Information Security Governance – Raising the game
September 2011
Published by
Information Security Forum Limited
Principal Author
Adrian Davis
Design
Louise Liu
Special acknowledgements
The Information Security Forum would like to thank Dr. Lizzie Coles-Kemp (Royal Holloway, University of London)
and Alan Choo Siew Loon (National University of Singapore) for their assistance on this project.
This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security
Forum (ISF) or by persons who have purchased it from the ISF direct.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org.
Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly
from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information
Security Forum Limited accept no responsibility for any problems or incidents arising from its use.
Classification: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.
When the information security function adopts governance, it raises its game, systematically engaging with senior
management and other corporate governance functions. This not only manages information risk and minimises
reputational damage, it also delivers continuing added value from information technology.
Information security governance (ISG) enables the direction and oversight of information security related activities
across an enterprise by senior management. It shows customers, business partners, shareholders and regulators that
information is being protected according to industry best practice. ISG provides the agility to deal with incidents
quickly and effectively, and enables better management of all information security activities – decreasing the chances
of breaches, internal misuse and abuse, and the unforeseen effects of change.
This Information security governance – raising the game report showcases the ISF framework for ISG, and provides
a series of actions an enterprise can take to prepare and plan for ISG implementation and enhancement. The ISF
framework for ISG has three objectives: deliver value to stakeholders, achieve strategic goals and provide information
risk assurance. Each objective has activities associated with it:
[Figure: The ISF framework for ISG. Objectives: A. Deliver value to stakeholders; B. Achieve strategic goals; C. Provide information risk assurance. Activities legible in the diagram: A3. Enable business initiatives; B3. Sustain buy-in and commitment; C3. Ensure compliance; C5. Monitor and report on assurance.]
The ISF framework for ISG is supported by an explanation of the relationship between corporate governance, ISG and
information risk assurance, and guidance on the monitoring and reporting associated with ISG. Additionally, currently
available ISG frameworks are described and compared with the ISF framework for ISG.
To assist Members in assessing ISG, a maturity model is also presented in this report supported by a spreadsheet-based
Information security governance diagnostic tool, which is available on the ISF’s Member Exchange (MX) system.
Finally, the report discusses the way forward for information security governance, including ISF input into the upcoming
draft of ISO/IEC 27014 Information technology – Security techniques – Governance of information security.
The ISF have developed a security model to support organisations in designing their approach to addressing information
security and to give them a basis for identifying the key aspects of an information security programme. The ISF provides
insights, best practice standards and tools which address each aspect of the model to aid organisations in enhancing
their information security environment.
Within the ISF Security Model, the Information Security Governance report forms part of the Research and Reports
service. Using a rating from very low to very high, the way in which this report aligns with the ISF Security Model is
shown below.
Compliance: The policy, statutory and contractual obligations relevant to information security which must be met to operate in today’s business world to avoid civil or criminal penalties and mitigate risk.
Risk: The potential business impact and likelihood of particular threats materialising – and the application of controls to mitigate risk to acceptable levels.
Governance: The framework by which policy and direction is set, providing senior management with assurance that security management activities are being performed correctly and consistently.
[Figure: The ISF Security Model, rating how this report aligns with each aspect of the model (Governance, Risk, Compliance, People, Process, Technology, Knowledge Exchange, Research & Reports) on a scale of Very high, High, Medium, Low and Very low.]
A pdf copy of the ISF Security Model can be downloaded from the ISF’s Member Exchange (MX) system,
which can be used to clearly describe to your team and others (management, potential Supply Chain or other
Membership prospects) the key aspects of the information security environment within your organisation.
Part one
This report presents the main findings from the ISF project Information Security Governance undertaken in 2011.
It highlights the results from this project, including a definition of information security governance (ISG), an ISG
framework and guidance on how to create, implement and maintain ISG.
The report supersedes and replaces the ISF Briefing Paper: Information security governance.
Enterprises are under increasing pressure to show they are well governed from both legal and regulatory perspectives.
Information – and its protection – is a business issue, rather than just an IT issue, and consequently forms part of
an enterprise’s overall governance framework. As a result, information security is now expected to be part of
corporate governance and contribute to enterprise success. Information security governance (ISG) can be used
to demonstrate how information is protected and to highlight the contribution information security makes to the
enterprise’s performance and its governance activities.
This Information Security Governance report provides a framework for ISG that can be adopted to manage information
security and information risk objectives across an enterprise through the direction and oversight of information
security activities. The report also examines topics such as information strategy and its relationship with ISG, explores
key drivers, benefits and identifies stakeholder groups. The report can be used to assess an enterprise’s ISG and
understand where enhancements can be made to strengthen ISG.
• The Chief Information Security Officer (CISO), or the person holding equivalent responsibilities (such as Director
of Information Security), and information security professionals involved in creating, implementing, maintaining
or managing information security. These individuals can use this report to enhance their knowledge of ISG and
examine how to improve the governance arrangements either in place or proposed
• Senior management, CIO, business and IT managers within the enterprise, as this report explains what ISG is and
the benefits information security delivers to an enterprise. This audience can use the report to understand ISG,
support and challenge the CISO about ISG and its implementation.
CISO is used throughout this report to refer to the leader of the information security function.
The relationship of these reports and tools with the ISF framework for information security governance is shown in
Figure 2 over the following pages.
Figure 2: ISF framework for information security governance and associated ISF deliverables
[Figure 2 (diagram not reproduced): legible elements include activity C1. Oversee assurance programme, linked to the ISF report Information security assurance: An overview for implementing an information security assurance programme, and the 2011 Standard of Good Practice for Information Security.]
• debate and discussion of key topics at four ISF solution development workshops
• analysis of over 75 responses from Members and non-Members collected at the workshops and through a
web-based project questionnaire run in conjunction with National University of Singapore and Royal Holloway,
University of London
Project-related material is available on the ISF’s Member Exchange (MX) system, including workshop slides,
minutes, the Information security governance diagnostic tool and the analysis results.
When discussing information security governance (ISG), it is vital to be able to define it concisely and within a
business context, positioning drivers and benefits to a number of audiences, including senior management, business
and information security professionals.
Part two
Drawing on Member input and project research – and taking into account previous ISF work on defining ISG – the
following definition has been agreed for the purposes of this report:
ISG is the direction and oversight of information security-related activities across an enterprise by senior management.
ISG is a strategic mechanism to manage information risk and deliver information security across an enterprise by
taking senior management’s direction, creating and performing information security-related activities that achieve the
required aims and provide assurance, and offer timely reliable information on performance.
The ISF has designed a framework for information security governance with three objectives: to deliver value to
stakeholders, achieve strategic goals, and provide information risk assurance. The ISF framework for ISG is described
in detail in Part 3: Preparing for information security governance of this report; it is aligned to and expands on the ISF
2011 Standard of Good Practice, as highlighted in the box below.
The 2011 Standard of Good Practice contains the following relevant topic:
Enterprises have been required to demonstrate ever more rigorous and effective governance over the last two or
three decades. Corporate governance codes such as Turnbull, Dey, Sarbanes Oxley and King suggest that enterprises
put in place a risk management framework – and that the status of such an activity should be reported to stakeholders.
There are several areas of risk that should be addressed by this activity, one of which is information risk.
“In terms of governance, we have a lot of catching up to do. I believe that information security is 10 –
15 years behind IT, who themselves are 10 – 15 years behind corporate governance.”
Over the same period, the protection and use of information has also come under increasing scrutiny and this has
resulted in enterprises having to demonstrate compliance with laws and regulations such as the Data Privacy Act
(UK), breach notification laws (specific US states), Basel II/III, Solvency II, Sarbanes Oxley, Payment Card Industry Data
Security Standard (PCI DSS) and Binding Corporate Rules (European Union but with international implications). In
parallel, enterprise stakeholders, customers and the public in general have become more aware of and impacted by
breaches of privacy and identity theft. This awareness has led to the demand for enterprises to protect information
more effectively.
As the requirement to protect information has become more stringent, the scale, complexity and sophistication of
IT-related attacks on enterprises have increased. Enterprises are attacked regularly using techniques, including hacking,
malware and social engineering, designed to maliciously acquire information or damage enterprise assets. The same
enterprises also have to deal with the consequences of errors or accidents leading to corruption or disclosure of
information.
Against this backdrop, boards and stakeholders need assurance that information risk is being addressed and that
legal and regulatory requirements for information protection are being met in a structured, efficient and consistent
manner. The information security function is not always well-placed to provide such assurances to the board,
especially when it is engaged with tactical and operational aspects. An added complexity is the technical orientation
of information security which can make it challenging to communicate with staff and senior management in a language
they understand.
“ISG is about creating confidence upwards and sideways in you and the function. It says we know what
should be done and here is how we’re doing it.”
ISG is part of, and consistent with, the wider governance activities within the enterprise. Information security
governance can serve as a powerful link between senior management and those responsible for enterprise-wide
information security. Acting as a two-way filter, ISG takes the mandate provided by senior management and oversees
information security initiatives throughout the enterprise. Effective ISG will ensure that senior management is provided
with information security-related reporting that is straightforward, easy to understand and positioned in the business
context. This reporting can assist management to make decisions about information risk that support the strategic
direction of the enterprise. Figure 3 shows the relationship between corporate governance and ISG.
[Figure 3: The relationship between corporate governance and ISG (ISF definitions); diagram not reproduced.]
As shown in Figure 3, ISG gives senior management a link to lower-level information security operations. ISG, because
of its position in an enterprise, should thus be viewed as a strategic mechanism to deliver information security. The
next sections discuss the relationship of ISG with corporate governance and information security assurance.
The 2011 Standard of Good Practice contains the following relevant topics:
How do ISG and corporate governance relate?
The ISF’s report Information risk management in corporate governance defined corporate governance at a high level to
be concerned with how the enterprise is directed and managed within its operating environment. According to the
report, corporate governance can be considered in more detail across six key areas.
It can be seen from the figure above that the six key areas of corporate governance can be split into two groups of
three. The first group deals with the operation of the board, its setup and its duties, while the second group is more
directed towards what the enterprise needs to do to support the board in achieving good corporate governance.
An overview of global corporate governance codes is provided in the Directory of information security
principles, standards and corporate governance, which is available for download from the Security Assurance:
ISO 27000 and beyond project area on the ISF’s Member Exchange (MX) system.
From a business perspective, corporate governance requirements (such as the Combined Code, Sarbanes Oxley,
Turnbull, King and Dey reports, and Basel II) now require boards to identify and manage risk – and, in the case of
Basel II, link risk management to the allocation of capital within a business. ISG can assist boards to meet their
objectives in the key areas of risk management and compliance (number 4 in Figure 4) and transparency and disclosure
(number 5).
In the corporate governance frameworks referenced in this report, information security and information risk are not
defined as key risks to the enterprise. Instead, information risks are seen as being part of operational, IT or similar,
high-level risk categories. ISG can add to governance by:
There are a number of published definitions for risk appetite, including those from AIRMIC, the Institute of
Operational Risk (IOR), International Standards Organisation (ISO) ISO31000: 2009 Risk management – Principles
and guidelines, and the Committee of the Sponsoring Organisations of the Treadway Commission (COSO)
Enterprise Risk Management framework.
For the information security or information risk professional, these definitions are of limited use. In this report the
following definitions have been adopted:
Risk appetite: An expression of the nature and quantum of risk or uncertainty which an enterprise is willing to
take or accept to achieve its objectives.
Risk tolerance: The amount of variation in risk or uncertainty an enterprise can bear in achieving its objectives
and aligned to its appetite – its capacity to take risk.
Previous ISF work has indicated that it is easier to identify risk appetite at the business unit level. Risk appetite will
change over time and should thus be monitored and reviewed regularly. Triggers for change include:
AIRMIC: http://www.airmic.com/report/research-definition-application-concept-risk-appetite
IOR: http://www.ior-institute.org/education/sound-practice-guidance/8-sound-practice-guidance-part-1
ISO: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43170
COSO: http://www.coso.org/ERM-IntegratedFramework.htm
ISG addresses the known risks to information and can help a board discharge its responsibility to ensure that
information risk is managed across the enterprise within its corporate governance approach. ISG is thus part of the
overall corporate governance framework.
Corporate governance, information security strategy and ISG typically provide direction and set strategy for information
security within an enterprise. Activities associated with this strategy are then implemented as part of one or more
information security assurance programmes, which are concerned with the effective implementation of information
security management enterprise-wide.
Information security assurance covers activities such as performing an assessment of security, monitoring the state
of security, and establishing clear actions to help mitigate the risks associated with a business application, system or
network. During an information security assurance process, multiple sources of validation are typically considered
and amalgamated to formulate an overall opinion, both on a quantitative and qualitative basis. These typically include
information security audit results, incident reports, security awareness, system monitoring logs, threat and vulnerability
management and fraud testing. This information is captured, tracked and reported upon to provide a level of assurance
to senior management as to how effectively security is working.
IT governance, as defined by the IT Governance Institute (ITGI), is the leadership and organisational structures and
processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives. IT
governance has five objectives:
The objectives of IT governance and ISG thus overlap to some degree but, typically, ISG is regarded as being a
separate activity from IT governance.
The drivers for ISG encompass both management and technical aspects of information security. The respondents to
the project questionnaire believed that the management drivers are of greater importance than the technical drivers,
as illustrated in Figure 5:
[Figure 5 (bar chart, percentage of respondents on a 0% to 100% scale; diagram not reproduced).]
Figure 5: Drivers for adopting ISG, taken from 75 responses to the project questionnaire
The results presented are taken from 75 responses to the web-based project questionnaire, covering both
ISF Members and non-Members.
The highest-scoring drivers are all focused on the business and how ISG can be used to enhance the management
and value of information security. If these drivers for ISG are not enough to cause adoption, or do not provide
sufficient justification to establish ISG in an enterprise, then a stronger case may need to be made by including the
outcomes of ISG described in the next section.
Project research indicated that the majority of the benefits identified were the complement of the drivers.
For example, the driver ‘manage information security better across the enterprise’ became the benefit
‘better management of information security across the enterprise’.
ISG enables the CISO and the information security function to:
1. Shape responses to topical and evolving threats and issues such as the cyber environment, cloud adoption,
external suppliers and consumerisation
2. Enhance agility, so that the information security function is forward-looking, dynamic and growing, flexible enough
to scale in size and respond to business demands and challenges
3. Understand risks (both within information security and outside) and answer the risk/reward question – getting
to and focusing on the sweet spot that balances known risks with the cost of mitigating those risks
4. Demonstrate legal and regulatory compliance, and due diligence
5. Create a security-positive culture in the enterprise by raising awareness of the need for information security and
knowledge of information security risks
“ISG has helped me break down silos and link pockets of excellence.”
ISG outcomes are, in general, related to improving the ability of the information security function to support the
enterprise’s activities and the manner in which it communicates. These outcomes, being business-focused, can be
used to further strengthen the investment in ISG.
Many outcomes are generic and desirable in all enterprises. However, efforts should be made to identify
outcomes specific to your enterprise.
Summary
ISG is part of effective corporate governance by providing assurance that information risk is being addressed and that
legal and regulatory requirements for information protection are being met in a structured, consistent manner. It can
also provide a direct link between senior management and lower-level information security activity.
The next section looks at the actions required to prepare for ISG in an enterprise.
Establishing and implementing a robust ISG framework will maximise the benefit of ISG to an enterprise. This
section provides a series of actions to prepare for ISG. Project research has identified four actions that can be taken
to prepare for ISG implementation. These actions include understanding how information security relates to the
enterprise, the published ISG frameworks that can be used and assessing the status of ISG in an enterprise. Figure 6
shows these actions:
[Figure 6: Preparing for ISG, showing the four preparatory actions; the last step legible in the diagram is Step 4: Assess ISG in the enterprise.]
The Information security governance diagnostic tool can be used to support the completion of these actions. Note that,
depending on the results of the diagnostic, either preparatory or enhancement actions can be recommended.
The Information security governance diagnostic tool is a spreadsheet-based tool for Members to assess their
ISG maturity. The diagnostic is described in Appendix A: Information Security Governance diagnostic tool and
can be downloaded from the ISF’s Member Exchange (MX) system.
The first action captures the big picture and provides the CISO with an understanding of the high-level relationship
between information security, the enterprise and the status of information security.
Completion of these tasks will provide the CISO with an understanding of the enterprise and the context in which
information security and ISG will operate. This action will help to define the drivers, benefits and outcomes of ISG in
the enterprise.
“Two key reasons for having ISG are that one, it helps your senior managers meet their corporate
governance obligations and two, it supports the corporate governance framework.”
Once the enterprise strategy is understood, the next action is to examine the information security strategy and
how it aligns with and supports the enterprise. The first task is to review the current information security strategy
and understand how the strategy can be enhanced and the alignment strengthened. Tools such as benchmarking or
maturity assessment, using both qualitative and quantitative measures, can be used.
Part three
Once the gap analysis is complete, the information security strategy should be updated. When updating the strategy,
the following points should be included:
• specific references to ISG and how the information security strategy and ISG support each other
• forward-looking components such as horizon scanning and scenario planning
• alignment between the information security strategy and the enterprise strategy.
The ISF report Information security strategy defined information security strategy, using generally accepted strategy
models, as a plan of action that takes the information security function from ‘what do we do now?’ to ‘what
do we want to do in the future?’ The plan typically consists of a number of strategic projects or initiatives which
move the enterprise closer to its desired future state. How long the journey takes will vary from enterprise to
enterprise, but Members noted that, typically, an enterprise strategy takes a view of between two and six years.
The business strategy will typically identify where the enterprise believes it can offer, create or protect value for
its customers and stakeholders. Value drivers will help frame the enterprise risk appetite and can be used to align
information security and its strategy with the business strategy. The information security strategy will typically
need to draw upon the enterprise’s strategy and the IT strategy, and will show how the information security
strategy can support the enterprise in delivering its strategy.
Each of these aspects will contain a number of objectives, such as increasing value for money, protecting against
organised crime and repositioning the information security function as a business enabler. The strategy will also
provide a structure against which decisions concerning information security can be taken, evaluated and audited.
Each decision made should support the achievement of enterprise and information security objectives.
Visualising an information security strategy as having three distinct aspects (supporting the business, defending
against threats and raising the profile of the information security function) can help the development, alignment
and review of the information security strategy against the business strategy. Figure 7 summarises the concepts
in the ISF report.
[Figure 7: Information security strategy visualised as strategic projects (Project 1 to Project 5) grouped into initiatives (Initiative A and Initiative B); diagram not reproduced.]
By choosing the right mix of projects, programmes and initiatives, the information security function can demonstrate
how it is aligned and how it can contribute to the enterprise’s objectives.
The topic of ISG is an evolving area and academic institutions, professional bodies, enterprises and consultants have
all provided their perspectives on ISG. Having understood the context for ISG, a review of the published frameworks
will assist in deciding which framework to adopt and, if ISG is already implemented, spotting areas for enhancement.
In addition to the ISF framework for ISG described in this report, there are a number of published frameworks which
either directly address ISG or have relevance to ISG. Five such frameworks, drawn from standards setting bodies,
academia and practitioners are listed below:
• ISO/IEC 27014 Information technology – Security techniques – Governance of information security (Draft)
• IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive
Management (2nd edition)
• Da Veiga and Eloff, An Information Security Governance framework
• Carnegie Mellon, Governing for Enterprise Security (GES) Implementation Guide
• Committee of Sponsoring Organisations of the Treadway Commission (COSO), Enterprise Risk Management
framework.
Each of the above frameworks is described and compared at a high-level in Appendix B: Aligning ISF and other ISG
frameworks.
The ISF framework for ISG is composed of three objectives, each of which has key activities. The following diagram
illustrates the framework in detail and its relationship with ISG.
[Figure 8 (diagram not reproduced). Objectives: A. Deliver value to stakeholders; B. Achieve strategic goals; C. Provide information risk assurance. Activities legible in the diagram: A3. Enable business initiatives; B3. Sustain buy-in and commitment; C3. Ensure compliance; C5. Monitor and report on assurance.]
Figure 8: The ISF framework for ISG, its objectives and activities
The objectives and activities, described in detail in Part 5: Implementing the ISF framework for ISG of this
report, have been created through the analysis of published material, the ISF 2011 Standard of Good
Practice, Member input from the workshops, case studies and project questionnaire.
The importance of each objective will vary from enterprise to enterprise. For example, a Member in the consumer
goods industry emphasised that Objective A: Deliver value to stakeholders was the most important objective, while a
Member in the financial services industry placed Objective B: Achieve strategic goals first. Within every enterprise, the
CISO should discuss and decide the relative importance of these objectives with business management and senior
management.
“ISG is a tool to explain to senior managers how and what information security is doing and how it all
fits together.”
The ISF framework for ISG and its relationship to the 2011 Standard of Good Practice
The ISF 2011 Standard of Good Practice is closely aligned with the ISO 27000 suite of information security-related
standards but provides greater breadth and depth of guidance to implement and assess an enterprise’s information
security arrangements. As such, the ISF 2011 Standard of Good Practice is a powerful tool to support implementation,
compliance and certification to International Standards Organisation (ISO) standards. The relationship between the
2011 Standard of Good Practice and the relevant ISO information security-related standard (ISO/IEC 27014 Information
technology – Security techniques – Governance of information security, described in this report) is shown in Figure 9:
[Figure 9 (diagram not reproduced). Layers shown: Security requirements; ISO 27001 (Information Security Management System); Control framework; The Standard of Good Practice for Information Security; Security assurance.]
Figure 9: How the ISF 2011 Standard of Good Practice is aligned with the ISO 27000 suite of standards
The ISF framework for ISG is aligned to the ISF 2011 Standard of Good Practice through Area SG1 – Security
Governance and, more specifically, SG1.1 Security Governance Framework, which has the following principle and
objective.
Principle: A framework for information security governance should be established, and commitment demonstrated
by the organisation’s governing body.
Objective: To ensure that the organisation’s overall approach to information security supports high standards of
governance.
The ISO is currently developing ISO/IEC 27014 Information technology – Security techniques – Governance of information
security. The standard is currently in draft – and will change before it is finally released – but at the time of writing, the
key elements of the standard appear to be agreed.
The ISO standard, particularly section 4 Concepts and section 5 Principles and processes, is of great relevance to this work.
A summary of the most relevant sections in the current draft of ISO/IEC 27014 (September 2011) is presented here.
• Section 4.2 Objectives, which presents three objectives: strategic alignment, value delivery and assurance
• Section 4.3 Outcomes, which highlights six outcomes:
- Close alignment of information security objectives with the objectives of the enterprise overall
- Demonstration of commitment to information security from the governing body and executive management
- An improved link between executive management and the information security function
- A more agile approach to decision making about information risks
- Consistent protection of information assets across the enterprise
- Greater effectiveness and efficiency in providing continued security operations.
The draft of ISO/IEC 27014, the ISF 2011 Standard of Good Practice and the ISF framework for ISG are in alignment.
As a result, Members will be able to use this report to demonstrate how their ISG reflects both the forthcoming ISO
standard and the ISF 2011 Standard of Good Practice.
Draft versions of ISO/IEC 27014 have been read and commented on extensively by the ISF Global Team and
Members during its development as part of the ISF ISO Liaison project. A large number of ISF suggestions
have already been accepted and incorporated into the ISO drafts.
ISACA and the ISF have also collaborated to enhance ISO/IEC 27014 drafts.
Part three
The results from the project questionnaire and case studies indicate that over seven in ten respondents (74%)
have some form of ISG in place. Evaluation of ISG against the ISF framework for ISG will highlight gaps or areas for
improvement. If no ISG is in place, then the evaluation will assist the enterprise in planning to adopt an ISG framework.
“I can’t tell you what ISG is and what it looks like – but I know it when I see it.”
The Information security governance diagnostic tool (described in Appendix A: Information Security Governance diagnostic
tool) can be used to assess current ISG against the ISF framework for ISG. Members can use the spreadsheet-based
diagnostic tool to stimulate thought and debate about ISG and how it is implemented in their enterprise. The
diagnostic allows Members to:
The diagnostic is designed as a simple, easy to complete tool, which provides a common language and terminology
and which is capable of enhancement over time via feedback and the use of metrics. It offers a fact-based analysis of
the current maturity of ISG.
The state of ISG can also be examined using the STARS model. STARS, which is an acronym standing for Start-up,
Turnaround, Realignment and Sustain success, provides a rapid way to analyse a situation and then create actions to
address the issues found.
Appendix D: STARS model describes the model in greater detail and illustrates how it can be applied to ISG.
The results from the diagnostic – and from the previous actions described in this part – will provide the basis for
action going forward. Three outcomes are possible:
• Do nothing – this may be the case when an ISG framework is implemented and is meeting its objectives
• Adapt, modify or enhance the ISG framework – where a framework is in place and working but can be improved
• Implement an ISG framework – as there is nothing in place.
The results should then be discussed with senior management and, in the case of the last two categories (adapt or
implement), agreement obtained to plan for enhancing or implementing an ISG framework.
Summary
Preparing for ISG involves understanding the big picture and how information security and ISG fit into an enterprise.
An assessment of both information security and ISG will provide a solid understanding of the status of ISG and the
actions required going forward. The actions to prepare for ISG are shown in the table below.
Action – Tasks
Step 1: Evaluate the status of information security in the enterprise
• Understand how the enterprise works and delivers value
- explore the governance frameworks in place
• Recognise how information security is adding value to the enterprise by:
- engaging with the business units and senior management
- knowing about enterprise strategic objectives and key programmes and projects
- identifying where information security is enabling the business and/or adding or protecting value
Step 2: Review information security strategy and objectives
• Perform a gap analysis to understand how and where information security, its strategy and ISG can be enhanced
- employ tools such as benchmarking or maturity assessment
- use both qualitative and quantitative measures
• Review and if necessary update the enterprise’s information security strategy
- including forward-looking components such as horizon scanning and scenario planning
- building in links between ISG and the strategy
- aligning the information security strategy and objectives with those of the enterprise
Step 3: Understand published ISG frameworks
• Review current frameworks
• Evaluate the utility of the ISF framework for the organisation in question relative to the framework in place or published
Step 4: Assess ISG in the enterprise
• Complete the ISF Information security governance diagnostic tool (see Appendix A: Information Security Governance diagnostic tool)
- seek input from the business, IT and information security professionals to complete the tool
• Use the STARS model to decide which business phase ISG is in (see Appendix D: STARS model)
• Discuss the results with senior managers and agree a way forward.
Appendix C: Prepare and plan actions: the checklist contains these actions listed in a checklist format. The
checklist is also included in the Information security governance diagnostic tool.
To assist Members in performing Preparing Step 3, Appendix B: Aligning ISF and other ISG frameworks
presents the results of a comparison of ISG frameworks.
Having shown how the preparations for ISG can be carried out, the next part highlights the actions required to
prepare for ISG implementation or enhancement.
Having examined the ISF framework for ISG in detail, this section presents the actions required to plan for ISG
implementation and enhancement.
Just under nine out of ten questionnaire respondents (87%) indicated that the CISO will typically have the responsibility
for implementing and owning ISG in an enterprise – supported by the information security function – and would thus
be responsible for the actions described in this part.
Successful ISG implementation and enhancement is dependent on understanding the enterprise and the current
status of ISG, then building on that knowledge. Figure 10 highlights the major actions that should be carried out by
the CISO and the information security function before implementing or enhancing ISG, drawn from an analysis of
the project findings.
Figure 10: Planning – major actions, ending with Step 5: Prepare final implementation plan
The actions are presented in a sequential manner but this sequence is likely to vary from enterprise to
enterprise, depending on the status of ISG in the enterprise.
When defining the ISG framework, the ISF framework for ISG can be used and adapted. The ISG framework should
be positioned in relation to the enterprise, its governance framework and its operations. Once this positioning is
described, the terms of reference for ISG and the roles and responsibilities for individuals involved in ISG should be
defined.
Finally, a clear statement of the benefits of ISG and the timeframe in which delivery will occur should be created.
Stakeholder mapping
This is used to understand the degree to which stakeholders can exert power and influence over the ISG framework.
Stakeholder groups can include senior management, shareholders, IT, information security staff, external suppliers,
regulators and customers. Mapping examines the relative power of these stakeholders, the likelihood of them using
that power and their level of interest in the activity. When performed objectively, the analysis will indicate:
• which stakeholders have the greatest potential to positively or negatively affect ISG
• the needs and requirements of each group
• their communication and reporting needs and preferences
• whether one stakeholder group can lead other groups
• how stakeholder groups can influence each other.
Stakeholders are categorised on a map, rating their level of interest against the power they possess to exercise those
interests. In this way the stakeholders can be broadly divided into four groups: Minimise effort, Keep informed, Keep
satisfied and Manage closely, as shown in Figure 11 below:
Figure 11: Stakeholder map. Stakeholder power (low to high) is plotted against stakeholder interest (low to high):
low power and low interest – Minimise effort; low power and high interest – Keep informed; high power and low
interest – Keep satisfied; high power and high interest – Manage closely.
Based on this analysis, decisions can be made about how to communicate with the stakeholders regarding ISG. In
some cases, the map can be used to identify how to communicate with certain groups to maintain or win their
support. The mapping exercise has two further benefits:
1. Those performing the mapping will have a clearer picture of the categories of stakeholders and be able to identify
the groups most likely to affect, and be affected by, enterprise decisions and ISG
2. Efforts can be prioritised to maximise the effectiveness of the stakeholders’ interest and power through
communication that leverages their interests.
The following table illustrates how to communicate with the four stakeholder types.
“Your customers can wield significant influence. If they don’t like how you handle their information,
they can stop using your business.”
The stakeholder mapping can be used as input into an ISG communications plan.
Whilst the CISO is typically responsible and accountable for delivery, an ISG board can provide valuable guidance,
links to other areas of the business and assistance in evaluating the success of information security governance.
‘ISG board’ was the most commonly used term to refer to a body appointed to oversee ISG in an
enterprise. Other terms included ‘ISG committee’ and ‘ISG oversight panel’.
The ISG board can be given a range of responsibilities and authorities, which the CISO should define and agree with
senior management. The list on the following page highlights the most common of these, grouped according to the
ISF framework for ISG:
“Senior management and the board sets the direction, the information security steering group (or
committee) drives it forward, and the ISG board and governance framework ensures that everything
is on course and will arrive on time.”
The proposed membership of the ISG board should include one or more senior management representatives.
Potential members of the ISG board are shown in the table below.
• Chief Information Officer
• Lines of business representatives – or heads of divisions, functions or business units
• Chief Information Security Officer – or equivalent
• Legal function representative – may not be present in all organisations
• Finance function representative
• Compliance function representative
• Marketing function representative
• Programme Management Office representative
• Human Resources representative – also known as personnel or talent management
“It may be difficult to get the CEO or CFO or other senior members to attend. One, they don’t get
what we do; two, they’re busy and we’re not on their agenda; and three, there isn’t always a legislative
driver.”
The ISG board may communicate with other functions or committees such as compliance, legal and HR where
information or decisions need to be shared.
“You should engage with the audit committee. Remember, senior management and the CIO do not
argue with that committee; senior management simply address the identified issues.”
The role of internal audit (typically perceived as a major internal stakeholder) and whether an audit representative
should have a seat on this ISG board is a difficult question to resolve. Usually, internal audit would not be
invited to sit on this board, because internal audit may review the activities undertaken, the decisions made and
processes followed by the ISG board. However, there were conflicting views as the following quotes illustrate.
“Audit representation may be driven by materiality – if there is a big deal issue or project that may affect the company,
you may want them on your side during the fact, not afterwards.”
“Audit should be independent. Audit may test whether you have the controls to manage both the information risks and
the information security function.”
The CISO may not be able to make the decision whether to involve internal audit or not; ultimately, a senior
manager, such as the CIO or CEO, may have to make that decision. Typically, internal audit would be invited on
a case-by-case basis, using criteria such as the topic under discussion and/or the risks being discussed to assist in
making the decision. Another solution would be to appoint an independent internal auditor to the ISG board to
provide expertise and knowledge of audit; another auditor would then independently review the activities of the
ISG board.
The CISO should identify a member of senior management, who may be a C-level executive such as the Chief
Operating Officer, Chief Information Officer, Chief Risk Officer or Chief Executive Officer, and ask them to support
and sponsor the ISG framework. Gaining that person’s support may involve explaining the need, the benefits, value
add and the resource requirements associated with ISG. Preparing Steps 1 to 4 – described in Part 3: Preparing for
information security governance – will assist in this exercise.
Having described the ISG framework and clearly stated its benefits and delivery timescale, the next step is to identify
and select the measures related to ISG. These measures should be identified in consultation with the business to
decide which measures are appropriate and to identify the audiences and the methods of presentation for each.
Where possible, objectives should be set using the SMART principle – in other words, they should be Specific,
Measurable, Attainable, Relevant and Time-bound.
The selection, agreement and presentation of measurements is a complex process, which this report does
not cover in detail.
Once the measurements have been selected, how they can be used – for example to drive improvements, increase
maturity or enhance the benefits of ISG – should be highlighted.
Implementing ISG will require the commitment of time and financial resources. As such, the CISO should gain
approval, preferably from senior management, before starting the implementation. The following tasks will assist in
gaining approval:
• Create a business case or similar document to gain stakeholder support and approval
• Communicate the business case, information security strategy and ISG to the relevant stakeholders
• Obtain buy-in and approval from senior management for the implementation of the strategy and ISG
• Produce a high-level project plan for ISG implementation, detailing delivery milestones.
The project plan should be developed in detail as part of this action. The plan should indicate the resources, the steps
and the sequence in which implementation should occur. The detailed plan will provide the CISO and others working
on implementing ISG with their detailed actions. The plan may also contain review points where implementation
progress and benefit delivery can be assessed.
ISG implementation should be carried out in sequential steps, with each step creating another part of the ISG
framework. When implementing ISG, it should not be viewed as an information security-only activity and should
involve the business in all steps to ensure alignment with the business. A key message from Members was to
start small, provide quick wins with tangible outcomes for the business, and integrate activities such as reporting
information security assurance with enterprise risk management.
“Start small and try not to do everything at once. Don’t over-engineer with fancy tools – start simple
and don’t try to report too many figures.”
During implementation, the progress of the project and the successes and benefits should be communicated to
the various stakeholders on a regular basis. As resources are usually limited, a balance must be struck between the
delivery of business-as-usual information security and implementing ISG. The business case prepared in Planning Step
4 should clearly state the resources required and how they will be allocated.
“You must ensure that the business knows your focus will be elsewhere for a while as you put ISG
in place, as some work will not get done during that time. You need to manage expectations around
what will and will not get done – you can’t do it all at the same time.”
A number of Members warned that ISG implementation typically took longer than expected and that the CISO
should plan for a medium-term time horizon (for example 12 months) and perhaps longer to socialise the ISG
implementation across the enterprise.
“I wish I had known just how much time it takes to get everything sorted, for example building support,
creating the framework and getting the right people in place.”
Summary
Based on Member experiences, five actions to prepare for ISG implementation or enhancement have been identified.
These five actions, when combined with a stepwise project plan, should lay the foundations for success.
Action – Tasks
Step 1: Describe information security governance framework
• Identify, link to and (where possible) reuse the other corporate governance frameworks in use in the organisation
• Use and if necessary adapt the ISF framework for ISG as the blueprint for ISG in the enterprise
• Position ISG in relation to the enterprise, its governance framework and operations
• Set terms of reference for ISG
• Define roles and responsibilities for individuals involved in ISG
• Provide a clear statement of the benefits of ISG and the timeframe in which delivery will occur
Step 2: Identify and engage your stakeholders
• Use stakeholder mapping to determine the power and influence of stakeholders
• Develop a plan to manage and communicate with stakeholders as appropriate, using the results of the stakeholder mapping exercise
• Obtain senior management support
• Create an ISG board
Step 3: Define what will be measured and how
• Consult with the business to decide which measures will be used as output from ISG
• Identify the audiences and the methods of presentation for each
• Highlight how the measurements will drive improvements, increase maturity or enhance benefit
Step 4: Gain approval to implement information security governance
• Create a business case or similar document to gain stakeholder support and approval
• Market the vision for ISG to senior management
• Communicate the business case to the relevant stakeholders
• Obtain buy-in and approval from senior management for the implementation of the strategy and ISG
• Produce a project plan for ISG implementation, detailing delivery milestones
Step 5: Prepare final implementation plan
• Draw up detailed implementation plan, with milestones, resource requirements and review points
• Review the plan and the ISG framework on a regular basis.
Appendix C: Prepare and Plan actions: the checklist contains these actions listed in a checklist format. The
checklist is also included in the Information security governance diagnostic tool.
The next part of the report examines the ISF framework for ISG in detail.
The following parts of this report – 5a, 5b and 5c – examine the three objectives of the ISF framework for ISG and
associated activities in detail. Figure 12 summarises the information security governance framework developed by ISF.
Figure 12: The ISF framework for ISG, its objectives and activities. The three objectives are A. Deliver value to
stakeholders, B. Achieve strategic goals and C. Provide information risk assurance; the activities shown include
A3. Enable business initiatives, B3. Sustain buy-in and commitment, C3. Ensure compliance and C5. Monitor and
report on assurance.
The objectives and activities have been created through the analysis of published material, the ISF 2011 Standard of
Good Practice and Member input from the workshops, case studies and project questionnaire.
Enterprises seek to use their resources in the best way possible to meet goals such as generating profit, maximising
the return on investment, using scarce skills to create new products or services, and creating value for stakeholders.
Information security, typically short of resource and needing highly specialised skills, should also seek to use the
resources it is given to best advantage. Often, information security is seen as an overhead that protects value;
however, it can also add value for an enterprise.
Objective A: Deliver value to stakeholders has four major activities, as shown in Figure 13 below:
Figure 13: Objective A: Deliver value to stakeholders – major activities
The 2011 Standard of Good Practice contains the following relevant topic:
Each of the activities associated with this objective is described over the following pages.
All managers are expected to deliver to budget, quality and deadlines; information security is no different. How well
these targets are met is to some extent related to two concepts: effectiveness and efficiency, described below.
Effectiveness
This is an outcome of doing the right things, ie setting the right targets to achieve an overall goal (the effect). For
information security, this is linked to the extent to which security safeguards are perceived as successfully protecting
IT systems hardware, software, data, information, and services from deliberate, accidental, or random threats to
confidentiality, integrity, or availability. This includes physical, electronic, personnel, and policy safeguards.
Improving effectiveness relies on a number of factors from improving interpersonal skills, personal attitudes and
technical competencies of staff, to the design of the organisation, the workplace and technology. For the CISO,
activities to raise effectiveness include security awareness, education and training; staff engagement; choosing solutions
for tasks such as firewall monitoring to release skilled individuals to work on business projects; and redesigning security
processes. To underpin effectiveness initiatives, the CISO should set clear targets for people to work towards.
Measures can be developed to assess the effectiveness of projects, programmes and initiatives undertaken. These
measures can be based on, amongst others, the following goals:
• Comparison of delivery and benefits against the original rationale, plan or business case
• Contribution of information security to the enterprise – for example assisting in bringing new products or services
to market or enabling the use of collaborative or mobile solutions
• Improvement of security arrangements against policy and regulatory requirements
• Reduction in the frequency and magnitude of potential incidents in terms of impact and cost
• Reduction in reputational damage or loss of customer support due to information security lapses by an external
supplier.
These measures may be used as input into ISG reporting, discussed in Part 6: Monitoring and reporting on ISG.
Efficiency
This is the achievement of goals in an economical way, striking a balance between economy in terms of resources
(such as time, money, space or materials) and the achievement of aims and objectives.
In information security terms this can be translated into reducing the cost of security, applying the appropriate level
of controls (such as not over- or under-controlling), deploying information security people with the right mix of skills
and knowledge on a project, productivity of staff and the reuse of components, tools, methodologies, assessments
and so on. Other methods of increasing efficiency include adopting standards, as they provide a ready-made control
framework upon which policies and procedures can be based, reducing resources required to produce policies and
procedures from scratch.
Other generally accepted methods of increasing effectiveness and efficiency include using project and programme
management; setting up a programme management office; obtaining feedback; and using benchmarking to assess
efficiency.
Key to satisfying the varying requirements of multiple stakeholders is a clear understanding of their requirements,
communication of those requirements to people who can meet them, and then planning and committing the required
resources. Planning Step 2: Identify and engage your stakeholders provides a number of tasks that can be used to
determine stakeholders’ requirements and their communication and reporting needs and preferences. Based on the
results from Planning Step 2, responsibilities can be allocated, commitment obtained, delivery managed and feedback
to assess satisfaction collected.
An example of meeting these requirements might be to enable the secure provision of consumer devices, or to
enable the secure use of social networking or collaborative tools for the enterprise.
Information security can play a significant role in the business by supporting services such as secure online shopping,
payment and banking, data interchange between an enterprise and service providers in its supply chain, or providing
secure services to remote branches or workers.
By adopting a risk-based, forward looking approach, the CISO and information security function can become a
strategic business enabler. They can investigate and prepare for new business requirements, new technologies, new
ways of working and draw up business-focused responses ahead of demand from the business. This forward-looking
stance will make the function more agile, quicker to respond to business requirements (or requests) and change
the perception of security from being a reactive cost centre to being a proactive business enabler. Additionally, by
understanding the trends and developments in technology (not just security technology), the CISO can propose
how to adopt technology securely and use new or current investments in security to speed or facilitate that
adoption. For example, because ISG can promote a risk-based, forward-looking approach, this would be of great
assistance to enterprises preparing for tomorrow’s challenges and dealing with today’s issues such as cloud adoption,
consumerisation and the cyber environment.
Another way to enable the business is to find new ways to use current security technology for the benefit of the
enterprise. A good example of this is using hardware tokens to provide consumers with two-factor authentication
when accessing their bank accounts online. The advantage of finding new uses for current technology is that the
experience and investment already made in the technology can be built upon, reducing costs and increasing the
return on investment.
“You have to be visible and get involved in business projects. Sometimes, the best thing to do is get out
of your office and walk around. That way you’ll discover what’s going on and what needs to be done.”
A major aim of ISG is to embed and integrate information security governance, processes and operations into the
business and existing structures and processes. Integration can take a number of forms, including:
• promoting consistency of information security across the enterprise and its processes
• building security in at the start of an initiative or development programme thus improving security and reducing
cost
• raising security awareness through tailored campaigns incorporated into staff induction and on-going training
• harmonising information security compliance activities across the enterprise leading to efficiencies and decreased
risk
• integrating with other risk management processes and activities.
Integration also improves efficiency, simplifies implementation and reduces the likelihood that the same issues arise
time after time.
“Our approach, our aim, is to embed security governance into the way our business builds and
operates services so it is not known as a discrete security process but part of the only way of getting
things done.”
“A key concern for me is creating and improving a security-positive culture across the business.”
Security architecture can be a mechanism for translating business security requirements into security controls
which can then be applied to the IT and other infrastructure. The ISF definition of security architecture is a set of
representations that describe the function, structure and inter-relationship of the security components within
an environment.
From a technical perspective, whether the security architecture refers to a new environment to be created
(often referred to as the target state) or an existing environment (often referred to as the current state),
security architecture can have a significant role in managing and ensuring the consistency of information security
arrangements across the enterprise. This can be achieved through the use of standards and guidelines (addressing
items such as server configurations, segregation of duties and least privilege), reusable security components (such
as controls, services and technologies or code and security controls) and tools and methods (such as APIs, code
samples and solution repositories).
Some Members believe that security architecture is a key activity and component of ISG, whereas other Members
believe there is no relationship between architecture and ISG. This report takes the view that implementing
security architecture may be a strategic objective to support ISG and its objectives.
The ISF’s Security Architecture report includes a set of guidelines on how security architecture can be developed.
The reports Role of information security in the enterprise and Managing a security function can be used to initiate the
debate with stakeholders about their requirements and expectations.
The Threat horizon reports can be used as input to a forward-looking information security strategy or as an aid to
discussions with stakeholders about the direction and future plans of the information security function. Reports such
as Architectural responses to the disappearing network boundary, Securing consumer devices and Managing access in a
changing world provide Members with insight into the developments and trends that may affect the provision of
information security in an enterprise.
One area to consider is the convergence of risk, which will be key in establishing the future shape and size of
information risk functions in an organisation. The Risk convergence: Implications for information risk management report
provides insight into what is meant by risk convergence and how different types of risk can be compared. It offers
pragmatic steps that the information risk function should take right now, in order to secure its position within a
converged risk environment.
Enterprises wishing to create or enhance awareness programmes can consult the Cyber citizenship in an enterprise
environment report, while the Solving the data privacy puzzle: Achieving compliance report can be used to assess and
strengthen an enterprise’s response to the challenges of data privacy and protection.
ISF tools that can be used to support this objective are shown in the table below.
Table 5: Selected ISF tools and their suggested use in Objective A: Deliver value to stakeholders
Summary
Objective A: Deliver value to stakeholders takes in activities such as finding efficiencies, identifying stakeholders, enabling
business initiatives through new technology and integrating information security into enterprise processes.
The next part of the report looks at achieving strategic goals and the activities that can contribute to successful
achievement of that objective.
Information security should be aligned to the enterprise and its strategy. Information security strategy and ISG can be
used together to create and maintain this alignment whilst overseeing the achievement of information security goals.
The four major activities associated with this objective are shown in Figure 14.
Figure 14: Objective B: Achieve strategic goals – major activities
The 2011 Standard of Good Practice contains the following relevant topic:
Each of the activities associated with this objective is described over the following pages.
Strategy and governance are closely linked. Connecting the information security strategy to ISG will allow for better
targeting of activities, improved reporting on the execution of the strategy and enhanced feedback to amend or
enhance the strategy itself.
“You have to decide what you are going to do first – that’s strategy. Then you need to decide how
you are going to achieve the ‘what’ and report progress – that’s governance.”
ISG will provide the direction and oversight of how well strategic objectives are being set and achieved through
reporting against project, programme or initiative milestones. ISG can also provide for regular review of both the
information security strategy and related objectives against the business strategy, to take into account any changes.
This review should include business representatives and may best be carried out by the ISG board.
Strategic objectives typically have long timeframes for their delivery, compared to short-term tactical or operational
objectives. Usually, a strategic objective will be broken down into programmes and projects with a mixture of shorter
and longer-term objectives.
In information security terms, this means creating projects, programmes and initiatives to support strategic objectives.
These projects may be technical in nature, such as implementing an intrusion detection system, they may be
managerial, such as creating a social media policy, or they may be both, such as interpreting regulation or legislation
and implementing a specific solution to comply with the legal and regulatory requirements. As each project delivers
or completes, the outputs from each will build towards the achievement of the strategic objective.
The oversight provided by ISG will enable measurement of progress towards achieving the strategic objectives. As
milestones are reached and projects completed, the alignment of the information security strategy with the business
strategy should be reviewed. Such a review will assist in keeping the alignment up to date and ensure that the
decisions made reflect enterprise requirements.
The risk appetite of the enterprise and its business units should be determined and understood. Understanding the
amount of risk the enterprise and its leaders are prepared to accept in order to meet their business objectives is
important, as it will shape the environment in which the strategic objectives and funding for information security are
considered. Culture – enterprise, national or regional – will also play a part, as it influences how decisions are made
and the risks individuals are prepared to take to meet their objectives.
“Our board-level executive was the Chief Legal Officer. His risk appetite was zero.”
By understanding the risk appetite of the enterprise, the CISO and business representatives can determine the
information risk appetite. Knowledge of the enterprise and information risk appetites can be used as guidance for
the initiatives, projects and programmes required to deliver the information security strategy. The information risk
appetite should be reviewed on a regular basis, to ensure it adapts to and reflects the changing risk appetite of the
enterprise.
Translating the enterprise risk appetite into information risk terms can be achieved by creating one or more business
impact reference tables, thereby setting and quantifying the level of risk the enterprise or business unit is prepared to
take. These tables can then be used in information risk assessments to drive the selection of controls and resource
commitment to protect the environment under examination. Figure 15 illustrates the ISF Business Impact Reference
Table (BIRT), which forms the core of the ISF Information Risk Analysis Methodology (IRAM) business impact assessment.
The BIRT uses 15 business impact types and can be configured by Members to reflect unique operating or other
circumstances. Once the modifications are agreed, the BIRT can be used across the enterprise to assess the business
impact should the confidentiality, integrity or availability of an application or information be compromised. From this
assessment, an indication of the criticality of the application can be determined, which will assist in control selection.
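As an added illustration of the mechanism described above, the Python below encodes a small business impact reference table, lets a business unit reconfigure one row to reflect its own risk appetite, and rates the confidentiality, integrity and availability impact of an application to derive its criticality. This is example code written for this edit, not the ISF's IRAM tooling: the impact types, rating bands, threshold values, the control-tier rule and the online banking estimates are all constructed assumptions, and the real BIRT (15 impact types, referenced as Figure 15) is not reproduced here.

```python
"""Toy business impact reference table (BIRT) and business impact assessment.

Added example for illustration only: it is not the ISF IRAM tooling, and the
impact types, rating bands and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, replace

RATINGS = ("negligible", "low", "medium", "high", "critical")   # rating 0..4
PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class ImpactType:
    """One BIRT row: an impact type and the upper bounds of rating bands 0..3.

    The thresholds are where the risk appetite is encoded: a unit prepared to
    absorb larger losses raises its bounds, so the same estimated impact earns
    a lower rating. Anything above the last bound is rated 4 (critical).
    """
    name: str
    unit: str
    thresholds: tuple

    def rate(self, value):
        for rating, upper in enumerate(self.thresholds):
            if value <= upper:
                return rating
        return len(self.thresholds)


# Constructed default table (the real ISF BIRT has 15 impact types).
DEFAULT_BIRT = (
    ImpactType("financial loss", "GBP", (10_000, 100_000, 1_000_000, 10_000_000)),
    ImpactType("customers affected", "count", (10, 1_000, 50_000, 1_000_000)),
    ImpactType("service outage", "hours", (1, 8, 48, 168)),
    ImpactType("regulatory breaches", "count", (0, 0, 1, 3)),
)


def configure(birt, name, thresholds):
    """Return a copy of the BIRT with one impact type's bands replaced, which is
    how a business unit tailors the agreed table to its own circumstances."""
    thresholds = tuple(thresholds)
    if len(thresholds) != 4 or list(thresholds) != sorted(thresholds):
        raise ValueError("thresholds must be four ascending upper bounds")
    if name not in {t.name for t in birt}:
        raise KeyError(f"unknown impact type: {name}")
    return tuple(replace(t, thresholds=thresholds) if t.name == name else t
                 for t in birt)


def assess(birt, estimates):
    """Business impact assessment for one application.

    estimates maps each of confidentiality, integrity and availability to the
    worst credible impact per impact type if that property were compromised.
    The rating for a property is the worst rating across impact types, and the
    application's criticality is the worst rating across the three properties.
    """
    by_name = {t.name: t for t in birt}
    ratings = {}
    for prop in PROPERTIES:
        values = estimates.get(prop, {})
        unknown = set(values) - set(by_name)
        if unknown:
            raise KeyError(f"impact types not in BIRT: {sorted(unknown)}")
        ratings[prop] = max((by_name[n].rate(v) for n, v in values.items()), default=0)
    criticality = max(ratings.values())
    return {"ratings": ratings, "criticality": criticality, "label": RATINGS[criticality]}


def control_tier(criticality):
    """Constructed control-selection rule (an assumption, not an ISF rule):
    high or critical applications get the enhanced control set, the rest the baseline."""
    return "enhanced" if criticality >= 3 else "baseline"


# Constructed estimates for a hypothetical online banking application.
ONLINE_BANKING = {
    "confidentiality": {"financial loss": 2_000_000, "customers affected": 200_000,
                        "regulatory breaches": 2},
    "integrity": {"financial loss": 15_000_000, "customers affected": 200_000},
    "availability": {"service outage": 24, "customers affected": 200_000},
}

if __name__ == "__main__":
    result = assess(DEFAULT_BIRT, ONLINE_BANKING)
    print(result, control_tier(result["criticality"]))
    # A unit with a larger appetite for financial loss raises its bands ...
    tuned = configure(DEFAULT_BIRT, "financial loss",
                      (100_000, 1_000_000, 10_000_000, 100_000_000))
    # ... and the same application drops from critical to high.
    print(assess(tuned, ONLINE_BANKING))
```

Running the block rates the same application critical under the default table and high under the reconfigured one, which is why the modifications have to be agreed before the table is used across the enterprise: the criticality that drives control selection depends on the appetite encoded in the bands as much as on the estimated impact.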
“ISG helps keep the enterprise within its risk tolerance.”
Getting and retaining the support of people across an enterprise can be challenging. Many security professionals have,
for a number of years, found it difficult to achieve continued senior management support and buy-in for information
security and related initiatives. ISG can be used to sustain buy-in and commitment through:
• demonstrating the alignment between information security strategy and enterprise strategy and the realisation of
shared objectives
• articulating business value and benefits and the sequence in which they will be realised
• using the language and terminology of enterprise risk management
• reporting progress against strategic objectives in a style appropriate for senior management
• reporting regularly on the information security status of the enterprise.
The formation of an information security governance board will also assist in gaining buy-in and commitment as many
(if not all) of the representatives on the ISG board may gain insight and benefit from information security.
“ISG allows you to articulate what is needed and how it works to the business.”
“Culture is a powerful tool. If the people at the top understand information security, take it seriously,
demonstrate their commitment, get security on everyone’s agenda and in their pay packets, then you
get much more commitment from the entire enterprise.”
To sustain buy-in and commitment from senior management in the enterprise, the CISO should be visible and
communicate regularly with them. This should take the form of scheduled face-to-face or teleconference meetings,
with a plan and structure, perhaps supplemented by unstructured discussions. The CISO should be prepared to
provide a summary of achievements and support given to the business. ISG can provide the CISO with the information
needed to demonstrate to senior management that their continued support is yielding results and that information
security across the enterprise is meeting or exceeding their requirements.
The following table provides suggested actions and tasks associated with this step.
Action: Sustain senior management support
Tasks:
• Understand the business strategy and the requirements placed on information security
• Discern what the enterprise needs from information security – talk to stakeholders
• Ensure the information security vision and strategy are up-to-date, forward-looking and aligned to enterprise objectives / strategy
• Produce a business plan for information security focused on business needs and benefits
• Market the vision and describe the plan to stakeholders and get their approval or support
• Demonstrate how success can support achievement of the enterprise strategy
Action: Build and enhance credibility by helping the enterprise to meet its goals
Tasks:
• Present executives with a programme for enabling change
• Detail business benefits and when they can be realised
• Commit to update executives regularly
• Identify and deliver quick wins
The RISE report identified the changes and developments required to move from today’s technical to tomorrow’s
enterprise focus, using the five dimensions of the ISF Managing a security function diagnostic tool. The actions to
be taken provide a series of short-term tasks (approximately two years) against which progress can be measured;
the tasks can be used as a springboard to achieve the final vision.
Three paths of information security evolution were identified in RISE: IT, business, and risk integration. Each
provides a future vision for information security. The results captured by the RISE project indicate that integration
with the business and a focus on the enterprise is the future of information security. Regardless of the path
chosen, information security in an enterprise will have to communicate, integrate, work and deliver with multiple
stakeholders, ranging from IT to HR, from senior management to system administrators. A key component of the
vision is understanding information risk.
ISG is a mechanism by which many of the aspirations identified in the RISE report (such as providing integrated
risk management, assurance, compliance solutions, consultancy and measurement of value) can be delivered.
The Insider view, another RISE deliverable, provides Members with a series of activities to deliver a change
programme to deliver the vision.
The requirements for the confidentiality, integrity and availability of information in systems, risks and environments
should be set and distributed throughout the enterprise. These requirements can take a compliance or threat-based
approach. The following paragraphs discuss the two approaches.
Approach I – Compliance-based
This approach typically uses a standard or agreed baseline to set the controls framework and controls used across
the enterprise. A compliance-based approach will typically result in the scope of the requirements being driven by:
The requirements will thus be limited to the scope of the standard or standards chosen and may only provide a
narrow view of security; this may lead to matters that are important to the business not being addressed. It may also
limit the scope of any audits or assessments.
Approach II – Threat-based
Information security risks typically encompass threats and vulnerabilities (including special circumstances and control
weaknesses) that can have business impact. Basing requirements on this approach can focus attention on the business
risks (such as the risk of unauthorised access to enterprise information) and the measures in place to address them
or the flow of information through and around the enterprise, and the integrity and quality of that information (such
as transaction data, standing data).
The scope of the requirements will be broad and may require input from other enterprise functions such as risk
management, IT and the board. The scope will be driven by the analysis of threats to the enterprise, its information
and the risk appetite of the enterprise. The simulations will cover people, process and technology risks and how these
risks can be treated.
Taking either an entirely compliance- or threat-based approach may not be suitable, as each can miss certain risks. A
combination approach will blend aspects of both approaches to more fully address the risks, providing the enterprise
with a comprehensive set of requirements for the confidentiality, integrity and availability of information.
To set the requirements, an analysis of the financial, operational and customer-related impacts should be taken from
the perspective of the confidentiality, integrity and availability of information. Once determined, these requirements
should be incorporated in design specifications for system or software developments, included in stage reviews and
built into business process documents.
The requirements will need to be reviewed on a regular basis, to take into account changes in the environments and
other developments.
The ISF 2011 Standard of Good Practice provides a broad and comprehensive view of security, making it less
likely that matters important to the business are ignored.
The reports Role of information security in the enterprise and Managing a security function can be used to define areas
of responsibility and create a profile of the information security function and how information security can support
the business.
The ISF Information security strategy report provides Members with an understanding of strategic concepts, an
overview of practice within Member organisations and a practical way to demonstrate and communicate the strategic
relevance of information security to an enterprise. The report can be used to assist in the creation of an information
security strategy.
The Information Risk Analysis Methodology (IRAM) series of reports provides Members with a complete methodology
covering business impact reference tables, business impact assessment, threat and vulnerability assessment and
control selection. The Risk convergence: Implications for information risk management report provides insight into what
is meant by risk convergence and how different types of risk can be compared. The report offers pragmatic steps
that the information risk function should take immediately, in order to secure its position within a converged risk
environment.
To help set the information security requirements, the ISF 2011 Standard of Good Practice topics SR1.3, SR1.4 and
SR1.5 can be used, as these set out the principles and objectives for setting confidentiality, integrity and availability
requirements respectively.
The Protecting information in the end user environment report is built around a practical model to help Members
understand the three main elements that affect information protection (end user, technology and location). It
presents a series of recommendations intended for the individuals responsible for information security in the end
user environment to sustain the commitment to protect information.
The Practical approaches to information classification report provides practical guidance on how to design an effective
information classification scheme and deploy it enterprise-wide, while the Information lifecycle: a new way of looking
at information risk report assists Members in considering the risk to information, from its creation to destruction, and
deploying controls in proportion to that risk. These two reports will assist Members in determining and then fulfilling
information security requirements.
Finally, Guidelines for information security covers the full spectrum of information security and provides the basis for
implementing information security and the requirements across an organisation.
The ISF has two tools that can be used to help in achieving strategy as shown below.
Table 7: Selected ISF tools and their suggested use in Objective B: Achieve strategic goals
Summary
Aligning information security to the enterprise is vital. Objective B: Achieve strategic goals provides support so that the
information strategy can be realised and progress measured.
The next section will discuss Objective C: Provide information risk assurance, and the major activities that help achieve
that in an enterprise.
The third and final objective of ISG, to provide information risk assurance, is achieved through activities such as
the adoption of an information security assurance programme and the application of information risk management
techniques. The five major activities of Objective C: Provide information risk assurance are shown in Figure 16.
Figure 16 (diagram; image not reproduced): the ISF framework for ISG, showing the three objectives A. Deliver value to stakeholders, B. Achieve strategic goals and C. Provide information risk assurance, with the major activities of Objective C highlighted. Activity labels legible in the extracted diagram include A3. Enable business initiatives, B3. Sustain buy-in and commitment, C3. Ensure compliance and C5. Monitor and report on assurance.
The 2011 Standard of Good Practice contains the following relevant topic:
Each of the activities associated with this objective is described over the following pages.
Information security assurance, which the ISF has defined as providing evidence to senior management that
information risks are being managed effectively enterprise-wide, is a key output of ISG. At the highest level, security
assurance may simply be a high-level dashboard report distributed to the relevant stakeholders. For other enterprises,
particularly where IT or the information security function is outsourced, stakeholders may require more detailed
evidence of information security assurance.
ISG can promote the creation, maintenance and monitoring of a security assurance programme to collect evidence
that systems, risks and environments are being managed. At the core of a security assurance programme are one
or more security assurance processes – which can be based around the plan-do-check-act (PDCA) elements of an
information security management system (ISMS). By following these processes carefully for a particular environment
(such as a customer service department or an online banking system), an enterprise will be able to identify security
requirements, select an appropriate control framework, and validate that the control framework is operating effectively.
These security assurance processes need to be supported by a range of specialised activities (such as creating a
security policy, collecting metrics and testing) to ensure that a consistent approach is taken and that all parts of the
enterprise are covered by the security assurance programme. The way in which these components fit together is
shown in Figure 17 below.
Figure 17 (diagram; image not reproduced): the security assurance programme contains one or more security assurance processes (process 1, process 2, process 3, ...), each running through the same steps: initiate; identify security requirements; implement control framework; monitor and evaluate controls; make improvements. The processes are supported by specialised activities: security strategy, security architecture, security policy, security awareness, security audit / review, security assessment, security testing, security compliance, security access control and security metrics.
Figure 17: Components of a security assurance programme
Finally, it is important that the overall security assurance programme is well managed. Clear lines of communication
should be established with all relevant stakeholders and aligned with the enterprise’s corporate and security
governance approach.
The assurance process illustrated above is compatible with an ISMS plan-do-check-act cycle and the four
COBIT domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
Establishing links between information security assurance and information security governance can be challenging
to achieve in practice. Previous ISF work (Information security assurance: An overview for implementing an information
security assurance programme) suggested that this challenge can be overcome by:
• implementing a coherent, integrated framework that includes key activities relating to corporate governance,
information security governance and information security assurance
• appointing owners to individual security assurance processes for particular environments, who will then jointly
act as a steering committee supporting decision-making
• identifying improvements to the overall security assurance programme to increase the visibility of information
security assurance and better align it with governance objectives.
For consistent information risk assessment and treatment, the organisation will ideally adopt a single information risk
assessment methodology across the enterprise. If this is not possible, ISG should be used to minimise the number
of methodologies in place and ensure that the methodologies produce outputs that are relevant to the business and
can be compared or used in risk reporting.
For each methodology, guidance on the conduct of assessments, including the information risk appetite, should be
distributed across the enterprise. The information risk assessment, where possible, should have defined links to other
risk tools and methodologies in the enterprise and should produce results in a format suitable for incorporation into
operational or enterprise risk management methodologies and reporting.
After adoption, ISG will monitor how risk assessments are carried out. It will ensure that the decisions made as a
result of those assessments meet the enterprise and information risk appetites, meet statutory obligations and address
specific enterprise requirements. The information risk appetite will be one of the factors that determine whether a
risk will be accepted, avoided, transferred or mitigated, along with other factors such as compliance requirements, the
security architecture in place and the funding available for risk mitigation.
A process should be established for ensuring compliance with relevant legal and regulatory requirements affecting
information security across the enterprise, such as general legislation that has security implications, information
security-specific legislation, and industry-specific regulation. The process should have a reporting component, which
identifies areas of weaknesses through assessment and audit, new legislation or regulation and provides a measure of
the risk to the enterprise.
Compliance with internal policy and standards should also be measured using a similar or identical process that
produces both qualitative and quantitative measures. Again, assessment and audit can be used to identify weaknesses
or non-compliance.
Figure 18 (diagram; image not reproduced) shows the compliance management process in three phases:
Define requirements: translate obligations to requirements; develop controls based on requirements; determine new controls required; create matrix of obligations, requirements, controls; define requirements for monitoring.
Implement: develop business case and action plan; deploy controls; deploy monitoring.
Monitor: gather data; aggregate data.
Figure 18: An information security compliance management process, from the ISF report Monitoring compliance
The ISF process provides a practical approach for managing, monitoring and demonstrating compliance with
requirements.
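The matrix and monitoring steps of the process can be made concrete with a small worked example. The Python below is added for this edit and is not the ISF's own tooling; the obligations, requirements, controls and monitoring results are constructed sample data, not real legal references. It builds the matrix of obligations, requirements and controls, reports the gaps (an obligation with no requirement, a control with no monitoring defined) that assessment and audit would flag as weaknesses, and aggregates gathered monitoring data into a qualitative status per obligation and one quantitative measure.

```python
"""Obligations-requirements-controls matrix with gap finding and monitoring roll-up.

Added example for illustration only: a constructed, much simplified version of
the matrix and monitoring steps of a compliance management process, not the
ISF's own tooling. All obligations, requirements, controls and monitoring
results are invented sample data.
"""

# Constructed obligations (hypothetical, not references to specific laws).
OBLIGATIONS = {
    "OBL-1": "Protect personal data against unauthorised access",
    "OBL-2": "Retain transaction records for seven years",
    "OBL-3": "Notify the regulator of a breach within 72 hours",
}

# Obligations translated into information security requirements. OBL-3 has no
# requirement yet: a gap the matrix should surface.
REQUIREMENTS = {
    "REQ-1": {"obligation": "OBL-1", "text": "Access to personal data is limited to authorised roles"},
    "REQ-2": {"obligation": "OBL-1", "text": "Personal data is encrypted at rest"},
    "REQ-3": {"obligation": "OBL-2", "text": "Transaction records are backed up and retained"},
}

# Controls chosen for each requirement, plus the monitoring defined for each
# control (None where no monitoring requirement has been defined yet).
CONTROLS = {
    "CTL-1": {"requirement": "REQ-1", "text": "Role-based access control on the customer database",
              "monitoring": "quarterly access review"},
    "CTL-2": {"requirement": "REQ-2", "text": "Disk encryption on database servers",
              "monitoring": "monthly configuration scan"},
    "CTL-3": {"requirement": "REQ-3", "text": "Nightly backup with seven-year retention",
              "monitoring": None},
}

# Constructed monitoring data as it would be gathered over time.
MONITORING_DATA = [
    {"date": "2011-06-01", "control": "CTL-1", "outcome": "pass"},
    {"date": "2011-07-01", "control": "CTL-2", "outcome": "pass"},
    {"date": "2011-08-01", "control": "CTL-2", "outcome": "fail"},
]


def build_matrix(obligations, requirements, controls):
    """One row per obligation -> requirement -> control chain; a missing link
    shows up as None so nothing silently drops out of the matrix."""
    reqs_by_obl, ctls_by_req = {}, {}
    for rid, req in requirements.items():
        reqs_by_obl.setdefault(req["obligation"], []).append(rid)
    for cid, ctl in controls.items():
        ctls_by_req.setdefault(ctl["requirement"], []).append(cid)
    rows = []
    for oid in obligations:
        for rid in reqs_by_obl.get(oid, [None]):
            cids = ctls_by_req.get(rid, [None]) if rid else [None]
            for cid in cids:
                rows.append({"obligation": oid, "requirement": rid, "control": cid,
                             "monitoring": controls[cid]["monitoring"] if cid else None})
    return rows


def find_gaps(matrix):
    """Areas of weakness visible from the matrix alone, before any testing."""
    return {
        "obligations_without_requirements": sorted(
            {r["obligation"] for r in matrix if r["requirement"] is None}),
        "requirements_without_controls": sorted(
            {r["requirement"] for r in matrix if r["requirement"] and r["control"] is None}),
        "controls_without_monitoring": sorted(
            {r["control"] for r in matrix if r["control"] and r["monitoring"] is None}),
    }


def aggregate(matrix, monitoring_data):
    """Roll gathered data up to a qualitative status per obligation and one
    quantitative measure (share of monitored controls whose latest result passed)."""
    latest = {}
    for rec in sorted(monitoring_data, key=lambda d: d["date"]):
        latest[rec["control"]] = rec["outcome"]      # the most recent result wins
    by_obligation = {}
    for oid in sorted({r["obligation"] for r in matrix}):
        rows = [r for r in matrix if r["obligation"] == oid]
        if any(r["requirement"] is None or r["control"] is None for r in rows):
            status = "gap"
        elif any(r["monitoring"] is None or r["control"] not in latest for r in rows):
            status = "unmonitored"
        elif all(latest[r["control"]] == "pass" for r in rows):
            status = "compliant"
        else:
            status = "non-compliant"
        by_obligation[oid] = status
    monitored = {r["control"] for r in matrix if r["control"] in latest}
    passing = sum(1 for c in monitored if latest[c] == "pass")
    pct = round(100 * passing / len(monitored), 1) if monitored else 0.0
    return {"by_obligation": by_obligation, "controls_passing_pct": pct}


if __name__ == "__main__":
    matrix = build_matrix(OBLIGATIONS, REQUIREMENTS, CONTROLS)
    print(find_gaps(matrix))
    print(aggregate(matrix, MONITORING_DATA))
```

The two outputs are the reporting component the text asks for: the gap list is the qualitative weakness report (a missing requirement, a missing monitoring definition) that no amount of control testing would reveal, and the roll-up gives the quantitative measure alongside a status per obligation so that a failed control is attributed back to the obligation it protects rather than hidden in an enterprise-wide percentage.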
Working with external suppliers raises a number of key issues, including agreeing, validating and comparing the
information security arrangements of external suppliers. Enterprises also face the challenge of understanding where
their information is being stored, processed, transmitted or destroyed within the supply chain.
The ISF framework for ISG can be used to introduce a consistent approach specifying information security requirements
in contracts and service level agreements, and assessing potential and existing external supplier arrangements. Exit
arrangements can also be standardised. A consistent approach is more efficient and provides the enterprise with
better reporting on the risks associated with external suppliers.
This approach is shown in Figure 19 below, along with a high-level overview of the ISF common baseline for information
security in external suppliers.
Figure 19 (diagram; image not reproduced): the ISF approach for external suppliers has four steps: A. Identifying and classifying external suppliers; B. Agreeing external supplier security; C. Validating external supplier security; D. Handling termination.
Figure 19: The ISF approach and common baseline for external suppliers
The approach and baseline provide a consistent method of assessing external suppliers and reducing information risk
in the supply chain.
Cloud-based services are being increasingly adopted by enterprises and by organisations in their supply chain.
Enterprises need to understand where in the supply chain cloud and other outsourced services are being used and
the specific risk associated with that use. Identifying the key risks can be achieved through risk assessment – but it
should not be limited to technical risks; management, contractual and other risks should be taken into account. Figure
20 illustrates typical risks associated with cloud services.
Figure 20 (diagram; image not reproduced): ‘Seven deadly sins’ of cloud security – 1 Ignorance, 2 Ambiguity, 3 Doubt, 4 Trespass, 5 Disorder, 6 Conceit, 7 Complacency – each with its related problems and actions, and a holistic approach for addressing the sins: 1. address the individual problems; 2. adopt the ISF process for managing external suppliers (identifying and classifying external suppliers, agreeing external supplier security, validating external supplier security, handling termination) together with the common baseline for external suppliers.
Figure 20: Linking the ISF approach for external suppliers to the seven deadly sins
A holistic approach, involving IT, legal, information security and business functions, is key to addressing the seven
deadly sins of cloud computing.
This activity checks the effectiveness of the controls implemented as part of the assurance programme and assesses
whether they are working as intended. During the assessment, enterprises may need to identify controls that are not
functioning as required and suggest areas where additional controls may be needed. There are four tasks that can be
carried out as part of this activity, as shown in the following table:
Table 8: Actions to consider when monitoring and reporting on information risk assurance
The table is based on the ISF report Information security assurance: An overview for implementing an
information security assurance programme.
These tasks check the effectiveness of implemented controls and assess whether they are working as intended.
Enterprises may need to identify controls that are not functioning as required and suggest areas where additional
controls may be needed.
The ISF project Information security assurance: An overview for implementing an information security assurance
programme provides an overview of information security assurance and includes high-level actions to consider when
implementing an information security assurance programme enterprise-wide. As a central part of this programme, a
repeatable security assurance process is outlined that can be applied to individual environments within an enterprise.
The ISF 2011 Standard of Good Practice provides Members with a ready-made control framework for use in a security
assurance programme covering the complete spectrum of security arrangements. The control framework will assist in
keeping business risks associated with information systems within acceptable limits. Members can adopt the standard
in whole or in part, or use it as a reference when creating or selecting their own controls.
The Information Risk Analysis Methodology (IRAM) series of reports provides Members with a complete methodology
covering business impact reference tables, business impact assessment, threat and vulnerability assessment and
control selection.
The Monitoring compliance report examines how enterprises’ compliance obligations give rise to information security
requirements which, in turn, define requirements for information security controls. To demonstrate compliance,
enterprises must conduct effective monitoring on implemented controls. The report considers what monitoring
information security compliance means in practice. It then touches on the recent emergence of process-based
compliance management approaches being adopted in leading enterprises. Security audit of business applications
provides Members with a mechanism to integrate risk considerations into an audit and reporting, further enhancing
the risk-based approach implicit in ISG.
The Information security for external suppliers: A common baseline report provides a set of common security
arrangements that can be applied to all external suppliers. This report builds on the Information security in third party
relationship management report, which includes a four-step process (identify, agree, validate and exit) for managing
multiple third parties from an information security perspective. The Securing cloud computing: addressing the seven
deadly sins report highlights the seven deadly sins – from a security perspective – that are commonly committed by
enterprises when deploying cloud services. It addresses the security of cloud services from a business standpoint,
providing detailed information on each of the sins and outlining an approach that enterprises can adopt to address
them.
The Reporting information risk report provides Members with easy-to-follow guidance on reporting information risk
efficiently and effectively in their enterprises by:
• setting out a practical framework for establishing an effective and efficient information risk reporting capability
• explaining quantitative techniques that can be used for analysing and forecasting information risks
• presenting illustrative approaches to incorporate in a risk report (such as heatmaps, risk radars and risk treatment
tables)
• providing examples of security metrics mapped to the ISF’s risk types in IRAM to help Members monitor changes
in information risk ratings.
There are seven ISF tools that can be used to support Objective C: Provide information risk assurance as shown in
Table 9.
Table 9: Selected ISF tools and their suggested use in providing information risk assurance
Summary
The objective of providing assurance covers a wide range of activities, from risk assessment to programme
implementation and external supplier evaluation.
Having discussed the three objectives individually, the next part of the report examines reporting associated with ISG.
A key feature of ISG is oversight and review of how information security is delivered across the enterprise. ISG
can be used to integrate information security reporting with that of other functions (such as finance or IT) so that
senior management is presented with information in a familiar style and language. Such presentation will allow better
comparison of risks, governance and compliance measurements enterprise-wide.
This section examines how the ISG framework can be used to generate reports that are evidence-based, factually
accurate, business-focused, and that demonstrate the value and benefit of both ISG and information security in
general.
Monitoring
Security data is produced (often automatically) by business and security applications, computer systems and network
devices. It is typically voluminous and very detailed, requiring processing (such as normalisation, aggregation and
analysis) before it can be interpreted and used as metrics. Security metrics are traditionally used by operational
staff, such as system administrators, network engineers and information security specialists. Security metrics add value
to the enterprise by providing the underlying data set upon which key performance indicators (KPIs) are based.
In addition to security metrics, there are other measures of relevance to the security function which can be grouped
into financial and non-financial measures.
Financial measures
Approaches such as return on investment, return on security investment and payback can be used to capture the
costs and benefits (such as savings and revenue or profit generation) associated with a security initiative. These can be
combined with expected management approaches such as delivery to budget, monthly financial comparison between
actual and budget costs, and review of expenses.
Non-financial measures
Non-financial benefits may indirectly lead to increased financial return, but are usually difficult to quantify and therefore fall
under the heading of non-financial or intangible benefits. Benefits may be presented using quantitative and qualitative
measures.
“The real output of ISG is intangible – it’s confidence. Confidence in you, your function and what you
do. If senior management has confidence and believes in you, it’s a major step forward.”
The project questionnaire indicated that respondents used a range of measures to demonstrate the benefit of
ISG. The top five measures used by Members are:
Interestingly, measures such as return on investment or return on security investment of projects, increased staff
qualifications, and quantification of risk such as value at risk, residual risk or business impact were much less used.
The findings indicate that many respondents to the project questionnaire currently use qualitative measures to
demonstrate the benefit of ISG.
Reporting
Reporting can be used to assess the state of ISG and how much value it is delivering to the enterprise; it can also
be shared with decision-makers as part of regular reporting cycles. Such reporting typically uses key performance
indicators and key risk indicators, which are discussed in the following paragraphs.
The selection, agreement and presentation of reporting measures are complex processes, which this report
does not cover in detail.
Key performance indicators (KPIs) for information security are used to measure and report against targets associated
with information security. KPIs are typically used for reporting on business performance to senior management. They
should convey details relating to targets of particular interest to each audience, and be clear, concise and limited to
four or five in number.
“Beware of aggregation risks (for example losing important information when consolidating figures) when
creating and presenting your reporting at any level.”
Typical drivers for using key performance indicators can be grouped into the three objectives of the ISF framework
for ISG as shown in the figure below.
[Figure: KPIs grouped under the three objectives of the ISF framework for ISG, with the question each KPI answers.
A. Deliver value to stakeholders: Are we satisfying stakeholder requirements? Are we enhancing productivity and efficiency? How many business initiatives have we enabled and supported?
B. Achieve strategic goals: How many information security related initiatives have we delivered? How aligned are we to business strategy? How well do the enterprise and information risk appetites match?
C. Provide information risk assurance: What is the level of adherence to internal standards and policies? How compliant are we with external requirements? What is the status of information risk in the enterprise?]
The figure highlights how KPIs can be grouped under the three objectives.
Each enterprise and information security function will have its own KPIs, along with KPIs shared with the business,
such as those concerned with financial reporting. The CISO will need to work with the audiences for KPIs to define
what is relevant and determine the manner in which KPIs should be presented.
Key risk indicators (KRIs), as defined in the ISACA Risk IT framework, are measures capable of showing that
the organization is subject to or has a high probability of being subject to a risk that exceeds the defined risk
appetite. They are thus different from KPIs, which measure how well something is being done.
“You need leading and lagging measures. In this context, key risk indicators are lead indicators, key
performance indicators are lag indicators.”
The results of internal and external audits can also be expressed as KPIs and are usually focused around the
number of audit points raised and how quickly they are closed.
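The following is an added example (not the ISF diagnostic or any Member's reporting tool) that computes the two kinds of measure just described over constructed records: a lagging audit KPI (points open, median days to close) and a leading compliance KRI tested against a defined risk appetite. It also shows the aggregation risk mentioned above, where a consolidated enterprise figure hides a business unit that breaches the appetite. The unit names, dates, control counts and the 85% appetite are assumptions.

```python
"""Added example: KPI/KRI computation over constructed audit and compliance
records. Not the ISF's tool; all data below is made up for illustration."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class AuditPoint:
    unit: str
    raised: date
    closed: Optional[date]  # None while the point is still open


# Constructed sample data: audit points raised by internal/external audit.
AUDIT_POINTS = [
    AuditPoint("Retail", date(2011, 1, 10), date(2011, 2, 14)),
    AuditPoint("Retail", date(2011, 3, 2), None),
    AuditPoint("Finance", date(2011, 1, 20), date(2011, 4, 30)),
    AuditPoint("Finance", date(2011, 5, 5), date(2011, 5, 19)),
    AuditPoint("Logistics", date(2011, 2, 1), None),
]

# Constructed per-unit adherence figures: (compliant controls, total controls).
COMPLIANCE = {"Retail": (95, 100), "Finance": (90, 100), "Logistics": (8, 20)}


def audit_kpi(points):
    """Lagging KPI: how many audit points are open, and how quickly closed
    points were closed (median days from raised to closed)."""
    open_count = sum(1 for p in points if p.closed is None)
    closure_days = [(p.closed - p.raised).days for p in points if p.closed]
    return {
        "open": open_count,
        "median_days_to_close": median(closure_days) if closure_days else None,
    }


def compliance_kri(compliance, risk_appetite_min_pct):
    """Leading KRI: which units fall below the minimum adherence the risk
    appetite allows. Returns (consolidated %, per-unit %, breaching units).

    The consolidated figure is what an aggregated report would show; the
    per-unit figures are what the aggregation can hide."""
    per_unit = {u: 100 * c / t for u, (c, t) in compliance.items()}
    total_compliant = sum(c for c, _ in compliance.values())
    total_controls = sum(t for _, t in compliance.values())
    consolidated = 100 * total_compliant / total_controls
    breaches = [u for u, pct in per_unit.items() if pct < risk_appetite_min_pct]
    return consolidated, per_unit, breaches


if __name__ == "__main__":
    print("Audit KPI:", audit_kpi(AUDIT_POINTS))
    consolidated, per_unit, breaches = compliance_kri(COMPLIANCE, 85)
    # The enterprise-wide figure sits above the appetite while one unit
    # is well below it: the KRI must be reported per unit, not only in total.
    print(f"Consolidated adherence: {consolidated:.1f}%")
    print("Per unit:", {u: round(p, 1) for u, p in per_unit.items()})
    print("Units breaching risk appetite:", breaches)
```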
KPIs in practice
Members use a wide range of KPIs in their ISG, as revealed by the case studies and project questionnaire, including:
• degree of compliance
• protection performance (such as number of viruses stopped at the firewall, number of port scans, number of
incidents and intrusions)
• number of audit findings.
Part six
• accessibility: how easy security documents were to read and then implement
• use: the degree to which security requirements, standards or guidelines were implemented as intended,
without interpretation or modification
• opinion: surveys of staff about their perception of information security.
The three examples in the second bulleted list above represent an attempt to move away from technical measures
towards more business- and output-focused measures.
Presenting reports
Determining how to report KPIs (and other information) involves liaising with members of each audience (such
as senior management, legal, operational risk, internal audit, compliance and physical security teams, functions or
groups). Individuals in other business functions should be consulted to understand how they report their KPIs and the
type of response they receive from each recipient.
Based on this consultation, the decision about which KPIs to report should be taken. KPIs for information security can
be presented using a combination of methods, in a clear, easy to understand and concise manner. The figure below
illustrates common visual reporting methods.
[Figure: common visual reporting methods; the surviving chart plots Number (0 to 250) against Time, with quarterly points (January, April, July, October) over a multi-year period]
ISF resource: Information Security Metrics: SIG report and ISF Briefing: Key performance indicators for information security
Each of the visual methods presented here has advantages and disadvantages. Typically, visual methods are not used
on their own, but are combined with text and tabulated data.
“ISG needs tools such as a dashboard; it also needs a control framework and measures.”
The Return on Security Investment (ROSI) - Workshop Report assists Members to understand the main issues associated
with return on security investment and its use. The report does this by providing:
At the control framework level, Information security metrics: SIG report can be used to help understand the main
issues associated with the selection, use and presentation of information security metrics, and how these issues can
be overcome.
Reports which look at various aspects of reporting include Monitoring compliance, Information security assurance,
Reporting information risk and the ISF Briefing: Key performance indicators for information security. These deliverables
provide Members with practical insights on measuring and reporting the performance of information security.
Summary
Information security metrics, KRIs and KPIs, along with audience-specific presentation methods, can be used to report
on the status and successes of ISG on a regular basis.
The next section examines the future of ISG and looks at the efforts undertaken by the ISO and the ISF to reflect
information security governance in standards.
Overview
ISG is an evolving concept and is yet to be fully implemented across all surveyed Member and non-Member enterprises.
To assist in the further development of ISG, this section will look to the future of ISG and provide recommendations
for the next version of the ISF 2011 Standard of Good Practice and ISO/IEC 27014.
Development of ISG
The publication of ISO/IEC 27014 will provide the information security profession with a yardstick against which to
judge their ISG. It is likely that ISG in enterprises will evolve to reflect the ISO standard and that there will be calls to
further develop that standard to meet the specific requirements of industry sectors and/or countries. The practical
application of the standard will lead to feedback from individuals and enterprises to the ISO asking for changes,
additions and amendments to the text.
Once the ISO standard is released, consulting organisations will offer services around ISG, including implementation
and assurance, each with their own unique angle. The availability of the standard may also spur more academic
research into ISG.
All of these developments may lead to a vibrant future for ISG, where it becomes business as usual. As part of this
development, the ISF will be suggesting updates for the ISF 2011 Standard of Good Practice and ISO/IEC 27014.
With the release of the 2011 Standard of Good Practice, the ISF has moved to a yearly update cycle for this flagship
document, helping to make the content even more timely, practical and relevant to Members.
The ISG project will contribute to the 2012 update cycle, by offering the following as input:
• revise the topic titles in SG2 Security Governance Components to match Objective A: Deliver value to stakeholders,
Objective B: Achieve strategic goals and Objective C: Provide information risk assurance presented in this report
• perform a gap analysis between the ISG framework in this report and the areas and topics in SG1 and SG2
• add a section covering the creation and role of the ISG board
• incorporate the ISF framework for ISG, described in this report, into the 2011 Standard of Good Practice.
Part seven
The ISF has liaison status (category C) with the ISO SC27 steering group which is responsible for overseeing
development of the ISO 27000 suite of information security related standards. This enables the ISF to represent
Member needs and influence enhancement of existing, and development of new, ISO standards.
Based on this report, the following high-level recommendations and suggestions will be put forward to the ISO:
The ISF Global Team will submit detailed written comments and amendments, based on the findings of this report,
for consideration by the editors of ISO/IEC 27014 in September 2011. A copy of these comments will be made
available to Members on MX.
The ISF can actively contribute to the debate and evolution of ISG, through Member input, the development and
publication of the 2011 Standard of Good Practice and work with ISO. The project implementation space on MX
can be used to start this debate and create a community of practitioners and experts to discuss and propose
enhancements to ISG.
The analysis of Benchmark data may yield new insights into the topic and suggest further enhancements to the 2011
Standard of Good Practice. Additionally, the ISF could work with its academic partners, making available research and
results from those institutions.
Concluding remarks
ISG is the direction and oversight of information security-related activities across an enterprise by senior
management. The ISF framework for information security governance has three objectives: deliver value to
stakeholders, achieve strategic goals and provide information risk assurance. The following diagram presents the
complete ISG framework presented in this report.
[Figure 21 diagram: the three objectives A. Deliver value to stakeholders, B. Achieve strategic goals and C. Provide information risk assurance, each with its activities; the activity labels that survived extraction are A3. Enable business initiatives, B3. Sustain buy-in and commitment, C3. Ensure compliance and C5. Monitor and report on assurance]
Figure 21: The ISF framework for ISG, objectives and activities for information security governance
The framework, the three objectives and the activities align with the major published works on ISG, including the
ISF 2011 Standard of Good Practice and the draft ISO/IEC 27014 Information technology – Security techniques –
Governance of information security.
In summary, ISG provides a way to turn the aspiration of delivering high-value, enterprise-focused information security
into a reality.
“ISG is perfect because it helps you set the agenda with boards.”
Members can use the spreadsheet-based diagnostic tool to stimulate thought and debate about ISG and how it is
implemented and managed in their enterprise. The diagnostic allows Members to:
The diagnostic is designed as a simple, easy-to-complete tool, which provides a common language and terminology
and which is capable of enhancement over time via feedback and the use of metrics. It offers a fact-based analysis of
the current maturity of ISG in an enterprise.
The diagnostic is a Microsoft Excel-based tool with eight worksheets, listed below.
The diagnostic can be completed in a reasonably short time, either electronically or on paper, as the user only has
to answer 13 questions on Sheet 3 ISG assessment and fill in four boxes on Sheet 8 Assessment results template.
Those responsible for completing the diagnostic should select the answer that best matches the enterprise’s actual
or perceived state; if two options seem appropriate, select the one closest and make a note of the reasoning behind
that selection. The process or sequence to complete the diagnostic is shown below:
[Figure: sequence for completing the diagnostic; only the final steps survived extraction: STEP 4a: Complete sheet 8; STEP 4b: Define actions using sheet 7 ISG enhancement plan (O); Preparatory actions checklist (O). Key: O = Optional, M = Mandatory]
The following screenshots highlight the input sheet – Sheet 3 ISG assessment and the output sheet – Sheet 8
Assessment results template.
There is no right answer as the diagnostic does not assign a score to any of the options presented, rather
it presents a level of maturity. The optimum answer is one that is most appropriate to the enterprise and
circumstances of ISG within that organisation. Completing the diagnostic in a rigorous, objective, manner
will maximise benefit from the exercise.
An information security maturity model (ISMM) is typically set out as a scale of five or six increasing levels of maturity,
supplemented by clear descriptions of capability or characteristics for each level that are demonstrated by information
security in an enterprise. An ISMM is sometimes supplemented with an assessment diagnostic, which provides a series
of tests or questions that assist an enterprise to determine its maturity.
Further information on maturity models can be found in the ISF Briefing Paper: Information security maturity
models available on the ISF’s Member Exchange (MX) system.
Table B-2 provides statements of capability across the five levels of maturity:
The diagnostic presented here, while built on real-world experience and insight, represents only the first step in
providing information security and businesses with the tools that can be used to examine ISG maturity in a consistent
manner. As Members use the diagnostic, practical experience will yield new insights and ideas for improvement to
the diagnostic and the ISF framework for ISG.
The project team encourages and welcomes feedback on and suggestions for improvements to the diagnostic.
Contributions such as case studies, examples highlighting how the diagnostic has been used and completed profiles
are also invited. Input of this kind from Members will provide a rich bank of experience for other diagnostic users to
draw upon and will offer valuable insights into how the diagnostic could be developed further.
This appendix describes the five ISG frameworks examined in the project research and mentioned previously in this
report, namely:
The appendix provides a high-level comparison with the ISF framework for ISG.
This is described in detail in Part 3: Preparing for information security governance and, as a result, a summary is
presented in this Appendix. Sections 4 Concepts and 5 Principles and processes are of great relevance to this work and
a summary of the most relevant sections in the current draft of ISO/IEC 27014 (September 2011) is presented here.
Six principles are presented in the draft:
Information Security Governance: Guidance for Boards of Directors and Executive Management
(2nd edition)
(http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Governance-
Guidance-for-Boards-of-Directors-and-Executive-Management-2nd-Edition.aspx)
This report, published by the IT Governance Institute, presents five pillars of ISG:
• Strategic alignment of information security with business strategy to support enterprise objectives
• Risk management through the execution of appropriate measures to manage and mitigate risks and reduce
potential impacts on information resources to an acceptable level
• Resource management by utilising information security knowledge and infrastructure efficiently and effectively
• Performance measurement by measuring, monitoring and reporting robust and auditable information security
governance metrics to ensure that enterprise objectives are achieved
• Value delivery by optimising information security investments in support of the enterprise’s objectives.
This is an academic work, which has three high-level categories: strategic; managerial and operational; and technical,
all underpinned by change management. Each of the three categories is further broken down into sub-categories and
information security components, as shown below:
Table B1: The categories, sub-categories and components of the Da Veiga and Eloff ISG framework
This three-part work presents eleven characteristics of effective security governance, which are intended to answer
the question “How would I know effective security governance if I saw it?” The characteristics are:
1. An Enterprise-wide Issue
2. Leaders are Accountable
3. Viewed as a Business Requirement
4. Risk-based
5. Roles, Responsibilities, and Segregation of Duties Defined
6. Addressed and Enforced in Policy
7. Adequate Resources Committed
8. Staff Aware and Trained
9. A Development Life Cycle Requirement
10. Planned, Managed, Measurable, and Measured
11. Reviewed and Audited.
Part 3: Enterprise Security Governance Activities, provides four categories of activities that can be used to develop and
sustain an enterprise security programme: governance; integration and operations; implementation and evaluation;
and capital planning and review.
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) published this framework. It
defined enterprise risk management (ERM) as a process, effected by an entity’s board of directors, management and
other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect
the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.
The report presents objectives, ERM components and entity units (such as function, division or business unit) and
their relationship using a cube, nicknamed the ‘COSO cube’, as shown below:
Comparison of frameworks
The following table compares the major published ISG frameworks with the ISG objectives and activities presented
in the report at a high-level.
The table presents the likely coverage and comparison between the ISF framework for ISG and the draft
ISO/IEC 27014 standard. The comparison shown in the table is at a high level and may change in the future.
The following checklist will assist Members in their preparation and planning for ISG implementation. It is based on
the actions presented in Parts 3 and 4 of this report.
Step | Action | Check
(continued from previous row) | | updated?
Step 3: Understand published ISG frameworks | Review current frameworks | Current frameworks reviewed and examined?
| Compare the in-place ISG framework to other, published, frameworks | Comparison complete and gaps highlighted?
Step 4: Assess ISG in the enterprise | Complete the ISF Information security governance diagnostic tool (see Appendix A) | Assessment complete?
| Use the STARS model to decide which business phase ISG is in (see Appendix D) | Business phase diagnosed by STARS?
| Discuss the results with senior managers and agree a way forward | Discussion held? Outcomes recorded?
Step 1: Describe | Identify, link to and (where possible) | Other governance frameworks
PLAN FOR IMPLEMENTATION
Overview
The STARS model is a method of examining the condition of an enterprise, business unit, function, product, service
or strategy (also known as an entity). In the model, the entity under examination can be placed in one of four business
situations:
• Start-up
• Turn-around
• Realignment
• Sustain success.
The four business situations are related to each other, as the following diagram shows:
[Figure D1 diagram: the four business situations Start-up, Turnaround, Realignment and Sustain success, linked by Succeed and Fail transitions]
Figure D1: The STARS model, showing the relationship of the four business situations
By deploying people, management time, money and other resources, the entity can move from one business situation
to another.
The STARS Model was created by Michael Watkins and is described in his book: The First 90 days: critical
success strategies for new leaders at all levels, Harvard Business Press 2003, ISBN 978-1591391104.
In the majority of cases, an enterprise will have some form of ISG in place. This may not be recognised as such, or
brought together in an ISG framework. The challenge is then to recognise what is in place and how to build and
develop it to create a coherent ISG framework.
“I’ve used the STARS model to understand the situation the function is in – start-up, turnaround,
realignment and sustaining success – and then tailored my strategy, actions and communications to fit.”
When considering the implementation of ISG, the STARS model can assist the CISO in deciding the approach for
implementation. The following table summarises the four business situations and associated descriptions as well as
providing a link to ISG implementation.
Table D1: The STARS business situations and their relevance to ISG implementation
In all four business situations, the actions listed in Parts 3 and 4 and Appendix C should be carried out. The STARS
model allows the CISO to tailor the actions and communications to best fit the business and increase the likelihood
of support for and success in implementation.