Information Security Governance

Framework and Toolset for CISOs and Decision Makers

Andrej Volchkov

About this book

This book presents a framework to model the main activities of information security management and governance. The same model can be used for any security sub-domain such as cybersecurity, data protection, access rights management, business continuity, etc.


Information

Year: 2018
ISBN: 9780429791246
Chapter 1
Security Governance
As a vital resource in the digital economy, information must be protected. Companies realize the importance of being able to ensure its availability, confidentiality, and integrity. However, technical security measures alone are no longer sufficient. Senior managers are looking for ways to ensure a level of protection in line with the needs of their company. They must also have better control of the costs related to information security while remaining in compliance with legal and regulatory frameworks.
Security governance must be enforced at all levels of an organization. But many still do not understand quite what security governance is, what its main objective is, and how it should be integrated within the existing structures of an organization. This chapter provides answers to the following questions:
■ What issues are behind information security in the global context?
■ What questions should senior officials ask about security governance?
■ What trends are we seeing today?
■ Exactly what does information security governance include?
■ How can inadequate security governance adversely affect a company?
■ How is good security governance recognized?
■ What is the difference between governance and management?
■ Is there any specific standard for information security governance?
What issues are behind information security in the global context?
1.1 Information Security Is Important for Business
Information exists nowadays in multiple formats; it is stored on different media and exchanged through uncontrolled networks. Yet, it is a vital resource for the economy and for everyday transactions. Companies must therefore ensure information’s availability (for its intended use), confidentiality (exploitable by those who are authorized), integrity (protected against unauthorized changes), and authenticity.
Information security (IS) is currently making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models. Its added value includes providing reliable and secure exchanges, ensuring secure data transfers, enabling remote protected access, ensuring the availability of services, and offering the possibility of outsourcing processes in a controlled and secure manner. More traditionally, it protects a company’s know-how and reputation, reduces operational risks, and ensures compliance with legal and regulatory frameworks. It is no longer considered a technical discipline that can be delegated to specialized services. Security is becoming an increasing matter of concern for top executives and is being supervised more and more at the highest level of company responsibility. This is not only required by laws and regulations but is also a reality in many companies anxious to improve cost controls and the return on their investment in protection systems. It is no longer an ancillary activity, as companies seek to optimize investments and ensure the adequacy of deployed IS measures. Management and the board of directors are additionally involved in developing IS objectives and supervising its added value to business objectives. Whether they are customers, partners, suppliers, employees, or shareholders, all stakeholders are concerned about security issues.
What should senior officials know about security governance?
Executives and board members must therefore be better acquainted with IS issues so that they can fully assume their new responsibilities. If they do not have answers to the following questions or if the answer is “no”, then there is a real need to review the practices of IS governance within the organization:
■ Is the board regularly informed about IS risks and measures taken?
■ Are management or line managers involved in strategic decisions concerning the development of IS?
■ Who defines IS strategy, policies, and guidelines?
■ Who is responsible for data protection and associated measures?
■ Do we know which business processes are threatened by high IS risks and whether anything is being done to mitigate them?
■ Where is confidential data stored and how is it processed? Who is accountable for data privacy protection?
■ Is our IS adapted to the real needs of the business?
■ Are business units members of committees that decide about IS measures concerning their operations?
■ Do we know whether IS expenses are justified and what their return on investment is?
If it can be shown that security plays a part in attaining strategic objectives and reducing the risks involved, then it can benefit from senior executives’ attention and take its place as a link in the value chain. Security is essential, but the question is what level of maturity is needed: in other words, how much and what level of IS are enough? Its contribution margin, and especially its cost, must therefore be measurable. However, this cannot be achieved unless the board of directors and management are involved in setting objectives and monitoring the deliverables of the security program.
What trends are we seeing today?
Several studies have highlighted a positive evolution in management’s awareness of the importance of IS. However, it is still noted that technical means are often deployed in a disorganized manner, in successive layers, to overcome visible threats. Boards and management are not involved or are unable to understand the real issues behind IS, and thus, they delegate this task to bodies with little decision-making power and therefore, few means to act. The return on IS investments is not evaluated systematically. Priority is being given to technical solutions without making the necessary organizational adjustments. Roles and responsibilities are often not well defined, resources are lacking, decisions are not made, objectives and information architectures are not clearly established, and this results in loss of energy, increased costs, and a sense of frustration by both management and the teams responsible for deploying protective measures. This, in turn, causes misunderstanding on the part of the governing bodies, which do not have sufficient visibility regarding the adequacy of the measures and the costs related to real risks, leading to a race to find technical solutions to counter visible threats, but without any real means of control.
The following observations may characterize many companies that have neglected the importance of governance in the field of IS:
■ Lack of awareness of IS strategy and its degree of alignment with business strategies.
■ Senior executives’ ignorance of the problems and concerns of IS.
■ Lack of a formal evaluation process for IS performance or return on security investments (ROSI).
■ Priority is often given to technical solutions without adjusting organizational structures.
■ Lack of manager involvement in the prioritization of risk treatments.
■ Lack of architectural design requirements for IS.
According to PwC (The Global State of Information Security¼ Survey 2018) [Source: PwC, CIO and CSO, The Global State of Information Security¼ Survey 2018, October 18, 2017]: “Most corporate boards are not proactively shaping their companies’ security strategies or investment plans. Only 44% of respondents say their corporate boards actively participate in their companies’ overall security strategy”. The involvement of the board in overall security is estimated as follows: 45% in the security budget, 44% in the overall security strategy, 39% in security policies, 36% in security technologies, and 1% in the review of current security and privacy risks.
According to EY’s 19th Global Information Security Survey 2016–2017 [EY - 19th Global Information Security Survey 2016-2017], 73% of companies are concerned about poor user awareness and behavior around mobile devices, 86% say their cybersecurity function does not fully meet their organization’s needs, and 86% of respondents say they need up to 50% more budget.
These observations lead us to believe that many companies have yet to establish real IS governance. There are many reasons behind this; our goal is not to list them but rather, to propose tools to facilitate the implementation of a governance process adapted to the realities of each company. But, first, let’s take a closer look at governance and management activities to better understand what we are talking about and why it is important.
What does information security governance mean?
1.2 Information Security Governance
Security governance is an integral part of corporate governance. Remember that there is no single or commonly accepted definition ...