Anyone who uses the term governance is throwing around a powerful word. The concept was established in corporate management a long time ago. In the context of crises and crisis management, governance has been used as a general term since the 1990s to refer to the principles of responsible corporate management and monitoring geared towards long-term value creation. This ongoing discussion about the fundamental principles of sustainable business, which started in the United States and which generally gains in intensity in the wake of company bankruptcies, has become a fashionable topic for debate of late (think of the economic and financial crisis that began in 2008). And governance remains a buzzword today. Nevertheless, it is unfortunately still not exactly clear what aspects the main categories of governance, IT governance and security governance actually cover. A similar uncertainty prevails in the frequent reports on issues of risk management, compliance and information security.
Systematic and well-integrated governance, risk, compliance and security management incorporate the following factors:
We will now assess these factors in terms of effective control and regulation systems of capital market-oriented companies, a central theme when it comes to responsible, transparent, efficient and secure business management. These factors further break down into the following related areas:
The most basic principles here are, in simple terms:
So governance is a term that, depending on the thematic underpinnings and professional discipline in question, may be understood in different ways. To better understand what governance means from the perspective of information security, one should bring to mind the many aspects of corporate governance, IT governance and security governance:
On the most abstract level, one might say that governance encompasses the responsible, sustainable organization and steering of activities, geared towards long-term value creation, and therefore the entire system of internal and external performance, control and monitoring mechanisms.
Consensus on a definition of IT governance is harder to reach, because it is unfortunately not possible to say whether a single definition has already been established. However, there is a tendency towards a common understanding, which can be described as follows:
One might then also derive a common basic understanding for IT governance that encompasses the organization, steering and monitoring of a company’s IT resources to ensure the consistent alignment of IT processes with the corporate strategy. Like the company’s governance, IT should ultimately be integrated into a uniform framework that is in line with the company’s business interests and that defines guidelines and standards.
So what does this mean for information security and the need for security governance?
Security governance is most easily defined in terms of information security objectives; that is, how does security governance contribute to information security? (Source: IT Governance Institute (ITGI) – ISACA):
Security governance is thus directly aligned with a company’s information security strategy, thereby establishing the foundation for managing activities in the area of information security. Only in this way is it possible to effectively and efficiently implement information security requirements that are fully in line with a company’s processes.
For this reason, information security governance must ultimately aim not only at ensuring the dependability of IT in a management context (while observing the requirements of information security management), but also at ensuring that information technologies themselves remain controllable.
Accordingly, security governance is a set of clear responsibilities, practices and principles that the chief information security officer (CISO) and managers use to set out strategic goals. This should also ensure that information security targets are met effectively. Additionally, there is a need to ensure that risks are managed properly and that a company’s resources are used responsibly.
First and foremost, overlap between corporate, IT, and security governance and the interfaces with risk, compliance, and information security management must be clearly identified, delineated, and structured to allow a view of the big picture. For company management, the CIO and the CISO, this requires a common understanding of the concept.
The CISO has a key role in the development of security governance practices. The CISO’s management tool is the Security Board, which enables the effective development of information security throughout the organization. The CISO sees to it that his or her security process is put into practice, and has the following responsibilities (source: IT Governance Institute – ITGI):
Here, the CISO should also ask the following high-level questions:
The CISO should also be able to assess the company’s business model with respect to consequences for its IT and information security:
The CISO must spell out what governance means within the company:
In terms of information security management, security governance encompasses the role of managing planning processes. It aims to achieve harmony between the corporate culture, the organizational principles and the actual organizational structure within the company, and it addresses the specific opportunities and technical topics that IT and information security need in order to handle the market requirements of the industry.
This offers the following advantages:
Above all, highly regulated industries that may not immediately recognize the positive impact the many new regulations and stricter requirements might have on business must set about creating efficient governance structures. Introducing mechanisms and meeting standards costs money, but those who take the trouble to systematically establish governance in coordination with these mechanisms and standards will discover the long-term, value-oriented prospects that security governance management offers.