Expert answer:Information Security Governance
Expert answer:Information security management and governance are not simply implemented tasks within organizations. An information security governance program is a program that must be thoroughly planned, include senior-level management involvement and guidance, be implemented throughout the organization, and be updated and maintained. The International Organization for Standards (ISO) and the International Electrotechnical Commission (IEC) has created information security governance standards. Review the information security governance information provided by ISACA Write a 3-5 page paper in which you:Define the information security governance and management tasks that senior management needs to address.Describe the outcomes and the items that will be delivered to the organization through the information security program.Develop a list of at least five (5) best practices for implementing and managing an information security governance program within an organization.Develop a checklist of items that needs to be addressed by senior management, including priorities and needed resources.Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. Your assignment must follow these formatting requirements:Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; references must follow APA or school-specific format. Check with your professor for any additional instructions.Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required page length.
information_security_govenance_for_board_of_directors_and_executive_management_res_eng_0510.pdf
Unformatted Attachment Preview
:
Guidance for Boards of Directors
and Executive Management
2ndnd Edition
:
Guidance for Boards of Directors
and Executive Management
2ndnd Edition
“
The rising tide of cybercrime and threats to critical information assets mandate that boards of
directors and senior executives are fully engaged at the governance level to ensure the security
and integrity of those resources.
”
— SHIRLEY M. HUFSTEDLER, BOARD OF DIRECTORS
HARMAN INTERNATIONAL INDUSTRIES
“
To enable secure business operations, an organization must have an effective security
governance strategy.
”
— SUNIL MISRA, CHIEF SECURITY ADVISOR AND MANAGING PARTNER
UNISYS CORP.
“
The complexity and criticality of information security and its governance demand that it be
elevated to the highest organizational levels. As a critical resource, information must be treated
like any other asset essential to the survival and success of the organization.
— TERRY HANCOCK, CEO
EASY I GROUP
”
2
Information Security Governance
Guidance for Boards of Directors and Executive Management, 2nd Edition
IT Governance Institute®
The IT Governance Institute (ITGITM) (www.itgi.org) was established in 1998 to advance
international thinking and standards in directing and controlling an enterprise’s information
technology. Effective IT governance helps ensure that IT supports business goals, optimises
business investment in IT, and appropriately manages IT-related risks and opportunities. The IT
Governance Institute offers original research, electronic resources and case studies to assist
enterprise leaders and boards of directors in their IT governance responsibilities.
Disclaimer
The IT Governance Institute (the “Owner”) has designed and created this publication, titled
Information Security Governance: Guidance for Boards of Directors and Executive
Management, 2nd Edition (the “Work”), primarily as an educational resource for boards of
directors, executive management and IT security professionals. The Owner makes no claim that
use of any of the Work will assure a successful outcome. The Work should not be considered
inclusive of any proper information, procedures and tests or exclusive of other information,
procedures and tests that are reasonably directed to obtaining the same results. In determining
the propriety of any specific information, procedure or test, boards of directors, executive
management and IT security professionals should apply their own professional judgement to the
specific circumstances presented by the particular systems or information technology
environment.
Disclosure
Copyright © 2006 by the IT Governance Institute. All rights reserved. No part of this
publication may be used, copied, reproduced, modified, distributed, displayed, stored in a
retrieval system, or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise), without the prior written authorisation of the IT
Governance Institute. Reproduction of selections of this publication, for internal and
noncommercial or academic use only, is permitted and must include full attribution of the
material’s source. No other right or permission is granted with respect to this work.
