This is part 2 of the Risk, Governance, and Compliance article series. In this post, we focus on the “Governance” element.
What is Information Security Governance
Information security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately, and verifying that the organization’s resources are used responsibly.
COBIT 5 defines governance in terms of objectives as “Governance ensures that stakeholder needs, conditions, and opinions are evaluated to determine balanced, agreed on Enterprise objectives to be achieved; setting direction through prioritization and decision-making; and monitoring performance and compliance against agreed-on directions and objectives.” The goal of governance is to establish a process through which the security objectives of the enterprise are set, and the means of attaining those objectives and monitoring performance are determined.
Importance of information security governance
Information security governance is increasingly critical as dependence on information grows and information becomes the new oil. Information, and the knowledge derived from it, is among an organization's most critical assets, essential to its daily operations and long-term success. IT tools and technologies are becoming pervasive throughout the public and private sectors globally, making information security governance a critical facet of overall corporate governance.
The value derived from information security governance
There are a few outcomes that can be derived from good governance practice:
Alignment between information security strategy and business strategy. This ensures that security requirements are driven by business requirements. The information security solution fits the enterprise process (DevOps, CI/CD) and technology stack (cloud, containers, Kubernetes, etc.).
A strong focus on delivering value. Security spend and effort are commensurate with the value of the assets protected. Security solutions are complete, covering all aspects of an organization, its people and its processes, based on an end-to-end understanding of the organization.
Built-in risk management mindset. Continuously take measures to reduce the overall risk of the enterprise. This includes understanding the threat landscape (asset and app inventory), understanding risk exposure based on which apps and assets are running where and talking to whom, taking account of the impact of compromise, and putting the right controls in place. Finally, the outcome of risk management is to reach a point where the consequences of residual risk are acceptable.
Measurement practice and accountability mindset. Create frameworks to monitor, measure and report on information security processes. This includes meaningful metrics that are measurable, timely and actionable. Make people, especially leaders, accountable for delivering and adhering to the right practices, including resource commitment and staff training.
End-to-end coverage with the right alerting mechanisms. Run end-to-end audits, similar to integration testing, to ensure processes are operating as intended. Also, ensure the right mechanisms are put in place to raise timely alerts, followed by actionable steps to contain any risk.
Some thought-provoking questions that institutional leaders can ask themselves:
Do I routinely update the board of directors on security?
When was the last time leadership got involved in security-related decisions?
How would employees recognize a security incident? Do they know whom to call?
Are security roles and responsibilities clearly defined and communicated?
Some questions about information security governance practices:
Do my security team and application development team collaborate and work well together?
Do my security and application teams have an inventory of all the assets and applications running in my environment?
Is my team confident that security is being adequately addressed across the enterprise?
Do my security and application teams (including the broader developer community) feel accountable for security?
Are my team members and the broader developer groups aware of the latest information security issues and best practices?
How can Araali help enterprises
On risk - Araali Networks helps enterprises understand their risk through Araali Gamma Visibility (real-time visibility into assets and apps) and reduce risk by protecting and fortifying prioritized assets. We also monitor apps and assets at a very granular level for incidents and proactively alert you to new activity, while automatically containing lateral spread and zero-day events and quarantining affected assets.
On governance - Araali Networks is creating workflows that enable security teams to have meaningful interactions with the application development team to quickly identify risk and create mitigation policies. This reduces friction and gives application development an automated template to express their application's behavior without worrying about how it is implemented by the security team. Araali workflows also help with expectation setting: application development teams know a priori what they are expected to submit with their app, which reduces resentment toward the security team. In addition, the app and asset inventory gives teams clear accountability for which apps and assets are running and whether their security is commensurate with the value of the asset. Finally, Araali provides a dashboard view that enables CISOs to share and update members of the board on current risks and the risk mitigation processes in place.
If you are interested, please reach out to us for a demo!