My research, together with the practical experience I have gained as chief security officer, security advisor and IT auditor, has shown a mutual connection between the security of operations and corporate governance. Security and audit methodologies propose sub goals that contribute to the fulfillment of the strategic goals of the company. In every area of corporate operations these sub goals can easily be translated into practical, understandable tasks that can be assigned to the staff working in those areas. Reasonably chosen security measures can even support the market success of the company, while, on the other hand, strategic goals can be used to justify objectives that were originally security-related.
Conversely, governance goals can support security. For management to understand and accept the benefits of the security goals, the relation of these goals to the success of the company has to be demonstrated. This idea came from my everyday practice: how could I obtain a budget for building a secure network in a bank?
The content of this article is part of my keynote lecture presented at the (ISC)2 SecureCEEBudapest Conference (Hungary, 21 April 2015), where the following topics were addressed:
- a way towards establishing an interconnection between governance and security
- the main attributes of my methodology
- a useful definition for a measurable and predictable
  - operational security and
  - information security
- risk management support
- the excellence criteria – criteria of excellent governance
- the problem of inducing management's involvement
- examples for applying the excellence criteria and the pillars
A way towards establishing an interconnection between governance and security
To establish such a methodology, I first had to define operational security with clear connections to strategy and with methodological help in realizing the strategic goals.
To establish an interconnection between governance and security, top management must take responsibility for identifying the strategic goals, for providing for their fulfillment, and for making it the mission of every employee to serve these goals.
The details of the solution: to find the conditions of the strategic goals or, at least, to let everybody on the staff find lower level sub goals at her or his own level and, for each of these goals, the activities necessary for its fulfillment: preventive activities, detective activities and corrective measures.
The main attributes of my methodology
What are the main issues of my methodology?
It defines useful, measurable and predictable notions of operational security and information security.
It helps the staff find sub goals that serve the strategy and the operational objectives.
I call my proposed goals excellence criteria. These, with different weights, can be necessary conditions of the strategic goals; sufficiency, of course, cannot be claimed.
To identify objectives, and the measures that contribute to their fulfillment, we need aspects (viewpoints) and ways of classifying them, so that we can compare their importance to each other. Such aspects are my so-called pillars of operation: organization, regulation and technology.
One of my most important tools is an asset- and effort-related risk definition, which can be used to compare the significance of different problems.
A useful definition for a measurable and predictable operational security and information security
My proposed definition of a measurable and predictable operational security is: an organizational, regulatory and technical system, established in a company by identifying strategy-related operational objectives and the operational activities that contribute to the fulfillment of these objectives, which satisfies at least some of the excellence criteria, according to the priorities of top management or of their delegates in the business areas, in a predictable, measurable and scalable way.
Usually these criteria cannot all be fulfilled at the same time, or at least not to the same extent. Top management, or its delegates in the business areas, have to determine which criterion is more and which is less important in fulfilling a strategic goal or a business-related sub goal. Top management also has to evaluate which business is more important in a given situation, and this "weight" can then be taken into consideration when the systems analyst, information security expert or other coordinator describes the result.
Information security has to be derived from operational security. Thus the information system of a company can be considered secure if it supports operational security in a measurable and predictable way.
It should be noted that it follows from the above that the priority of the individual systems, and in turn that of their components, depends on the strategic priority of the operational process they support. Operational processes can be either business processes or supporting processes such as HR, security, finance, etc.
Risk management support
This approach to operational security needs a goal-related risk definition. The goal can be a strategic-level goal, or a sub goal that contributes to the fulfillment of a strategic goal. The other novelty of my risk notion is that the asset that plays a role in fulfilling this goal is also shown explicitly. Thus my risk is a value assigned to a pair of a corporate asset and an operational objective, i.e. a goal of the operations of the company.
This risk is directly proportional to:
- the strategic / business importance of this asset in achieving this operational objective, this goal; this importance is the so-called "distance" of the asset from the goal,
- the probability of the occurrence of an event threatening the business use of this asset, and
- the vulnerability of this asset.
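As an added illustration of the risk notion above (example code, not part of the original lecture), the following Python assigns a risk value to each (asset, goal) pair as the product of the three factors named, scales it by the weight top management gives to the goal, and ranks the pairs and the assets. All asset names, goals and factor values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AssetGoalPair:
    asset: str
    goal: str
    importance: float     # strategic / business importance of the asset for this goal (the "distance"), 0..1
    probability: float    # probability of an event threatening the asset's business use, 0..1
    vulnerability: float  # vulnerability of the asset, 0..1

def pair_risk(p: AssetGoalPair) -> float:
    """Risk of one (asset, goal) pair: proportional to importance, probability and vulnerability."""
    for value in (p.importance, p.probability, p.vulnerability):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {value} out of range [0, 1] for {p.asset!r}/{p.goal!r}")
    return p.importance * p.probability * p.vulnerability

def weighted_risks(pairs, goal_weights):
    """Scale each pair's risk by the weight top management assigned to its goal; a missing weight is an error."""
    result = {}
    for p in pairs:
        if p.goal not in goal_weights:
            raise KeyError(f"no management weight set for goal {p.goal!r}")
        result[(p.asset, p.goal)] = goal_weights[p.goal] * pair_risk(p)
    return result

def rank_pairs(pairs, goal_weights):
    """(asset, goal) pairs ordered from highest to lowest weighted risk."""
    return sorted(weighted_risks(pairs, goal_weights).items(), key=lambda kv: kv[1], reverse=True)

def asset_totals(pairs, goal_weights):
    """Sum the weighted risk of each asset over every goal it serves."""
    totals = {}
    for (asset, _goal), risk in weighted_risks(pairs, goal_weights).items():
        totals[asset] = totals.get(asset, 0.0) + risk
    return totals

# Constructed sample data (not from the lecture): a bank with two goals weighted by top management.
SAMPLE_PAIRS = [
    AssetGoalPair("core banking database", "reliable online banking", 0.9, 0.3, 0.5),
    AssetGoalPair("core banking database", "regulatory compliance", 0.8, 0.3, 0.5),
    AssetGoalPair("branch Wi-Fi", "reliable online banking", 0.2, 0.6, 0.8),
    AssetGoalPair("HR records", "regulatory compliance", 0.7, 0.2, 0.4),
]
SAMPLE_GOAL_WEIGHTS = {"reliable online banking": 1.0, "regulatory compliance": 0.6}

if __name__ == "__main__":
    for (asset, goal), risk in rank_pairs(SAMPLE_PAIRS, SAMPLE_GOAL_WEIGHTS):
        print(f"{risk:.3f}  {asset} / {goal}")
```

The per-asset totals show where an asset serves several goals at once, which is the comparison the definition is meant to support.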
The excellence criteria – criteria of excellent governance
Criteria of excellent governance can be classified in many ways. One possibility is to divide them into two groups: operational excellence criteria and asset handling excellence criteria.
The benefit of both groups is that if we approach the strategic goals through these criteria, we obtain "ground level", practical goals and activities.
Operational excellence criteria are:
- effectiveness,
- efficiency,
- compliance,
- reliability,
- risk management excellence,
- adequate functionality,
- order.
Asset handling excellence criteria are:
- confidentiality,
- integrity,
- availability.
Criteria of excellent governance – operational excellence
An operational activity is effective if its result(s) comply with the pre-planned requirements that have been accepted by every relevant party.
An operational activity is efficient if it is performed in a pre-planned, documented and cost-effective way, with respect to the optimal use of human and material resources and to the way of problem solving.
A company operates in a compliant way, or, shortly, the operations of a company comply with the compliance criterion, if they comply, in a documented way, with every requirement of those authorities that are entitled to regulate any aspect of the company's activities.
The operations of a company are reliable if they are organized in such a way that they provide the preliminarily agreed service(s) in a manner that supports the work of the staff according to best professional practice.
Risk management excellence is the strategy-driven management of risks that are related to
- a given goal,
- an asset that is able to serve this goal,
- the effort that the staff of the company has to exert in relation to this asset in order to contribute to the achievement of this goal.
The importance of the individual excellence criteria with respect to each other should always be evaluated by top management or the business delegates. Taking the strategy of the company into consideration, they have to decide which criterion is more important in the given situation.
The distance of an asset from a goal has already been mentioned; the same notion can be used here too. Evaluating goals, assets and other factors according to their strategic importance means that the responsible officials of the company have to take into consideration the distance of these factors from each other, or from other factors, as the situation demands.
The functionality of the information system of a company is adequate if it serves the staff in such a way that they can fulfill their job requirements in the best possible way.
Order is, by definition, adequate if top management takes responsibility for the well-being of the institution:
- for determining a strategy that contributes to market success as well as possible, and
- for its continuous maintenance.
In order to fulfill the strategic goals, lower level goals have to be identified; "order" can be such a goal. Examples of useful sub goals of order:
- regulatory sub goals, e.g. documentation, business continuity management planning, dynamic inventory, change and release management, procedural guidelines;
- organizational sub goals, e.g. education, separation of duties (meaning job / role descriptions);
- technical sub goals;
- organizational + regulatory sub goals, e.g. organized operational processes, such as organized application development at the IT department, documentation throughout the lifecycle of every product, a planned test process.
Criteria of excellent governance – asset handling excellence criteria
Confidential asset handling means that those, and only those, employees have access to an asset who have a given task to do with it.
The integrity of an asset is preserved if its handling or processing does not change it inadvertently.
Availability of an asset means that if it has a role in a given matter, then it is available to every employee who is competent in that matter, in a planned, predictable and documented way, according to the preliminary agreements on its accessibility, which have to cover every qualitative and quantitative prescription relevant to the matter.