Information Security Governance 1.0, by Andrey Prozorov

INTRO

Term

- Governance: the method by which an enterprise ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives are achieved. It involves setting direction through prioritization and decision making, and monitoring performance and compliance against agreed-on direction and objectives. (by ISACA)
- Information Security Governance is the process of directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions), treating adequate security as a non-negotiable requirement of being in business.
- Information Security Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IS sustains and extends the organization's strategies and objectives.

Governance ensures that (by COBIT 2019):

- Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
- Direction is set through prioritization and decision making.
- Performance and compliance are monitored against agreed-on direction and objectives.

Management plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives. (by COBIT 2019)

Frameworks

- SABSA
- COBIT 2019
- ISO 2700x Family
- ISO 27014 Governance of Information Security
- Governing for Enterprise Security (GES) Implementation Guide
- Information Security Governance. Framework and Toolset for CISOs and Decision Makers, Andrej Volchkov
- Other

Governance vs Management

- Responsibility (by COBIT 2019)
  - Governance: the board of directors, under the leadership of the chairperson
  - Management: the executive management, under the leadership of the chief executive officer (CEO)
- Domains (by COBIT 2019)
  - Governance: Evaluate, Direct and Monitor (EDM)
  - Management: Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); Monitor, Evaluate and Assess (MEA)
- "The difference between security management and security governance is not very clear. To simplify, management encompasses the implementation and monitoring of the security program, while governance provides strategic orientations and ensures its proper execution."

Strategy

- Strategy is the first mission of IS governance.
- Strategy is the declaration of an objective, including ways to achieve it.
- Essential elements
  - Mission: a short statement recalling security's main objectives, its main functions, and its contribution to business goals.
  - Context
  - Strategy
  - Roles and Responsibilities
  - Strategic Objectives or Vision: expected results, contribution to business goals, key point indicators
  - Strategic Security Initiatives

Benefits of IS Governance (by COBIT 2019)

- Benefits realization
- Risk optimization
- Resource optimization

Objectives of IS Governance

1. Strategic alignment of information security with business strategy to support organizational objectives.
2. Effective risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level.
3. Value delivery by optimizing information security investments in support of organizational objectives.
4. Resource management by using information security knowledge and infrastructure efficiently and effectively.
5. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure achievement of organizational objectives.

Signs of weak IS Governance

- Lack of awareness of IS strategy and its degree of alignment with business strategies.
- Ignorance of the problems and concerns of IS by senior executives.
- Lack of a formal evaluation process for IS performance or return on security investments (ROSI).
- Priority is often given to technical solutions without adjusting organizational structures.
- Lack of manager involvement in the prioritization of risk treatments.
- Lack of architectural design requirements for IS.

Characteristics of Effective IS Governance

- The whole company is involved.
- Responsibilities are defined.
- The level of protection depends on risk appetite.
- Security is actively managed.

Characteristics of good IS Governance (by ISO 27014)

- Principle 1: Establish organization-wide information security.
- Principle 2: Adopt a risk-based approach.
- Principle 3: Set the direction of investment decisions.
- Principle 4: Ensure conformance with internal and external requirements.
- Principle 5: Foster a security-positive environment.
- Principle 6: Review performance in relation to business outcomes.

Components of a governance system (by COBIT 2019)

- Processes
- Organizational structures
- Principles, policies and frameworks
- Information
- Culture, ethics and behavior
- People, skills and competencies
- Services, infrastructure and applications

Three-Layer Control Framework (TLCF)

- Strategic: 1. Strategy; 2. Policies; 3. Organization; 4. Risk management; 5. IS program management; 6. Reporting and oversight
- Tactical: 7. Asset management; 8. Compliance; 9. Metrics
- Operational: Operations
- ISO 27001 and TLCF

PERTINENT QUESTIONS ABOUT IS GOVERNANCE

1. Do we have a strategy?
2. Have we established our policies?
3. Is our security organization adequate?
4. What are the risks and how are they managed?
5. How is our IS program managed?
6. Is the reporting and oversight system adequate?
7. Which assets (data, applications, etc.) are impacted, and who is responsible for them?
8. Are we in compliance with the legal and regulatory framework?
9. Do we have metrics or key performance indicators (KPIs) to track the adequacy of our protection system?

TLCF QUESTIONS AND PLAN

1. Strategy
- Questions
  - Do we have a security strategy aligned with business objectives?
  - What is the level of management's understanding of security issues?
  - How involved is the security executive manager in developing business strategies?
- Plan
  - Review the security strategy based on discussions that will take place between business managers and the CISO.
  - Align security initiatives with business objectives.

2. Policies
- Questions
  - Do our security policies and guidelines correspond to the needs of the business units?
  - Do we have the means to monitor the effective application of our guidelines?
  - Do policies mention the responsibility of all the employees and the consequences of neglect?
  - Have we established a documentary framework for internal regulations?
  - Who is responsible for proposing adaptations to policies and guidelines?
  - What is our security policy validation process?
- Plan
  - Review the documentary framework of the policies and guidelines and provide better readability.

3. Organization
- Questions
  - Have we delegated responsibilities in the governance of IS?
  - Does the position of the security officer and their team make it easier to take business unit needs into account?
  - Do we have a committee empowered to rule on exceptions and changes to security policies and directives?
  - How does the security officer communicate with the business units about security objectives (in both directions)?
- Plan
  - Each business line must appoint a security delegate to participate in quarterly security project review meetings.

4. Risk management
- Questions
  - Does security risk management fit into the company's operational risk management concept?
  - How involved are business unit risk managers in analyzing security risks?
  - Have we established a security risk inventory validated by all the business lines?
  - Do we have metrics and key performance indicators (KPIs) to measure the performance of our different security controls?
  - Have we established a security risk treatment plan?
- Plan
  - No improvements needed.

5. IS program management
- Questions
  - How involved are the board, management, and business unit leaders in setting security priorities?
  - How are operations managers involved in prioritizing security initiatives?
  - Do business units participate in the development of the security business plan?
  - Are all the expenses in technical solutions justified by a risk and cost-benefit analysis?
  - Are the objectives clearly defined?
  - Do we have an inventory of operational controls with responsibilities, maturity level, and validity test plans?
  - Have we established an employee awareness program regarding the protection of our assets?
- Plan
  - Set up a committee to validate IS initiatives and projects.

6. Reporting and oversight
- Questions
  - Do we have an IS reporting system for management, the board, and business units?
  - Does the reporting system contain relevant information on the state of IS, high risks, compliance and maturity gaps, and the effectiveness of actions taken?
- Plan
  - No improvements needed.

7. Asset management
- Questions
  - Have we identified, classified, and categorized our data?
  - Do we know who the data owners are?
  - How is it guaranteed that data owners' privacy, availability, and integrity requirements are integrated into the security program?
- Plan
  - Define data classes and categories and inventory them in a catalog.
  - Identify data owners for each class/business line.

8. Compliance
- Questions
  - Do we know what laws and regulations apply to IS?
  - How is the legal and regulatory framework communicated to employees?
  - Have we established a compliance program?
- Plan
  - Set up an employee awareness program regarding the legal and regulatory framework that impacts security.

9. Metrics
- Questions
  - Do we know the direct, indirect, and analytical (by activity) costs of information security?
  - Do we have metrics to measure the performance of our various security controls?
  - How do we measure the degree of employee training regarding threats and means of protection?
  - How are business lines involved in validating security metrics?
- Plan
  - No improvements needed.

Operations