According to the National Institute of Standards and Technology (NIST), Information Security Governance involves establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Information Security Governance, essentially, encompasses good risk management, robust reporting controls, comprehensive testing and training, and steadfast corporate accountability. It provides strategic direction for cybersecurity activities and ensures that the cybersecurity objectives laid out by an organization are achieved.

A good Information Security Governance process can transform an organization and bring one or more of the following cybersecurity dividends –

• Structured, focused, and prioritized allocation of time, money, and efforts.
• Better compliance with the organization’s information security policies.
• Better predictability and lesser uncertainty.
• Better decision-making that is structure-based than opinion-based.
• More ammunition in terms of due diligence performed by the organization leads to a better stand when faced with legal consequences.
• Clear accountability and better information protection.

To aid the implementation of good Information Security Governance, a strong foundational framework is essential. Such a framework should support and seamlessly interweave with business objectives. A cybersecurity framework arms organizations with the ability to protect themselves from evolving cyber threats. A good cybersecurity framework’s primary focus includes:

• Familiarize and harmonize cybersecurity approaches and provide a common language.
• Establish the optimum level of cybersecurity tailored to the organization’s specific environment and needs.
• Allocate a sufficient cybersecurity budget towards the implementation of the framework.
• Effectively impart knowledge of cyber risks to top management.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is an internationally recognized policy framework that provides a strong foundation atop which good Information Security Governance can be built. It helps organizations improve their ability to prevent, detect, and respond to cyberattacks.

The NIST Cybersecurity Framework’s core structure includes:

• Identify
• Protect
• Detect
• Respond
• Recover

Identify

As part of the Identify Function, an organization should aim to understand the business context that it operates in. What are the most critical functions of the organization? What are the resources that are absolutely critical for the proper functioning of each of these areas? What are the cybersecurity risks that pose threats to these critical functions and their seamless operation? With these questions asked, an organization develops an understanding of how it can effectively manage the specific cybersecurity risks that it faces.

Protect

As part of the Protect Function, an organization should aim to contain the impacts of threats that can materialize and harm the operation of its most critical functions. An organization can do this effectively by employing cybersecurity safeguards and protections to ensure that its critical functions can continue to deliver.

Detect

As part of the Detect Function, an organization should aim to detect adverse cybersecurity incidents in a timely manner. In order to achieve this, an organization should employ detective and monitoring controls that take into consideration threat inputs from well-known and reputable sources as well as the organization’s own custom alerts and inputs.

Respond

As part of the Respond Function, an organization should aim to contain the impacts of adverse cybersecurity incidents that have been detected by the organization. An organization should look at strengthening its cybersecurity incident response strategies and capabilities in order to achieve this.

Recover

As part of the Recover Function, an organization should aim to recover and restore the organization to normal operations after an adverse cybersecurity incident has occurred and its threat has been dealt with. An organization can achieve this by investing in its resilience capabilities and recovery planning.

Best Practices

Organizations aiming to implement good Information Security Governance can look to the following best practices for guidance –

• The organization must develop a comprehensive information security policy which must encompass all critical and necessary cybersecurity areas and critical functions across the organization. The focus of the policy documentation must be technical, physical, and administrative.
• The organization must define clear roles and responsibilities which are coordinated and aligned with internal job functions and external partners. These roles and responsibilities must then be enforced by the organization’s policies and procedures.
• Employees of the organization, including all levels of management, must be trained and made aware of their roles and responsibilities.
• The organization should treat Information Security Governance as an enterprise-wide issue that is risk-based and an inherent business requirement.
• Corporate management must be engaged, accountable, and willing to commit adequate resources to implementing good Information Security Governance.
• The organization commits to a development lifecycle that is well-planned and develops specific, measurable metrics that are tracked and reported to top management on a periodic basis. Plans, strategies, and practices must be updated, ongoing, based on performance metrics and their results.
• The organization must ensure that legal and regulatory requirements are kept in sight and incorporated at all times.