The Following Is A List Of Best Practices For Implementing And Managing In Information Security Governance Within An Organization. Essay Example

Type of paper: Essay

Topic: Information, Security, Information Security, Organization, Government, Management, Governance, Risk

Pages: 3

Words: 825

Published: 2020/12/09

Information Security Governance

Information Security Governance (ISG) is the part of enterprise governance that provides strategic direction, ensures that objectives are met, manages risks appropriately, monitors the success or failure of the enterprise security programme, and uses organizational resources responsibly. Information security covers all aspects of information and information handling. Information security governance is contrasted with IT security, which is concerned mainly with the security of information within the boundaries of the network infrastructure domain. Successful ISG in an organization ensures the availability, integrity, confidentiality, identification and authentication, accountability, authorization and privacy of the data and information on which the organization's reputation and security depend. Information security governance needs teamwork, with all members of staff aware of the importance of information confidentiality. The framework ensures that data and information are kept secure and accurate, and that recorded and shared information complies with all legal procedures and with a proper set of guidelines and rules (Moulton, Rolf, & Robert, 2003).
For information security governance to succeed, senior management should address the following. Policy development should set the direction for security policy creation, with input from the business. Once the policy has been approved by the organization's governing body and the related roles and responsibilities have been assigned, management should provide oversight for the development of a security and control framework consisting of procedures, practices, measures and standards. Senior management should ensure that roles, authority and responsibilities are communicated clearly and understood by all. It should also institute a process to support incident response and intrusion detection, and it should ensure that security is treated as a fundamental part of the systems development life cycle and addressed explicitly in each phase of that process.
The major goal of information security is to reduce adverse impacts on the organization to an acceptable level of risk. Information security covers all information processes, electronic and physical, regardless of whether they involve technology, people, or relationships with customers, trading partners and third parties. It guards information assets against the risk of loss, misuse, unauthorized disclosure, operational discontinuity, damage and inaccessibility. The outcomes that implementing this program delivers to the organization include:
- protection from the growing potential for legal or civil liability arising from an absence of due care or from inaccurate information;
- a framework and structure that optimize the allocation of limited security resources;
- accountability for protecting information during business-critical activities such as acquisitions and mergers, regulatory response, and business recovery;
- a firm foundation for process improvement, effective and efficient risk management, and rapid incident response in securing the organization's information;
- reduced uncertainty and increased predictability of business operations, achieved by reducing information security risks to definable and acceptable levels;
- assurance of policy compliance and of an effective information security policy in the organization;
- a level of assurance that important decisions are not made on the basis of faulty information;
- reduced operational costs through predictable outcomes, which mitigates the risk factors that can interrupt processes, and an increase in the organization's share value (ISACA, 2013).

Best practices for implementing and managing information security governance within an organization include the following:

- The organization should implement policies and procedures, based on risk assessments, to secure its information assets.
- The organization should periodically conduct risk assessments of its information assets as part of its risk management program.
- The organization should have in place a security management structure that explicitly assigns individual roles, accountability, authority and responsibilities.
- The organization should periodically test and evaluate the effectiveness of its information security policies and procedures.
- The organization should use best-practice security guidance such as ISO 17799 to measure the performance of its information security.
- The organization should develop plans and initiate actions to provide adequate information security for its facilities, networks, information and systems.
- The organization should create and execute a remedial action plan to address any deficiencies in its information security.
Information security governance (ISG) is the responsibility of senior executives and the board of directors. It must be a transparent and integral part of enterprise governance and should be aligned with the IT governance framework. Senior executives are responsible for considering and responding to the concerns and sensitivities raised by information security, while the board of directors is expected to make information security a fundamental part of governance, integrated with the processes already in place for governing the organization's other fundamental resources. Senior management should address the following (Brotby, 2006):
- Strategic alignment of information security with business strategies, so that it supports the organization's objectives.
- Risk management, by executing appropriate measures to manage and mitigate risks and to reduce the potential impact on information resources to an acceptable level.
- Resource management, by using information security knowledge and infrastructure effectively and efficiently.
- Performance measurement, by monitoring, measuring and reporting information security governance metrics to ensure that the organization achieves its objectives.
- Value delivery, by optimizing information security investments in support of the organization's objectives.

References

Brotby, K. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd ed.). IT Governance Institute, USA.
Moulton, Rolf, & Robert C. (2003). Applying Information Security Governance. Computers and Security. Elsevier Ltd., UK.
ISACA. (2013). Information Security Governance: Guidance for Information Security Managers. Accessed March 5, 2015, from <http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Governance-Guidance-for-Information-Security-Managers.aspx>
