Information security governance is a subset of corporate governance and can complement or encompass the governance of information technologies. It directs and strategically aligns information security activities and ensures that the company’s business objectives are reached. It also ensures that information security risks are adequately managed and that information resources are used responsibly.
The board of directors and senior management are responsible for information security governance. They must therefore exercise leadership and establish both the organizational structure and the processes to facilitate the implementation of a governance structure.
To achieve effective security governance, managers must define a reference framework, which may include:
- a security strategy;
- an information security policy and directives that address each aspect of the strategy, the controls to be implemented and the regulations to be respected;
- an organizational structure (with roles and responsibilities) for security to guarantee the resources required and the authority necessary, and to avoid conflicts of interest;
- metrics and a surveillance process to ensure compliance and to provide accountability.
The security governance framework provides a foundation on which to build an effective information security program. The program includes a range of activities to ensure an appropriate level of protection for information assets, according to their value and the risks and impacts that compromising them would cause.
One of the first steps in establishing a security program is the development of an information security strategy. It addresses high-level security issues and must be aligned with the business objectives of the organization. To that end, direct traceability between the security strategy and the business objectives must be defined. The security strategy includes a set of objectives, processes, methods and tools. Developing this strategy is normally the responsibility of the person in charge of information security.
An information security strategy must take into account internal and external influencing factors (risk tolerance, legal and regulatory requirements, etc.), the available resources (people, processes, technologies, architecture, etc.) as well as constraints (costs, time, expertise, culture, etc.). One of the results of the strategy to be achieved is limiting residual risks to an acceptable level for the organization through the implementation of effective control measures.
The primary objective of information security is to protect information assets so as to ensure:
- availability (accessibility of information when needed);
- integrity (high quality, complete and precise information);
- confidentiality (personal, sensitive and confidential information is accessible only to authorized personnel, within the scope of their duties).
To sum up, in organizations that are adequately governed, information security activities support business goals and objectives while reducing information risks to an acceptable level. Given the dependence of business on information, information security governance is becoming increasingly important to ensure sufficient protection of information.