What Is Governance & CyberSecurity Governance?
While governance includes oversight, it is a broader concept. Governance refers to the structures, systems, and practices an organization has in place to:
- assign decision-making authorities, define how decisions are to be made, and establish the organization’s strategic direction;
- oversee the delivery of its services; the implementation of its policies, plans, programs, and projects; and the monitoring and mitigation of its key risks; and
- report on its performance in achieving intended results and use performance information to drive ongoing improvements and corrective actions.
A simplified governance framework is presented in Figure 1.
Figure 1 – A Simplified Governance Framework
Much has been written about what constitutes good governance, and “good practice” guides have been published in recent years by a number of organizations, including audit offices. (See, for example, the Australian National Audit Office’s 2014 Better Practice Guide Public Sector Governance: Strengthening Performance Through Good Governance.)
While this Practice Guide does not explore all aspects of governance in the public sector, it is useful to highlight the basic principles that support good governance, and therefore oversight, too.
The basic principles of good governance are accountability, leadership, integrity, stewardship, and transparency. These five principles are briefly defined in Figure 2.
Figure 2 – Principles of Good Governance
Accountability is the obligation of an individual, a group, or an organization to answer for a responsibility that has been conferred.
Leadership is setting the “tone at the top,” which plays a crucial role in encouraging an organization’s personnel to embrace good governance practices.
Integrity is acting in a way that is impartial, ethical, and in the public interest. Integrity is reflected in part through compliance with legislation, regulations, and policies, as well as through the instilling of high standards of professionalism at all levels of an organization.
Stewardship is the act of looking after resources on behalf of the public and is demonstrated by maintaining or improving an organization’s capacity to serve the public interest over time.
Transparency is achieved when decisions and actions are open, meaning that stakeholders, including the public and employees, have access to full, accurate, and clear information on public matters.
Source: Modified from Public Sector Governance: A Guide to the Principles of Good Practice, Office of the Auditor General of British Columbia.
It is also useful for auditors to have a clear understanding of the distinct roles played by both oversight bodies and management. As a general principle, the roles of an oversight body should be segregated from those of management. To illustrate this principle, Table 1 presents the usual roles of boards of directors and management in public sector agencies, boards and authorities.
Oversight bodies are expected to play their respective roles without getting involved in the organization’s day-to-day management. Members of oversight bodies should also be independent from management in order to avoid real or perceived conflicts of interest.
Table 1 – The Separate Roles of Boards of Directors and Management
Source: Adapted from B. S. Bader (2008), “Distinguishing Governance from Management,” Great Boards, Vol. VIII, No. 3.
In general, governance is the set of responsibilities and practices exercised by those responsible for an enterprise (e.g., the board and executive management in a corporation, the agency head for a Federal agency) with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. Risks and resources can be associated with different domains (e.g., information technology or IT, finance, legal and regulatory compliance, information security), and different domains require specialized expertise in order to manage risks. Thus, enterprise governance frequently is organized by domain.
Cyber security governance refers to the component of enterprise governance that addresses the enterprise’s dependence on cyberspace in the presence of adversaries. Cyber security governance thus encompasses information systems security governance; whether information systems security governance can be identified with information security governance depends upon how narrowly or broadly the enterprise construes information security. However, while aspects of information security governance may address information outside of cyberspace, the flow of information between the non-cyber and cyber realms is so prevalent that in general it is preferable for cyber security governance to encompass information security governance.
The ComplianceForge Hierarchical Cybersecurity Governance Framework™ (HCGF) takes a comprehensive view towards the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care. This framework addresses the interconnectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant.
The ComplianceForge Integrated Cybersecurity Governance Model™ (ICGM) takes a comprehensive view towards governing a cybersecurity and privacy program. Without an overarching concept of operations for the broader Governance, Risk & Compliance (GRC) / Integrated Risk Management (IRM) function, organizations will often find that their governance, risk, compliance and privacy teams are siloed in how they think and operate. These siloed functions and unclear roles often stem from a lack of a strategic understanding of how these specific functions come together to build a symbiotic working relationship between the individual teams that enables quality control over people, processes and technology.
The ICGM utilizes a Plan, Do, Check & Act (PDCA) approach, which is a logical way to design a governance structure:
- Plan. The overall GRC process begins with planning. This planning defines the policies, standards and controls for the organization. It also directly influences the tools and services that an organization purchases, since technology purchases should address needs that are defined by policies and standards.
- Do. Arguably, this is the most important section for cybersecurity and privacy practitioners. Controls are the “security glue” that make processes, applications, systems and services secure. Procedures (also referred to as control activities) are the processes by which the controls are actually implemented and performed. The Secure Controls Framework (SCF) can be an excellent starting point for a control set if your organization lacks a comprehensive set of cybersecurity and privacy controls.
- Check. In simple terms, this is situational awareness. Situational awareness is only achieved through metrics reporting and through reviewing the results of audits/assessments.
- Act. This is essentially risk management, an encompassing area that addresses two main concepts: (1) real deficiencies that currently exist and (2) possible threats to the organization.
- Policies & Standards
- Policy Lifecycle Management
- Risk Assessment
- Risk Evaluation
- Risk Monitoring
- Risk Mitigation
- Change Management
- Project Evaluation
- Architecture Review
- Configuration Management
Approach to Governance:
- Creating and promoting a positive culture
- Verifying the investment in and alignment of cybersecurity
- Mandating and assuring the cybersecurity program
- Requiring reports on the cybersecurity program
Governance Desired Outcomes:
- Strategic alignment of cybersecurity with business strategy
- Better risk management
- Better resource management
- Better performance measurement
- Improved value delivery
NACD Essential Practices (National Association of Corporate Directors, https://www.nacdonline.org)
- Place cybersecurity on the board's agenda
- Identify and support cybersecurity leaders
- Ensure the effectiveness of cybersecurity policy
- Assign cybersecurity to a key committee and support it
Cybersecurity Governance Requirements:
- Risk management methodology
- Comprehensive strategy
- Security structure
- Information-focused strategy
- Security policies
- Security standards
- Monitoring processes
- Continued evaluations and updates
CGTF Approach to Governance
- Conduct an annual cybersecurity evaluation
- Conduct a periodic risk assessment
- Implement policies and procedures
- Implement a security management structure
- Develop plans and initiate actions
- Treat cybersecurity as an integral part of SLC
- Provide cybersecurity awareness training and education to personnel
- Conduct periodic testing and evaluation
- Create a plan for remediation
- Develop incident response procedures
- Establish continuity of operations
- Use security best practices guidance
ISO/IEC 27014:2013 – Information technology – Security techniques – Governance of information security
- Establish organization-wide cybersecurity
- Adopt a risk-based approach
- Set the direction of investment decisions
- Ensure conformance with requirements
- Foster a security-positive environment
- Review performance against business outcomes
Governance processes: Evaluate – Direct – Monitor – Communicate – Assure