Source of information: https://buildsecurityin.us-cert.gov/bsi/articles/best.../563-BSI.pdf
This overview defines the scope of governance as it applies to security. It describes some of the top-level considerations and characteristics to use as indicators of a security-conscious culture and of whether an effective program is in place.
Security's days as just a technical issue are done. It is becoming a central concern for leaders at the highest level of many organizations and governments, transcending national borders. Customers are demanding it as worries about privacy, the protection of personally identifiable information, and identity theft grow. Business partners, suppliers, and vendors are requiring it from one another, particularly when providing mutual network and information access. Networked efforts to steal competitive intelligence and engage in extortion are becoming more prevalent. Security breaches and data disclosures increasingly arise from criminal behavior motivated by financial gain. Current and former employees and contractors who have or had authorized access to their organization's systems and networks are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. Malicious insider acts that need to be mitigated include sabotage, fraud, theft of confidential or proprietary information, and potential threats to our nation's critical infrastructure. Recent CERT research documents cases of successful insider incidents during the software development life cycle.

According to the IT Governance Institute, "...boards of directors will increasingly be expected to make information security an intrinsic part of governance, integrated with processes they already have in place to govern other critical organizational resources" [ITGI 2006]. Ultimately, directors and senior executives set the direction for how enterprise security (including software security) is perceived, prioritized, managed, and implemented. This is governance in action.
As additional evidence of this growing trend, the Deloitte 2007 Global Security Survey of top global financial services institutions states the following:

"Information security is no longer a technology-focused problem. It has become the basis for business survival as much as any other issue. A key finding shows that 81% of respondents, many more than in studies of previous years, feel that the issue of security has risen to the level of the C-suite or board as an issue of critical concern. Information Security Governance is a framework predicated on principles and accountability requirements that encourage desirable behavior in the application and use of technology. Results from the present study indicate 81% of respondents have a defined information security governance structure (e.g., defined responsibilities, policies, and procedures) while 18% are in the process of establishing one" [Deloitte 2007].

According to the Building Security In Maturity Model, "Executives and middle management, including line of business owners and product managers, must understand how early investment in security design and security analysis affects the degree to which users will trust their products. Business requirements should explicitly address security needs. Any sizeable business today depends on software to work. Software security is a business necessity" [McGraw 2009].

While there is growing evidence that senior leaders are paying more attention to the risks and business implications associated with poor or inadequate security governance (refer to Maturity of Practice), a recent Carnegie Mellon University survey indicates that there is much work to be done:

"Survey results confirmed the belief among IT security professionals that boards and senior executives are not adequately involved in key areas related to the governance of enterprise security. Of the pool of respondents, only 36% indicated that their board had direct involvement with oversight of information security. The respondents indicated that the vast majority of boards that are reviewing privacy and security issues are not focusing on important activities that could help protect the organization from high-risk areas, such as reputational or financial losses flowing from breaches of personally identifiable information" [Westby 2008].
Governance means setting clear expectations for business conduct and then following through to ensure the organization fulfills those expectations. Governance action flows from the top of the organization to all of its business units and projects. Done right, governance enables an organization's approach to nearly any business problem, including security. National and international regulations call for organizations and their leaders to demonstrate due care with respect to security. This is where governance can help.

Moreover, organizations are not the only entities that will benefit from strengthening enterprise security through clear, consistent governance. Ultimately, entire nations will benefit. "The critical information infrastructures comprising cyberspace provide the backbone for many activities essential to the transaction of domestic and international business, the operation of government, and the security of a nation" [BRT 2004].
The term governance applied to any subject can have a wide range of interpretations and definitions. For the purpose of this chapter, we define governing for enterprise security as [Allen 2005]: directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions), and treating adequate security as a non-negotiable requirement of being in business.

In its publication Information Security Handbook: A Guide for Managers [Bowen 2006], NIST (the National Institute of Standards and Technology) defines information security governance in greater detail: ". . . the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies
In his article "Adopting an Enterprise Software Security Framework," John Steven states: "In the context of an Enterprise Software Security Framework, governance is competency in measuring software-induced risk and supporting an objective decision-making process for remediation and software release. This competency involves creating a seat at the project management table for software risk alongside budget and scheduling concerns" [Steven 2006]. (See also the BSI Project Management content area.)
In the context of security, governance incorporates a strong focus on risk management. Governance is an expression of responsible risk management, and effective risk management requires efficient governance. One way governance manages risk is to specify a framework for decision making. It makes clear who is authorized to make decisions, what the decision-making rights are, and who is accountable for decisions. Consistency in decision making across an enterprise, a business unit, or a project boosts confidence and reduces risk.
In the absence of some type of meaningful governance structure and way of managing and measuring enterprise security, the following questions naturally arise. Organization can include an entire enterprise, a business or operating unit, or a project.
Art Coviello, co-chair of the Corporate Governance Task Force, states that "It is the fiduciary responsibility of senior management in organizations to take reasonable steps to secure their information systems. Information security is not just a technology issue; it is also a corporate governance issue."

As a result, director and officer oversight of corporate digital security (including software security) is embedded within the duty of care owed to enterprise shareholders and stakeholders. Leaders who hold equivalent roles in government, non-profit, and educational institutions need to view their responsibilities similarly.
Demonstrating duty of care with respect to security is a tall order, but leaders must be up to the challenge. Their behaviors and actions with respect to security influence the rest of the organization. When staff members see the board and executive team giving time and attention to security, they know that security is worth their own time and attention. In this way, a security-conscious culture can grow.
It seems clear that boards of directors, senior executives, business unit and operating unit managers, and project managers all must play a role in making and reinforcing the business case for effective enterprise security. Trust, reputation, brand, stakeholder value, and customer retention are all at stake, and operational costs rise, if security governance and management are performed poorly. Organizations will be much more competent in using security to mitigate risk if their leaders treat it as essential to the business and are aware of and knowledgeable about security issues.
One of the best indicators that an organization is addressing security as a governance and management concern is a reinforcing set of beliefs, behaviors, capabilities, and actions that is consistent with security best practices and standards. These indicators aid in building a security-conscious culture. They can be expressed as statements about the organization's current behavior and condition.
Leaders who are committed to dealing with security at a governance level can use this checklist to determine the extent to which a security-conscious culture is present (or needs to be present) in their organizations. The relative importance of each statement depends on the organization's culture and business context.
Most senior executives and managers understand governance and their responsibilities with respect to it. The intent here is to help leaders expand their perspectives to include security and incorporate enterprise-wide security thinking into their own and their organizations' governance and management actions. An organization's ability to achieve and sustain adequate security starts with executive sponsorship and commitment.