Internal Context

Operational Structure

Business Units

In the modern business and operational context, information technology has become a key business enabler. It is frequently the case that business units, also called line units, generate their own business requirements, consume external IT services, or get systems dedicated to their own units.

Departments

Departments, also called staff units, perform staff functions to support the entity’s mission. In the context of IT and Information Security, most staff functions are performed through multiple departments with complex interdependencies. Some of the departments involved in a typical CSE for smooth delivery of these functions are:

  • Administration department manages personnel and physical security.

  • Finance department manages the procurement.

  • Workforce (HR) department ensures that people have the right competencies and critical positions are always staffed by candidates with the right mix of skills and experience.

  • Legal and Corporate Governance department manages legal and regulatory compliance.

  • Internal Audit department provides an independent view of compliance of processes and people.

  • Technical functions related to IT are carried out by the IT Department.

  • Information Security related functions are carried out by the Information Security Department.

It is also well-established that information technology is a key enabler for non-IT staff functions. The functional requirements of various departments are typically enabled through IT. The IT department is usually responsible for the design, development and/or procurement, implementation and deployment, and operation and management of the IT infrastructure, IT operations, and IT support. The departments themselves focus on the usage side of IT, covering the users, applications, and data.

Further, the Information Security Department usually works closely with the IT and the Legal and Corporate Governance Departments as part of its responsibility and accountability towards the governance, risk, policies, compliance, and assessment of information security of the entity’s IT infrastructure.

Sites and Locations

Large enterprises are typically spread across multiple sites or geographical locations, usually referred to as remote or branch offices. Sectors such as Power and Energy have OT sites in the form of substations and regional command and control centres. Enterprises with such geographically separated ICT must ensure governance mechanisms and controls for the holistic cybersecurity of the entity.

Organisational Structure

Board of Directors

The Board of Directors of CSEs is ultimately accountable for cybersecurity in the organisation and its responsibilities would include:

  • approving strategic goals, business objectives, and policies related to IT, Business Continuity, Information Security, Cyber Security, and Cyber Crisis Management,

  • approving the cyber risk appetite as part of the overall risk appetite,

  • approving and overseeing the cybersecurity programme, strategy, and policy to manage cyber risks,

  • ensuring the implementation of the cybersecurity program,

  • being aware of and ensuring compliance with legal and regulatory obligations related to cyber security risks,

  • supporting the culture of awareness of cybersecurity in the organisation,

  • allocating adequate budget and resources for fulfilling cybersecurity requirements.

The Board of Directors of the CSEs should set up appropriate board-level and other high-level empowered committees for the purpose of Governance of Enterprise IT and Information Security to support both strategic and operational goals while addressing the unique risk and compliance requirements in these areas. The governance structures should be kept in mind while framing these committees. The Board should have an independent director with substantial IT expertise in managing or guiding information technology initiatives. Further, the committees formed should include technically competent members.

In case a CSE does not have a Board of Directors, it is the responsibility of the top management or executive leadership to set up appropriate high-level empowered committees for the purpose of Governance of Enterprise IT and Information Security and to ensure their effective functioning.

CSEs having a “Protected System” are mandated to constitute an Information Security Steering Committee (ISSC) under the Chairmanship of the Chief Executive Officer/ Managing Director/ Secretary of the organisation as per the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 notified vide Gazette Notification S.O. 2235(E) dated 22 May 2018.

Top-Level Management

The top management of entities, led by the Chief Executive (Managing Director or CEO), is accountable to the governing body (or Board) with respect to the effective and efficient use of Information, Communication and Operational Technologies and Information Security. Most entities usually have permanent leadership roles, with teams under them, that constitute enterprise-level top management. Typical leadership roles in a CSE are Chief Risk Officer (CRO), Chief of Operations/ Chief Operating Officer (COO), Chief Technology Officer (CTO), Chief Information Officer (CIO), Chief Strategy Officer (CSO), Chief Information Security Officer (CISO), Chief Human Resource Officer (CHRO) and, if required by law, a Data Protection Officer (DPO).

