Wednesday, 14 October 2015

What is a Security Governance Review, and why do I need one?

Regardless of what service or product your company produces, information is your most critical asset. How that data is organized, managed, and protected can make or break your ability to stay operational in today's corporate environment.

Many high-profile organizational failures over the past several years have driven home the requirement to adopt appropriate information systems policies, processes, and standards.

Privacy requirements, regulatory compliance, and shareholder and customer transparency all demand a more mature approach to information security.

Your corporate reputation and well-being depend on your ability to manage, organize, and protect your information assets.

This article, and the next few, will explain at a high level the various tools we can use to assess and document your roadmap to information security maturity.

Let's start with the definition of an Information Security Governance Maturity Model:
An Information Security Governance Maturity Model is a representation of how well your company understands, organizes, manages, and maintains security controls and processes specific to your Corporate Information assets.

There are a few models to choose from, but the industry-accepted standard is the 6-level COBIT maturity model (from COBIT 4.1; COBIT 5 replaced it with a process capability model, but the 4.1 scale is still the one most governance reviews use). It is based on work pioneered at the Software Engineering Institute at Carnegie Mellon, and it is applied to each of the ISO 27002:2013 security control groups.

The ISO 27002:2013 security control groups, in and of themselves, are the industry-standard set of controls: 14 control clauses, numbered 5 to 18, that provide guidance in protecting your corporate assets.

The COBIT definitions for the 6 levels of maturity are:

0 – Non-existent – Management processes are nonexistent or not applied
  • Complete lack of any recognizable processes. The organization has not even recognized that there is an issue to be addressed.

1 – Initial – Processes are ad hoc and disorganized
  • There is evidence that the organization has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 – Repeatable – Processes follow a regular pattern
  • Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals, and therefore errors are likely.

3 – Defined – Processes are documented and communicated
  • Procedures have been standardized and documented, and communicated through training. However, it is left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 – Managed – Processes are monitored and measured
  • It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 – Optimized – Best practices are followed and automated
  • Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. Information technology is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness and making the enterprise quick to adapt.

To understand where your company sits with respect to each of the ISO 27002:2013 security control groups, you would engage an unbiased third party to conduct a Security Governance Review. This review is an immersive engagement between the security assessors and members from across your organization: Human Resources, Privacy, IT administrators, network administrators, database administrators, software developers, project and change managers, internal auditors, and corporate executives.

A Security Governance Review (SGR) provides guidance for corporate executives and the Board of Directors in establishing and maintaining an appropriate information security programme within your company.

A Security Governance Review provides critical feedback regarding the adequacy of existing controls and safeguards in maintaining your security posture.  This feedback can provide guidance in the reduction and/or mitigation of Information Security risks within the company.

Typically, the report consists of a high-level executive summary of your organization's maturity levels across the ISO security domains, compared to peers in your particular industry. Remediation recommendations and a roadmap to completion would usually be included. Most security assessors would also deliver the detailed ISO 27002:2013 worksheets with which the domains have been assessed.

The radar map to the right represents a sample posture map compared to a baseline of your industry.

This chart illustrates, by ISO 27002:2013 control area, the areas in which Acme Widgets Inc. is evaluated to be performing at or above the level of its industry peers (yellow within the red boundary), the areas in which it is evaluated to be performing below its industry peers (yellow outside the red boundary), and the relative degree of effort required to close each gap (more yellow exposed = more effort).

You will want to review this maturity model periodically (typically annually) to ensure that you are on track as things change both outside and within your organization. Comparing each review against the previous one gives you metrics that show the growth of your security governance programme.
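The radar map and the year-over-year comparison above are easy to do by hand for one review, but an assessor repeats the scoring every year and across clients, so it pays to make it reproducible. The script below is an added example, not code from the original post or from any assessor's toolkit. It scores each of the 14 ISO/IEC 27002:2013 control clauses on the 0-5 COBIT scale quoted earlier, validates the ratings (a rating of 6, a missing clause, or a stray clause number is an error rather than a silent skip), computes the gap to the industry baseline and the change since the previous review, and orders the remediation roadmap by gap size. The Acme Widgets ratings, the previous-year ratings and the peer baseline are constructed sample data, not a real assessment.

```python
"""Maturity-gap scoring for a Security Governance Review.

Added example, not code from the original post. Domains are the
ISO/IEC 27002:2013 control clauses (5-18) and levels use the 0-5 COBIT
maturity scale. All ratings below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# ISO/IEC 27002:2013 control clauses (official clause titles).
ISO27002_2013_CLAUSES = {
    5: "Information security policies",
    6: "Organization of information security",
    7: "Human resource security",
    8: "Asset management",
    9: "Access control",
    10: "Cryptography",
    11: "Physical and environmental security",
    12: "Operations security",
    13: "Communications security",
    14: "System acquisition, development and maintenance",
    15: "Supplier relationships",
    16: "Information security incident management",
    17: "Information security aspects of business continuity management",
    18: "Compliance",
}


@dataclass(frozen=True)
class DomainResult:
    clause: int
    name: str
    current: int   # this review's maturity level, 0-5
    previous: int  # last review's level (equal to current on a first review)
    peer: int      # industry baseline level

    @property
    def gap_to_peer(self) -> int:
        """Positive = below peers (yellow outside the red boundary on the radar map)."""
        return self.peer - self.current

    @property
    def progress(self) -> int:
        """Levels gained (negative = regressed) since the last review."""
        return self.current - self.previous


def check_level(level, label: str) -> int:
    """Accept only an integer 0-5. bool is a subclass of int in Python, so reject it explicitly."""
    if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"{label}: maturity level must be an integer 0-5, got {level!r}")
    return level


def assess(current: dict, peer: dict, previous: dict | None = None) -> list[DomainResult]:
    """Score every clause. A missing or unknown clause number is an error, not a silent skip."""
    previous = previous or {}
    expected = set(ISO27002_2013_CLAUSES)
    for label, ratings in (("current", current), ("peer", peer)):
        missing, unknown = expected - set(ratings), set(ratings) - expected
        if missing or unknown:
            raise ValueError(f"{label} ratings: missing clauses {sorted(missing)}, unknown {sorted(unknown)}")
    results = []
    for clause, name in ISO27002_2013_CLAUSES.items():
        cur = check_level(current[clause], f"clause {clause} current")
        prev = check_level(previous.get(clause, cur), f"clause {clause} previous")
        base = check_level(peer[clause], f"clause {clause} peer")
        results.append(DomainResult(clause, name, cur, prev, base))
    return results


def remediation_roadmap(results: list[DomainResult]) -> list[DomainResult]:
    """Domains below the peer baseline, largest gap first (more gap = more effort), ties by clause number."""
    behind = [r for r in results if r.gap_to_peer > 0]
    return sorted(behind, key=lambda r: (-r.gap_to_peer, r.clause))


def summary(results: list[DomainResult]) -> dict:
    """Headline metrics for the executive summary and for year-over-year tracking."""
    n = len(results)
    return {
        "average_current": round(sum(r.current for r in results) / n, 2),
        "average_peer": round(sum(r.peer for r in results) / n, 2),
        "domains_below_peer": sum(1 for r in results if r.gap_to_peer > 0),
        "levels_to_close": sum(r.gap_to_peer for r in results if r.gap_to_peer > 0),
        "regressed_clauses": [r.clause for r in results if r.progress < 0],
    }


def render(results: list[DomainResult]) -> str:
    """Text stand-in for the radar map: one row per clause with current, peer, gap and change."""
    rows = [f"{'cl':>2}  {'cur':>3} {'peer':>4} {'gap':>4} {'chg':>4}  {'0-5':<6} clause"]
    for r in results:
        bar = ("#" * r.current).ljust(5, ".")  # '#' = level achieved, '.' = level not yet reached
        rows.append(f"{r.clause:>2}  {r.current:>3} {r.peer:>4} {r.gap_to_peer:>+4} "
                    f"{r.progress:>+4}  {bar:<6} {r.name}")
    return "\n".join(rows)


# Constructed sample data for "Acme Widgets Inc." (not a real assessment).
SAMPLE_CURRENT = {5: 3, 6: 2, 7: 3, 8: 2, 9: 3, 10: 1, 11: 4, 12: 2, 13: 3, 14: 2, 15: 1, 16: 2, 17: 1, 18: 3}
SAMPLE_PREVIOUS = {5: 2, 6: 2, 7: 3, 8: 2, 9: 2, 10: 1, 11: 4, 12: 3, 13: 2, 14: 2, 15: 1, 16: 2, 17: 1, 18: 3}
SAMPLE_PEER = {5: 3, 6: 3, 7: 3, 8: 3, 9: 3, 10: 3, 11: 3, 12: 3, 13: 3, 14: 3, 15: 2, 16: 3, 17: 3, 18: 3}

if __name__ == "__main__":
    results = assess(SAMPLE_CURRENT, SAMPLE_PEER, SAMPLE_PREVIOUS)
    print(render(results))
    print("\nRoadmap (largest gap first):")
    for r in remediation_roadmap(results):
        print(f"  clause {r.clause:>2}: {r.current} -> {r.peer}  {r.name}")
    print("\nSummary:", summary(results))
```

Two design points are worth noting. The roadmap is ordered by gap, not by clause number, because on the radar map the gap is the effort: taking Cryptography from level 1 to the peer level of 3 means building two levels of process, while a one-level gap in Asset management is a smaller project. And the previous-year ratings are kept separately from the current ones rather than overwritten, so that a regression (Operations security dropping from 3 to 2 in the sample) shows up in the summary instead of disappearing into a net average that still looks like progress.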

In future posts, we will be discussing the following:
  • What is a Threat Risk Assessment?
  • What is a Privacy Impact Assessment?
  • What is a Vulnerability Assessment?
  • What is a Penetration Test?

Control clauses of ISO/IEC 27002:2013 (official clause titles)
 5. Information security policies
 6. Organization of information security
 7. Human resource security
 8. Asset management
 9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance


ISACA: Information Security Governance: Guidance for Boards of Directors and Executive Management
Comparing different information security standards: COBIT vs. ISO 27001
ISACA: Assessing IT Security Governance Through a Maturity Model and the Definition of a Governance Profile
ISO 27002:2013 in plain English
ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
Wikipedia: ISO/IEC 27002
Wikipedia: COBIT