Sydney Water IT security manager talks governance strategy

Policy should be workable and enforceable in practice

Sydney Water IT security and assurance manager Stephen Frede

Information security governance should not be treated like corporate governance; IT security steering committees must have the right stakeholders; and the board can remain largely unaware of security issues. Those are key strategies for effective security governance, says Stephen Frede, IT security and assurance manager at Sydney Water.

Frede said assurance and governance in IT security are often used interchangeably, but in the IT or "corporate" space there is clear separation between governance and management.

"With the models around information security it is much less clear this is the case," Frede said. "Terminology varies quite a lot across the industry and an information security management system (ISMS) can be described by risk, management, governance, assurance and operations."

Frede heads up the IT security and assurance team at Sydney Water and there is governance applied, but he is looking to build a more relevant information security steering committee.

"If you are looking to put together a framework for IS there are a lot of resources like the protective security policy framework here in Australia," he said, adding a lot of the models try and come up with a "fancy representation at a high level".

"It's not really the approach I tend to take, they are all useful and I recommend looking at them when putting together your own governance framework, but I don't think any one will match your particular organisation [as] there is so much difference between organisations."

Frede said every framework talks about the need for senior management buy-in or "it won't work", but that may not always be necessary.

"It's great to have support from the board, but I challenge the assertion the board needs to be deeply involved in security," he said. "Corporate governance is an established framework built up over hundreds of years and there is a strong separation between governance and management."

A more realistic scenario, Frede said, is for the board to be accountable for, or aware of, a few key areas - a handful out of an average of 30 possibilities.

Frede previously held positions at AMP, JP Morgan, Optus and as a consultant before joining Sydney Water.

"I've never come across an organisation where the board is directly involved in IS," he said. "Despite what the standards and IS people say, I don't know how realistic an approach it is."

Organisational structure will profoundly affect the formation of a governance model. For example, if there are a lot of autonomous sub-units in a company, it may have separate governance frameworks for those divisions.

Frede says this might be out of alignment, but it still may make sense. Most organisations, however, will be centrally managed.

"If you have lots of partnerships, there may need to be separate governance that applies to these areas and the requirements may be different for organisations, but you will have a minimum set of requirements you need to insist on," he said.

"If you're a multinational, it gets really hard. When I was at JP Morgan there was a matrix of what to do for different countries with few common areas."

Before you begin, determine what is important to the organisation across areas like confidentiality, data integrity, availability, control systems, fraud, privacy and transactions.

"When developing a governance framework there are two basic approaches - a big bang project where you seek funding, or do incremental parts refining it as you go," Frede said.

"You will probably be reporting to the board, the CIO and the IS steering committee, which bears a bit of work to get right. In Sydney Water I am going to change it as it's not right. We adopted an existing body with representatives from different areas of the business. It was a good idea, but we don't have representation from like-minded groups like physical security and risk. We will have a dedicated IS steering committee."

IS governance areas at Sydney Water include strategy and planning, policy development, architecture and a security calendar, which Frede said is becoming increasingly important as auditors are asking for it.

During his presentation at the 2010 Security Expo in Sydney, Frede gave an example of how to put a governance framework together.

"The board won't get involved with detail, but they will set the risk appetite. We have [an] info sec steering committee. Then you have the security team doing all the work and whole area of IS management practices."

The ISMS should also include a policy review where user acceptance testing is done on the policy.

"One of the things I want to make sure is the policy we have is workable and is enforceable in practice. We create interim guidelines and ask people to follow it and make refinements around that," Frede said.

"So we don't have to go to everyone with a lot of policies; instead, we have one document that general people in the organisation must read and we have an annual training program for people."

There is also a "risk repository" where staff and auditors note identified risks which are then acted upon.

“Reviews and auditors will come up with risks,” Frede said. “For all of those we make a decision - do we accept the risk or remediate it?”

“The default is to remediate it, but if stakeholders say the cost or disruption is too high we may accept the risk.”

Action plans and risk acceptance also sit in the risk repository.

How long will it take to establish a new governance framework? Frede says any organisation can make an immediate start, as an incremental approach is “really small”.

“A typical enterprise can put something in place from scratch within 12 months without huge resources, but that is not the end of the journey, just the beginning,” he said.

In terms of reporting lines for the lead security manager in an organisation, Frede said that will also vary depending on the needs of the organisation.

“I am the IT security manager, so I report two down from the CIO,” he said. “I report to the infrastructure manager, who reports to the CIO, who reports to a general manager, who reports to the CEO.”

Rodney Gedda is Deputy Editor of CIO Australia. Follow Rodney on Twitter at @rodneygedda. Follow CIO Australia on Twitter at @CIO_Australia.