4.1.2 Effective Information Security Governance
Information security is therefore an important and integral part of IT governance. Negligence in this regard will diminish an organization’s capacity to mitigate risk and take advantage of IT opportunities for business process improvement.
As a result, enterprises and their executives strive to accomplish the following:
• Maintain high-quality INFORMATION to support business decisions
• Generate business VALUE from IT-enabled investments (i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT)
• Achieve OPERATIONAL EXCELLENCE through the RELIABLE AND EFFICIENT APPLICATION OF TECHNOLOGY
• Maintain IT-related RISK AT AN ACCEPTABLE LEVEL
• OPTIMIZE THE COST of IT services and technology
• Comply with ever-increasing relevant laws, regulations, contractual agreements and policies
The reach of protection efforts should encompass not only the process that generates the information, but also the continued preservation of the information generated as a result of the controlled processes.
The basic outcomes of effective information security governance include strategic alignment, risk management, compliance and value delivery.
These outcomes are enabled through the development of:
Performance measurement
Measurement, monitoring and reporting on information security processes to ensure that specific, measurable, attainable, realistic and timely (SMART) objectives are achieved. The following should be accomplished to achieve performance measurement:
– A defined, agreed-on and meaningful set of metrics properly aligned with strategic objectives
– A measurement process that will help identify shortcomings and provide feedback on progress made in resolving issues
– INDEPENDENT ASSURANCE provided by external assessments and audits
Resource management
Use of information security knowledge and infrastructure efficiently and effectively. To achieve resource management, the following should be considered:
– Ensure that knowledge is captured and available.
– Document security processes and practices.
– Develop security architecture(s) to define and use infrastructure resources efficiently.
Process integration
A focus on the integration of an organization’s management assurance processes for security. Process integration SERVES TO IMPROVE OVERALL SECURITY AND OPERATIONAL EFFICIENCY BECAUSE security activities are at times fragmented and segmented in silos (teams) with different reporting structures, which makes it difficult to integrate them seamlessly.
Information security governance framework
An information security governance framework generally consists of the following elements:
• Governing security policies that address each aspect of strategy, controls and regulation
• A complete set of standards for each policy to ensure that procedures and guidelines comply with policy
• An effective security organizational structure void of conflicts of interest
• Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness
• A comprehensive security strategy intrinsically linked with business objectives
The framework provides an information security program that is cost effective and supports business goals.
The objective of the information security program is a set of activities that provides assurance that information assets are given a level of protection commensurate with their value or the risk their compromise poses to the organization.
INFORMATION SECURITY GOVERNANCE
Information security governance is a subset of corporate governance that provides strategic direction for security activities and ensures that objectives are achieved. It ensures that information SECURITY RISK IS APPROPRIATELY MANAGED and that ENTERPRISE INFORMATION RESOURCES ARE USED EFFECTIVELY.