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.7491
Fax: +1.847.253.1443
E-mail: info@itgi.org
Web site: www.itgi.org
ISBN 1-933284-29-3
Information Security Governance: Guidance for Boards of Directors and Executive
Management, 2nd Edition
Printed in the United States of America
IT Governance Institute 3
Acknowledgements
From the Publisher
The IT Governance Institute wishes to recognise:
The ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA,
International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General’s Office, Singapore,
Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, Focus Strategic
Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA,
Past International President
Robert S. Roussey, CPA, University of Southern California, USA,
Past International President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, Trustee
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee
Erik Guldentops, CISA, CISM, Belgium, Advisor, IT Governance Institute
The Author and Focus Group
W. Krag Brotby, CISM, Senior Security Consultant, USA, Author
Jennifer Bayuk, CISA, CISM, Bear Stearns & Co. Inc., USA
Curtis Coleman, CISM, CISSP, MSIA, Seagate Technology LLC, USA
Leonardo Garcia, CISA, CISM, CISSP, BS 7799LA, ISO 9000LA, Innovaciones
Telemáticas, México
Ronda R. Henning, CISM, CISSP-ISSAP, CISSP-ISSMP, Harris Corporation, USA
Stephen R. Katz, CISSP, Security Risk Solutions LLC, USA
William Malik, CISA, Malik Consulting LLC, USA
Yogita Parulekar, CISA, CISM, CA, Oracle Corporation, USA
Eddie Schwartz, CISA, CISM, CISSP, MCSE, Securevision LLC, USA
Darlene Tester, CISM, CISSP, JD, CHSS, Caveo Technology, USA
Marc Vael, Ph.D., CISA, CISM, KPMG, Belgium
ISACA’s Certified Information Security Manager® (CISM®) Board
David Simpson, CISA, CISM, CISSP, Chair, CQR Consulting, Australia
Kent Anderson, CISM, Network Risk Management LLC, USA
Evelyn Anton, CISA, CISM, UTE, Uruguay
Claudio Cilli, CISA, CISM, CIA, CISSP, Tangerine Consulting, Italy
Robert Coles, Ph.D., CISA, CISM, MBCS, UK
Kyeong-Hee Oh, CISA, CISM, CISSP, Green Soft, Korea
Hitoshi Ota, CISA, CISM, Mizuho Corporate Bank Ltd., Japan
Ashok Pawar, CISA, CISM, CAIIB, State Bank of India, India
Gary Swindon, CISM, Orlando Regional Healthcare, USA
4
Information Security Governance
Guidance for Boards of Directors and Executive Management, 2nd Edition
The ITGI Committee
William C. Boni, CISM, Chair, Motorola, USA
Jean-Louis Leignel, Vice Chair, MAGE Conseil, France
Erik Guldentops, CISA, CISM, Belgium
Tony Hayes, Queensland Government, Australia
Anil Jogani, CISA, FCA, Tally Solutions Ltd., UK
John W. Lainhart IV, CISA, CISM, IBM Business Consulting Services, USA
Ron Saull, CSP, Great-West Life and IGM Financial, Canada
Michael Schirmbrand, CISA, CISM, CPA, KPMG LLP, Austria
Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium
The Subject Matter Expert Reviewers
Julia Allen, Carnegie-Mellon, USA
William Barrett, CISA, CPA, CRP, Ernst & Young LLP, USA
Endre P. Bihari, CISM, CCSA, GAICD, MCSE, Performance Resources,
Australia
Chris Boswell, CISA, CISSP, CA, USA
Claudio Cilli, CISA, CISM, CIA, CISSP, Tangerine Consulting, Italy
Candi Carrera, Tellindus, Luxembourg
Ulises Castillo, CISA, Scitum, SA de CV, Mexico
Milthon J. Chavez, CISA, CISM, CIFI, MCH Consultoria Integral, Venezuela
Amitava Dutta, Ph.D., CISA, George Mason University, USA
Chris Ekonomidis, CISA, CISSP, Ernst & Young LLP, USA
Lawrence A. Gordon, Ph.D., University of Maryland, USA
Erik Guldentops, CISA, CISM, Belgium
Gary Hardy, ITWinners, South Africa
Avinash W. Kadam, CISA, CISM, CISSP, CBCP, MIEL e-Security Pvt. Ltd.,
India
John W. Lainhart IV, CISA, CISM, IBM Business Consulting Services, USA
Alexandra Lajoux, National Association of Corporate Directors, USA
Cory Notrica, CISA, CISM, CISSP, Ernst & Young LLP, USA
Vernon R. Poole, CISM, IPFA, Sapphire Technologies, UK
N. Ramu, CISA, FCA, Lovelock & Lewes, India
Robert S. Roussey, CPA, University of Southern California, USA
Howard A. Schmidt, CISM, CISSP, Former Chief Security Executive, eBay and
Microsoft, USA
Gad J. Selig, Ph.D., PMP, University of Bridgeport and GPS Group Inc., USA
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Johann Tello-Meryk, CISA, CISM, Primer Banco del Istmo, Panama
Ghassan Youssef, MSc., CISM, Bank Audi, Audi Saradar Group, Lebanon
The ITGI Affiliates and Sponsors
ISACA chapters
Commonwealth Association of Corporate Governance
Bindview Corporation
CA
IT Governance Institute 5
ITGI WOULD LIKE TO ACKNOWLEDGE:
Unisys, whose generous support and sponsorship contributed significantly
to the development of the Information Security Governance: Guidance for
Boards of Directors and Executive Management, 2nd Edition.
