Evaluation and revision process for security policies

Do you remember the name of the 1999 report which provided guidance on risk and its obligations? You're going to encounter it again in this section during the exploration of governance. You’ll also discover its importance for the CISO as well as the entire company.

What is governance?

In general terms, governance is defined as 'the action or manner of governing a state, organisation, etc.' In information security, the term governance specifically relates to the continual scrutiny of security performance by an overseeing body. This could be a government department or an agency such as the British Standards Institute who ensure that the claims made about the organisation’s security are true and continuously maintained.  

Governance of the internal security policy is usually the responsibility of the information security manager or the owner of information security risk (which could be a senior executive). In an IA context, governance is extra-important as networks are connected all over the world and therefore common best practice is fundamental to a safer cyber world for all. 

Another definition for governance, in a business sense, is the practice of the board of directors coming together to make decisions about the direction of the company. Duties such as oversight, strategic planning, decision-making, and financial planning are all governance activities.  

Governance can be applied to an organisation in different ways, including ensuring staff consistently follow the internal security policy and the rules indicated in processes and work instructions, regardless of the challenges these create. 

Governance also refers to certification of compliance to external standards and laws, like ISO 27001 or Sarbanes Oxley (SOX), and HIPAA in the US. The effects on corporate governance of the Turnbull Report, the Companies Act in the UK and related issues have all helped bring risk management to the top of the agenda in many boardrooms. The Turnbull Report was first published in 1999 and set out best practice on internal control for UK listed companies. It focused primarily on financial aspects, ensuring that companies have good audits and checks to ensure the quality of financial reporting and to detect any fraud before it becomes a problem. 

To be certified, organisations will need to be audited by e.g., a member of CREST (Council of Registered Ethical Security Testers). The auditors will need to be accredited. In the UK, the accreditation body is UKAS (the UK Accreditation Service). 

Governance reviews

As you’ve already seen in this Course, rules and policy need to be maintained over time in order to have a real effect, and so governance without regular review and revision will fail. 

An effective governance regime will incorporate a regular management review of all security measures and procedures. Reviews will report on incidents and organisations must listen to feedback and strive for improvement. Attendance at the review meetings should be mandatory for all security stakeholders in the organisation, including senior management, department heads and system administrators. Anyone with an input into the security review should attend to provide their view on the efficacy of processes and procedures. 

The review should focus on things that might trigger an amendment to the current security policy, like changes to technology or processes, or a new external regulatory requirement. 

Results from the review should be recorded in official minutes and actions should be signed-off at the earliest practical opportunity. Management should discuss findings and recommendations from security breaches or incidents with the aim of reducing the likelihood of them happening again. 

Once the management review is complete, the policy should be circulated for approval by the corporate stakeholders, then all affected processes and work instructions should be revised and reissued. Where relevant, affected external third parties should also be advised. 

As well as reviews, regular security audits are also required for the governance model to succeed. In the next section, you'll see the importance of audit and observe how it's implemented. 

What's next?

Now that you have learned something of governance, you're going to look at the importance of auditing in the monitoring of the security system.