategies, while governance ensures that those strategies align with business objectives and comply with regulations. In summary, IT security governance sets the overall direction and framework for IT security, while IT security management is responsible for implementing specific controls and procedures to protect the organization's IT assets. Together, governance and management ensure that an organization's IT security aligns with its overall business objectives and complies with relevant laws and regulations.

NIST (National Institute of Standards and Technology) defines IT governance as the process of establishing and maintaining a framework that provides assurance that information security strategies align with and support business objectives, comply with applicable laws and regulations, and are supported by policies and internal controls, all with the goal of managing risk. Enterprise security governance is the responsibility of leadership to meet fiduciary requirements and ensure reasonable standards of care. This is based on legal rationale and the duty of care that leaders owe to their organization.

In other words, IT governance is a framework that ensures that an organization's information security efforts align with its overall business objectives, comply with relevant laws and regulations, and are supported by policies and internal controls. It also assigns responsibility for decision-making and risk management and ensures that the organization is meeting its fiduciary requirements and reasonable standards of care. The five general governance areas are:

  1. Govern the operations of the organization and protect its critical assets

  2. Protect the organization's market share and stock price (perhaps not appropriate for education)

  3. Govern the conduct of employees (educational AUP and other policies that may apply for the use of technology resources, data handling, etc.)

  4. Protect the reputation of the organization

  5. Ensure compliance requirements are met

"Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business."

Governance: doing the right thing.

Management: doing things right.

Characteristics of effective security governance

The eleven characteristics of effective security governance are critical for an effective enterprise information security program.

They are:

  1. It is an institution-wide issue

  2. Leaders are accountable

  3. It is viewed as an institutional requirement (cost of doing business)

  4. It is risk-based

  5. Roles, responsibilities, and segregation of duties are defined

  6. It is addressed and enforced in policy

  7. Adequate resources are committed

  8. Staff are aware and trained

  9. A development life cycle is required

  10. It is planned, managed, measurable, and measured

  11. It is reviewed and audited

The CERT GES provides some excellent comparisons of effective and ineffective governance characteristics.

IT Governance is the overall framework that ensures that an organization's IT strategy aligns with its overall business objectives and is supported by policies and internal controls. It also assigns responsibility for decision-making and risk management. The five main components of IT Governance, as per the COBIT (Control Objectives for Information and related Technology) framework, are:

  • Strategy: IT strategy aligns with the organization's overall business strategy, and meets the current and future needs of the business.

  • Acquisition: IT acquisitions are made for valid reasons and are based on appropriate analysis, with clear and transparent decision-making.

  • Performance: IT supports the organization and provides the required services, levels of service, and service quality to meet current and future business requirements.

  • Conformance: IT complies with all mandatory legislation and regulations, and policies and practices are clearly defined, implemented and enforced.

  • Human Behavior: IT policies, practices and decisions demonstrate respect for human behavior and the current and evolving needs of all people involved in the process.

IT governance is the overarching framework that ensures that an organization's IT strategy aligns with its overall business objectives and complies with relevant laws and regulations. It also assigns responsibility for decision-making and risk management, and balances the benefits, costs, opportunities, and risks of IT investments in the short and long term. (Source: https://www.educause.edu/cybersecurity-and-privacy-guide#InformationSecurityGovernance-what)

Listed below are challenges of ineffective governance [1]. These challenges can be very useful in presenting rationale to leadership for implementing an effective institution security governance model.

  1. Understanding the implications of ubiquitous access and distributed information

  2. Appreciating the institution-wide nature of the security problem

  3. Overcoming the lack of a game plan

  4. Establishing the proper institutional structure and segregation of duties

  5. Understanding complex global legal compliance requirements and liability risks (the word global may or may not apply to education)

  6. Assessing security risks and the magnitude of harm to the institution

  7. Determining and justifying appropriate levels of resources and investment

  8. Dealing with the intangible nature of security

  9. Reconciling inconsistent deployment of security best practices and standards

  10. Overcoming difficulties in creating and sustaining a security-aware culture

Outcomes of effective information security governance should include:

  • Strategic alignment of information security with institutional objectives

  • Risk management - identify, manage, and mitigate risks

  • Resource management

  • Performance measurement - defining, reporting, and using information security governance metrics

  • Value delivery by optimizing information security investment

Defining the Information Security Program (so as to define what needs to be governed)

Activities of an information security program directly support/trace to an institutional risk management plan. In other words, the information security program is targeted to managing institutional risk.

