Governance
Organisational governance is defined as “a system by which an organisation makes and implements decisions in pursuit of its objectives.” Organisational governance is achieved by a mix of standards, rules, processes, practices, and technology platforms that support maturity in governance.
In view of the enhanced role of ICT in achieving the business mission and objectives, governance of IT and of information security are considered a subset or domain of organisational (entity) governance. Definitions of governance in the specific context of IT and information security are provided in ISO/IEC 26000, ISO/IEC 38500:2015 and ISO/IEC 27014:2020.
Governance of Enterprise IT (ISO/IEC 38500:2015) deals with resources required to acquire, process, store and disseminate information.
Enterprise Information Security Governance (ISO/IEC 27014:2020) deals with assurance of information confidentiality, integrity and availability and effective communication of the same with various external stakeholders.
Governance of Enterprise IT
A model for good governance of IT shall assist those at the highest level of the entities to understand and fulfil their legal, regulatory and other obligations in respect of their entity’s use of IT. Further it assists governing bodies to ensure that the use of IT contributes positively to the performance of the organisation. Governing bodies should exercise their authority to ensure that their organisations follow a well-defined and suitable model for governance of IT, based on global best practices, to ensure that the risks arising from the use of IT can be managed and opportunities can be exploited.
ISO/IEC 38500:2015 describes the principles and practices for good governance of IT and provides a baseline for each entity to develop their own model. The six core principles are:
Establish responsibility.
Define strategy for IT to support business.
Make acquisitions as appropriate.
Ensure performance.
Ensure conformance.
Achieve appropriate human behaviour.
Further, three main practices through which the governing bodies can continuously evolve governance of IT are:
Evaluate the current and future use of IT in the context of the business need.
Direct preparation and implementation of strategies and policies to ensure that use of IT meets business objectives.
Monitor performance against the strategies particularly regarding their business objectives and conformance to external obligations and internal work practices.
Governance of Information Security
Governance of information security ensures effective implementation of information security controls and provides the following assurance:
Directives concerning information security will be followed.
The governing body will receive reliable and relevant reports about information security related activities.
The framework for governance of information security will assist the governing body to make decisions concerning the strategic objectives for the organisation. It further provides information about information security that can affect these strategic objectives. It also ensures that information security strategy aligns with the overall objectives of the entity.
ISO/IEC 27014:2020 defines six objectives for information security governance that provide a baseline for overall direction and control by the governing bodies and the top management. The detailed description of each objective and process is given in the ISO document. The practical application of each objective within an entity is briefly described below:
1. Establish integrated comprehensive entity-wide information security
Objective 1 calls for the establishment of an integrated, comprehensive, entity-wide information security framework. In practice, this would generally be addressed as follows:
Organisations should define and document an enterprise level context for their Information Security Management System (ISMS). Further, the context, scope, external elements etc. of each of their individual ISMS implementations (business-unit or site-based) should flow from and be fully aligned with the enterprise context.
Organisations should define and document an enterprise level ISMS objective and policy. The ISMS policies of each of the individual ISMS implementations should be aligned with the enterprise context.
An enterprise level approach would provide the following benefits:
Governing bodies and top management can evaluate, direct, and monitor that information security is consistent across the enterprise.
Regulators and national nodal agencies can validate that the policy directives and regulatory guidelines provided to the regulated and critical sector entities are incorporated into the enterprise level ISMS framework, which further gets applied uniformly into all the ISMS implementations in the entities.
Auditors can easily assess and verify whether all the mandated policies have been incorporated in each of the ISMSs audited by them.
2. Make decisions using a risk-based approach
Objective 2 calls for using a risk-based approach for decisions. A risk-based approach is recognised world-wide as an effective mechanism for inter-se prioritisation of the following:
Investment in protection functions that includes business continuity.
Allocation and use of resources.
Work related to tracking and monitoring functions.
Incident response and crisis management activities.
In general, risk is a function of impact and likelihood. However, entities may decide that the potential impact of some disruptions is so devastating that they carry the highest risk even if their likelihood is very low. In all other cases, risk reflects the organisation’s ability to accomplish its assigned mission, protect its assets, fulfil its legal responsibilities, maintain its day-to-day functions, and protect individuals.
Regulated and critical sector entities would benefit from using the ISO, IEC, NIST and other well-known standards to design, develop and implement risk management system within their organisations. A risk-based approach helps entities correctly identify all the controls that are applicable in their ISMSs. An enterprise level approach to risk management would provide the following benefits:
Governing bodies and top management can evaluate the information security risks associated with the use of IT to achieve business objectives and incorporate them into the enterprise level ISMS framework. This will help them direct and monitor the individual ISMSs effectively.
