Information security may be put in place mostly at the IT level, but to work well it must go right to the top, says security expert Basie von Solms.
The visiting South African security governance specialist and president of the IFIP (International Federation of Information Processing) was speaking to a NZ Computer Society meeting earlier this month.
IT security must be initiated and controlled by the board or top management of the organisation, said the security governance specialist from the University of Johannesburg. Von Solms is currently writing a book on information security governance. He has also published a number of scholarly papers on the subject.
For security control, the results of various security measures taken – both positive and negative – must be reported up the chain to the top echelons. These are the people who are increasingly being asked to take personal responsibility for any failure to manage information assets competently, says von Solms.
If the responsibility for the security of information on computers and networks is seen as resting entirely with ICT, then “you may be doing information security management, but not [its] governance,” he says.
The security expert sees the structure of information security governance as a triangle. The three sides are: direct — the order from the boardroom to apply certain standards to information security; execute — the detailed means by which this is achieved; and control — the information flow back to the board on how well those security measures are working.
The direction is issued in high-level terms and detail is added as it moves down through the layers of management, by way of policies, standards and procedures. Execution of the procedures at an ICT level leads to output data, which then moves back up the organisational structure in the “control” step. It is then progressively summarised into high-level statements for executive consumption.
Emerging standards supply a framework for new information security policies and procedures. For example, the CobIT ICT governance framework provides 11 “detailed control objectives” within its information security process. This, in turn, is one of CobIT’s 34 high-level processes that cover the whole of ICT.
There is also ISO17799, which is evolving into ISO27002, and is a code of practice for information security. The complementary ISO27001 specifies an information security management system. But these standards, although useful, are to do with security management, and this is only part of the governance picture, says von Solms.
A number of New Zealand government agencies now use ISO17799 as a guide, even if they are not yet being formally certified against it, said representatives at the NZCS meeting. One problem is that it requires an audit function separate from the ICT staff and advises that there be a service-level agreement between them.
Local practitioners question whether NZ organisations are big enough to put this in place, but von Solms says the two functions could reside in “one person wearing two hats”.
There was also concern about the quality of security measures that external partners, who provide services to an organisation, might have in place.
However, von Solms suggests the adoption of security standards has a “ripple out” effect that influences partners. “The influence we have is to say to suppliers, for example: ‘We will let you directly access our systems and do business with us electronically, but you have to be certified to the same standard as we are.’”
An important aspect of governance structure is security awareness among users, he adds. “Awareness” campaigns are often dismissed as poor substitutes for firm rules and actions, but awareness is an important component of security governance, von Solms argues.
It is much easier to keep to standards if users are adequately informed about them. Indeed, he suggests a policy be adopted that “you don’t let people have a logon to your system unless they have been given basic information security awareness.”