Information Security Governance
Information Security Governance (GSI) is the system by which the information security activities of a particular organization are directed and controlled. GSI, like IT Governance, represents an unfolding of organizational governance and, although there are several possible models in general, GSI and GTI have a certain overlap, depending on their respective objectives and scope.
Governance of information security consists of: (1) aligning information security objectives and strategies with business objectives and strategies; (2) deliver value to stakeholders - this includes any person or organization that may affect, be affected or perceive to be affected by an activity of the organization; and (3) ensure that risks are properly addressed.
To achieve these goals, it is imperative that the organization is aware of and put into practice principles that provide a solid foundation for the implementation of governance processes for information security. There are six principles of information security governance:
Establish information security throughout the organization
In order to integrate information protection into the organization's activities and processes, it is essential to define roles and responsibilities to coordinate actions and engage the various areas of the company.
Take a risk-based approach
Decisions related to information security must be made on the basis of risk. The information security risk management approach must be integrated with the corporate risk management model.
Establish the direction of investment decisions
Identifying the right investment is an open-ended research topic and a headache for those responsible for conducting the GSI strategy. An investment strategy on information security should be established based on the results and objectives of the business. Top management must ensure that information security is integrated with the organization's current processes for capital and operating expenditures.
Ensure compliance with internal and external requirements.
Information security must comply with relevant laws and regulations. A consistent security program that is risk-based is the first step for organizations to seek compliance with new laws and regulations without the uncertainties that the General Data Protection Act (GPL) should provoke in organizations that do not have a consistent safety program.
Promote a positive security environment
Human behavior is a key component for us to maintain the appropriate level of information security. Briefly and objectively: it is important that top management makes it possible to implement education, training and safety awareness programs.
Top management should critically analyze information security performance against its business impact. It is not enough to assess the effectiveness and efficiency of the controls implemented.
Senior management should ensure that these principles are applied. To this end, it is imperative to define and assign this responsibility to someone, such as the chief information security officer (CISO), who plays a strategic role in articulating the areas of business, information security and stakeholders.
The principles mentioned in this article are, ultimately, rules that must be observed in the design of governance processes (evaluation, direction, monitoring, communication and assurance).
Organizations are able to raise the maturity level of governance and hence information security management as they establish security strategies and programs that are aligned with business objectives.