ITGI appreciates the support the following organisations have provided to this project:
AICPA
®
6
Information Security Governance
Guidance for Boards of Directors and Executive Management, 2nd Edition
Table of Contents
Introduction………………………………………………………………………………………..7
1. What Is Information Security Governance?—An Overview………….11
Desired Outcomes ………………………………………………………………………….11
Knowledge and the Protection of Information Assets ………………………..12
Benefits of Information Security Governance …………………………………..13
Process Integration …………………………………………………………………………14
2. Why Are Information Security and Information
Security Governance Important?………………………………………………….15
Information Security Governance Defined ……………………………………….17
3. Who Should Be Concerned With Information
Security Governance? …………………………………………………………………..21
Boards of Directors/Trustees …………………………………………………………..21
Executives……………………………………………………………………………………..21
Steering Committee………………………………………………………………………..22
Chief Information Security Officer ………………………………………………….22
4. What Should the Board of Directors/Trustees and
Senior Executives Be Doing?…………………………………………………………24
Illustrative Matrix of Outcomes and Directives …………………………………25
5. What Are Some Thought–provoking Questions to Ask? ………………..27
Questions to Uncover Information Security Issues…………………………….27
Questions to Find Out How Management Addresses
Information Security Issues ………………………………………………………….27
Questions to Self-assess Information Security Governance Practices ….28
6. What Should Information Security Governance Deliver? ……………..29
Strategic Alignment………………………………………………………………………..29
Risk Management…………………………………………………………………………..29
Resource Management……………………………………………………………………30
Performance Measurement ……………………………………………………………..30
Value Delivery ……………………………………………………………………………….30
7. How Is Information Security Governance Evolving? …………………….32
8. What Can Be Done to Successfully Implement
Information Security Governance?……………………………………………….34
Questions for Directors …………………………………………………………………..34
Questions for Management ……………………………………………………………..34
9. How Does My Organisation Compare on Information
Security Governance? …………………………………………………………………..36
Maturity Level Description ……………………………………………………………..36
Appendix—Regulatory and Standards Bodies’
Guidance on Information Security Governance…………………………………40
References…………………………………………………………………………………………46
IT Governance Institute 7
Introduction
Organisations today face a global revolution in governance that directly
affects their information management practices. There is an increased need
to focus on the overall value of information protected and delivered—in
terms of enabled services. Due to the high-profile organisational failures of
the past decade, legislatures, statutory authorities and regulators have created
a complex array of new laws and regulations designed to force improvement
in organisational governance, security, controls and transparency. Previous
and new laws on information retention and privacy, coupled with significant
threats of information systems disruptions from hackers, worms, viruses and
terrorists, have resulted in a need for a governance approach to information
management, protecting the organisation’s most critical assets—its
information and reputation.
Information and the systems that handle it are critical to the operation of
virtually all organisations. Access to reliable information has become an
indispensable component of conducting business; indeed, in a growing
number of organisations, information is the business.
This increasing dependence on information was apparent more than a decade
ago when Peter Drucker stated:
The diffusion of technology and the commodification of
information transforms the role of information into a resource
equal in importance to the traditionally important resources of
land, labor and capital.1
During the intervening years, value escalation of and dependence on
information have increased exponentially. There is every indication that this
quickening pace will continue unabated into the foreseeable future. Gartner
recently estimated that in less than a decade, organisations will typically deal
with 30 times more information than they do today.2 With the chaos, glaring
vulnerabilities and perpetual crisis-mode activities observed in most
information technology operations, that is not a reassuring notion.
Organisations continue to witness information-related crime and vandalism
becoming the choice of a growing global criminal element. Existing
institutions burdened by countless conflicting jurisdictions and inadequate
resources have not been successful in reducing the amount or impact of these
activities. Therefore, a large portion of the task of protecting critical
information resources falls squarely on the shoulders of executives and
boards of directors.
