Governance of information security

30 Apr, 2015

Information security relates to all aspects of information, that is, spoken, written, printed, electronic or any other medium, including the handling of information that has been created, viewed, transported, stored or destroyed. Information security is different from IT security, since the latter is concerned only with the security of information within the boundaries of the network infrastructure. Typical confidential information disclosed in an elevator conversation or sent via regular mail does not fall within the bounds of IT security.[1]
Here the question arises: what is information? It consists of data that has meaning, relevance and purpose, and information must have these attributes. Information creates knowledge, and knowledge is captured and stored as organised information, which is an asset and therefore requires protection.
Governance of information security is a subset of enterprise governance. It provides strategic direction, ensures that objectives are achieved by managing risk appropriately, uses organisational resources carefully and monitors the security programme with diligence, as the success of the enterprise depends on it.
The organisation must establish and maintain a framework to achieve effective information security governance by guiding the development and maintenance of a comprehensive information security programme. The institutional responsibility in this regard includes treating information security as an intrinsic part of governance. The protection of information assets is achieved through a layered series of technological and non-technological safeguards and controls, i.e., safety and environmental security measures, perimeter and physical security (including background checks), access control measures, user identifiers, passwords, IT technical measures, and manual and automated procedures.
-- Expectation or outcome from the program
-- Knowledge and protection of information asset
-- Benefit
-- Process integration
These necessary safeguards and controls generally address threats and vulnerabilities to reduce potential impacts within a framework of defined and acceptable levels. The integrated security system must comprehensively cover the key controls:
-- Information is available and usable when required, and the systems that provide it can appropriately resist or recover from attacks.
-- Information is observed by or disclosed to only those who have a need to know.
-- Information is protected against unauthorised modification.
-- Business transactions and information exchange between enterprise locations and external trading partners are trustworthy.
The system of security created thus covers the needed goals of information availability, confidentiality, integrity, authority and non-repudiation. The derived outcome can be achieved through:
- Effective communication;
- Constructive approach;
- Team relationship;
- Common language; and
- Shared commitments
-- Security risk management methodology
-- Strategy explicitly linked with business and IT objectives
-- An effective security organisational structure
-- A security strategy based on the value of information protected and delivered
-- Policies based on comprehensive strategy, control and regulation
-- Security standards for each policy to ensure that procedures and guidelines conform to the policy preferences
-- Institutionalised monitoring processes for compliance and to provide effective feedback for the mitigation of risk
-- A process to ensure the continued evaluation and updating of standards, procedures and risks.
The system will provide alignment with business strategies, management of risk and resources, and knowledge and value delivery, as shown below in the information security governance chart.
This is achieved by placing information security on the agenda of top management, identifying security leaders and adopting an effective policy.
The governance of information security can increase predictability and reduce uncertainty by creating a firm foundation for an efficient information system, which will build trust, reputation and confidence.
(The writer is an advocate and is currently working as an associate with Azim-ud-Din Law Associates Karachi)
[1] From an information security perspective, the nature and type of compromise is not as important as the fact that security has been breached; that is the crucial concern.