Information Security Governance
S.H. von Solms and R. von Solms
S.H. von Solms
University of Johannesburg
South Africa
basievs@uj.ac.za
R. von Solms
Nelson Mandela Metropolitan University
South Africa
rossouw@nmmu.ac.za
ISBN: 978-0-387-79983-4 e-ISBN: 978-0-387-79984-1
DOI 10.1007/978-0-387-79984-1
Library of Congress Control Number: 2008931013
© Springer Science+Business Media, LLC 2009
All rights reserved. This work may not be translated or copied in whole or in part without the written
permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York,
NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in
connection with any form of information storage and retrieval, electronic adaptation, computer
software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they
are not identified as such, is not to be taken as an expression of opinion as to whether or not they are
subject to proprietary rights.
Printed on acid-free paper
springer.com
Prologue
This book is based on many years of teaching, research and consultation in the field of Information Security. Between the two of us, we have in excess of 30 years of experience in this field.

During this period, we published and presented many research papers in this field internationally. Both brothers played a significant role in Technical Committee 11 (Information Security) of IFIP, the International Federation for Information Processing, both as Working Group Chairs and as Executive Committee members of TC 11.

We have seen Information Security develop from a purely technical discipline, with responsibility stopping with the technical IT staff, to a discipline which is now internationally accepted as an integral part of good Corporate Governance, with responsibility stopping with the Board members of the company. Furthermore, we have experienced the development of the environment from a situation where there was basically no regulatory framework, to an environment where more and more legal and regulatory prescriptions are dictating the implementation and proper handling of Information Security.

All these developments have resulted in the eventual arrival of Information Security Governance, the subject of this book.

As discussed in this book, we see Information Security Governance as the complete environment created and managed to ensure the confidentiality, integrity and availability of the company’s information. This includes everybody, from the Chairperson of the Board to every end-user.

Again, based on our experience, we know that this book will add value over a wide spectrum of potential users – from Board members who can evaluate their responsibilities in Chapters 1, 2 and 3, to Information Security Managers, IT Managers and CIOs who can use some of the specific guidelines provided to create a proper Information Security Governance environment.
The book will also be very useful as a textbook at both undergraduate and postgraduate level, in both Science and Business courses. We trust that you will find this book very useful.

Both of us also give all the glory to our Lord and Saviour, Jesus Christ, who made all this possible, and who still guides our daily activities.
Johannesburg S.H. (Basie) von Solms
Port Elizabeth Rossouw von Solms
May 2008
Abstract
In any company, information has become the lifeblood of the company. In most such companies, if not all, this information is captured, stored, processed and transmitted using IT systems. These systems are continuously exposed to a wide range of threats, which can result in huge risks, eventually compromising the confidentiality, integrity and availability of such information.

The big challenge today is to ensure that a company’s electronic information is protected against possible risks which can arise against this information. A wide range of legal and regulatory prescriptions make this challenge even greater.

Information Security is the discipline used to ensure such protection, and Information Security Governance is the complete environment existing in a company to ensure this protection.

Information Security Governance involves all stakeholders in a company, from the Chairman of the Board to the youngest departmental secretary.

This book introduces the concept of Information Security Governance in a non-technical, but very usable way.
The first three chapters position Information Security Governance in relation to Corporate Governance and Information Technology Governance, and clearly identify accountability roles. They clearly indicate that Information Security Governance is an integral part of good Corporate Governance, and that the buck for Information Security Governance stops with the Board of the company.
In Chapter 4 a model for Information Security Governance is introduced, based on international best practices. These best practices, COBIT and ISO 27002, and their role in Information Security Governance, are discussed in detail in Chapter 5.

Chapters 6, 7, 8, 9 and 10 discuss each of the components of the model, introduced in Chapter 4, in detail. These components are:

The Information Security Policy Architecture
Compliance and Control in Information Security Governance
Risk Management in Information Security Governance
Organizing the Information Security function in a company
Information Security Awareness.
The last chapter, Chapter 11, provides a methodology, based on the full content of the book, to establish a sound Information Security Governance Program in a company.