An effective information security program requires the development and maintenance of:

  1. A long-term information security strategy

  2. An overarching institutional security plan (which may be supported by underlying academic/administrative unit security plans and security plans for individual systems)

  3. Security policies, procedures, and other artifacts

  4. The system architecture and supporting documentation

Information Security Program hierarchical relationships

  • Institutional Risk Management Plan is supported by

  • Institutional Security Strategy is supported by

  • Institutional Security Plan is supported by

  • Academic and administrative unit security plans

  • System security plans

  • Policies and procedures

  • System architecture

Some colleges and universities employ risk managers and some do not. Of those institutions that do employ a risk manager, there are few that appear to have an institution-level risk management plan. The reference to an information security program serving as a business plan for securing digital assets is a simple yet effective communication technique.

Information Security Governance Best Practices

  • Information security activities should be governed based on relevant requirements, including laws, regulations, and organizational policies.

  • Senior managers should be actively involved in establishing the information security governance framework and in governing the agency's implementation of information security. Information security responsibilities must be assigned and carried out by appropriately trained individuals.

  • Individuals responsible for information security within the agency should be held accountable for their actions or lack of actions.

  • Information security priorities should be communicated to stakeholders of all levels within an organization to ensure a successful implementation of an information security program.

  • Information security activities must be integrated into other management activities of the enterprise, including strategic planning, capital planning, and enterprise architecture.

  • Information security organization structure should be appropriate for the organization it supports and should evolve with the organization, if the organization undergoes change.

  • Information security managers should continuously monitor the performance of the security program/effort for which they are responsible, using available tools and information.

  • Information discovered through monitoring should be used as an input into management decisions about priorities and funding allocation to effect the improvement of security posture and the overall performance of the organization.

Why is Infosec Governance needed?

Why is IT governance important

  • Financial payoffs

  • IT is expensive

  • IT is pervasive

  • New technologies

  • IT governance is critical to learning about IT value

  • Not just technical - integration and buy-in from business leaders is needed for success

  • Senior executives have limited bandwidth, especially at large institutions, so they can't do it all

  • Governance patterns depend on desired behaviors

    • Profit - centralized to promote sharing, reuse and efficient asset utilization

    • Top revenue growth - decentralized to promote customer responsiveness and innovation

    • Multiple performance goals - blended centralized and decentralized governance

Directors could be held accountable for breaches of:

  • security standards;

  • privacy legislation;

  • spam legislation;

  • trade practices legislation;

  • intellectual property rights, including software licensing agreements;

  • record keeping requirements;

  • environmental legislation and regulations;

  • health and safety legislation;

  • accessibility legislation;

  • social responsibility standards.

Benefits of information security governance

  • Increased predictability and reduced uncertainty of business operations

  • Protection from the potential for civil and legal liability

  • Structure to optimize the allocation of resources

  • Assurance of security policy compliance

  • Foundation for effective risk management.

  • A level of assurance that critical decisions are not based on faulty information

  • Accountability for safeguarding information

Questions to engage institutional leaders

Thought-provoking questions that institutional leaders can ask (and should be able to answer) to determine the state of their security governance efforts.

Questions to uncover information security issues

  • Does the head of security/CISO routinely meet or brief institutional leaders?

  • When was the last time top managers got involved in security-related decisions?

  • Do managers know who is responsible for security?

  • Would people recognize a security incident? Would they know who

Questions to find out how managers address information security issues

  • Is the institution clear on its position relative to IT and security risks?

  • How much is spent on information security?

  • What percentage of staff had security training last year?

Questions to assess information security governance practices

  • Are managers confident that security is being adequately addressed in the enterprise?

  • Are managers aware of the latest information security issues and best practices?

  • Does the institution participate in an incident, threat, vulnerability notification and sharing service?

  • What is the industry best practice and how does the institution compare?

  • What can be done to successfully implement information security governance?

Questions individuals responsible for governance should ask and be able to answer.

Questions for directors/trustees

    1. Does the board understand the institution's dependence on information?

    2. Does the institution recognize the value and importance of information?

    3. Does the institution have a security strategy?

    4. Does the board understand the institution's potential liabilities in the event of regulatory non-compliance?

Questions for managers

    1. How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements?

    2. Has someone been appointed to be responsible for developing, implementing and managing the information security program, and is he/she held accountable?

    3. Are security roles and responsibilities clearly defined and communicated?

    4. Is there a CISO or other officer with sufficient authority and resources to accomplish security objectives?

How to Govern Information Security

The role of the Information Security Officer (ISO) is changing from being primarily focused on technical responsibilities to incorporating both technical and management duties. The importance of IT security has become a central concern for organizations, with crucial policy and operational aspects being overseen by senior leaders such as the CIO, general counsel, internal auditor, and executive leadership. While the ISO's responsibilities continue to expand, the authority of the role, and challenges to that authority, are often handled by senior administrators, legal counsel, or law enforcement. To effectively manage IT security, the ISO must rely on institutional policies and legal compliance.

