A new report from the independent information security body, the Information Security Forum (ISF), provides organisations with a clear picture of how better governance can help the information security function raise its game within the business.
Entitled ‘Information Security Governance – raising the game’, the report outlines how adopting a governance-style approach can lift security out of its technical ‘comfort zone’ and into a wider business context.
The ISF argues that while corporate governance is well-known and common practice, even obligatory, within the corporate environment, governance itself is not always present in information security – a critical part of any business. However, when the security function does adopt governance, it leads to better engagement with senior executives and other corporate governance functions, helping to foster better understanding, minimise risk and limit reputational damage.
The report’s author and ISF Principal Analyst, Adrian Davis, comments: “Corporate information is becoming much more complex because the technologies and processes to manage it are becoming more complex. At the same time, information is much more susceptible to attack or abuse, as we’ve witnessed many times this year already. This new report shows how information security governance can become an integral part of corporate governance, demonstrating to a company’s stakeholders – customers, partners, shareholders and regulators – that corporate data is being protected according to industry best practice.”
As with each new ISF report, ‘Information Security Governance – raising the game’ offers practical step-by-step guidance for businesses via a comprehensive security governance framework, developed using ISF Member experience, analysis, research, tools and workshops. This framework enables Members to demonstrate how information security can:
· Deliver value to stakeholders: Improve effectiveness and efficiency; meet stakeholder requirements; enable business initiatives; and integrate with enterprise processes
· Achieve strategic goals: Execute strategic objectives; set and refine information risk appetite; sustain buy-in and commitment; and maintain security requirements
· Provide information risk assurance: Oversee assurance programme; implement risk assessment; ensure compliance; manage supply chain risk; and monitor and report on assurance.
“As information security governance is an emerging concept and yet to be fully realised and understood by many organisations, this report is unique in providing practical hands-on guidance,” adds Adrian Davis. “It outlines the key components you need to have in place for effective information security governance, pointers to additional ISF materials and information to help determine if your current governance framework measures up, and most important, tools to check its levels of maturity.”
An executive summary of the ‘Information Security Governance – raising the game’ report is available from the ISF website at: https://www.securityforum.org/?page=publicdownloadisg. The report also points to the new version of the ISF’s Standard of Good Practice (SoGP) launched in September 2011 and the ISO/IEC 27014 standard to help in the development of information security governance.