We're moving on to section 27 and we continue our discussion of information security governance by talking about the strategy. So the question arises, who's creating this strategy anyway? Information security governance typically focuses on several specific processes. These regard personnel management, supply chain, configuration control, and change management, information and identity access management, vulnerability and threat management, incident response, and business continuity, and disaster recovery.

Along with this must come the building and alignment of an effective organizational element with clear roles and responsibilities. This organization must, of course, use some form of standard set up to analyze and measure program and organizational effectiveness against established KPIs and KRIs.

This governance operation should have, as its strategic goal, to continually evolve, adapt, improve, and integrate with the business mission. In this slide, you see the general programmatic flow of where this organizational unit fits, its interactions, and interfaces with the other elements.

This structure should recognize immediately that the information security program must be oriented to risk management which is very clearly business risk. As such, it is part of the job of this organizational leader to ensure that executive management and the board, whatever form that might take, understands this and the role this element has in meeting the challenges associated with it.

So here we have the program structure as illustrated in a graphic. Now, based on your perspective, this graphic may appear upside down. In fact, it is not. It is a representation of the pinnacle, which is the achievement of our enterprise objectives, that by working progressively downward in successive layers, is accomplished.

At the base are the measurements of how program elements are performing which are contained within processes and combined with other metrics, creating operational and managerial information out of that data. Moving further upward, the measurements provide insight as to how well the standards are being attained, followed by policy compliance. The result here tells us we have chosen appropriate standards and that our policies, mostly based on laws and other requirements sources, are effectively applying controls.

Starting at the top, the vision of the enterprise describes its destination, a new horizon, so to speak. The strategy outlines how we will get there and the objectives to be met along the desired course. The IT and security strategies, subsets of the main, describe in greater detail, the specific elements of these two aspects that support achievement of the main through focusing on critical aspects of operations and information. 

Furthermore, these highlight how the IT and security functions will align with the enterprise vision to ensure that all efforts are properly directed and prioritized. Now you'll note that there are blue feedback loops. These feedback loops are critical to ensure that operations are kept on track through informed decision-making, that any mid-course corrections in the strategy can be made in a timely manner, and that overall alignment is maintained when and where adjustment might be needed. These loops are also required to ensure manic information integrity and consistency, when provided to the information decision-makers for their action.

Now, information classification and categorization is a vital and necessary task to be performed. Without the information classification and categorization being performed, there is no way to tell where in the business this information will be most valuable, properly applied, or how it should be properly protected to ensure that its value is maintained. You can classify this information on the basis of its criticality or sensitivity. 

Inherently, most data have neither criticality or sensitivity until combined to create operational information. In performing these tasks, we are able to attach value and define its basis to make it easier to prioritize what should be protected and how, because the value derives from the business context.

Now there is no necessarily easy way of deriving this value. It includes many different factors: cost to acquire, cost to create, cost to replace, its contribution to the operational element for which it's used. And sometimes the value is purely arbitrary. Essentially it is worth what I declare it's being worth. If we boil the entire process down to the aspects of the business elements to which it applies, we can start to set standards and therefore start setting a scale of value by which the information can be compared to other elements and have a consistent scale.

Typically classification based on criticality is a binary sort of setting, something like a fuse in an electrical circuit. If it's present, the process works, if it's not present, the process does not work. Compare this to sensitivity, which is more of a gradient. The idea is it's sensitive to various changes. The information may be very sensitive, meaning that a small change in the process that produces it may produce a large change in the information and its value.

On the other hand, it may be relatively stable or insensitive, where even a change of a large magnitude may change it very little or not at all. These elements, the classification categorization of information are vital to helping us understand how it is used and to set the various priorities and values which will, in their turn, result in protective measures appropriate to it, to ensure that its value, and even its presence, is consistently assured. Such levels and decisions should, of course, be made by the data owner, to ensure that the classifications properly present the kinds of priorities and applications, and thus the importance, that this information has.

One of the things we always have to be sure of is that our security program, whatever its configuration, remains both operationally effective and cost effective. It should be aligned and employ the same tools as the business logic that drives the rest of the enterprise.

One way of describing a program of this type is to say that it is a least cost and least effort sort of program. By this we mean that the amount of time, effort, and money spent on it should be appropriate to the identified needs and compliance requirements, but it should never be more than can be justified based on the loss potentials that should be revealed through the risk analysis process.

As with all other business operations, we need to seek cost-effective solutions. And these strategies will require having the business requirements be defined clearly, having the goals equally clearly defined, knowing what our pool of assets and resources, making sure that asset and resource values have been assigned by the appropriate parties, that the information itself has been classified, and categorized, and that all assets have a responsible data owner to set such values and definitions.

One of the things that we want to do throughout our program is to avoid reinvention of the wheel. The strategy work that has been done by other entities and has been published, may serve as object lessons and guides for how we may do our own. To be able to leverage these, the choice of frameworks, the choice of standards, can help us be more productive by helping us design and implement a program more effectively and more quickly.

We have to bear in mind that not all are created equal. Some may apply to your organization better than others. Take, for example, in the graphic, here at the top we have Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and FISMA, which are regulatory in nature. These could be employed by public or private entities.

Below that we see COSO, OECG, and GDPR, which are governance frameworks that have both national and international application possibilities. Then we have below that standards: CoBIT, ITIL, the ISO-27001, and the CMMI. All of these contain various forms of assurance program goals and again have national and international applicability.

Then we have the ISO-27002, which supports the 27001, the NIST 800-53, and SABSA. These specify various forms of controls and their applications, and can by be used by any entity whether public or private as it might choose.