An effective approach to managing IT security is building relationships and reaching consensus with various groups within an organization. This is achieved by recognizing department managers' responsibility for their data and its protection, and shifting the ISO's role from a compliance enforcer to an assistance provider. By viewing security as a service, the ISO can work collaboratively with other departments to ensure compliance with security policies.

The role of an Information Security Officer (ISO) is often limited in smaller organizations where the number of staff positions does not allow for the assignment of specific roles to individuals and the dedication of a single entity to handle enterprise-wide information security. Larger organizations, particularly those with enrollments over 8,000, tend to recognize security as a top administrative priority and have either created an ISO position or delegated this responsibility to the Chief Information Officer (CIO).

However, the shift towards viewing security as a responsibility for everyone within an organization, rather than solely the IT department, has a greater impact on whether an appointment for an ISO is made. While the identification of the responsibility is clear, the manner in which it should be addressed is less so. As the field of information security continues to evolve and grow in visibility, there is an increasing need for individuals with experience managing security incidents and breaches. As the number of skilled professionals entering this field increases, it is hoped that the role of the ISO will be better defined and given the necessary authority.

Governance frameworks such as COBIT, ITIL, the ISO 17799 information security management standard, and the ISO 9000 quality management standard are commonly used in IT governance processes and structures. ITIL and ISO 17799 are the most commonly used frameworks.

Organizational Structure

The unplanned and uncoordinated localization of authority in an organization poses significant challenges for achieving compliance with security, copyright, privacy, identity, and other regulations across the institution. This can make it difficult for Chief Information Officers (CIOs) to effectively oversee and account for the breadth and depth of overall IT activity, leading to inefficiencies.

While localization of authority in certain areas is necessary, the question is not whether to centralize or decentralize, but rather where and how to centralize or decentralize in order to harmonize institutional efforts and investments in IT. It's important for the organization to strike a balance between centralizing the decision-making process and allowing for local autonomy in order to align IT strategies with institutional goals while also addressing specific needs and concerns of different departments.

IT governance-related committees include:

  1. Top-level IT steering committee for oversight of major IT policies and initiatives

  2. IT advisory committees for administration and teaching and learning

  3. IT initiative specific committees for items like enterprise resource planning, security or business continuity

Governance structures depend on desired outcomes

CERT GES describes structures based on desired outcomes.

  • Top revenue growth - decentralized to promote customer responsiveness and innovation

  • Profit - centralized to promote sharing, reuse and efficient asset utilization

  • Multiple performance goals - blended centralized and decentralized

Information Security Governance Structures

The NIST Security Handbook states that governance is highly dependent on the overall organization structure.

  • Centralized: the central security function maintains budget control and ensures implementation and monitoring of information security controls.

  • Decentralized: the central security function has policy and oversight responsibilities, and budget responsibility for its own departmental security program but not for the operating units' information security programs. Reporting structures are different as well.

  • Governance structures can be hybrid, with a combination of characteristics from both centralized and decentralized.

Political Archetypes

Weill and Ross use political archetypes in IT Governance to describe the people or groups who have decision rights.

  • Business monarchy: Senior business executives make IT decisions

  • IT monarchy: IT executives make IT decisions

  • Feudal: Business unit leaders make IT decisions to optimize local needs, but this does not facilitate enterprise decision-making.

  • Federal: Coordinated IT decision-making between the center and the business units.

  • IT duopoly: IT executives and one other group (such as senior executives or business units) make IT decisions.

  • Anarchy: Individual users or small groups make IT decisions. Anarchy is expensive, difficult to support and rare, but sometimes used when very rapid customer responsiveness is needed.

What Governance Arrangements Work Best

  • Monarchies work well when profit is a priority.

  • Feudal or business monarchy arrangements might work best when growth is a priority.

  • Federal arrangements can work well for input into all IT decisions. Avoid federal arrangements for all decisions, since it's difficult to balance the needs of the center with those of the business units.

  • Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.

Roles and Responsibilities

The role of an Information Security Officer (ISO) or Chief Information Security Officer (CISO) is an emerging profession that is attracting highly-motivated individuals who are seeking professional development through membership in organizations, participating in training, and sharing ideas and advice with others both within and outside of their organization. However, there is currently no clearly defined career path for this new subfield within IT.

