To do business in today’s world, organizations are reliant on technology and data that’s processed, stored, and transmitted—and protecting that data throughout their life-cycle is critical.
Hackers, malicious insiders, vendors, and employees are all threats to data security. As such, organizations are getting asked by regulators, auditors, customers, and consumers how the data is secured and protected. Organizations often rely on their IT department to have the proper controls in place, but information security is an organizational issue—not an IT issue.
Executive management is just beginning to understand the need for effective controls, which is where information security governance (ISG) comes into play.
Understanding Information Security Governance
ISG is defined as “a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program,” according to the Information Systems Audit and Control Association.
While the definition sounds complex, it can be simplified. The ISG model helps you prepare for threats before they occur by forcing you to continually re-evaluate critical IT and business functions through:
- Threat and vulnerability analysis
- Patch identification and management
- Intrusion detection
- Security incident and event monitoring
Reactive Versus Proactive
It also helps an organization move from a reactive approach to cybersecurity to a proactive approach. It allows you to:
- Categorize and mitigate risks and threats
- Prepare an organization for identifying, remediating, and recovering from a cyberincident or breach
- Provide a method for executive leadership to understand their risk posture and maturity levels
- Outline a risk-based approach to the people, systems, and technology that are used every day
There are four main components to an ISG program: strategy, implementation, operation, and monitoring.
Information security should align with business objectives. The IT strategic plans need to satisfy the current and future business requirements. The goal of the ISG is to align the business and IT strategies and objectives of the organization.
ISG requires commitment, resources, assignment of responsibilities as well as implementation of policies and procedures that address the controls within a chosen framework. Buy in from senior management and above is critical to the implementation of the program.
It’s important that adequate resources are in place, projects that align with your overall strategy are deployed, and that operational and technology risks are addressed and mitigated to appropriate levels.
Metrics and monitoring help document the effectiveness of the program, provide information to help management make decisions, address any compliance issues, and establish information security controls with a more proactive approach.
ISG is the system by which an organization directs and controls IT security. Aligning that with an IT security and governance framework such as the NIST Cybersecurity Framework, ISO 27001, COBIT Internal Control Framework, Federal Information Security Management Act, or HITRUST CSF helps identify the necessary controls that need to be implemented and managed. ISG acts as the governance structure and works in conjunction with these frameworks to enhance the current security posture.
Once aligned with an information security framework or standard, the ISG can help the organization fully develop the controls to adequately protect sensitive data and systems. It establishes and maintains a model that provides an organization with a standardized structure that’s comprehensive and continually improving information security.
Moss Adams and NIST MEP Resources
With the dependence upon information and technology, along with threats from attackers and malicious insiders, it’s more important than ever for senior management and boards to have insight into the cybersecurity controls employed to protect an organization’s assets. Implementing an ISG program can provide the information needed for management and board of directors to make well-informed decisions on the overall security strategy for the organization. If you’d like to learn more about how an ISG program could benefit your organization, Moss Adams can be a great resource.
Additionally, NIST MEP has a variety of resources for manufacturers on Cybersecurity. You can read more about them here.
Troy Hawes has over 25 years of IT experience and serves clients in a variety of industries. He manages and leads cybersecurity and compliance assessments to determine areas of risk and develop practical corrective action plans. He can be reached at (206) 302-6529 or firstname.lastname@example.org.