Welcome to this video on security governance.

Organizations work under the scrutiny of external bodies who validate their security policies and procedures. Within this, the Information Security Manager must govern the internal security practices so they meet the external requirements.

This video looks at the review, evaluation and revision process for security policies, how to conduct security audits against important standards, like ISO 27001 and how to monitor compliance of internal security policies.

We’ll also look at the importance of suppliers and other third parties meeting the same standards of governance and other security requirements.

In information security, the term governance specifically relates to the continual scrutiny of security performance by an overseeing body. This could be a government department or an agency such as the British Standards Institute who ensure that the claims made about the organization’s security are true and continuously maintained.

Governance of the internal security policy is usually the responsibility of the Information Security Manager or the owner of Information Security Risk (which could be a senior executive).

Governance can be applied to an organization in different ways, including ensuring staff consistently adhere to the internal security policy and the rules laid out in processes and work instructions, regardless of the challenges these create.

Governance also refers to certification of compliance to external standards and laws, like ISO 27001 or Sarbanes Oxley and HIPAA in the US.  In order to be certified, organizations will need to be audited.  The auditors will need to be accredited.  In the UK, the accreditation body is UKAS (the UK Accreditation Service).

An effective governance regime will incorporate a regular management review of all security measures and procedures. Reviews will report on incidents and organizations must listen to feedback and strive for improvement. Attendance at the review meetings should be mandatory for all security stakeholders in the organization, including senior management, department heads and system administrators. Anyone with an input into the security review should be invited to provide their view on the efficacy of processes and procedures.

The review should be focused on things that might trigger an amendment to the current security policy, like changes to technology or processes, or the need to adopt a new external regulatory requirement.

Results from the review should be recorded in official minutes and actions should be signed-off at the earliest practical opportunity. Findings and recommendations from security breaches or incidents should be discussed with the intention of reducing the likelihood of them happening again.

Once the management review is complete, the policy should be circulated for approval by the corporate stakeholders, then all affected processes and work instructions should be revised and reissued. Where relevant, affected external third parties should also be advised.

Regular information security audits and reviews are essential to focus the organization on security – at least for the period of the audit. Reviews should cover physical, technical and personal security matters, so there may be different teams required to cover each of these areas.

As there are likely to be ramifications for audit failures, this is a good time for the Information Security Manager to arrange a meeting with senior management to discuss security awareness and the security team’s annual budget.

Ideally, an impartial team should undertake the audit. This could include staff in the business who aren’t involved in running security systems or setting policy, or external independent security auditors.

In some cases, expert knowledge is required to undertake the audit. For example, if the review relates to the perimeter security technology, then experts in the firewall and network technology solutions will be required. Similarly, if the review is of building security, the auditors need to be familiar with door entry systems, security guarding protocols and social engineering techniques.

The contractual arrangements between the organization and the auditors (or the internal agreement, if the group are within the organization) should include a non-disclosure agreement, or NDA. This will help protect the organization’s intellectual property and reduce the risk of vulnerabilities being disclosed to unauthorized third-parties or competitors. 

Prior to the review, the scope of the testing should be agreed with the auditors to ensure they know what’s required of them. The levels of access they need to complete the job should also be determined – this might involve giving the auditors special user accounts on the systems, providing network access for penetration testing, or arranging for individuals to make themselves available for interview.

The results of the audit review should be delivered in a concise report, showing where the organization is compliant, non-compliant and partially compliant, depending on the nature of the test. It should also include recommendations for improvement.

This should then trigger a set of internal meetings to discuss the findings with the security and business stakeholders affected by the audit.

Finally, after any remedial action has been undertaken, documents have been updated and systems have been improved, the resulting set of documents become the baseline for the next audit.

In addition to the formal audit reviews, organizations should plan regular internal security policy compliance checks. For example, reviewing the register of people who can access a secure cabinet or checking staff no longer employed don’t have access to the network. Non-compliances should be reported, the business impact assessed and action taken.

Local security managers and department heads are responsible for enforcing compliance. However, they might need to share responsibility with technical experts, like the IT department. The IT department should also independently provide reports on policy matters, like the number of times a person failed to log in and the number of locked user accounts. These are useful metrics for determining how well the organization is performing against the security policy.

Every incident should be recorded in the incident log with investigation and remedial action taken. This could include disciplinary action, advising an individual that they’ve breached a policy or delivering a team briefing to remind them of the policy. Often a soft approach is enough to ensure the problem doesn’t arise again.

Many organizations are required to adhere to external compliance requirements. These include laws like the Data Protection Act in the UK which affect organizations that process personal information.

Organizations must know the range of compliance requirements they must meet and this often relates to understanding who they’re accountable to. Private companies are accountable to the governments of countries in which they operate. They are also accountable to their shareholders, customers and any regulatory bodies in their industry.

An organization will need to satisfy all the requirements placed on them by these external stakeholders and should appoint someone to manage external compliance requirements, ensuring that enough evidence is generated for the relevant external regulatory bodies.

In some cases, the external agency may need to conduct the audit. In other cases the organization may be required to self-certify through the Information Security Team. If the organization has an internal information security policy, it is more likely to meet the requirements of regulatory bodies.

Some organizations adopt an industry standard like ISO 27001 (and its associated controls). If this is implemented effectively, then the obligations of the Data Protection Act should already be met. However, compliance should never be assumed just because another standard has been followed.

The ISO 27001 model provides an approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information assurance within an organization. This is based on the Plan-Do-Act-Check approach to continuous improvement.

Organizations often overlook third-party compliance when, in fact, many of the vulnerabilities in information systems result from non-compliant third parties. Third parties can include internet service providers, hosting providers and sub-contractors. Any of these could adversely affect the compliance status of an organization, perhaps because they have access to confidential information or to the organization’s computer systems.

They must be bound by the same rules as the organization’s staff which means signing an NDA and incurring penalties for breaches of security. In addition, risk can be mitigated through third-party liability insurance.

The best way to ensure compliance in the supply chain is to insist the third party has the same level of compliance as the organization. So, if the organization has implemented ISO 27001 and has been audited to prove compliance, their suppliers should have the same certification. 

That’s the end of this video on security governance.