The majority of individuals currently in an ISO or CISO position have held previous positions in IT and come from higher education backgrounds. Institutions appear to be recruiting security officers from IT managerial ranks, and these individuals often start with strong technical experience and then develop skills in business process analysis, moving away from hands-on activities. It is important for individuals who aspire to be in this role to stay informed about the latest security trends, gain technical and management skills, and network with other professionals in the field to expand their knowledge and advance their careers.

In addition to certifications, ISOs find the following "soft skills" beneficial.

  • Reputation building

  • Campus-wide coordination and communication

  • Collaboration

  • Campus-wide profiles

These soft skills are critical for effective engagement with diverse campus audiences, including:

  • Senior leader of the institution

  • Deans, Department Chairs and Directors

  • IT managers

  • Auditors

  • Attorneys

  • Human Resources

  • Faculty

  • Staff

  • Students

Primary ISO responsibilities

  • Development and enforcement of security policies and procedures

  • Risk management

  • Security awareness program

  • Incident management and forensics

  • Business continuity

  • Disaster recovery

Supportive functions of an ISO

  • Application and system security

  • Network security

  • Access control

  • Authentication and authorization

  • Identity management

Decision-Making Structures

Weill and Ross describe organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.

  • Executive or senior management committees

  • IT leadership committee

  • Process teams with IT members

  • Business/IT relationship managers

  • IT council of IT and business executives

  • Architecture committee

  • Capital improvement committee

Who should be concerned with information security governance?

  • Board of directors/trustees - The board has fundamental responsibility to protect the interests of the organization.

  • Executives - This group develops strategies and ensures integration with and cooperation of business unit managers and process owners

  • Steering committee - This group includes representation across the organization and is responsible for ensuring that stakeholders' concerns are addressed.

  • CISO

What should the board of directors/trustees and senior executives be doing?

  • Understand why information security needs to be governed

    • Address risks and threats

    • Protect the organization's reputation

    • Ensure coordination and cooperation among business units

  • Take board level action

    • Become informed about information security

    • Set direction (e.g., drive policy and strategy)

    • Provide resources

    • Assign responsibilities

    • Set priorities

  • Take senior level action

    • Provide oversight for the development of a security framework

    • Policy development

    • Assign roles and responsibilities

    • Implement

    • Monitor

    • Ensure awareness and training

Roles and Responsibilities for an Institution-Wide Security Program

The CERT framework assumes a board risk committee (or equivalent) at the highest governance level.

There are nine groups of personnel involved in developing and sustaining an effective institution-wide security program.

  1. Board risk committee

  2. Senior officers of the institution: chief officers such as Chief Executive Officer (CEO)/President and Chief Operating Officer (COO)/Provost

  3. Cross-organizational security steering council comprised of:

    1. General Counsel

    2. Chief Information Officer

    3. Chief Security Officer and/or Chief Risk Officer

    4. Chief Privacy Officer

    5. Chief Financial Officer

    6. Deans/academic unit executives and/or other unit executives

    7. Communications executives/public relations

    8. Director of Human Resources

  4. Asset owners

  5. Business managers

  6. Operational personnel, including procurement

  7. Certification agent

  8. Board audit committee

  9. Internal and external audit personnel

Information Security Governance Framework

"Information security governance," "cybersecurity organizational structure," and "information security organizational structure" are buzzwords that may sound trendy, but they are important concepts to understand in today's business landscape. These terms refer to the strategies and frameworks organizations put in place to manage and protect their sensitive information and systems from cyber threats.

Information security governance is the overall framework for managing an organization's information security. It includes the policies, procedures, and standards that are put in place to ensure the confidentiality, integrity, and availability of sensitive information. The goal of information security governance is to align an organization's information security efforts with its overall business objectives.

Implementing an information security governance model can help organizations meet IT and cybersecurity compliance requirements in a more streamlined and efficient manner. IT compliance refers to the regulations and standards an organization must adhere to, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Cybersecurity compliance frameworks, like ISO 27001, provide a set of guidelines and best practices for managing information security. By aligning their information security efforts with these frameworks, organizations can more easily meet their compliance requirements and protect their sensitive information from cyber threats.

Why is Information Security Governance Important?

In addition to maintaining their day-to-day operations, businesses often have to contend with competing compliance requirements. Many organizations seek out independent auditors to help them obtain SOC 2 reports, which may be required to fulfill a contractual obligation or to improve their market position. After the initial year, it is not uncommon for these organizations to start seeking assistance in meeting other IT compliance requirements that their clients may be requesting.

