Information security governance is the set of practices and structures that an organization puts in place to ensure effective oversight of security activities. In this video, Mike Chapple explains how governance is the responsibility of all levels of leadership within an organization and how it takes place outside of the security function.
- [Instructor] Information security governance is the set of practices and structures that an organization puts in place to ensure effective oversight of security activities. Governance is the responsibility of all levels of leadership within an organization, and it takes place outside of the security function. Leaders involved in security governance include the chief information security officer, the chief information officer, the chief executive officer, and even the board of directors.
Everyone with a responsibility to protect the ongoing effectiveness of the organization plays an important role in the information security governance process. The IT Governance Institute outlines five important roles for information security governance. Security governance practices should align security strategy with the organization's business strategy. Everything that happens in an information security program should advance the organization's business objectives. Governance should also implement the organization's risk management process, setting standards for the organization's risk tolerance and ensuring that risks exceeding that tolerance are appropriately mitigated.
Governance structures are also responsible for oversight of security resources, ensuring that financial and human resources are used wisely. Governance also holds the security team accountable to performance standards by measuring, monitoring, and reporting security metrics. And finally, governance processes seek to deliver value by optimizing information security investments in light of the organization's business objectives.
As you design an information security governance program, you'll need to achieve the objectives of governance in a manner consistent with your organization's culture and management practices. It's important to remember that executives and board members are responsible for the governance of the entire organization. Information security is important, but it's one of many areas that these leaders must address. The more that you can integrate security with existing corporate governance practices, the easier it will be for everyone.
For example, if the board uses a committee structure to help oversee specific areas of risk, it might be useful to establish a security committee, or maybe a committee that focuses on technology risk. This committee can get into the details and then provide high-level reporting back to the rest of the board.