Governance

Achieving better governance starts with the business, and more specifically with understanding its strategy and goals. IT Security should be involved early in the business strategy definition process. The IT Security goals set out in the IT strategy plan should clearly support the achievement of one or more business goals. It is the responsibility of the Information Security Committee (ISC) in collaboration with the Functional Heads to ensure that the IT security strategy is aligned with the business strategy. This could be achieved through:

• Clear business goals, communicated to the entire organization
• Early involvement of IT security in business strategy process
• Align IT security goals to business goals
• Derive IT security strategy from business strategy

After aligning the IT security goals with the business goals, it is important to implement required set of efficient and effective IT governance and management processes through selecting the most critical process based on business priorities, assign process owners, develop metrics and monitor the achievement of process as per set objectives.

Effective Governance is determined by the way the IT Security team is organized and where the IT security decision-making authority is located within the organization. It is crucial to establish the right management structure to ensure there is proper collaboration between business and IT security department.

This could be achieved through:

• Head of the organization [HOO] providing leadership and spearhead initiatives to create and maintain an Information Security Culture within the organization. The responsibility for governance rests with the Head of the organization as he/she is responsible for evaluating, directing and monitoring the governance processes as per stakeholder requirements.
• Appointment of an Information Security Officer (ISO) for the organization who will serve as the principal advisor on matters relating to information security and shall develop the Information Security Objectives, Information Security Programs and action plans whilst ensuring operations comply with the statuary regulations.
• Ensuring the Chief Innovation Officer (CIO) is empowered with Information Security. If the organization does not have a capable candidate to handle the ISO function the CIO can be assigned the role of the ISO through providing adequate training in order to ensure that he/she is able to protect the organization’s information assets.
• Chief Internal Auditor (CIA) is empowered to Lead and Report on Information Security Audit Activities to auditing the implementation of information security initiatives, assessing the organization’s compliance with Baseline Security Standard (BSS), and reporting information security related findings to the Audit and Management Committee (AMC) for further remediation if any.
• Establishment of an Information Security Committee (ISC) to Oversee and Lead Information Security Activities. The ISC responsible for reviewing and approving all Information Security controls and action plans, assets classification schemes, security policies, incident response plans and disaster recovery plans developed by the ISO and shall monitor the implementation of such plans. The Committee should consist of the HOO, ISO, CIO, CIA, and key information and IT asset owners. HOO should chair the Committee.
• Establishment of a Risk Management Committee (RMC), directly reporting to the HOO which has the responsibility of overseeing the risk management of the organization with respect information and IT assets. RMC should identify and evaluate risks in relation to assets and should propose appropriate controls to ISC to take necessary actions to mitigate the risks. RMC shall include Process Owners (sectional heads), Asset Owners, and the ISO. Deputy Head of the organization shall be the chairperson of the RMC.

Successful implementation of governance in government organizations requires the effective usage of their IT enabled investments throughout the economic life cycle of the projects based on the Action Plan using best practices of project management as required through;

• Organizational objectives should be analyzed to identify dependencies on information security, and then link information security objectives to overall organizational activities.
• The IT security strategy should be an IT blueprint of the business strategy plan. The IT Security goals set out in the IT strategy plan should clearly support the achievement of one or more business goals.
• Information security strategies or action plans, programs, projects and activities should be designed in a such a way that those initiatives intrinsically linked with organizations objectives and governing principles and approved by the Head of Organization.
• Budgets are to be allotted for information security activities embedded in the action plans.

Whilst the CIA conducts assessments and reviews to ensure that the organization conforms with the Baseline Security Standard and other statuary regulations. The HOO is ultimately responsible for managing and governing information security activities in their respective organizations. However, designated representatives including Information Security Officers, Chief Innovative Officers, and all other staff have distinct roles to play as specified in the Information Security Handbook. To conform to same, it is essential that,

• Metrics shall be set and monitored to ensure successful implementation of the Baseline Security Standard considering the organization’s level of maturity thereby identifying gaps and ensuring corrective action is to be taken as required.
• To ensure that individuals adopt and execute upon their roles and responsibilities, a process of formal evaluation and regular process of review is to be implemented as part of performance management.