Who Does What?


1h 8m

In this course, you will be introduced to domain one, the first of four domains of the Certified Information Security Management certification. We begin with an overview of the domains of the CISM exam and some core security concepts, before moving on to the strategy of information security governance.

Then we look at the roles, functions, and responsible parties within information security governance. Finally, we take a look at the wide range of resources that complement the human factor when implementing information security.

Learning Objectives

  • Understand the main components and requirements of the CISM Domains
  • Learn about the roles and functions for information security governance
  • Learn about the additional resources that can be used for IT security

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Management exam or anyone who is simply interested in improving their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


Now we move on to chapter 28, information security governance. And here we talk about who does what, the functions and the responsible parties. So who does governance? Governance typically is recognized as the responsibility of the board, its members, its various committees, and the company executives.

Security has to be applied at this larger scope rather than just to IT itself. It has to include physical aspects such as building access, lighting, supply chain, vendors, and so on. We need to have the input from the very top because it is their fiduciary responsibility to ensure that governance is effective at all levels and properly tailored. Without knowing whether or not the governance is effective, the program is doomed to failure. And since the governance is driven from the very top, feedback to the very top is necessary to ensure that all levels are communicating both effectively and in a timely manner.

Periodically, business impact analyses will need to be performed and their results communicated to the executives so that they stay informed and can make better quality, better informed decisions. One of the things that the governance structure needs to define is what the focus areas are going to be.

Key to this is determining how they relate to the business and their relevance in each area. They include the overall risk management program. Ideally this should include process improvement, where possible, so that elements of risk management and security are built in. We have to be able to identify events and therefore do incident response. We have to ensure that, at each level where it is necessary, improved compliance is the result. We have to ensure that our business continuity and disaster recovery plan components are designed, implemented, and effective.

All along the way, we will need to do periodic program analysis and measurement to ensure that not only are we measuring it but that we're managing it: that we're doing both the right things and doing things right. We have, of course, to do effective and efficient resource management.

All combined, we have to ensure that the metrics reflect how we will be performing and that we are achieving improved overall IT governance. Now, as the slide suggests, working with the top dogs, we have to look at what the executive team directs and what they will need in feedback. They need to remain engaged throughout the process to provide direction, which means they need to keep their focus on both the operation and how security and compliance affect and are affected by it. This may mean that we have to set up occasional steering committees, usually made up of senior reps from the impacted groups.

By having a steering committee to guide us, it can be easier to arrive at a consensus on priorities and the various trade-offs that might accompany them. Vital to this is establishing effective communication channels. Each committee should have its own range and realm of responsibility. Each one needs to address, in its own context, how to integrate security with business activities, how to get business units to support them (as management support is vital to the success of this program), and how we can identify and thus effectively cope with emerging risks and various compliance issues.

There should of course be a security manager who defines the purpose of the committee and how it should operate. One of the problems with any committee is that it will periodically get sidetracked, and the security manager, along with his teammates on the committee, can help see to it that this doesn't happen.

Members always need to keep their eye on the ball, so to speak, and the better we can keep them informed, the better they can deal with this in a timely and effective manner, and in its proper place in the galaxy of things. Every organization may have a CISO, or someone who occupies that role whether or not they hold the title. This is the person who may be responsible for ensuring the overall performance and success of the information security program.

In some cases they report to the CEO, or they may report to the COO, but wherever they report and whomever they report to, they need to have within their scope a wide enough and deep enough area of responsibility and authority to ensure their overall effectiveness.

Now, typically, and throughout our history, we have had a never-ending battle between IT and information security. To be fair, this battle is oftentimes conducted with the entire rest of the business. Now, classic IT responsibilities are all about ensuring performance. This is something that we're well aware of. It means things like how fast, how responsive, how appropriate, how much utility, all of those different things, all focused on performance. Security is added to this sometimes as an afterthought, or it can be neglected as an impediment to IT fulfilling its mission.

Security is oftentimes equated with people who say no rather than how can we. Because we are more concerned with keeping things out of the hands of unauthorized parties, we also ask for increased expense, such as for redundancy, even if it's at the expense of speed or utility. As security increases, ease of use historically has decreased. Therefore we're put in a position where we must find a balance between these various views: the competition between performance, business success, and security's performance.

One of the results of failing to find this balance will be that people choose the path of least resistance, which typically means less security for better performance. When people have clearly defined roles and a properly positioned responsibility for security in that role, it becomes more difficult to deny that security actually integrates with what they do, and easier, we hope, for it to be performed properly in alignment with that role.

Now, with good organizational division and separation of duties, the security manager shouldn't report to the same executive that the IT manager does. That places them in opposition or in competition, but rarely on the same side of nearly any argument. Everyone involved in this process must be working on identifying the balance between risk mitigation, cost, and performance.

So let's take a look at one NIST guide, Special Publication 800-30, as it describes key roles to support risk management. These are the roles that it typically defines. There is a governing board, usually made up of senior management, and these people have ultimate responsibility to make the decisions that will guide the rest of the program. There's oftentimes a CRO, or chief risk officer, who will be in charge of enterprise risk management.

We have, of course, the chief information security officer, who is basically in charge of ensuring that security management is done and who typically reports to the C-level executives. Below, and potentially reporting to the CISO, would be an information security manager who would be responsible for various program elements and their performance, possibly on a divisional basis, a departmental basis, or even a company-wide basis.

We have system and information owners who ensure that the controls that have been put in place through this program are protecting the confidentiality, integrity, and availability of the information in their charge. We have, of course, the business and functional managers who have responsibilities for security, but also have to balance that with their business operations responsibilities. We have, at the functional level, IT security practitioners. These are the persons who will implement, manage, and handle controls in the various events that occur on a daily basis. And then we have to have security awareness trainers.

Training, as we all know, functions to inform, advise, and otherwise communicate awareness of security program elements, compliance requirements, legal requirements, and other things, to make the human end as effective as we possibly can. In keeping with that, we have this RACI chart of roles and responsibilities.

Here you see a responsibility matrix. RACI is of course an acronym meaning responsible, accountable, consulted, or informed. Now, there is a distinction between a role and individually identified persons. The role is the descriptor of an associated set of tasks: things that a person will actually do in their job. This role may be performed by many people, whereas one person may occupy many different roles throughout their day or week.

Now, for example, an organization may have 10 people who can perform the role of project manager, although traditionally each project has only one project manager at any given time. A person who is able to perform the role of project manager may also be able to perform, in parallel, the role of a business analyst and possibly a tester as well.

So to describe these roles: first we have responsible, those who do the work to complete the task. Then we have accountable. This is the party that is ultimately answerable for the correct and thorough completion of the deliverable or task, the one who ensures that the prerequisites are met and who delegates the work to those who are responsible.

Then we have consulted. Sometimes this is someone called a consultant or counsel. These are those whose opinions are sought, typically as SMEs, and with whom there is a two-way communication. And then we have informed. These are the ones who are kept up to date on progress, often only on completion of the task or deliverable, and with whom there is just a one-way communication.

Very often the role that is accountable for a task or deliverable may also be the one that is responsible for completing it. Outside of this exception, it is generally recommended that each role in the project or process receive at most one of the participation types for each task. Where more than one participation type is shown, it generally implies that the participation has not yet been fully resolved, which can impede the value of this technique in clarifying the participation of each role in each task.

In addition to this, it could potentially illustrate a conflict of interest between the roles concerned. With that said, any program, in security or any other area, must get buy-in from the top if it expects to be successful. Getting approval from the top means, we hope, that the security program will have sufficient resources, staffing, and all the other items necessary to make it successful. This might require that the manager of this program educate the board as they present the strategy. In it they will have to include discussion of possible compliance issues, potential sanctions that may be suffered in the event that the program is ineffective or absent, the importance of assets, and the ways in which they will be measured.
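To make the RACI conventions just described concrete, here is an added example that is not part of the course: a small Python validator run over a constructed matrix built from the NIST SP 800-30 roles mentioned above. It flags a task with no single accountable role and a cell carrying more than one participation type, allowing only the accountable-also-responsible case. The tasks, roles and assignments are assumptions made up for illustration.

```python
from typing import Dict, List

# The four participation types of the RACI acronym.
VALID = {"R", "A", "C", "I"}

# Constructed sample matrix (not from the course): task -> {role: participation}.
# A cell may hold more than one letter; the lecture only permits that for a
# role that is both Accountable and Responsible.
SAMPLE_RACI: Dict[str, Dict[str, str]] = {
    "Approve security strategy": {
        "Governing board": "A",
        "CISO": "R",
        "Chief risk officer": "C",
        "Business managers": "I",
    },
    "Perform business impact analysis": {
        "Governing board": "I",
        "CISO": "RA",                       # accountable party also does the work
        "Information security manager": "R",
        "System/information owners": "C",
    },
    "Implement technical controls": {
        "CISO": "A",
        "IT security practitioners": "R",
        "System/information owners": "CI",  # unresolved participation
    },
    "Deliver awareness training": {
        "Security awareness trainers": "R",
        "Business managers": "I",           # nobody is accountable
    },
}


def validate_raci(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding string per problem; an empty list means the chart is clean."""
    findings: List[str] = []
    for task, cells in matrix.items():
        accountable = [role for role, p in cells.items() if "A" in p]
        responsible = [role for role, p in cells.items() if "R" in p]
        # Exactly one role must be answerable for each task.
        if len(accountable) != 1:
            findings.append(f"{task}: expected exactly one Accountable, found {len(accountable)}")
        # Someone must actually do the work.
        if not responsible:
            findings.append(f"{task}: no Responsible role")
        for role, p in cells.items():
            letters = set(p)
            if not letters or not letters <= VALID:
                findings.append(f"{task}/{role}: invalid participation {p!r}")
            elif len(letters) > 1 and letters != {"R", "A"}:
                findings.append(f"{task}/{role}: multiple participation types {p!r} (unresolved)")
    return findings


if __name__ == "__main__":
    for finding in validate_raci(SAMPLE_RACI):
        print(finding)
```

Running it reports the unresolved "CI" cell and the training task that has no accountable role, while the two well-formed tasks produce no findings.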

The actions that senior management must understand will be necessary for this program include the following:

  • Clear approval and support.
  • The ability to measure performance, which is always required to ensure that we are being both operationally effective and cost-effective.
  • Support for the training and awareness program, and sufficient resources and authority to implement security as decided.
  • Treating security as a critical business issue, which we all know that it is.
  • Demonstrating that security is taken seriously by virtue of the results that we measure.
  • Oversight and control; the description to the board members will have to cover how that will be performed and by which role.
  • Periodic reviews to determine program effectiveness and the ways in which it will be adjusted to achieve the stated objectives.
  • Setting an example, so that others in the organization will realize that this is to be taken as an important or even critical aspect.
  • Which issues will be escalated to board level and may require their attention to resolve.

Many times what we find is that there is never going to be enough time, money, or resources to conduct the program that we believe is necessary, leaving us in the position where we will have to make do, so to speak, with what we have. This is frequently the case, but it does force us to be adaptable and very choosy about which priorities we emphasize.

Now, one of the things that comes up is the question of tying a paycheck to a security role. What this really reflects is that security is written into job descriptions and roles: that your performance includes elements of security for which you are being employed and which you will be performing in your role.

Sometimes employees are compensated based on their adherence to responsibilities. Now, this is frequent, but rarely does it include the element of security in this kind of compensation. Tying it to employee performance and making it integral to the performance evaluation can emphasize just how important the overall security performance of every employee is to the organization.

One of the ways to make sure that this happens is to work with management and then with the personnel director to ensure that these elements having to do with security and performance are defined and integrated into the roles and responsibilities descriptions. Doing that will of course raise the question: do we have the proper skills? How do we find the right personnel, and what do we do for those we already have?

Every strategy must consider the workforce that will implement it and whether or not they have the available skills and the necessary resources. If we find that the required skills do not exist, then the strategy will fail, and therefore we have to take remedial action to ensure that isn't the case and acquire the required skills in our workforce. To acquire them, we have a trade-off to make between developing them in-house or bringing them in from outside. We can train our existing employees, or we can hire new ones and bring in the skills from the outside.

Both strategies work, and they can work effectively together. And the more you ingrain this in the organization, the more likely its long-term effectiveness will be. We need to start, of course, with an inventory of what we do have so that we know where our gaps lie and can fill them through training or more personnel.

One of the ways to begin could include proficiency testing, as well as taking a survey of who has what certifications. Whatever the case and whatever method is being used, we need to identify the gaps, establish their levels of relative criticality, and take care of them through training and awareness or hiring as quickly as possible.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.