Escolar Documentos
Profissional Documentos
Cultura Documentos
INFORMATION SECURITY
GOVERNANCE
ffirs.qxd 3/31/2009 1:08 PM Page iii
INFORMATION SECURITY
GOVERNANCE
A Practical Development
and Implementation Approach
KRAG BROTBY
Copyright 2009 by John Wiley & Sons, Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as
permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to
the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax
(978) 646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should
be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008 or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in
preparing this book, they make no representations or warranties with respect to the accuracy or
completeness of the contents of this book and specifically disclaim any implied warranties of
merchantability or fitness for a particular purpose. No warranty may be created or extended by sales
representatives or written sales materials. The advice and strategies contained herein may not be
suitable for your situation. You should consult with a professional where appropriate. Neither the
publisher nor author shall be liable for any loss of profit or any other commercial damages, including
but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our
Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax
(317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic format. For information about Wiley products, visit our web site at
www.wiley.com.
Brotby, W. Krag.
Information security governance : a practical development and implementation approach / Krag Brotby.
p. cm. (Wiley series in systems engineering and management)
Includes bibliographical references and index.
ISBN 978-0-470-13118-3 (cloth)
1. Data protection. 2. Computer securityManagement. 3. Information technologySecurity
measures. I. Title.
HF5548.37.B76 2009
658.4'78dc22 2009007434
10 9 8 7 6 5 4 3 2 1
ftoc.qxd 3/31/2009 1:13 PM Page v
Contents
Acknowledgments xi
Introduction xiii
2. Why Governance? 9
2.1 Benefits of Good Governance 11
2.1.1 Aligning Security with Business Objectives 11
2.1.2 Providing the Structure and Framework to Optimize 12
Allocations of Limited Resources
2.1.3 Providing Assurance that Critical Decisions are Not 13
Based on Faulty Information
2.1.4 Ensuring Accountability for Safeguarding Critical Assets 13
2.1.5 Increasing Trust of Customers and Stakeholders 14
2.1.6 Increasing the Companys Worth 14
2.1.7 Reducing Liability for Information Inaccuracy or Lack 14
of Due Care in Protection
2.1.8 Increasing Predictability and Reducing Uncertainty of 15
Business Operations
2.2 A Management Problem 15
v
ftoc.qxd 3/31/2009 1:13 PM Page vi
vi Contents
5. Strategic Metrics 27
5.1 Governance Objectives 28
5.1.1 Strategic Direction 29
5.1.2 Ensuring Objectives are Achieved 29
5.1.3 Risks Managed Appropriately 30
5.1.4 Verifying that Resources are Used Responsibly 31
Contents vii
9. Current State 81
9.1 Current State of Security 81
9.1.1 SABSA 82
9.1.2 CobiT 82
9.1.3 CMM 82
9.1.4 ISO/IEC 27001, 27002 83
9.1.5 Cyber Security Taskforce Governance Framework 83
9.2 Current State of Risk Management 84
9.3 Gap AnalysisUnmitigated Risk 84
9.3.1 SABSA 85
9.3.2 CMM 85
viii Contents
Contents ix
Index 185
flast.qxd 3/31/2009 1:18 PM Page xi
Acknowledgments
K. B.
xi
flast.qxd 3/31/2009 1:18 PM Page xiii
Introduction
For most organizations, reliance on information and the systems that process, trans-
port, and store it, has become absolute. In many organizations, information is the
business. Actionable information is the basis of knowledge and as Peter Drucker
stated over a decade ago, Knowledge is fast becoming the sole factor of productiv-
ity, sidelining both capital and labor.*
This notion is buttressed by recent studies showing that over 90% of organiza-
tions that lose their information assets do not survive. Research also shows that cur-
rently, information assets and other intangibles comprise more than 80% of the val-
ue of the typical organization.
Yet, even as this realization has belatedly started to reach executive management
and the boardroom in recent years, organizations are plagued by evermore spectac-
ular security failures and losses continue to mount. This is despite a dramatic a rise
in overall spending on a variety of security- or assurance-related functions and na-
tional governments imposing a host of increasingly restrictive regulations.
This host of new security-related regulations has in turn led to a proliferation of
the number and types of assurance functions. Until recently, for example, priva-
cy officers were unheard of, as were compliance officers. Now, they and others,
such as the Chief Information Security Officer, are commonplace. It should be not-
ed that all assurance functions are an aspect of what is arbitrarily labeled security
and, indeed, what is called security is invariably an assurance function. In turn,
both are elements of risk management.
Not only has the diversity of assurance functions increased, the requirements
for these activities in many of an organizations other operations are now the norm.
Examples include the HIPAA privacy assurance functions generally handled by
Human Resources, or SOX disclosure compliance as a purview of Finance.
For many larger organizations, a list of assurance-related functions might include:
Risk management
BCP/DR
Project office
Legal
*Drucker, Peter; Management Challenges for the 21st Century, Harpers Business, 1993.
xiv Introduction
Compliance
CIO
CISO
IT security
CSO
CTO
Insurance
Training/awareness
Quality control/assurance
Audit
HR
Privacy
Introduction xv
tus and remain merely a concept in the typically fragmented multitude of assur-
ance- and security-related stovepipes. Allocation of security resources is likely to
remain haphazard and unrelated to risks and impacts as well as to cost-effective-
ness. Breaches and losses will continue to grow and regulatory compliance will be
more costly to address. It is clear that senior management will increasingly be seen
as responsible and legally liable for failing the requirements of due care and dili-
gence. Customers will demand greater care and, failing to get it, will vote with their
feet, and the correlation between security, customer satisfaction, and business suc-
cess will become increasingly obvious and reflected in share value.
Against this backdrop, this book provides a practical basis and the tools for de-
veloping a business case for information security (or assurance) governance, devel-
oping and implementing a strategy to increasingly integrate assurance functions
over time, improving security, lowering costs, reducing losses, and helping to en-
sure the preservation of the organization and its ability to operate.
Chapters 1 through 6 provide the background, rationale, and basis for developing
governance. Chapters 7 through 14 provide the tools and an approach to developing
a governance implementation strategy.
Developing a strategy for governance implementation will, at a high level, con-
sist of the following steps:
1. Define and enumerate the desired outcomes for the information security pro-
gram
2. Determine the objectives necessary to achieve those outcomes
3. Describe the attributes and characteristics of the desired state of security
4. Describe the attributes and characteristics of the current state of security
5. Perform a comprehensive gap analysis of the requirements to move from the
current state to the desired state of security
6. Determine available resources and constraints
7. Develop a strategy and roadmap to address the gaps, using available re-
sources within existing constraints
8. Develop control objectives and controls in support of strategy
9. Create metrics and monitoring processes to:
Measure progress and guide implementation
Provide management and operational information for decision support