Top-level management’s responsibilities in CSEs will centre around strategic alignment, value delivery, risk management, resource optimization, and stakeholder engagement to leverage IT for competitive advantage and sustainable business performance.

The essential top-level management functions for Enterprise Governance of IT (EGIT) and Information Security Governance (EISG) are:

  • Aligning IT and infosec goals and objectives with the overall business strategy and vision set by the Board of Directors. This involves

    • setting objectives and initiatives in line with the overall business goals.

    • establishing governance structures by creating committees and steering groups to oversee the alignment between business, IT and cyber resilience.

    • establishing entity-wide policies and programs.

    • ensuring stakeholder involvement.

  • Providing leadership, direction and oversight for the IT and Infosec departments. This includes defining the IT operating models, planning, organising and implementing projects to achieve the desired business outcomes, budgeting, organisational structure, roles and responsibilities, and project management oversight.

  • Resource Management - This entails ensuring optimal allocation and utilisation of IT and infosec resources (e.g., personnel, technology, budgets), capacity planning, developing strategies for internal and external sourcing of IT and infosec services and solutions, exercising oversight on contracts with third-party service providers, outsourcing of work to Managed Service Providers (MSPs), etc. Adequate resources should be designated specifically for cybersecurity, separate from those allocated for general IT needs. Allocation of such resources may vary widely based on the business objectives and risk management of each CSE. However, based on global best practice, it is recommended that at least 10% of the total IT budget should be allocated to cybersecurity. This should progressively increase in line with the cybersecurity risks faced by the entity. Such allocation should be recorded under a separate budget head for monitoring by the Board of Directors/ Governing Body.

  • Risk Management - This involves

    • establishing a risk management framework that identifies, assesses and mitigates risks associated with the use of technology, and ensures compliance with the relevant laws, regulations, and policies.

    • analysing and managing the business impact of degradation, failure and non-availability of IT, OT and IIoT systems, and safety of operational technologies (OT).

  • Monitoring and measuring IT performance and value delivery - This involves

    • maintaining oversight using management systems for all IT, OT and Information Security aspects that can adversely affect the organisation.

    • establishing and tracking key performance indicators (KPIs) for IT and infosec services and activities.

    • using performance data to drive continuous improvement in services and processes.

    • benchmarking to compare IT and infosec performance against industry standards and best practices.

  • Fostering effective communication, collaboration and partnership between business and IT stakeholders. Communicate regularly within and outside the entity to ensure coherence. This is especially important during crisis management related to high-impact IT and cybersecurity incidents.

The Enterprise Information Security Governance (EISG) functions are usually led by the CRO or the Enterprise CISO, who is responsible for the implementation of enterprise-wide information security policies, and exercising information security-related oversight on the business groups and business units of the enterprise.

A CISO should have knowledge and experience of information security governance, risk and compliance management, ISMS and related issues. The CISO’s responsibilities typically include cyber resilience and cybersecurity planning, development and rollout of the ISMS, and coordinating cyber security related issues within the organisation and with relevant external agencies. The CISO must be capable of performing the duties as per the “Roles and Responsibilities of CISOs” as defined by NCIIPC, CERT-In and Regulators.

CSEs must clearly define the roles, responsibilities and teams for governance of enterprise IT and information security, as appropriate to their organisational structures. The leadership and teams must be given the required authority and resources to carry out their functions and must be held accountable for the required outcomes. A key factor for success is the ability of the leaders, their teams, business units and departments to work collaboratively to address the shared concerns of all stakeholders. Adequate thought must be given to behavioural aspects and conflict resolution mechanisms while assigning responsibilities to leaders and teams. Further, each team must have a proper mix of expertise and experience and should use technology to carry out its functions effectively.

Committees

Entities usually have different formal and semi-formal structures to support the governing body and the top management in their IT and information security governance functions. These structures take the form of committees, groups, task forces, etc., and typically carry out evaluation, monitoring, and oversight functions to support the governing body and the top management.

