
Information Security Governance
Contents
CHAPTER 1: GOVERNANCE OVERVIEW.
1.1 What Is It?
1.2 Back to Basics.
1.3 Origins of Governance.
1.4 Governance Definition.
1.5 Information Security Governance.
1.6 Six Outcomes of Effective Security Governance.
1.7 Defining Information, Data, Knowledge.
1.8 Value of Information.
CHAPTER 2: WHY GOVERNANCE?
2.1 Benefits of Good Governance.
2.1.1 Aligning Security with Business Objectives.
2.1.2 Providing the structure and framework to optimize allocations of limited resources.
2.1.3 Providing assurance that critical decisions are not based on faulty information.
2.1.4 Ensuring accountability for safeguarding critical assets.
2.1.5 Increasing trust of customers and stakeholders.
2.1.6 Increasing the company's worth.
2.1.7 Reducing liability for information inaccuracy or lack of due care in protection.
2.1.8 Increasing predictability and reducing uncertainty of business operations.
2.2 A Management Problem.
CHAPTER 3: LEGAL AND REGULATORY REQUIREMENTS.
3.1 Security Governance and Regulation.
CHAPTER 4: ROLES & RESPONSIBILITIES.
4.1 The Board of Directors.
4.2 Executive Management.
4.3 Security Steering Committee.
4.4 The CISO.
CHAPTER 5: STRATEGIC METRICS.
5.1 Governance Objectives.
5.1.1 Strategic Direction.
5.1.2 Ensuring Objectives are Achieved.
5.1.3 Risks Managed Appropriately.
5.1.4 Verifying Resources are Used Responsibly.
CHAPTER 6: INFORMATION SECURITY OUTCOMES.
6.1 Defining Outcomes.
6.1.1 Strategic alignment.
6.1.2 Risk Management.
6.1.3 Business process assurance / convergence.
6.1.4 Value delivery.
6.1.5 Resource management.
6.1.6 Performance measurement.
CHAPTER 7: SECURITY GOVERNANCE OBJECTIVES.
7.1 Security Architecture.
7.1.1 Managing Complexity.
7.1.2 Providing a Framework & Road Map.
7.1.3 Simplicity & Clarity through Layering & Modularisation.
7.1.4 Business Focus beyond the Technical Domain.
7.1.5 Objectives of Information Security Architectures.
7.1.6 SABSA Framework for Security Service Management.
7.1.7 SABSA Development Process.
7.1.8 SABSA Lifecycle.
7.1.9 SABSA Attributes.
7.2 COBIT.
7.3 Capability Maturity Model.
7.4 ISO/IEC 27001/ 27002.
7.4.1 ISO 27001.
7.4.2 ISO 27002.
7.5 Other Approaches.
7.5.1 National Cybersecurity Task Force.
CHAPTER 8: RISK MANAGEMENT OBJECTIVES.
Risk Management Responsibilities.
Managing Risk Appropriately.
8.1 Determining Risk Management Objectives.
8.1.1 Recovery Time Objectives.
CHAPTER 9: CURRENT STATE.
9.1 Current State of Security.
9.2 Current State of Risk Management.
9.3 Gap Analysis - Unmitigated Risk.
9.3.1 SABSA.
9.3.2 CMM.
CHAPTER 10: DEVELOPING A SECURITY STRATEGY.
10.1 Failures of Strategy.
10.2 Attributes of A Good Security Strategy.
10.3 Strategy Resources.
10.3.1 Utilizing Architecture for Strategy Development.
10.3.2 Using Cobit for Strategy Development.
10.3.3 Using CMM for Strategy Development.
10.4 STRATEGY CONSTRAINTS.
10.4.1 Contextual constraints.
10.4.2 Operational constraints.
CHAPTER 11: SAMPLE STRATEGY DEVELOPMENT.
11.1 The Process.
CHAPTER 12: IMPLEMENTING STRATEGY.
Action Plan Intermediate Goals.
Action Plan Metrics.
Re-engineering.
Inadequate Performance.
12.1 Elements Of Strategy.
12.1.1 Policy Development.
Attributes of Good Policies.
Sample Policy Development.
Other Policies.
12.1.2 Standards.
Attributes of Good Standards.
Sample Standards.
Classifications.
Standard Statement.
CHAPTER 13: SECURITY PROGRAM DEVELOPMENT METRICS.
13.1 Information Security Program Development Metrics.
13.2 Program Development Operational Metrics.
CHAPTER 14: INFORMATION SECURITY MANAGEMENT METRICS.
14.1 Management Metrics.
14.2 Security Management Decision Support Metrics.
CISO Decisions.
14.2.1 Strategic alignment.
14.2.2 Risk Management.
14.2.3 Metrics for Risk Management.
14.2.4 Assurance Process Integration.
14.2.5 Value Delivery.
14.2.6 Resource Management.
14.2.7 Performance Measurement.
14.3 Information Security Operational Metrics.
14.3.1 IT and Information Security Management.
14.3.2 Compliance Metrics.
CHAPTER 15: INCIDENT MANAGEMENT AND RESPONSE METRICS.
15.1 Incident Management Decision Support Metrics.
Conclusion.
Appendix A. SABSA Business Attributes & Metrics.
Appendix B. Cultural Worldviews.
Hierarchists.
Egalitarians.
Individualists.
Fatalists.
Chapter 2
Why Governance?
