Information security governance: All you need to know
When it comes to running a business, most businesses understand risk when it is framed as business risk: fire, flood, theft, loss of employees, competition, and the list goes on. But when we start talking about cyber risk to a business, they are lost and don’t understand what risks there are.
By building asset and risk management into their processes, businesses can gain an understanding of what they have and which areas may be affected when it comes to information security.
Once we have a basic understanding of these risks and what assets we have that need protecting, we can then start looking at the governance of information security.
Information security governance?
But what is information security governance? The governance of information security within a business is the way a business manages its information security needs. It seeks to identify and protect the Confidentiality, Integrity and Availability of its information (known as the CIA triad). As part of this process the business will start identifying all the risks that could impact it; this will include business risks as well as information security risks.
It is important that the business looks at all areas of the business, from the bottom right up to the top, and it is important that senior management have buy-in and fully support this process.
Once the risks have been identified, the business will need to start designing a framework, which includes policies and procedures, to ensure that each identified risk can be remediated, accepted or otherwise treated accordingly.
The information security framework
What is an information security framework and how do we develop it? In simple terms, an information security framework is a suite of policies and procedures which are created and implemented within the daily running of the business.
This can be made up of different components from Cyber Essentials and IASME Cyber Assurance to ISO 27001 or other standards.
Once embedded within the business, it doesn’t stop there. The framework is a living and breathing entity within the business and will be constantly undergoing change and expansion. Policies and procedures need to be tested and implemented; anything that doesn’t work for the business will need to be changed, tested and implemented again.
The framework should be designed with metrics in mind, so you can see what works and what doesn’t. You should ensure that the framework is reviewed at least annually so that it remains current.
Main areas of information security governance
We now know what information security governance is and what a framework is, but what is involved in the governance itself? What areas are there to build, review and monitor?
The main areas of information security governance are:
- Information security planning
- Policies and procedures
- Asset management
- Risk management
- Compliance and auditing
- Incident response and management