Information security governance should not be treated like corporate governance, IT security steering committees must have the right stakeholders, and the board can remain largely unaware of security issues. Those are the key strategies for effective security governance, according to Stephen Frede, IT security and assurance manager at Sydney Water.
Frede said assurance and governance in IT security are often used interchangeably, whereas in the IT or "corporate" space there is a clear separation between governance and management.
"With the models around information security it is much less clear this is the case," Frede said. "Terminology varies quite a lot across the industry and an information security management system (ISMS) can be described by risk, management, governance, assurance and operations."
Frede heads up the IT security and assurance team at Sydney Water, where governance is already applied, but he is looking to build a more relevant information security steering committee.
"If you are looking to put together a framework for IS there are a lot of resources, like the Protective Security Policy Framework here in Australia," he said, adding that a lot of the models try to come up with a "fancy representation at a high level".
"It's not really the approach I tend to take, they are all useful and I recommend looking at them when putting together your own governance framework, but I don't think any one will match your particular organisation [as] there is so much difference between organisations."
Frede said every framework talks about the need for senior management buy-in or "it won't work", but that may not always be necessary.
"It's great to have support from the board, but I challenge the assertion the board needs to be deeply involved in security," he said. "Corporate governance is an established framework built up over hundreds of years and there is a strong separation between governance and management."
A more realistic scenario, Frede said, is for the board to be accountable for or aware of a few key areas - a handful out of an average of 30 possibilities.
Frede previously held positions at AMP, JP Morgan, Optus and as a consultant before joining Sydney Water.
"I've never come across an organisation where the board is directly involved in IS," he said. "Despite what the standards and IS people say, I don't know how realistic an approach it is."
Organisational structure will profoundly affect the formation of a governance model. For example, if there are a lot of autonomous sub-units in a company, it may have separate governance frameworks for those divisions.
Frede said this might be out of alignment, but it may still make sense. Most organisations, however, will be centrally managed.
"If you have lots of partnerships, there may need to be separate governance that applies to these areas and the requirements may be different for organisations, but you will have a minimum set of requirements you need to insist on," he said.
"If you're a multinational, it gets really hard. When I was at JP Morgan there was a matrix of what to do for different countries with few common areas."
Before you begin, determine what is important to the organisation across areas like confidentiality, data integrity, availability, control systems, fraud, privacy and transactions.
"When developing a governance framework there are two basic approaches - a big bang project where you seek funding, or do incremental parts refining it as you go," Frede said.
"You will probably be reporting to the board, the CIO and the IS steering committee, which bears a bit of work to get right. In Sydney Water I am going to change it as it's not right. We adopted an existing body with representatives from different areas of the business. It was a good idea, but we don't have representation from like-minded groups like physical security and risk. We will have a dedicated IS steering committee."
IS governance areas at Sydney Water include strategy and planning, policy development, architecture and a security calendar, which Frede said is becoming increasingly important as auditors are asking for it.
During his presentation at the 2010 Security Expo in Sydney, Frede gave an example of how to put a governance framework together.
"The board won't get involved with detail, but they will set the risk appetite. We have [an] info sec steering committee. Then you have the security team doing all the work and the whole area of IS management practices."
The ISMS should also include a policy review where user acceptance testing is done on the policy.
"One of the things I want to make sure of is that the policy we have is workable and is enforceable in practice. We create interim guidelines and ask people to follow them and make refinements around that," Frede said.
"So we don't have to go to everyone with a lot of policies; instead, we have one document that general people in the organisation must read and we have an annual training program for people."
There is also a "risk repository" where staff and auditors note identified risks which are then acted upon.
"Reviews and auditors will come up with risks," Frede said. "For all of those we make a decision - do we accept the risk or remediate it?"
"The default is to remediate it, but if stakeholders say the cost or disruption is too high we may accept the risk."
Action plans and risk acceptance also sit in the risk repository.
How long will it take to put a new governance framework in place? Frede said any organisation can make an immediate start, as the first step of an incremental approach is "really small".
"A typical enterprise can put something in place from scratch within 12 months without huge resources, but that is not the end of the journey, just the beginning," he said.
As for the reporting line of the lead security manager in an organisation, Frede said that will also vary depending on the needs of the organisation.
"I am the IT security manager, so I report two down from the CIO," he said. "I report to the infrastructure manager, who reports to the CIO, who reports to a general manager, who reports to the CEO."