Information security is not only a technical issue but also a business and governance challenge that involves risk management, reporting, and accountability. Effective security requires the active engagement of executive management to assess emerging threats and provide strong cyber security leadership. The term coined to describe executive management's engagement is corporate governance. Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of an organization's overall governance program. Risk management, reporting, and accountability are central features of these policies and internal controls. [1]
Can a business case be convincingly made for implementing information security governance, or is it simply another needless layer of complexity designed to boost security department budgets? Although there are relatively few studies, their conclusions provide strong support for its necessity. Combined with the continuing growth of preventable cybercrime, mounting losses, and the all-too-common chaotic, unintegrated state of information security, they also suggest that there is simply no other rational approach to achieving effective enterprise-wide security, given the complexity, breadth, and sheer number of "moving parts" involved.
One of the more interesting and significant recent studies by the Aberdeen Group found that "Firms operating at best-in-class (security) levels are lowering financial losses to less than one percent of revenue, whereas other organizations are experiencing loss rates that exceed five percent" [2].
To the extent that the research proves accurate, this dramatic finding would appear to place any organization not practicing "best-in-class" security on the border of sheer recklessness, with its management utterly failing in its responsibilities. For any organization, the results of this study, suggesting that security-related losses might be lowered by more than 80%, would seem to make a compelling case for effective security governance to drive "best-in-class" security.
The study involved a number of companies of various sizes, but extrapolating from an organization with $500 million U.S. in revenues, a reduction of losses from $25 million (5%) to $5 million (1%) annually would fund substantial security efforts and probably leave some money left over.
The question that arises, then, is what constitutes "best-in-class" security? Some would suggest that it means adherence to the so-called "best practices" that are the cornerstone of ITIL. In some cases best practices may be appropriate; in others they may be excessive or insufficient. A persuasive argument can be made that "best practices" is merely a substitute for a lack of real knowledge. That is to say, one size will not fit all, and with good planning and effective metrics, adequate and sufficient practices are a far more cost-effective approach. In any event, practices of any sort, whether best or not, must be managed in an integrated manner consistent with supporting business objectives to be of any significant value to an organization.
Although it may not be possible to provide a specific set of precise specifications that define the "best-in-class" or "appropriate" level, several internationally recognized and accepted gauges and standards are available to assess what that entails. The attributes and characteristics defined for Level 4 of the CobiT version of the Capability Maturity Model (CMM) paint a clear picture and would fulfill the requirement for most organizations. It states:
Level 4: Managed and Measurable
- The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios.
- Responsibilities for Information security are clearly assigned, managed and enforced. Information security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorization are standardized. Security certification of staff is established. Intrusion testing is a standard and formalized process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilized. Information security processes are coordinated with the overall organization security function. Information security reporting is linked to business objectives.
- Responsibilities and standards for continuous service are enforced. System redundancy practices, including use of high-availability components, are consistently deployed. [3]
Although it is somewhat imprecise and subjective, CMM is an integral part of CobiT [3] and provides a straightforward intuitive approach that most find easy to apply.
A more detailed and specific approach is provided by the ISO/IEC 27002 Code of Practice and the ISO/IEC 27001 standard, which together specify comprehensive requirements for governance, implementation, metrics, controls, and compliance.
High-level governance requirements are also set forth comprehensively in FISMA documentation pursuant to the U.S. Federal Information Security Management Act.
Whichever approach is utilized, the objective is to achieve "best-in-class" security through good governance, which, in summary, will ensure:
- Assignment of roles and responsibilities
- Periodic assessments of risks and impact analysis
- Classification and assignment of ownership of information assets
- Adequate, effective, and tested controls
- Integration of security in all organizational processes
- Implementation of processes to monitor security elements
- Effective identity and access management for users and suppliers of information
- Meaningful metrics
- Education of all users, including management and board members, of information security requirements
- Training as needed in the operation of security processes
- Development and testing of plans for continuing the business in case of interruption or disaster
2.1 BENEFITS OF GOOD GOVERNANCE
A number of identifiable benefits will flow from implementing effective information security governance, depending on the current state of security and the particulars of the organization. The following subsections discuss some of the more direct and obvious benefits, but there are likely to be other, less obvious ones. For example, embarking on a program to implement governance as detailed in the following pages is likely to improve the awareness and commitment of management and result in a better "tone at the top." This in turn may foster a culture more conducive to security.
2.1.1 Aligning Security with Business Objectives
Although it seems an obvious requirement, the majority of organizations globally do not have a program or process to align IT strategy, much less security activities, with the objectives of the business. This was vividly highlighted by the 2006 Global State of Information Security Governance study of more than seven thousand organizations by the IT Governance Institute [4]. It revealed that processes to align IT strategy with business strategy had been implemented by only 16% of the respondents. Another 12% indicated that they were in the process of implementing a program to address the issue. The remaining 72% of organizations had no process guiding the alignment of their IT and security activities with business strategy: 21% were considering one and 51% were not (Table 2.1).
Table 2.1. Implementation of IT strategy by businesses (percentage of respondents)

                                              Have         Implementing   Considering    Not
                                              implemented  now            implementing   considering
IT strategy alignment with business strategy  16%          12%            21%            51%
Resource management                           18%          12%            20%            50%
Value delivery                                 9%           9%            21%            61%
Risk management                                9%           9%            16%            66%
Performance of IT                             10%          10%            14%            66%
ROI management of IT                           7%           8%            13%            72%
Demonstrably aligning security and other "assurance" functions directly and specifically with business strategy and objectives arguably provides a number of benefits. It serves to provide greater support for and cooperation with security efforts by business owners and senior management. This will in turn improve the "tone at the top" and the overall security culture as it counters the perception that "security" is a bottomless cost pit whose main objective is to hinder business activities and complicate life generally.
The ongoing, effective alignment of security with business can only be accomplished by properly implemented information security governance which creates the structure and process to align not only IT...