ERE Information Security Auditors

IT Security Micro Governance – A Practical Alternative Part 1

This week’s blog is the first of a three-part series about my idea for an expedited method of implementing IT security Governance. Your feedback would be most appreciated.

Executive Summary

IT Governance is difficult for most organizations to initiate and maintain, since it is an ongoing process; this is particularly true for medium and small institutions. There are many subject experts, vendors, and consultants that cater to its implementation, but the inherent difficulties and complexities make implementing it an elusive goal for many.

Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats, threats which can evolve into costly security events. A distraught client once described how a serious access breach within his organization could have been prevented if senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls. I propose a modified process for responding to threats whose mitigation requires funds exceeding the annual IT security budget. I call this micro Governance.

Definitions of IT Governance

IT Governance is a sub-discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent. Four prominent authorities define IT governance on their web sites as follows:
1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI: … an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: … The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management: IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.

The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO. In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour

Significance of IT Security Governance for Compliance

Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement under SOX, revocation of interconnection agreements with electrical utilities under NERC CIP, and violation notices from third-party auditors under COBIT.

Examples of well-known regulatory frameworks and compliance standards are as follows:
* Financial - SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America - NERC CIP
* Privacy - PIPEDA, Red Flag, GLB
* Industry Best Practices - COBIT, ITIL

Next week’s blog will cover the problems caused by insufficient Governance and their root causes.

Have a secure week.

Regards, Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca
