3. There is no single universal model for organizational structure that ensures the Information Security requirements of the organization are adequately met.
There is still some uncertainty regarding what Information Security Governance actually consists of.
Information Security Governance does not function in isolation.
Information Security Governance, Management and Operations have very different functions, and clarity among them is fundamental to the performance of each.
How do Organizations currently operate Globally & in the Middle East?
3 Information Security Governance @ 2011 Deloitte & Touche
4. 17% of organizations globally have a person responsible for Information Security; 33% in the Middle East.
40% of CISOs globally report directly to IT-related positions (CIO, IT executive and CTO); 31% in the Middle East.
Only 67% of respondents indicate that they have a security governance structure; 49% in the Middle East.
Only 56% of respondents indicate they have a documented and approved information security strategy; 38% in the Middle East.
Only 18% of respondents have established metrics that are aligned to business value and report on them on a scheduled basis; 15% in the Middle East.
Only 30% of respondents state that there is appropriate alignment between the business and information security initiatives; 32% in the Middle East.
6. Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled.
Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed.
Subsets of Corporate Governance include:
• Financial Governance
• Information Technology Governance
• Enterprise Risk Governance
• Information Security Governance
7. The structure, oversight and management processes which ensure the delivery of the overall corporate governance require integration between the different subsets of the Corporate Governance Model.
[Diagram: Corporate Governance, with the subsets Enterprise Risk Governance, Information Technology Governance, Legal Governance and Information Security Governance; beneath Information Security Governance sit Information Security Management and Information Security Operations.]
An organization's Information Security Governance can be defined as "the processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals".
8. "Information Security Governance", "Information Security Management" and "Information Security Operations" are broad terms, and we must bring these topics into focus. Members of governance committees must understand the difference between them in order to avoid dysfunction and meet business, risk and IT goals.
Very broadly:
Information Security Governance: exists to ensure that the security program adequately meets the strategic needs of the business.
Information Security Management: implements that program.
Information Security Operations: executes or manages security-related processes relating to the current infrastructure on a day-to-day basis.
Each of these layers must engage with the corresponding layers throughout the enterprise.
9. [Organization chart, labels recovered from the slide: the Information Security Steering Committee at the top; 3rd Party Service Providers, Corporate Risk Management, the Chief Information Officer (CIO), Lines of Business and IT Operations Management around Information Security Governance; an Information Security Advisory Board and an Information Security Communication Forum; and at the bottom Information Security Management and Information Security Operations, with 3rd Party Service Providers on either side.]
11. Prudent CISOs are building their Security Governance Strategies based on the current economic climate, changes in the technology landscape, and most importantly, to meet and exceed the business expectations. Yet despite their best intentions, many are still struggling to improve relationships with the business that they operate in.
Without alignment, Information Security Governance operates in a vacuum and will implement security controls that are invariably either too strong (and thus expensive and restrictive) or too weak, resulting in too much residual risk.
[Diagram: Security Governance Integration cycle of 1. Plan, 2. Implement, 3. Manage, 4. Monitor, surrounded by Culture, Controls, Process, People and Technology.]
12. The following 4 domains must be considered when establishing an Information Security Governance Program:
Plan
• Security Program Strategy
• Security Architecture
• Security Budget
• Governance Policy Management
Implement
• Develop Governance Processes
• Institute Governance Forums
• Security Policy Review and Development
Manage
• Accountabilities
• Funding
• Conflict Conciliation and Arbitration
• Program and Project Oversight
Monitor
• Project Oversight
• Value Assessments
• Operational Oversight
• Metrics and Measurement
13. Plan: Security Program Strategy
1. Current State
2. Desired State
3. Gap Analysis
4. Projects and Initiatives Derived from the Gap Analysis
5. A Reporting Framework
14. Plan: Security Architecture
Security architecture is the planning discipline that provides the foundational models, templates and principles that support the program strategy. These artifacts are used to develop security technology and process solutions that match business requirements while maximizing standardization and reuse.
• Security Operations
• Security Monitoring and Review
• User Management
• User Awareness
• Application Security
• Database / Metadata Security
• Host Security
• Internal Network Security
• Network Perimeter Security
• Physical and Environmental Security
15. Plan: Security Budget Planning
The process of allocating financial resources to information security projects and operational activities.
Plan: Governance Policy Management
Sets the principles for policy management, specifically regarding issues such as:
• Ownership
• Documentation standards
• Approval and formalization procedures
• Enforcement regimes
• Review and exception procedures
16. Implement: Develop Governance Processes
Design the governance processes:
• The goal of the process
• The action steps to be taken and in what sequence
• The responsibilities associated with the process
• The process flow
Integrate the security governance framework with existing IT frameworks and Information Security Management frameworks in order to leverage the commonalities between the frameworks.
Implement: Institute Governance Forums
Establish governance forums and a steering committee to:
• Establish the accountabilities and responsibilities for information security within the organization.
• Oversee the governance processes.
• Commission and sponsor the corporate information security program.
17. Implement: Security Policy Review and Development
Assess the (1) completeness, (2) effectiveness and (3) practicality of enforcement of your organization's information security policy.
Identify major strengths and weaknesses of the policy and provide recommendations for improvement.
18. Manage: design and explain management processes to the respective stakeholders for implementation:
• Accountabilities: accountabilities and responsibilities for information security are executed effectively.
• Funding: manage effective allocation of financial resources for security initiatives as decided in the budget process.
• Conflict Conciliation and Arbitration: facilitate assessment of conflicting security requirements between different stakeholders. Ensure specific policy and controls decisions are based on adequate consideration of individual and collective requirements.
• Program and Project Oversight: track security program and projects, deliverables, and costs to ensure they remain within acceptable tolerances.
19. Monitor: design and explain monitoring processes to the respective stakeholders for implementation:
• Project Oversight: assess project results. Report on objectives achieved and missed, as well as unexpected results and consequences.
• Value Assessments: periodically assess the value of information security investments. Is the organization getting the anticipated benefits from investments involving information security?
• Operational Oversight: ensure that the execution of the information security program, and all its associated processes and activities, is done within the parameters set out by the program strategy, architecture, and policy strategy.
• Metrics and Measurement: measuring and reporting on the impact of the information security program on overall IT governance and Corporate Governance.
21. • Strategic Alignment of information security with business strategy to support organizational objectives.
• Risk Management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level.
• Resource Management by utilizing information security knowledge and infrastructure efficiently and effectively.
• Performance Measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved.
• Value Delivery by optimizing information security investments in support of organizational objectives.
24. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which
is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu
Limited and its member firms.
Member of Deloitte Touche Tohmatsu Limited