This book should be very useful for Board members, Executive Management, Business System Owners, CIOs, IT Managers, Information Security Managers, Risk Managers and everyone involved with information security programs in a company.
Contents
1 An Introduction to Corporate Governance . . . . . . . . . . . . . . . . . . . . . 1
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Corporate Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.3 What is Corporate Governance? . . . . . . . . . . . . . . . . . . . . . . . 1
1.4 Who are the Players in Corporate Governance? . . . . . . . . . . . 2
1.5 The Dynamic Nature of Corporate Governance . . . . . . . . . . . 3
1.6 International Best Practices for Corporate Governance . . . . . 4
1.7 Corporate Governance and Risk Management . . . . . . . . . . . . 4
1.8 The Components of Corporate Governance . . . . . . . . . . . . . . 6
1.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Information Technology Governance . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 What is IT Governance?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 IT Governance and Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4 A Best Practice Guideline for IT Governance . . . . . . . . . . . . . 11
2.4.1 The Structure of COBIT . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4.2 The Use of COBIT in a Company. . . . . . . . . . . . . . . . . 12
2.4.3 The 34 High-Level Processes of COBIT . . . . . . . . . . . . 13
2.5 The Components of IT Governance . . . . . . . . . . . . . . . . . . . . 14
2.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3 Information Security and Information Security Governance . . . . . . . 17
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2 Information Security as a Multi-Dimensional Discipline . . . . 17
3.3 The Multi-Dimensional Character of Information Security . . 18
3.3.1 The (Corporate) Governance Dimension . . . . . . . . . . . 18
3.3.2 The Risk Management Dimension . . . . . . . . . . . . . . . . 19
3.3.3 The Organizational Dimension . . . . . . . . . . . . . . . . . . . 19
3.3.4 The Policy Dimension . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3.5 The Best Practice Dimension. . . . . . . . . . . . . . . . . . . . . 20
3.3.6 The Certification Dimension. . . . . . . . . . . . . . . . . . . . . 20
3.3.7 The Ethical Dimension . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.3.8 The Legal/Regulatory Dimension . . . . . . . . . . . . . . . . . 21
3.3.9 The Insurance Dimension . . . . . . . . . . . . . . . . . . . . . . . 21
3.3.10 The Awareness Dimension . . . . . . . . . . . . . . . . . . . . . 21
3.3.11 The Measurement/Monitoring/Metrics Dimension . . 21
3.3.12 The Management Dimension . . . . . . . . . . . . . . . . . . . 22
3.3.13 The IT Forensics Dimension . . . . . . . . . . . . . . . . . . . . 22
3.3.14 The Technical Dimension . . . . . . . . . . . . . . . . . . . . . . 23
3.4 The Interdependency of the Different Dimensions of Information Security . . . . . 23
3.5 What is Information Security Governance?. . . . . . . . . . . . . . . 24
3.6 Information Security Management and Information Security Governance . . . . . 25
3.7 Best Practices for Information Security Governance. . . . . . . . 26
3.8 Positioning Information Security Governance in Relation to Information Technology and Corporate Governance . . . . . 26
3.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4 Introducing the Information Security Governance Model. . . . . . . . . . 29
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2 The Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.3 A Diagrammatic Representation of the Model for Information Security Governance . . . . . 31
4.3.1 The Core Part of the Model . . . . . . . . . . . . . . . . . . . . . 31
4.3.2 The Expanded Part of the Model . . . . . . . . . . . . . . . . . 32
4.4 The Core Part of the Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.4.1 The Core Principles of the Model . . . . . . . . . . . . . . . . . 33
4.4.2 The Direct and Control Principle in More Detail. . . . . 34
4.5 Revisiting Information Security Governance (ISG) and Information Security Management (ISM) . . . . . 37
4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5 The Use of Best Practice Standards and Guidelines in Information Security Governance . . . . . 39
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.2 What is an International Best Practice (Code of Practice) for Information Security Governance? . . . . . 40
5.3 Using COBIT as a Framework for Information Security Governance . . . . . 41
5.4 COBIT and Information Security . . . . . . . . . . . . . . . . . . . . . . 41
5.4.1 Control Objective DS 5.4 User Account Management. 41
5.4.2 DS 5.6 Security Incident Handling . . . . . . . . . . . . . . . . 42
5.4.3 DS 5.9 Malicious Software Prevention, Detection and Correction . . . . . 42
5.5 Other Information Security-Related COBIT High-Level Processes . . . . . 43
5.6 ISO 27002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.7 The Background of ISO 27002. . . . . . . . . . . . . . . . . . . . . . . . . 44
5.8 More About ISO 27002 and ISO 27001 . . . . . . . . . . . . . . . . . . 45
5.9 The Use of ISO 27002 in a Company. . . . . . . . . . . . . . . . . . . . 45
5.10 ISO 27002 and Risk Management . . . . . . . . . . . . . . . . . . . . . 46
5.11 The Use of ISO 27001 in a Company. . . . . . . . . . . . . . . . . . . 47
5.12 The Structure of ISO 27002 . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.13 ISO 27002 and COBIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.14 A More Detailed Look at ISO 27002 . . . . . . . . . . . . . . . . . . . 49