Many Sectoral Regulators have prescribed the frameworks for the Governance of Enterprise IT and Information Security for their regulated entities. The governance frameworks and governance related guidance of the important regulators of the country emphasise the need to have a good governance framework for enterprise IT and Information Security of entities using ICT for achieving their business mission and objectives.

Information Security Division/ Department (ISD)

The ISD of an entity is responsible for planning, implementing and continually improving the technology-driven capabilities, processes, and workforce to achieve cybersecurity.

Each business group or unit in the CSE may have its own ISO (Information Security Officer) with a team under them, who may report hierarchically to the CISO. Together, they constitute the entity’s Information Security Division/ Department, with appropriate resources and manpower based on the size and business of the CSE.

Technology Strategy and Perspective Planning

All modern enterprises use technology to carry out their business functions. A good practice followed by many organisations is to have a Technology Strategy and Perspective Planning (TS&PP) programme for planning, implementing and continually improving the technology-driven capabilities, processes, and workforce.

The technologies and processes are typically deployed through individual projects that are conceived, designed, and implemented by different business units and departments. In many cases, this leads to duplication or inadequate optimisation of enterprise resources, operations, and workforce utilisation.

The use of IT, OT and Information Security should therefore be evaluated, directed, and monitored from an entity-wide perspective that enables the governing bodies and top management to holistically evaluate the achievement of mission and business objectives. This will ensure that the individual IT, OT and IS projects of different business units and departments are aligned with the enterprise’s strategic IT and Information Security objectives and compliant with all enterprise policies and processes. Further, it helps in the optimisation of investments, IT and cybersecurity workforce competency development, exploitation of the latest technologies and practices, continuous improvement of cybersecurity maturity, etc.

Organisations will benefit from having an entity-wide TS&PP programme that provides enterprise-wide strategic direction and decisions on the use of IT, OT, and information security. The CTO, CIO, Heads of OT and CISO should be part of the Technology Strategy and Perspective Planning committee. Typically, the committee should

  • evaluate the objectives and expected outcomes of different projects within the overall technology adoption roadmap of the organisation.

  • synergise activities and investments across multiple projects.

  • provide oversight and guidance to individual project management teams.

  • oversee the cyber resilience aspects.

Performance and Effectiveness Monitoring

Governing bodies and top management should have a well-defined mechanism for monitoring and measurement of IT, OT and Information Security performance and effectiveness of management systems and processes at the strategic, tactical, and operational levels. The monitoring and measurement mechanism should cover all processes, both automated and manual, with the objective of providing actionable evidence to take preventive and corrective actions at each level.

Metrics are tools designed to enhance performance and accountability through the collection, analysis, and reporting of relevant performance-related data. Metrics in information security track the achievement of set goals and objectives by measuring the degree to which security measures are applied, assessing the efficiency and efficacy of controls, evaluating the sufficiency of security measures, and pinpointing potential areas for improvement. Entities should develop Key Performance Indicators (KPIs) for the evaluation of their IT and Information Security programmes and periodically evaluate the implementation and effectiveness of their IT and Information Security Governance programmes by measuring the defined KPIs.

Organizations will benefit significantly from having a Performance and Effectiveness Monitoring (P&EM) programme to assist the governing bodies and top management in their function of enterprise-wide monitoring and measurement of IT, OT and infosec performance and effectiveness. The Governance, Risk and Compliance team should work with the business units, IT, OT and Infosec Heads and other stakeholders to develop KPIs that monitor and measure vital aspects of IT, OT and Information Security processes, people and technologies. The KPIs should address the concerns of the governing body and top management.

CSEs should put in place a structured process for reporting cybersecurity related matters to the Board or the Board Level Committees through the CISO. Structured reporting should, inter alia, include the key cyber risks faced by the organisation, cyber security preparedness, cyber security posture, organisational initiatives to enhance cyber security resilience, status of compliance with regulatory guidelines, and reporting of cyber security events and incidents.