1
2
Drucker, Peter; ‘Management Challenges for the 21st Century’, Harpers Business, 1993
Hallawell, Arabella; Gartner Global Security and Privacy Best Practices, Gartner Analyst
Reports, USA, 2004, www.csoonline.com/analyst/report2332.html
8
Information Security Governance
Guidance for Boards of Directors and Executive Management, 2nd Edition
Until recently, the focus of security had been on protecting the IT systems
that process and store the vast majority of information, rather than on the
information itself. However, this approach is too narrow to accomplish the
level of integration, process assurance and overall protection that is now
required.
To achieve effectiveness and sustainability in today’s complex,
interconnected world, information security must be addressed at the highest
levels of the organisation, not regarded as a technical specialty relegated to
the IT department.
An enlightened approach to information security takes the larger view that an
organisation’s information and the knowledge based on it must be adequately
protected regardless how it is handled, processed, transported or stored. It
addresses the universe of risks, benefits and processes involved with all
information resources. The security of information, as with other critical
organisational resources, must be addressed at the total enterprise level.
Information security is not only a technical issue, but a business and
governance challenge that involves adequate risk management, reporting and
accountability. Effective security requires the active involvement of executives
to assess emerging threats and the organisation’s response to them.3
As organisations strive to remain competitive in the global economy, they
respond to constant pressures to cut costs through automation, which often
requires deploying more information systems. Whilst managers become ever
more dependent on these systems, the systems have become vulnerable to a
widening array of risks that can threaten the existence of the enterprise. This
combination is forcing management to face difficult decisions about how to
effectively address information security. This is in addition to scores of new
and existing laws and regulations that demand compliance and higher levels
of accountability.
The Data Governance Council, with a focus on the review and approval
aspects of board responsibilities, recently recommended that boards provide
strategic oversight regarding information security, including:
1. Understanding the criticality of information and information security to
the organisation
2. Reviewing investment in information security for alignment with the
organisation strategy and risk profile
3. Endorsing the development and implementation of a comprehensive
information security programme
3
Corporate Governance Task Force, ‘Information Security Governance: Call to Action’,
USA, 2004
IT Governance Institute 9
4. Requiring regular reports from management on the programme’s adequacy
and effectiveness4
In this regard, governing boards and executive management should review:
• The scale and return of the current and future investments in information
resources to ensure that they are optimised
• The potential for technologies to dramatically change organisations and
business practices, thereby creating new opportunities and value whilst
reducing costs
They should also consider the associated ramifications of the:
• Increasing dependence on information and the systems and
communications that deliver the information
• Dependence on entities beyond the direct control of the enterprise
• Increasing demands to share information with partners, suppliers and
customers
• Impact on reputation and enterprise value resulting from information
security failures
• Failure to set the tone at the top with regard to the importance of security
Whilst executive management has the responsibility to consider and respond
to these issues, boards of directors will increasingly be expected to make
information security an intrinsic part of the enterprise’s governance efforts,
aligned with their IT governance focus and integrated with processes they
have in place to govern other critical functions. The purpose of this
publication is to provide boards and senior executives a basis, rationale and
acknowledged approach for protecting vital information assets that support
critical business processes.
This guide, prepared by one of the world’s leading institutions dedicated to
researching issues and principles of IT governance, is written to address
these concerns. It covers fundamental issues such as:
• What is information security governance?
• Why is it important?
• Who is responsible for it?
It also provides practical, pragmatic advice on:
• What information security governance should deliver
• Questions to ask regarding information security governance
• How information security governance is evolving
• How to measure an organisation’s maturity level relative to information
security governance
4
IBM, Data Governance Council, Oversight of Information Security, USA, 2005
10
Information Security Governance
Guidance for Boards of Directors and Executive Management, 2nd Edition
IT Governance Institute 11
1. What Is Information Security Governance?—An Overview
Information security governance is the responsibility of the board of
d …
Purchase answer to see full
attachment
How it works
- Paste your instructions in the instructions box. You can also attach an instructions file
- Select the writer category, deadline, education level and review the instructions
- Make a payment for the order to be assignment to a writer
- Download the paper after the writer uploads it
Will the writer plagiarize my essay?
You will get a plagiarism-free paper and you can get an originality report upon request.
Is this service safe?
All the personal information is confidential and we have 100% safe payment methods. We also guarantee good grades