As more companies outsource services and technology, the need for increased compliance and proof of compliance also increases. The requirements can vary, but some of the most commonly requested include HIPAA, HITRUST, and GDPR. An independent auditor is able to issue different compliance attestation reports to help clients demonstrate their compliance with various IT and cybersecurity compliance requirements. This can help organizations demonstrate compliance with different but similar requirements, and better position themselves in the marketplace.

Benefits of Information Security Governance

Many new companies are becoming increasingly concerned about information security, but may not have the expertise to define IT controls themselves. Start-ups may be focused on getting their innovative product off the ground and making a profit, rather than on information security. Meanwhile, established companies may have been patching together IT security controls over time to meet different requirements, resulting in competing priorities, redundancies, and inefficiencies across their internal controls.

The implementation of an information security governance framework can help align priorities, eliminate redundancies, and reduce inefficiencies. When done correctly, an information security governance framework takes into account a company's strategy, operations, and compliance requirements, and provides a structure for managing these objectives in a balanced and organized manner. This helps companies to effectively protect sensitive information and meet compliance requirements while also allowing them to focus on their core business objectives.

How to Build An Information Security Governance Framework

First and foremost, you need to identify the compliance, regulatory, and contractual requirements your company is subject to. To start, here are some good questions to ask:

    1. Did we sign a contract with a new client promising to deliver a SOC 2 report by year-end?

    2. Do we process and/or store electronic protected health information (ePHI)?

    3. Do we do business in the European Union or offer goods or services to individuals or businesses in the EU? What about California?

    4. Are we trying to win a Federal government contract?

    5. Are we a public company? Do we process financial transactions on behalf of our clients?

    6. Are one or more of our clients asking if we have ISO 27001 certification?

The way an organization answers questions about its operations and customers can help identify the various IT compliance frameworks it may be subject to. For example, if an organization processes and/or stores ePHI, it may be required to demonstrate compliance with HIPAA or HITRUST. If an organization is looking to enter the Federal contracting space, it should research whether it will be subject to FedRAMP, CMMC, or one of the NIST frameworks.

Once an organization has identified its requirements, it can select the appropriate framework or frameworks that will help it meet its IT compliance objectives. The IT compliance standards an organization is subject to can serve as the basis for its information security governance framework. Each IT compliance standard will help identify the minimum standards an organization is required to meet through its information security policies and IT controls, and in turn, helps to define those policies and controls.

If an organization is subject to multiple IT compliance standards, further analysis is required to understand how to design its information security governance framework to bring together common requirements under multiple compliance requirements, while also ensuring the unique requirements of each are met. This may require a mapping of the different standards and identifying the commonalities and differences between them, and then designing the framework in such a way that it addresses all the requirements of the different standards.

Example of Information Governance

Going back to our SOC 2 vs. HIPAA example, consider the requirements for information system authentication under each standard, and compare to authentication requirements under PCI, which is an IT compliance framework designed specifically for entities that process and store credit card data:

SOC 2 and HIPAA are two different IT compliance frameworks that have different requirements for information system authentication.

SOC 2 is a security standard that focuses on controls related to security, availability, processing integrity, confidentiality, and privacy. It requires organizations to implement controls for secure user authentication, such as two-factor authentication, to protect against unauthorized access to systems and data.

HIPAA, on the other hand, is a healthcare-specific regulation that focuses on protecting the privacy and security of protected health information (PHI). It requires organizations to implement controls for secure user authentication, such as unique user identification, to protect against unauthorized access to systems and data.

PCI DSS is a standard that is designed specifically for entities that process and store credit card data. It also requires organizations to implement controls for secure user authentication, such as unique user identification and two-factor authentication, to protect against unauthorized access to systems and data.

As we can see, all three standards have similar requirements for secure user authentication, but with slight differences. It is important for organizations to understand the specific requirements of each standard and implement controls that meet or exceed those requirements to protect their systems and data from unauthorized access.

Why Do You Need An Information Security Governance Framework

(Deeper dive: Cyber Security Management, Peter Trim)

It is important to remember that the goals of an information security governance framework should be to not only help an organization meet its IT compliance obligations, but to do so in the most efficient way possible. When IT compliance requirements are addressed in an ad hoc manner, redundancy and inefficiency can result, as well as the potential for missed requirements. A holistic, top-down approach, which takes into account an organization's overall strategy, operations, and compliance requirements, will help effectively manage IT compliance within the organization. By using a governance framework, an organization can streamline its compliance efforts, reduce costs and minimize the risk of non-compliance, while also aligning its IT security efforts with its overall business objectives.
