What is information security governance? who in the organization should plan for it?


The Importance of Policies and Procedures

John J. Fay, David Patterson, in Contemporary Security Management (Fourth Edition), 2018

Security Governance

Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. Our research has shown that through their emerging capabilities in the area of security governance and risk management, many organizations are taking proactive steps to ensure that their investments in security controls directly support their objectives for the business. A consistent, organization-wide view of security risks integrating both physical security and IT security is an essential element of this strategy. By combining superior security governance and risk management with an integrated approach to logical and physical security, organizations gain a distinct advantage for competing in the global economy through an optimized IT infrastructure and better protection for their digital, physical, and human assets.


URL: https://www.sciencedirect.com/science/article/pii/B9780128092781000244

Domain 1

Eric Conrad, in Eleventh Hour CISSP, 2011

Summary of exam objectives

Information security governance ensures that an organization has the correct information structure, leadership, and guidance. Risk Analysis (RA) helps ensure that an organization properly identifies, analyzes, and mitigates risk. All three of these qualities—information security governance, ethics, and Risk Analysis—are crucial for the success of an organization.

Finally, accurately assessing risk and understanding terms such as Annualized Loss Expectancy, Total Cost of Ownership, and Return on Investment will not only help you on the exam but also help advance your information security career.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495660000011

Governance

Ira Winkler, Araceli Treu Gomes, in Advanced Persistent Security, 2017

Abstract

Security governance is the combined set of tools, personnel, and processes that provide for formalized risk management. It includes organizational structure, roles and responsibilities, metrics, processes, and oversight, as it specifically impacts the security program. While governance is embodied in a set of documents, specifically standards, guidelines, policies, and procedures, to have an effective security program, the appropriate resources need to be allocated, as defined within the governance.

Without the formalization, and especially the implementation of governance, a security program is an accident. It would otherwise rely upon having the appropriately skilled people running the program, who are allocated the appropriate resources. If the people leave, or the level of support varies, the security program could disintegrate.


URL: https://www.sciencedirect.com/science/article/pii/B9780128093160000087

Domain 1

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide, 2010

Summary of exam objectives

Information security governance assures that an organization has the correct information structure, leadership, and guidance. Ethics helps ensure that we act morally and reasonably. Risk Analysis (RA) helps ensure that an organization properly identifies, analyzes, and mitigates risk. All three of these qualities: information security governance, ethics, and Risk Analysis, are crucial for the success of an organization.

Ethics is required not only to become a CISSP® (you must agree to and adhere to the (ISC)2® code of ethics), but is also required to have an information security career. If you lack ethics, you will likely lack an information security career. Finally, accurately assessing risk, and understanding terms such as Annualized Loss Expectancy, Total Cost of Ownership, and Return on Investment will not only help you in the exam, but also help advance your information security career.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495639000020

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Managing Information Security (Second Edition), 2014

Processes for IT Security Governance Planning

IT security governance planning includes prioritization as its major function. This helps in utilizing the limited sources of the organization. Determining priorities among the potential conflicting interests is the main focus of these processes. This includes budget setting, resource allocation, and, most important, the political process needed to prioritize in an organization.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166882000039

Domain 1

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

Summary of Exam Objectives

Information security governance ensures that an organization has the correct information structure, leadership, and guidance. Governance helps ensure that a company has the proper administrative controls to mitigate risk. Risk analysis helps ensure that an organization properly identifies, analyzes, and mitigates risk. Accurately assessing risk and understanding terms such as ALE, TCO, and ROI will not only help you on the exam, but also to advance your information security career.

An understanding and appreciation of legal systems, concepts, and terms are required of an information security practitioner working in the information-centric world today. The impact of the ubiquity of information systems on legal systems cannot be overstated. Whether the major legal system is civil, common, religious, or a hybrid, information systems have made a lasting impact on legal systems throughout the world, causing the creation of new laws and reinterpretation of existing laws, as well as a new appreciation for the unique aspects that computers bring to the courts.

Finally, the nature of information security and the inherent sensitivity therein makes ethical frameworks an additional point requiring attention. This chapter presented the IAB’s RFC, Ethics and the Internet, the Computer Ethics Institute’s Ten Commandments of Computer Ethics, and The (ISC)2® Code of Ethics. The CISSP® exam will, no doubt, emphasize the Code of Ethics proffered by (ISC)2®, which presents an ordered set of four canons that attend to matters of the public, the individual’s behavior, the provision of competent service, and the profession as a whole.


URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000012

Information Governance and Risk Management

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Decentralized Governance

In decentralized information security governance structures, the authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization (e.g., bureaus/components within an executive department of the federal government or business units within a corporation). Subordinate organizations establish their own policies, procedures, and processes for ensuring (sub) organization-wide involvement in the development and implementation of risk management and information security strategies, risk and information security decisions, and the creation of mechanisms to communicate within the organization. A decentralized approach to information security governance accommodates subordinate organizations with divergent mission/business needs and operating environments at the cost of consistency throughout the organization as a whole. The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate organizations so that no subordinate organization is able to transfer risk to another without the latter’s informed consent. It is also important to share risk-related information with parent organizations as the risk decisions by subordinate organizations may have an effect on the organization as a whole.


URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000057

Product security governance and regulatory compliance

Arnab Ray, in Cybersecurity for Connected Medical Devices, 2022

Product security governance

The capability Product Security Governance is responsible for ensuring that the MDM has the proper people, process, and technology to support the design, execution, and maintenance of all other cybersecurity capabilities. Specifically, it is responsible for discharging the following responsibilities:

1.

Ensuring that requirements that follow from regulations, regulatory guidance, and cybersecurity standards are captured in the Quality Management System (QMS). This activity consists of ingesting new cybersecurity regulations, guidance, and standards, distilling regulatory guidance down to a set of technical and procedural controls (examples of such procedural and technical control catalogs have been provided in Chapters 4 and 7, respectively), assessing gaps between regulatory requirements and the current state of the QMS, and creating a Quality Plan to bring the QMS into compliance with the new regulations, guidance, and standards.

2.

Oversight over developing capabilities: This activity consists of managing the execution of cybersecurity capability development through a Quality Plan.

3.

Ensuring that capabilities are being executed and maintained properly: This activity provides oversight over capability execution, i.e., to ensure that processes are being properly followed, resources are properly allocated with properly trained personnel executing processes they have the training and skills to execute, and that tools are available that facilitate process execution and productivity of personnel.

4.

Defining roles and responsibilities and information flows between organizational functions as well as the external world: This activity consists of defining roles and responsibilities for cross-functional cybersecurity activities. For instance, who needs to be informed when a cybersecurity incident on a medical device is detected? Between the functions Research and Development (R&D), Information Technology (IT), and Quality, how is responsibility for patching manufacturing and other nonproduct software divvied up? In many large MDMs, there is a corporate PCO which provides corporate-level oversight. This can either be an independent function by itself or be housed within corporate's Global Quality office. How then are roles and responsibilities for cybersecurity allocated between the corporate PCO and the PCO at the divisional level? These and similar questions need to be answered by the Product Security Governance capability.

The capability Product Security Governance itself is responsible for defining, executing, and maintaining the following procedural controls.

Cybersecurity strategy

The Cybersecurity Strategy procedural control defines processes for ensuring that the cybersecurity capabilities capture regulatory and standards guidance, that all cybersecurity capabilities are being developed, executed, and maintained properly, and that roles and responsibilities, especially in an organization where overall cybersecurity is a joint responsibility of multiple functions, are being properly discharged.

Procedural controls for cybersecurity strategy should define the following:

Criteria for identifying regulations, standards, and guidance that drive cybersecurity strategy

Which regulations, standards, and guidance should the MDM's QMS comply with? Who decides and based on what? Regulations and guidance issued by regulatory regimes in countries in which the MDM does business obviously have to be tracked through the QMS. But what about cybersecurity standards cited by regulators, such as the NIST CSF [1] or NIST 800–53 [2] or the UL 2900 series [3]? Does the MDM intend to comply with them too? One should remember that once a decision is taken to formally comply with a standard, one has to continuously monitor compliance, or else one runs the risk of being written up by an auditor. Unfortunately, decisions to comply with standards are sometimes taken by personnel who are not authorized to approve the resultant financial load on the organization's resources, without first considering the cost of maintaining compliance. Besides standards cited by regulatory bodies, there are IT cybersecurity standards (e.g. ISO/IEC 27001 [4] for infrastructure, FedRAMP [5] for cloud deployments, and HITRUST [6] for data privacy) that MDMs need to comply with in order to satisfy customer requirements and corporate IT policies. Decisions should be made as to which of these standards are to be tracked through QMS compliance processes and which through IT governance processes that exist outside the QMS. Usually, regulations and regulatory guidance are tracked through the QMS because the QMS is what regulators audit, while general IT cybersecurity standards are tracked outside the QMS through the IT governance process.

Method for defining and maintaining mapping from regulations, standards, and guidance to set of technical and procedural controls that drive capability development

Once the set of regulations, standards, and guidance to be complied with are chosen, methods need to be defined to distill them down to a control catalog. A control catalog is a set of technical and procedural controls with traceability to clauses and sentences of regulations, guidance, and standards from which they originate.

Different standards sometimes refer to the same requirement using different language. At the other extreme, sometimes standards refer to requirements that on the surface look the same, but are not exactly the same (the devil, they say, is in the details). Finally, different standards are often at different levels of abstraction, from very high-level to extremely prescriptive. Breaking them down to a manageable set of technical and procedural controls requires thought and effort, as does maintaining the control catalog as regulations, guidance, and standards evolve.

Method for gap and noncompliance assessment

When the decision is taken to comply with a new regulation or guidance or a standard, the QMS must be evaluated to assess the gap between the state of practice and the requirements of whatever regulation, guidance, or standard the QMS is endeavoring to comply with.

A realistic gap assessment should not just be about finding gaps in existing processes and policies—after all, people say the right thing in official documents all the time. It should also assess how those processes are currently being implemented, whether records of process execution are being kept, and whether the execution of the processes captures their regulatory and standards intent. Trying to add more compliance requirements to a system that is already noncompliant is a recipe for disaster.

One of the best ways of evaluating current practice is through cybersecurity audits. Before a major QMS update for cybersecurity, a cybersecurity audit should be performed, not just to evaluate gaps with the regulations, guidance, and standards to which compliance is being planned, but also noncompliances to the regulations, guidance, and standards that the QMS currently claims compliance with.

Method for gap and noncompliance remediation

Gaps between the QMS and the new regulation, guidance, or standard should be fixed through definition and execution of a Quality Plan. A Quality Plan is a set of tasks, set on a timeline and with resources allocated, that lays out activities that need to be performed in order to bring a QMS to comply with a new regulation, guidance, or standard. These activities could be related to defining new processes, procuring or developing new tools, or staffing up to be able to execute the updated QMS.

Noncompliances on the other hand should lead to cybersecurity Corrective and Preventive Actions (CAPAs). Noncompliances can be the following:

Process noncompliance: This kind of noncompliance occurs when procedural controls imperfectly capture the intent of the regulations, guidance, and standards to which compliance is being claimed. For example, if compliance to FDA 2016 [7] postmarket cybersecurity guidance is being claimed, and yet, there is no requirement in the QMS to patch in case risk to patient safety is evaluated to be “Uncontrolled,” that should be captured as a process noncompliance.

People noncompliance: This kind of noncompliance occurs when processes are not being executed properly because of lack of training or lack of resources. For example, training records of individual engineers show that they were not trained on the cybersecurity processes they have executed.

Tool noncompliance: This kind of noncompliance occurs when absence of proper tools leads to execution gaps. For example, consider the result of an audit in which cybersecurity requirements are being consistently traced to the wrong cybersecurity test cases. It's not that the processes stipulating such traceability do not exist, nor is it the case that the process execution is being done by people without sufficient training or background to execute the task. The root cause for the noncompliance is that requirements and test cases are being maintained as Excel documents. This makes traceability across the various artifacts difficult to maintain, in that when someone changes something in one document the other document is not automatically updated.

Remediation plans for such noncompliance are a part of a CAPA investigation process, and progress and resource allocation is tracked through the CAPA process.

Defining and maintaining roles and responsibilities

How are roles and responsibilities for different cybersecurity activities defined and, even more importantly, how are they maintained? Delineating functional responsibilities for cybersecurity in a large MDM is frequently contentious, in that every function often ends up feeling they are underresourced for the responsibilities they have been signed onto. And that is just the easy part. Functions are reorganized, functional priorities are recalibrated, what could have been the role of one function may now have become another's. People leave the organization and the next person may not have been informed of their specific role for cybersecurity.

All of this organizational movement and evolution leads to the degeneration of the roles and responsibilities document. What is the result? The day a major cybersecurity incident happens, no one knows who to call, or bring into the war room. Decisions regarding project planning or product design are taken without involvement of all appropriate stakeholders. Overall, product security governance suffers.

It is thus important to capture, as part of the strategy process, maintenance activities for the roles and responsibilities document. This includes periodic review of the roles and responsibilities document with different stakeholders. Even more importantly, one should conduct tabletop exercises [8,9]. In such exercises, real situations are simulated (e.g., an external researcher makes a presentation at a security conference disclosing a critical cybersecurity vulnerability, someone calls into the call center claiming that they suspect someone hacked into the device and killed a patient) and the organizational response is observed. The purpose of regular tabletop exercises is to ensure that individuals within an organization remain aware of their roles and responsibilities at all times and have the proper resources at hand to discharge them.

Cybersecurity management review

Regular audits are not the only way for evaluating the health of a QMS. Management review is a QMS practice in which metrics of different types are collected and presented to executive management as a means of tracking how well a QMS is meeting its quality objectives. Procedural controls for cybersecurity management review should define the following:

Operational metrics

Examples of operational metrics an MDM should track as part of management review for cybersecurity:

Number of open cybersecurity CAPAs

Number of cybersecurity Quality Plan activities whose deadlines have expired, but the output deliverables of the activity have not been incorporated into the QMS

Number of medical devices in postmarket phase that have uncontrolled risk and have not been patched

For cybersecurity patches for medical devices in the field, the patch adoption rate

Design metrics

Examples of design metrics an MDM should track as part of management review for cybersecurity:

For every medical device, number of cybersecurity system threats that are not mitigated by a primary control in the system cybersecurity risk model

Number of medical devices that have uncontrolled risk items in their system risk models that have been resolved by a Risk Benefit Analysis

Number of medical devices that fail to implement, totally or partially, a technical control from the master set of technical controls.


URL: https://www.sciencedirect.com/science/article/pii/B9780128182628000097

Domain 2

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

COBIT

COBIT is a control framework for employing information security governance best practices within an organization. COBIT was developed by the ISACA (Information Systems Audit and Control Association, see http://www.isaca.org).

COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. There are 34 IT processes across the 4 domains. More information about COBIT is available at: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx. Version 5 was released in Apr. 2012.


URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000024

Domain 3: Information Security Governance and Risk Management

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP (Second Edition), 2014

Abstract

This chapter presents a fundamental domain tested on the CISSP, Domain 3: Information Security Governance and Risk Management. Key terms, concepts, and formulas related to risk management are presented within this chapter. Risk, threat, and vulnerability are basic terms that must be understood to prove successful with this domain. Understanding how to perform calculations using Annualized Loss Expectancy (ALE), Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Exposure Factor (EF) is highlighted as part of quantitative risk analysis. Important concepts related to information security governance such as privacy, due care, due diligence, certification, and accreditation are also a focus of this chapter.


URL: https://www.sciencedirect.com/science/article/pii/B9780124171428000030
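The quantitative risk calculations the abstract above lists (EF, SLE, ARO, ALE) and the safeguard cost/benefit decision they feed are shown here as an added worked example; it is not code from the book. The standard CISSP formulas are SLE = AV × EF and ALE = SLE × ARO, and a safeguard is worth buying when (ALE before − ALE after) − annual cost of the safeguard is positive. The scenarios, asset values and safeguard costs below are constructed, hypothetical figures chosen only to exercise the arithmetic, including the edge case of a control that exactly breaks even and so should not be selected.

```python
"""Quantitative risk analysis with the CISSP terms EF, SLE, ARO and ALE (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV: replacement/business value of the asset
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected number of incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float               # annualized cost (TCO) of operating the control
    new_ef: Optional[float] = None   # EF after the control, if it reduces impact
    new_aro: Optional[float] = None  # ARO after the control, if it reduces likelihood


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(s) * s.aro


def residual_ale(s: Scenario, g: Safeguard) -> float:
    """ALE of the same scenario once the safeguard is in place."""
    after = Scenario(
        s.asset, s.threat, s.asset_value,
        s.exposure_factor if g.new_ef is None else g.new_ef,
        s.aro if g.new_aro is None else g.new_aro,
    )
    return ale(after)


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """Annual net benefit of a control: (ALE before - ALE after) - annual cost."""
    return ale(s) - residual_ale(s, g) - g.annual_cost


def rank_by_ale(scenarios: Iterable[Scenario]) -> List[Scenario]:
    """Highest expected annual loss first: the order in which to spend attention."""
    return sorted(scenarios, key=ale, reverse=True)


def best_safeguard(s: Scenario, candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive net value; None if none pays for itself.
    A control that only breaks even (net value 0) is deliberately not selected."""
    best = max(candidates, key=lambda g: safeguard_value(s, g), default=None)
    if best is None or safeguard_value(s, best) <= 0:
        return None
    return best


# Constructed sample data (hypothetical figures, not from any real assessment).
FIRE = Scenario("data center", "fire", asset_value=1_000_000, exposure_factor=0.5, aro=0.1)
RANSOMWARE = Scenario("customer DB", "ransomware", asset_value=2_000_000,
                      exposure_factor=0.25, aro=0.5)

SUPPRESSION = Safeguard("gas fire suppression", annual_cost=20_000, new_ef=0.1)
BACKUPS = Safeguard("off-site backups", annual_cost=45_000, new_ef=0.05)  # breaks even

if __name__ == "__main__":
    for s in rank_by_ale([FIRE, RANSOMWARE]):
        print(f"{s.asset}/{s.threat}: SLE={sle(s):,.0f} ALE={ale(s):,.0f}")
    for g in (SUPPRESSION, BACKUPS):
        print(f"{g.name}: net annual value {safeguard_value(FIRE, g):,.0f}")
    chosen = best_safeguard(FIRE, [SUPPRESSION, BACKUPS])
    print("recommended:", chosen.name if chosen else "none")
```

For the fire scenario the numbers work out to SLE 500,000 and ALE 50,000; suppression drops ALE to 10,000 for 20,000 a year (net 20,000), while the backup option drops it to 5,000 for 45,000 a year (net 0) and is therefore not recommended. The same functions apply to any scenario, so the ranking step generalizes to a whole asset inventory rather than the two rows shown.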

Who is responsible for an organisation's information security?

A company's CISO is the leader and face of data security in an organization. The person in this role is responsible for creating the policies and strategies to secure data from threats and vulnerabilities, as well as devising the response plan if the worst happens.

What is security governance in information security?

Information security governance is defined as “a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program,” according to the ...

What is infosec governance and why is it important in an organization?

Information security governance is part of cybersecurity and IT governance, and it addresses typical IT security issues such as data breaches, security policies, and mitigation of security incidents.

What is an information governance plan?

Information governance is the development of a decision and accountability framework that defines acceptable behavior in the creation, valuation, use, sharing, storage, archiving, and deletion of information.