All government organizations must adopt a governance framework that is primarily focused on how the information security activities of the organization are directed and controlled in terms of tools, personnel and business processes, so that information security is adequately managed and applied to the organization's information assets in support of its objectives. Governance can be exercised by establishing an information security organizational structure and steering committees, developing Information Security Action Plans and allotting the necessary funding for Information Security activities, defining the roles and responsibilities of the IT Security team together with its reporting lines, setting performance measurement indicators and establishing a range of IT/business committees.
Guidelines For Implementing The Governance Framework
Achieving better governance starts with the business, and more specifically with understanding its strategy and goals. IT Security should be involved early in the business strategy definition process. Each IT Security goal set out in the IT strategy plan should clearly support the achievement of one or more business goals. It is the responsibility of the Information Security Committee (ISC), in collaboration with the Functional Heads, to ensure that the IT security strategy is aligned with the business strategy. This could be achieved through:
After aligning the IT security goals with the business goals, it is important to implement the required set of efficient and effective IT governance and management processes: select the most critical processes based on business priorities, assign an owner to each process, develop metrics for it, and monitor its achievement against the objectives that have been set.
Effective governance is determined by the way the IT Security team is organized and by where IT security decision-making authority is located within the organization. It is crucial to establish the right management structure to ensure proper collaboration between the business and the IT security department.
This could be achieved through:
Successful implementation of governance in government organizations requires the effective use of their IT-enabled investments throughout the economic life cycle of the projects, based on the Action Plan and using project management best practices, as required through:
Whilst the CIA conducts assessments and reviews to ensure that the organization conforms with the Baseline Security Standard and other statutory regulations, the HOO is ultimately responsible for managing and governing information security activities in their respective organization. Designated representatives, including Information Security Officers, Chief Innovative Officers and all other staff, also have distinct roles to play, as specified in the Information Security Handbook. To conform to the same, it is essential that:
Address
Sri Lanka CERT,
Room 4-112, BMICH, Bauddhaloka Mawatha,
Colombo 07, Sri Lanka.
Phone
+94 11 269 1692 / +94 11 269 5749
+94 11 267 9888
Email
cert@cert.gov.lk