1.3 Security Governance Principles

The goal of any security effort is to protect your business operations, whether they are in-house or outsourced to a third-party vendor. This protection should be evaluated and improved over time. To achieve this goal, security governance is required to guarantee that security efforts align with the organization’s overall business objectives. This means security should support the mission, not block it, ensuring that countermeasures help the organization achieve its goals.

Security governance refers to the framework and practices an organization uses to evaluate, support, and direct its information security efforts.

Now, let’s walk through the frameworks and practices that you could be involved in:

Organizational processes

Security governance should address security risks related to the organizational processes of acquisitions, divestitures, and governance committees.

Acquisition

When your organization acquires another organization, your organization takes full control over the acquired organization and inherits any security risks the acquired organization faces. Those risks are generally related to:

– Security weaknesses in hardware equipment.
– Flaws in software.
– Poor design.
– Services outsourced to third parties with insufficient security guarantees.
– Contracts with suppliers that do not protect the supply chain.

If the acquiring organization does not apply the security governance principles, under which the risks are evaluated properly and clear security requirements are established before the acquisition, it will inherit the above risks. As a rule, the security requirements for the acquired organization should always meet or exceed the security of your existing infrastructure.

Divestiture

Although divestiture is the opposite of acquisition, it can still introduce risks to the selling organization. For example, if your organization does not apply the security governance principles, under which assets must be sanitized before being sold, your organization faces the risk of data leakage.

Note: sanitization here means making sure that no residual confidential data (e.g., HR records, client data) on the asset remains accessible to the other party.

Organizational roles and responsibilities

Here’s a clear breakdown of common organizational roles and responsibilities related to information security governance.

Senior Manager

The board of directors or the chief executive officer (CEO) represents senior management.

Senior management is a strategic role, responsible for approving security policies, allocating resources, ensuring compliance, promoting security awareness, overseeing incident response, and aligning security with business goals.

Even though senior managers are ultimately responsible for security, they are not the implementers of security solutions. In most cases, their responsibility is delegated to security professionals within the organization.

CISO

The Chief Information Security Officer (CISO) is a tactical role, responsible for leading the organization’s information security strategy, managing risk, ensuring compliance, and overseeing the implementation of security policies and controls. The CISO reports directly to senior management.

System Owner

The system owner is a technical and operational role, responsible for developing system security plans, maintaining those plans, ensuring training, and identifying, implementing, and assessing security controls. Simply put, a system owner is responsible for the system’s security posture throughout its lifecycle.

For general systems (e.g., email servers, databases), the IT department usually assigns a system owner from its ranks. If a system serves a specific department (e.g., HR system, payroll system), then the head of that business unit often serves as the system owner. For custom-developed or mission-critical systems, the person overseeing the system’s lifecycle (development to decommission) might assume ownership.

Note: The administrator operates and maintains the system but does not own it.

Data Owner

The data owner is a technical and operational role, responsible for defining how data should be handled, who can access it, and what security measures must be applied based on its classification and business value.

The data owner is usually a senior leader. For example, the Head of HR might own employee records, or the Chief Financial Officer (CFO) might own financial data. When the data is department-specific (e.g., marketing analytics, customer service logs), the manager of that department may serve as the data owner.

Custodian

A custodian is the individual or team responsible for the implementation, operation, and safeguarding of information systems or data as instructed by the owner, but without decision-making authority over that data or system. For example, an IT administrator managing file server access and ensuring backups are up to date is a data custodian.

Security Analyst

A security analyst continuously monitors security systems, investigates suspicious activity, and helps respond to incidents to ensure the organization remains protected from cyber threats.

Security Engineer

A security engineer is responsible for designing, building, and maintaining the technical security controls, such as firewalls and encryption, that protect an organization’s systems, networks, and data from cyber threats.

Auditor

A security auditor is responsible for reviewing and auditing security processes and systems to identify gaps, ensure compliance, and verify whether the security policy is properly implemented.

User

A user is an individual who directly interacts with and uses the organization’s systems, applications, or data to perform their daily tasks, but does not manage or secure those systems.

Security Control Frameworks

Security control frameworks are structured sets of guidelines, best practices, and requirements that organizations use to establish, implement, manage, and improve their information security programs. Popular security control frameworks are:

ISO

The International Organization for Standardization (ISO) defines standards for industrial and commercial organizations.

ISO 27001 helps organizations protect their information systematically and cost-effectively through the adoption of an Information Security Management System (ISMS). The standard specifies the requirements for implementing and maintaining an effective ISMS to safeguard against information security risks.

ISO 27002 offers best-practice guidance that supports ISO 27001 on how to select, implement, and manage information security controls based on the organization’s risk environment.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is developed by the U.S. National Institute of Standards and Technology (NIST) and provides structured guidelines to manage and reduce cybersecurity risk for organizations. It is commonly adopted by U.S. federal agencies and contractors.

COBIT

The Control Objectives for Information and Related Technologies (COBIT) framework is commonly used as an audit framework for evaluating the governance and management of enterprise IT in an organization.

SABSA

SABSA is a security architecture framework and methodology focused on business-driven, risk-based enterprise security. It helps organizations design and manage security architectures that align with business objectives, not just technical requirements.

PCI DSS

PCI DSS is a security standard developed to protect cardholder data and reduce credit card fraud. It applies to any organization that stores, processes, or transmits payment card information (Visa, MasterCard, AMEX, etc.).

FedRAMP

Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to ensure that cloud services used by U.S. federal agencies meet consistent, government-approved security requirements.

Due Care/Due Diligence

Due Care is taking reasonable and expected actions to prevent harm or minimize risk. It’s about acting responsibly once you’re aware of a risk. For example, if you know that sensitive data is stored on laptops, due care is encrypting those laptops and training employees on secure usage.

Due Diligence is taking thorough and proactive steps to identify and understand risks before making decisions. It’s about research and planning before acting. It typically applies to evaluating risks during acquisitions, vendor selection, or the launch of new systems. For example, before selecting a third-party cloud provider, you perform due diligence by assessing their security certifications, incident history, and compliance posture.