Regulators and national nodal agencies can validate that all the additional controls prescribed by them are consolidated into the enterprise level ISMS framework, which further gets applied uniformly into all the ISMS implementations in the entities.
Cybersecurity auditors can use the comprehensively defined Statement of Applicability (SoA) to verify that all risks have been considered for their technical audit.
3. Set the direction of acquisition
Objective 3 calls for setting the direction of acquisition of IT, OT, and Information Security capabilities in a comprehensive and consistent manner.
The enterprise level risk assessment carried out as part of Objective 2 will help in the prioritisation of investments and allocation of resources. The Information Security Steering Committees (ISSC) of critical sector entities can provide the right guidance to top management when there is a common understanding of risk.
4. Ensure conformance with internal and external requirements
Objective 4 calls for ensuring conformance with internal and external requirements.
One of the objectives of regulators and national bodies is to standardise information security management and its audit across various entities, particularly the critical sector entities. A common approach and methodology of audit of IT Security can be achieved through the guidelines given in various national / international standards.
Entities should evaluate and adopt an internationally accepted methodology for audit of the implemented IT and Information Security Management System at agreed frequency and scope (this frequency and scope should be compliant with the minimum baseline promulgated vide various rules and regulations). The audit scope, audit objective, audit criteria and the competency of the auditors should be such that it provides adequate assurance to the stakeholders on the objectivity and impartiality of the results. The results of the audit are to be reviewed at an appropriate level in the entity / controller / regulator. The causal analysis and corrective action plan for any non-conformities observed in the audit are also to be reviewed and tracked for acceptable closure.
5. Foster a security-positive culture
Objective 5 calls for fostering a security-positive culture, which is largely a people-driven activity. This requires the top management to focus on building a positive information security culture within the entity through security education, training and awareness programs and integrating the information security responsibilities into the roles of employees and managers.
6. Ensure the security performance meets current and future requirements of the entity
Objective 6 calls for ensuring that the security performance meets current and future requirements of the entity.
A data-driven analytical approach for security performance monitoring and measurement would be highly beneficial for entities. This approach requires entities to identify and use software applications and automation platforms for data acquisition, evidence collection and analysis of both IT and information security performance. The acquired measurement data would help the internal, external, and special audit teams to review and assess the information security processes and activities.
National nodal agencies can further evolve platforms and processes for machine-processing of data from different entities to carry out sectoral and cross-sectoral analysis of audit compliance, audit effectiveness and grading of auditors.
The governing bodies and the top management may apply the following four main processes repeatedly to achieve the above objectives:
Evaluate
Direct
Monitor
Communicate
Essential Top Level Management Governance Functions
The key processes for governance of Enterprise IT and Information Security are depicted in the pictorial below.
A harmonised view of the governance functions is covered here.
Summary
The governance frameworks provide the core principles, objectives and processes in IT and Information Security for the governing bodies and top management to implement effective governance in their respective business context. The focus of governance of IT is on managing resources to acquire, process, store and disseminate information (this may include OT and IIoT). This functionality is complemented by the governance of Information Security, which focuses on confidentiality, integrity, and availability of information (including the safety of OT and IIoT).
The governing bodies and top management of all regulated and critical sector entities are accountable for the Governance of Enterprise IT and Information Security. They have the responsibility to evaluate and direct the specific actions required to implement the principles within their organisations and monitor their efficacy. In short, Governance of Enterprise IT and Information Security are board-level agendas.
Communication is an important Information Security governance process since it enables entities to be held accountable to interested parties. As part of this function, the critical sector entities must maintain continuous information flow with the national nodal agencies and the sectoral regulators. This communication is necessary for the national nodal agencies to evaluate the effectiveness of their risk management and information security management. The entities are also required by law to report information security incidents to appropriate national nodal agencies and regulators, as applicable.
The assurance aspect is overseen by the sectoral regulators and the national nodal agencies, who exercise their authority to audit the regulated and critical sector entities for compliance with law, regulation and directives issued by them.
It is also important to recognise that, while the authority for specific aspects of IT and Information Security may be delegated to managers within the organisations, the accountability for effective, efficient, and acceptable use of IT and Information Security within the entity and all its organisations remains with the governing body and top management in case of CSEs. This responsibility and accountability cannot be delegated.
The governance of enterprise IT and information security in the internal context (within the jurisdiction of the entity) is fairly straightforward. All entities typically implement their IT, OT and IS infrastructure to align with their business functions. The operational structure is usually in the form of business units, departments, sites/branches, and locations. The organisational structure is closely aligned with the operational structure in the form of a governing body or board, top or executive management, and senior, middle-level, and lower-level management.