Information Security Governance
eBook - ePub

Information Security Governance

Framework and Toolset for CISOs and Decision Makers

Andrej Volchkov

  1. 256 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About this book

This book presents a framework to model the main activities of information security management and governance. The same model can be used for any security sub-domain such as cybersecurity, data protection, access rights management, business continuity, etc.


Details

Year
2018
ISBN
9780429791246
Edition
1
Chapter 1
Security Governance
As a vital resource in the digital economy, information must be protected. Companies realize the importance of being able to ensure its availability, confidentiality, and integrity. However, technical security measures alone are no longer sufficient. Senior managers are looking for ways to ensure a level of protection in line with the needs of their company. They must also have better control of the costs related to information security while remaining in compliance with legal and regulatory frameworks.
Security governance must be enforced at all levels of an organization. But many still do not quite understand what security governance is, what its main objective is, and how it should be integrated within the existing structures of an organization. This chapter provides answers to the following questions:
■ What issues are behind information security in the global context?
■ What questions should senior officials ask about security governance?
■ What trends are we seeing today?
■ Exactly what does information security governance include?
■ How can inadequate security governance adversely affect a company?
■ How is good security governance recognized?
■ What is the difference between governance and management?
■ Is there any specific standard for information security governance?
What issues are behind information security in the global context?
1.1 Information Security Is Important for Business
Information exists nowadays in multiple formats; it is stored on different media and exchanged through uncontrolled networks. Yet, it is a vital resource for the economy and for everyday transactions. Companies must therefore ensure information’s availability (for its intended use), confidentiality (usable only by those who are authorized), integrity (protected against unauthorized changes), and authenticity.
Information security (IS) is currently making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models. Its added value includes providing reliable and secure exchanges, ensuring secure data transfers, enabling remote protected access, ensuring the availability of services, and offering the possibility of outsourcing processes in a controlled and secure manner. More traditionally, it protects a company’s know-how and reputation, reduces operational risks, and ensures compliance with legal and regulatory frameworks. It is no longer considered a technical discipline that can be delegated to specialized services. Security is becoming an increasing matter of concern for top executives and is being supervised more and more at the highest level of company responsibility. This is not only required by laws and regulations but is also a reality in many companies anxious to improve cost controls and the return on their investment in protection systems. It is no longer an ancillary activity, as companies seek to optimize investments and ensure the adequacy of deployed IS measures. Management and the board of directors are additionally involved in developing IS objectives and supervising its added value to business objectives. Whether they are customers, partners, suppliers, employees, or shareholders, all stakeholders are concerned about security issues.
What should senior officials know about security governance?
Executives and board members must therefore be better acquainted with IS issues so that they can fully assume their new responsibilities. If they do not have answers to the following questions or if the answer is “no”, then there is a real need to review the practices of IS governance within the organization:
■ Is the board regularly informed about IS risks and measures taken?
■ Are management or line managers involved in strategic decisions concerning the development of IS?
■ Who defines IS strategy, policies, and guidelines?
■ Who is responsible for data protection and associated measures?
■ Do we know which business processes are threatened by high IS risks and whether anything is being done to mitigate them?
■ Where is confidential data stored and how is it processed? Who is accountable for data privacy protection?
■ Is our IS adapted to the real needs of the business?
■ Are business units members of committees that decide about IS measures concerning their operations?
■ Do we know whether IS expenses are justified and what their return on investment is?
If it can be shown that security plays a part in attaining strategic objectives and reducing the risks involved, then it can benefit from senior executives’ attention and take its place as a link in the value chain. Security is essential, but the question is what level of maturity is needed: in other words, how much and what level of IS are enough? Its contribution margin, and especially its cost, must therefore be measurable. However, this cannot be achieved unless the board of directors and management are involved in setting objectives and monitoring the deliverables of the security program.
What trends are we seeing today?
Several studies have highlighted a positive evolution in management’s awareness of the importance of IS. However, it is still noted that technical means are often deployed in a disorganized manner, in successive layers, to overcome visible threats. Boards and management are not involved or are unable to understand the real issues behind IS, and thus, they delegate this task to bodies with little decision-making power and therefore, few means to act. The return on IS investments is not evaluated systematically. Priority is being given to technical solutions without making the necessary organizational adjustments. Roles and responsibilities are often not well defined, resources are lacking, decisions are not made, objectives and information architectures are not clearly established, and this results in loss of energy, increased costs, and a sense of frustration by both management and the teams responsible for deploying protective measures. This, in turn, causes misunderstanding on the part of the governing bodies, which do not have sufficient visibility regarding the adequacy of the measures and the costs related to real risks, leading to a race to find technical solutions to counter visible threats, but without any real means of control.
The following observations may characterize many companies that have neglected the importance of governance in the field of IS:
■ Lack of awareness of IS strategy and its degree of alignment with business strategies.
■ Senior executives’ ignorance of IS problems and concerns.
■ Lack of a formal evaluation process for IS performance or return on security investments (ROSI).
■ Priority is often given to technical solutions without adjusting organizational structures.
■ Lack of manager involvement in the prioritization of risk treatments.
■ Lack of architectural design requirements for IS.
According to PwC (The Global State of Information Security® Survey 2018) [Source: PwC, CIO and CSO, The Global State of Information Security® Survey 2018, October 18, 2017]: “Most corporate boards are not proactively shaping their companies’ security strategies or investment plans. Only 44% of respondents say their corporate boards actively participate in their companies’ overall security strategy”. The board’s involvement in overall security is estimated as follows: 45% in the security budget, 44% in the overall security strategy, 39% in security policies, 36% in security technologies, and 1% in the review of current security and privacy risks.
According to EY’s 19th Global Information Security Survey 2016–2017 [EY - 19th Global Information Security Survey 2016-2017], 73% of companies are concerned about poor user awareness and behavior around mobile devices, 86% say their cybersecurity function does not fully meet their organization’s needs, and 86% of respondents say they need up to 50% more budget.
These observations lead us to believe that many companies have yet to establish real IS governance. There are many reasons behind this; our goal is not to list them but rather, to propose tools to facilitate the implementation of a governance process adapted to the realities of each company. But, first, let’s take a closer look at governance and management activities to better understand what we are talking about and why it is important.
What does information security governance mean?
1.2 Information Security Governance
Security governance is an integral part of corporate governance. Remember that there is no single or commonly accepted definition ...