To establish security governance principles, adopt a framework such as the one from the National Institute of Standards and Technology (NIST). Be sure the framework you choose includes the following:
- Alignment of security function to strategy, goals, mission, and objectives. An organization has a mission and uses strategy, plans and objectives to try to meet that mission. These components flow down, with the ones below supporting the ones above. Business strategy is often focused 5 or more years out. In the shorter term, typically 1 to 2 years, you have tactical plans that are aligned with the strategic plan. Below that are operational plans — the detailed tactical plans that keep the business running day to day. Objectives are the closest to the ground and represent small efforts to help you achieve a mission. For example, a car manufacturer’s mission might be to build and sell as many high-quality cars as possible. The objectives might include expanding automation to reduce the total build time of a car and expanding from 2 factories to 3. A security framework must closely tie to the organization’s mission and objectives, enabling the business to complete its objectives and advance the mission while securing the environment based on risk tolerance. Continuing with the car manufacturer example, the security framework must enable the expansion of automation. If the security framework is such that automation cannot be expanded, then the security framework isn’t sufficiently aligned with the mission and objectives.
- Organizational processes (acquisitions, divestitures, governance committees). Be aware of the risks in acquisitions (since the state of the IT environment to be integrated is unknown, due diligence is critical) and divestitures (you need to determine how to split the IT infrastructure and what to do with identities and credentials). Understand the value of governance committees (vendor governance, project governance, architecture governance, etc.). Executives, managers and appointed individuals meet to review architecture, projects and incidents (security or otherwise), and provide approvals for new strategies or directions. The goal is a fresh set of eyes, often eyes that are not purely focused on information security.
- Organizational roles and responsibilities. There are multiple roles to consider. Management has a responsibility to keep the business running and to maximize profits and shareholder value. The security architect or security engineer has a responsibility to understand the organization’s business needs, the existing IT environment, and the current state of security and vulnerability, as well as to think through strategies (improvements, configurations and countermeasures) that could maximize security and minimize risk. There is a need for people who can translate between technical and non-technical people. Costs must be justified and reasonable, based on the organization’s requirements and risk.
- Security control frameworks. A control framework helps ensure that your organization is covering all the bases around securing the environment. There are many frameworks to choose from, such as Control Objectives for Information Technology (COBIT) and the ISO 27000 series (27000, 27001, 27002, etc.). These frameworks fall into four categories:
  - Preventative — Preventing security issues and violations through strategies such as policies and security awareness training
  - Deterrent — Discouraging malicious activities using access controls or technologies such as firewalls, intrusion detection systems and motion-activated cameras
  - Detective — Uncovering unauthorized activity in your environment
  - Corrective — Getting your environment back to where it was prior to a security incident
- Due care / due diligence. Ensure you understand the difference between these two concepts. Due care is about your legal responsibility within the law or within organizational policies to implement your organization’s controls, follow security policies, do the right thing and make reasonable choices. Due diligence is about understanding your security governance principles (policies and procedures) and the risks to your organization. Due diligence often involves gathering information through discovery, risk assessments and review of existing documentation; creating documentation to establish written policies; and disseminating the information to the organization. Sometimes, people think of due diligence as the method by which due care can be exercised.
After you establish and document a framework for governance, you need security awareness training to bring everything together. All new hires should complete the security awareness training as they come on board, and existing employees should recertify on it regularly (yearly).