Information Security Governance:

IT security governance is the system by which an organization directs and controls
IT security. IT security governance should not be confused with IT security
management. IT security management is concerned with making decisions to
mitigate risks; governance determines who is authorized to make decisions.
Governance specifies the accountability framework and provides oversight to
ensure that risks are adequately mitigated, while management ensures that
controls are implemented to mitigate risks. Management recommends security
strategies. Governance ensures that security strategies are aligned with business
objectives and consistent with regulations.
It is the process of establishing and maintaining a framework to provide assurance
that information security strategies are aligned with and support business
objectives, are consistent with applicable laws and regulations through adherence
to policies and internal controls, and provide assignment of responsibility, all in an
effort to manage risk.
IT security governance can be defined as the structures, processes, and relational
mechanisms for guidance and control; the literature uniformly identifies it as an
organizational capability of great importance for alignment and for achieving
organizational value through information technology.

Why Information Security Governance is Needed

Financial payoffs

IT is expensive

IT is pervasive

New technologies

IT governance is critical to learning about IT value

Not just technical - integration and buy-in from business leaders is needed for
success

Senior executives have limited bandwidth, especially at large institutions, so they
can't do it all

Governance patterns depend on desired behaviors

Top revenue growth - decentralized to promote customer responsiveness and
innovation

Profit - centralized to promote sharing, reuse and efficient asset utilization

Multiple performance goals - blended centralized and decentralized governance

Major Security Risks:

Risk is defined as the possibility that an event will occur, which will impact an
organization's achievement of aims and objectives. There are many forms of risk in
an organization, including IT risk, financial risk, operational risk, network security
risk, and personnel risk. To address risks more effectively, organizations may use a
risk management approach that identifies, assesses, manages, and controls
potential events or situations.
Among other things, the objective of effective risk management is to guarantee that
each risk is identified, documented, prioritized, and mitigated whenever possible.
Because all organizations face risk, whether positive (i.e., opportunities) or negative
(i.e., events that hinder company processes), the test for auditors is to know when
risk will occur and the impact it will have on the organization.
The risk assessment process starts with the identification of risk categories. An
organization most likely will have several risk categories to analyze and classify
risks that are specific to the organization. Examples of risk categories include:

Technical or IT risks.

Project management risks.

Organizational risks.

Financial risks.

External risks.

Compliance risks.

The growing vulnerability to IT risk, specifically information security (InfoSec) risk,
has become the major focus of most global information security surveys conducted
by public accountancy firms (Ernst and Young, 2013, 2014;
PricewaterhouseCoopers, 2014). Among the InfoSec risk areas to which respondents
assign top priority are business continuity and disaster recovery, cyber risks and cyber
threats, data leakage and data loss prevention, information security transformation,
and compliance monitoring (Ernst & Young, 2014). The purpose of Information
Security is to protect and preserve the confidentiality, integrity, and availability of
information. It may also involve protecting and preserving the authenticity and
reliability of information and ensuring that entities can be held accountable (ISO
27000).

Following are the most likely sources, or causes, of security breaches and what
businesses can, and should, do to protect against them.

1. Dissatisfied Employees
2. Careless or Uninformed Employees
3. Mobile Devices
4. Cloud Applications
5. Unpatched or Un-Patchable Devices
6. Third-party Service Providers

Solution to improve the security:

The above risks can be identified and addressed.
The first step in mitigating the risk of privileged account exploitation is to identify
all privileged accounts and credentials and immediately dismiss those that are no
longer in use or are connected to employees who are no longer at the company.
Closely monitor, control and manage privileged credentials to prevent exploitation.
Finally, companies should implement the necessary protocols and infrastructure to
track, log and record privileged account activity, and create alerts, to permit a
quick response to malicious activity and mitigate potential harm early in the attack
cycle.
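The three steps above (inventory privileged accounts and remove stale or orphaned ones, then log and alert on privileged activity) can be turned into a repeatable review. The following is an added example, not code from the original document: the account inventory, HR roster, dormancy threshold and audit-log format are all constructed here for illustration, and the field names are assumptions. It flags privileged accounts whose owner has left or that have not been used within the policy window, then scans privileged-activity log lines and alerts whenever one of those accounts is still acting.

```python
"""Privileged-account hygiene review plus alerting on activity from
accounts that the review says should already have been removed.

Added example. The inventory, HR roster, threshold and log lines below
are constructed for illustration; field names and the log format are
assumptions, not a real product's schema.
"""
from dataclasses import dataclass
from datetime import date
import re

# Fixed "today" so the example is reproducible offline.
TODAY = date(2024, 6, 30)
# Assumed policy: privileged credentials unused this long are considered dormant.
DORMANT_AFTER_DAYS = 90

# Constructed HR roster: people currently employed.
ACTIVE_STAFF = {"alice", "bob", "dana"}

# Constructed privileged-account inventory: (account, accountable owner, last use).
INVENTORY = [
    ("alice_admin", "alice", date(2024, 6, 28)),
    ("bob_admin",   "bob",   date(2024, 1, 15)),   # not used for months
    ("carol_admin", "carol", date(2024, 6, 29)),   # owner has left the company
    ("svc_backup",  None,    date(2024, 6, 30)),   # service account with no owner assigned
    ("dana_admin",  "dana",  date(2024, 6, 30)),
]

# Constructed audit log in an assumed "timestamp account action detail" layout.
AUDIT_LOG = """\
2024-06-30T08:01:12Z alice_admin sudo /usr/bin/systemctl restart nginx
2024-06-30T08:05:40Z carol_admin sudo /usr/bin/useradd tempuser
2024-06-30T09:12:03Z bob_admin ssh-login host=db01
2024-06-30T09:30:00Z svc_backup cron /opt/backup/run.sh
2024-06-30T10:00:00Z dana_admin sudo /usr/bin/apt upgrade
this line is malformed and must be skipped, not crash the scan
"""


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str


def review_inventory(inventory, active_staff, today=TODAY, dormant_after=DORMANT_AFTER_DAYS):
    """Steps 1 and 2 of the text: privileged accounts to dismiss or re-own.

    An account is flagged when nobody is accountable for it, when its owner
    is no longer employed, or when it has been unused beyond the policy window.
    """
    findings = []
    for account, owner, last_used in inventory:
        idle_days = (today - last_used).days
        if owner is None:
            findings.append(Finding(account, "no accountable owner"))
        elif owner not in active_staff:
            findings.append(Finding(account, "owner no longer employed"))
        elif idle_days > dormant_after:
            findings.append(Finding(account, f"unused for {idle_days} days"))
    return findings


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<account>\S+) (?P<action>\S+) (?P<detail>.*)$")


def alerts_for_activity(log_text, inventory, active_staff, today=TODAY):
    """Step 3 of the text: alert on privileged activity by a flagged account.

    Any log line whose account appears in the review findings produces an
    alert carrying the reason, so responders see both the action and why
    that account should not have been able to perform it.
    """
    flagged = {f.account: f.reason for f in review_inventory(inventory, active_staff, today)}
    alerts = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or not match["ts"].endswith("Z"):
            continue  # malformed line: skip it instead of aborting the whole pass
        account = match["account"]
        if account in flagged:
            alerts.append(
                f"{match['ts']} ALERT {account} ({flagged[account]}): "
                f"{match['action']} {match['detail']}"
            )
    return alerts


if __name__ == "__main__":
    for finding in review_inventory(INVENTORY, ACTIVE_STAFF):
        print(f"REVIEW  {finding.account}: {finding.reason}")
    for alert in alerts_for_activity(AUDIT_LOG, INVENTORY, ACTIVE_STAFF):
        print(alert)
```

Running the block lists three accounts for action (one dormant, one belonging to a departed employee, one with no owner) and raises an alert for each log line in which one of them is still active, while activity by current, accountable owners passes silently. In practice the inventory would come from the directory or privileged-access tool and the roster from HR, but the decision logic is the same.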