5.14.1 The Clause Structure of ISO 27002 . . . . . . . . . . . . . . . 49
5.14.2 Some Sub-Clauses in More Detail. . . . . . . . . . . . . . . . 56
5.15 The Certification Process Against ISO 27001 . . . . . . . . . . . . 58
5.15.1 General Requirements of the ISMS . . . . . . . . . . . . . . 58
5.15.2 Establishing and Managing the ISMS. . . . . . . . . . . . . 59
5.16 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6 The Direct Part of the Model – An Information Security Policy Architecture . . . . . 61
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.2 ISO 27002 on Policy Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.3 COBIT on Policy Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.4 Information Security Governance-Related Documents Produced in the Direct Part of the Direct/Control Cycle . . . . . 62
6.4.1 The Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.4.2 The Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.4.3 The Board Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.4.4 The Corporate Information Security Policy (CISP) . . . 64
6.4.5 The Information Security Sub-Policies . . . . . . . . . . . . . 67
6.4.6 The Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
7 The Control Part of the Model – An Information Security Compliance Management Environment . . . . . 73
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
7.2 ISO 27002 on Compliance Aspects . . . . . . . . . . . . . . . . . . . . . 73
7.3 COBIT on Compliance Aspects . . . . . . . . . . . . . . . . . . . . . . . . 74
7.4 Compliance Enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
7.5 The Traditional Approach to Control and Compliance Monitoring . . . . . 74
7.6 The Compliance Management Clause . . . . . . . . . . . . . . . . . . . 75
7.6.1 Compliance Clause for the Board Directive . . . . . . . . . 75
7.6.2 Compliance Clauses for the Corporate Information Security Policy . . . . . 76
7.7 Notes on the Idea of Compliance Clauses . . . . . . . . . . . . . . . . 77
7.8 An Example of an Information Security Compliance Management System . . . . . 78
7.8.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
7.8.2 The System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7.8.3 The Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
7.8.4 Reporting to Executive Management . . . . . . . . . . . . . . 84
7.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
8 IT Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
8.2 The History and Essence of Risk . . . . . . . . . . . . . . . . . . . . . . . 87
8.3 Risk Management and ISO 27002 . . . . . . . . . . . . . . . . . . . . . . 88
8.4 Risk Management and COBIT . . . . . . . . . . . . . . . . . . . . . . . . 88
8.5 Risk Management and Governance. . . . . . . . . . . . . . . . . . . . . 89
8.6 Definitions, Terminology and Relationships . . . . . . . . . . . . . . 90
8.7 Processes that Constitute Risk Management . . . . . . . . . . . . . . 93
8.8 Risk Analysis, Estimation and Treatment . . . . . . . . . . . . . . . . 94
8.8.1 Risk Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
8.8.2 Risk Estimation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
8.8.3 Risk Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
8.9 Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
8.10 IT Risk and the Management Levels . . . . . . . . . . . . . . . . . . . 98
8.10.1 Strategic Management Level . . . . . . . . . . . . . . . . . . . . 98
8.10.2 Tactical Management Level . . . . . . . . . . . . . . . . . . . . 99
8.10.3 Operational Management Level . . . . . . . . . . . . . . . . . 100
8.11 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
9 Organizing the Information Security Function . . . . . . . . . . . . . . . . . . 101
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
9.2 ISO 27002 on Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
9.3 COBIT on Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
9.4 Compliance and Operational Management of Information Security . . . . . 102
9.5 Information Security Operational Management . . . . . . . . . . . 104
9.6 Information Security Compliance Management . . . . . . . . . . . 105
9.7 Compliance Management versus Operational Management . . 106
9.8 The Information Security Operational Management Function 106
9.9 The Information Security Compliance Management Function . . . . . 107
9.10 An Example of the Compliance Management Function . . . . 108
9.11 The Information Security Compliance Management Function 109
9.12 Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
9.13 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
10 Information Security Education, Training and Awareness . . . . . . . . . 113
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
10.2 Management Components of Information Protection. . . . . . 114
10.3 Target Audiences for Security Education, Training and Awareness . . . . . 115
10.4 Information Security Education, Training and Awareness (SETA) . . . . . 116
10.5 The Conscious Competence Learning Model . . . . . . . . . . . . 117
10.6 Approaches used in Information Security Awareness . . . . . . 118
10.7 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
11 A Methodology for Establishing an Information Security Governance Environment . . . . . 127
11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
11.2 The Steps in the Methodology . . . . . . . . . . . . . . . . . . . . . . . . 127
11.3 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131