A Framework for Information Security Governance and Management
Marian Carcary, Maynooth University, Ireland
Karen Renaud, University of Glasgow, Scotland
Stephen McLaughlin and Conor O’Brien, Maynooth University, Ireland
IT Pro, March/April 2016. Published by the IEEE Computer Society. 1520-9202/16/$33.00 © 2016 IEEE

The ongoing escalation of security threats is driven by numerous factors, including progressively more ubiquitous mobile and cloud computing, social media usage, and the increased digitization of business processes.1 These and other emerging technological developments, along with sophisticated internal and external attacks, ensure that a company’s capacity to secure its information effectively remains a critical requirement for business survival. Over time, changes in the nature of security threats have necessitated an evolution in the approaches organizations adopt toward information security governance and management (ISGM).2,3

Initially, ISGM was regarded as a technical activity. However, this view is shifting toward more open, inclusive approaches that reflect the importance of embedding information security within organizational structures,3,4 and approaches that emphasize the development of an information security culture embedded in employees’ day-to-day work practices.5–7 Although many ISGM frameworks exist that reflect this progressive thinking, they are often high-level and theoretical, and do not offer practical suggestions to support their operationalization or implementation by practitioners. Here, we present a practitioner-oriented ISGM capability maturity framework that incorporates technical, process, and human dimensions. The framework is underpinned by the premise that the pace and manner with which an organization can proactively respond to new and emerging security threats depends on the maturity of its ISGM capability. Approaches to ISGM must be fluid and responsive to the changing information security landscape; by developing their capabilities to sense, evaluate, and react to new and emerging security threats, organizations can more proactively position themselves to effectively and continually secure information assets.

Sidebar: IT Capability Maturity Framework

The IT Capability Maturity Framework (IT-CMF)1 is an action-oriented IT capability toolset that provides a modular view of 35 IT-related critical capabilities. For each IT-CMF capability, a series of management insights, maturity roadmaps, assessment instruments, and improvement guidelines has been developed. The framework’s five-level maturity curve enables organizations to systematically assess and understand their current IT capability maturity, strategically prioritize specific capabilities, and move toward their desired target maturity state. Since its inception, IT-CMF has been adopted by more than 400 organizations, and more than 500 formal assessments have been undertaken. For more information, visit www.ivi.nuim.ie.

Sidebar reference: 1. M. Curley, Managing Information Technology for Business Value, Intel Press, 2004.

An Information Security Capability Maturity Framework

The Innovation Value Institute (IVI) is a research entity supported by a diverse international consortium of organizations, government agencies, and academic institutions. It was formed to address the challenges faced in optimizing the business value derived from the application of IT. Using an open innovation collaborative research approach, IVI has developed a capability maturity framework for ISGM that is a component of its IT Capability Maturity Framework (IT-CMF; see the sidebar for more information). Its development was informed through

• comparisons with information security standards and frameworks (COBIT 5.0 for information security,8 the Open Group’s Information Security Management Maturity Model,9 the IT Security Essential Body of Knowledge,10 and ISO 27002)11;
• academic and practitioner literature analysis5–7,12–14; and
• insights from subject matter experts and key opinion leaders, including academic researchers, industry-based practitioners, thought leaders, and consultants, who collaborated in a workgroup setting to co-produce the ISGM body of knowledge and maturity framework.

The resultant framework enables organizations to understand their key ISGM strengths, weaknesses, and areas for improvement.

Framework Overview

The ISGM framework focuses on determining an organization’s ability to direct, oversee, and control the actions and processes required to protect documented and digitized information and information systems, and to guard against unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide data confidentiality, integrity, availability, accessibility, and usability.15,16 The framework expands the commonly cited triad of confidentiality, integrity, and availability with the concepts of accessibility and usability. With respect to accessibility, a failure to support and understand how security can change work practices can impede how data and information are accessed, shared, and acted on in an increasingly dynamic, competitive environment. Similarly, usability is a key factor in engaging stakeholders in core business processes; irrespective of the availability of technology to support work practices, if the technology is difficult to interact and engage with, users might adopt other locally developed, less secure methods of access. The ISGM framework classifies ISGM activities across the following six high-level activity categories:

• Governance provides the oversight structures to support ISGM; it implements information security strategy, policies, and controls; assigns
IT GOVERNANCE AND Management
The six activity categories and their capability building blocks (CBBs):

Governance
• Information security strategy: Develop, communicate, and support the organization’s information security objectives.
• Security policies & controls: Establish and maintain security policies and controls, taking into account relevant security standards, regulatory and legislative security requirements, and the organization’s security objectives.
• Security roles, responsibilities, & accountabilities: Establish responsibilities and accountabilities for information security roles, and check enforcement.
• Communication & training: Disseminate security approaches, policies, and other relevant information to develop security awareness and skills.
• Security performance reporting: Report on the effectiveness and efficiency of information security policies and activities, and the level of compliance with them.
• Supplier security: Define security requirements pertaining to the procurement and supply of hardware, software, services, and data.

Technical security
• Security architecture: Build security criteria into the design of IT solutions—for example, by defining coding protocols, depth of defense, configuration of security features, and so on.
• IT component security: Implement measures to protect all IT components, both physical and virtual, such as client computing devices, servers, networks, storage devices, printers, and smartphones.
• Physical infrastructure security: Establish and maintain measures to safeguard the IT physical infrastructure from harm. Threats to be addressed include extremes of temperature, malicious intent, and utility supply disruptions.

Security resource management
• Budget for security: Provide security-related budget criteria.
• Tools & resources: Specify and procure security tools/products and resources; manage the tools, security solutions, and staff assigned for security purposes.
• Resource effectiveness: Measure “value for money” from security investments; capture feedback from stakeholders on the effectiveness of security resource management.

Security risk control
• Security threat profiling: Gather intelligence on IT security threats and vulnerabilities to better understand the IT security threat landscape within which the organization operates, including the actors, scenarios, and campaigns that might pose a threat.
• Security risk assessment: Identify exposures to security-related risks, and quantify their likelihood and potential impact.
• Security risk prioritization: Prioritize information security risks and risk-handling strategies based on residual risks and the organization’s risk appetite.
• Security risk handling: Implement strategies for handling information security risk, including risk acceptance, transfer, absorption, and mitigation, as appropriate. Promote interaction with incident management functions.
• Security risk monitoring: Manage the ongoing efficacy of information security risk-handling strategies and control options.

Security data administration
• Data identification & classifications: Define information security classes, and provide guidance on protection and access control appropriate to each class.
• Access rights management: Manage user access rights to information throughout its life cycle, including granting, denying, and revoking access privileges.
• Data life-cycle management: Provide the security expertise and guidance to ensure that data throughout its life cycle is appropriately available, adequately preserved, or destroyed to meet business, regulatory, and other security requirements.

Business continuity management
• Business continuity planning: Provide stakeholders throughout the organization with security advice to assist in the analysis of incidents and to ensure that data is secure before, during, and after the execution of the business continuity plan.
• Incident management: Manage security-related incidents and near incidents. Develop and train incident response teams to identify and limit exposure, manage communications, and coordinate with regulatory bodies as appropriate.
Figure 1. Assessment results showing an organization’s maturity ratings across the capability building blocks (CBBs).
managed to meet business, regulatory, and security requirements. Recurring incidents are systematically addressed enterprise-wide through problem-management processes that are based in root cause analysis.

Optimizing. Level 5 maturity reflects an information security strategy that is regularly aligned to business and IT strategies and risk appetite across the business ecosystem. Information security policies and standards are periodically reviewed and revised based on input from the business ecosystem. The management of IT component security is optimized across the security framework layers. Physical access and environmental controls are regularly improved. Security budget requirements are improved to provide adequate funding for current and future security purposes. The security risk-management process is agile and adaptable, and tools can be used to address the business ecosystem’s requirements. Access rights management is dynamic and can effectively address organizational restructures, acquisitions, and divestments. Processes for managing data security throughout its life cycle are continuously improved. Automated incident prediction systems are in place, and security incidents are effectively managed.

Assessing Capability Maturity

The framework’s assessment tool provides a granular and focused view of an organization’s current maturity state for each CBB, desired or target maturity state for each CBB, and importance attributed to each CBB. These maturity and importance scores are primarily determined by an online survey undertaken by the organization’s key IT and business stakeholders. The survey typically takes each assessment participant 40–50 minutes to complete, and the data collected can be augmented by qualitative interview insights that focus on issues such as key information-security-related business priorities, successes achieved, and initiatives taken or planned. The assessment provides valuable insight into the similarities and differences in how key stakeholders view both the importance and maturity of individual CBBs, as well as the overall vision for success. Figure 1 shows the results of an organization’s ISGM capability maturity assessment, outlining its current and target CBB maturity across all
[Figure 2 plot: maturity gap (y-axis; ticks 0.7 and 1.7 visible) vs. importance (x-axis, 2.9 to 4.9) for each CBB; labelled point: D2 Security risk assessment.]
Figure 2. Assessment results showing an organization’s maturity gap vs. importance scores for all capability building blocks.
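As an added illustration (not the article's assessment tool or its data), the following Python sketch aggregates constructed stakeholder survey responses into the per-CBB current, target and importance scores the text describes, derives the maturity gap that Figure 2 plots against importance, and flags where stakeholders disagree about current maturity; the sample ratings and the gap/importance cut-offs are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample survey responses (not the article's data). Each stakeholder
# rates a CBB's current maturity, target maturity and importance on a 1-5 scale,
# mirroring the three scores the assessment survey collects for every CBB.
SURVEY = {
    "Security risk assessment": [(2, 4, 5), (1, 4, 4), (2, 3, 5)],
    "Access rights management": [(1, 2, 4), (2, 2, 3), (2, 3, 4)],
    "Supplier security": [(3, 3, 2), (1, 3, 3), (4, 4, 2)],
}


def summarize(responses):
    """Aggregate one CBB's (current, target, importance) tuples into assessment scores."""
    cur = mean([r[0] for r in responses])
    tgt = mean([r[1] for r in responses])
    imp = mean([r[2] for r in responses])
    return {
        "current": round(cur, 2),
        "target": round(tgt, 2),
        "importance": round(imp, 2),
        "gap": round(tgt - cur, 2),  # target minus current: the y-axis of Figure 2
        # Spread of the current-maturity ratings: a high value means the
        # stakeholders disagree about where the organization stands today.
        "disagreement": round(pstdev([r[0] for r in responses]), 2),
    }


def prioritize(survey, gap_floor=0.5, importance_floor=3.5):
    """Rank CBBs so that a large gap on an important CBB comes first.

    The floors are assumed cut-offs marking the "large gap, high importance"
    region of the gap-vs-importance plot; the article states no such values.
    """
    rows = []
    for cbb, responses in survey.items():
        row = summarize(responses)
        row["cbb"] = cbb
        row["focus"] = row["gap"] >= gap_floor and row["importance"] >= importance_floor
        rows.append(row)
    rows.sort(key=lambda r: (r["focus"], r["gap"] * r["importance"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in prioritize(SURVEY):
        flag = "FOCUS" if row["focus"] else "     "
        print(f'{flag} {row["cbb"]:<26} current={row["current"]:<5} target={row["target"]:<5} '
              f'gap={row["gap"]:<5} importance={row["importance"]:<5} disagreement={row["disagreement"]}')
```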
Table 2. Example practices and metrics to drive improvement in specific capability building blocks (CBBs).15
Access rights management (current maturity 1.5, target 2)
• Example practices: Establish a process to withdraw employee access rights if abused. Discourage sharing of credentials. Provide employees with access to a password-management package.
• Example metrics: Number of access rights audit exceptions; number of grant/revoke of access rights by department.

Incident management (current maturity 2, target 3)
• Example practices: Prioritize and manage security incidents based on the urgency to restore services. Record security incidents and handling actions in IT and some other business units.
• Example metrics: Number of business units that contributed to prioritization; number of incidents and percent resolved.
Stephen McLaughlin is the former head of R&D for the Innovation Value Institute and IT Competence Centre at Maynooth University, Ireland. His research interests are in understanding how organizations can develop effective performance-related knowledge transfer mechanisms. McLaughlin has led research for IBM in identifying knowledge and innovation barriers within complex organizations, and developing frameworks for assessing service innovation capability. Contact him at stephen.mclaughlin@nuim.ie.

Conor O’Brien is a senior researcher at the Innovation Value Institute at Maynooth University, Ireland. His research interests are in adaptive self-auditing processes and understanding the contribution of knowledge sources to innovative practices in software development environments. O’Brien is an accomplished IT professional with extensive experience in business analysis, innovative solutions conceptualization, and solutions design, development, test, and delivery. Contact him at conor.obrien@nuim.ie.