By Ravi Dhungel
NIST publication (800-100) defines “Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.”
Cyber security governance is the responsibility of the board of directors and senior executives. The control of critical resources requires information security to be an intrinsic part of governance. Until recently, the focus of security has been on protecting IT systems that process and store the vast majority of information. This approach is too narrow to accomplish at the organizational level. Process assurance and overall protection is now required. This requires a good cyber security governance structure. Information security is not only a technical issue, but is also governance challenges with a myriad of risks for management and accountability.
When establishing cyber security programs, the foremost initiative is to establish a cyber security governance structure. Governance establishes policies, procedures, and processes to manage and monitor the organization. Legal, operational, and environmental requirements are understood and inform the management of the cyber security risks. We shouldn’t confuse security management with security governance. The security management is a day to day operation, whereas security governance is the oversight of security programs.
Action items for establishing cyber security governance programs requires:
● Strategic integration - To what extent is the cyber security strategy integrated with other organizational strategies and incorporated beyond the organization? How can banks leverage the value of cyber security to their customers?
● Develop policies and procedures - Organizational cyber security policies are established and communicated. Policies such as Acceptable Use Policies (AUP) and Employee Privacy Statements (EPS) are a bedrock to establish governance processes. The policies for data asset classification, as well as ownership are critical. It ensures the accountability and oversight. Incident response procedures are important on investigating cyber security incidents.
● Establish roles and accountability - Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners. The functional role of the security is different; establishing the Chief Information Security Officer (CISO) roles and security team with clear accountabilities and responsibilities are important. There are several governance stakeholders common to most organizations that span the business. These stakeholders include senior leadership, a CIO, information security personnel, and a Chief Financial Officer (CFO), among others. The specific requirements of each role may differ with the degree of information security governance centralisation and size of the organisation.
● Identify legal and regulatory requirements - The governance should identify legal and regulatory requirements regarding cyber security, including privacy and civil liberty obligations. Payment Card Industry Data Security Standard (PCIDSS) regulations is one of the industry regulations to secure customer data of digital cards.
● Establish governance and risk management process - The organisation understands the cyber security risk to organizational operations (including mission, functions, image, or reputation), organisational assets, and individuals.
● Support and review information security programs - Multi-year funding of the cyber security programs and yearly reviews are important from a governance perspective. Executive level governance structure to support this is very important. Policies, such as acceptable use policies, employee privacy statements, incident response, and communication plans should be developed. To exercise information security governance, boards and senior executives must have a clear understanding of what to expect from these programs. Governance teams should sign off on Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
● Board of directors - Cyber Security and privacy literacy is essential for the board of directors. Information security officers should be frequently invited to present on cyber security risks. Many companies have started to recruit a cyber security professional in their board of directors as the digital threats continue to rise.
Depending on organizational preferences, the assessment of cyber security governance can be done by a qualitative or quantitative process. This will help to assess the effectiveness and maturity of cyber security governance in an organization and should be an ongoing process.
Due to the high profile organizational failure in the Western world, regulators and legislators have created a complex array of laws and regulations to enforce governance, transparency, and accountability of high level executives. Nepal Rastra Bank (NRB) along with line agencies of the Government of Nepal and legislative bodies should develop directives, guidelines, and laws to address the requirement for governance structure to manage cyber security programs in financial institutions. Cyber security incidents in Nepal have provided an opportunity to engage in a broader aspect of privacy and cyber security. The current incidents should be taken as a lesson learned. Establishing governance processes are the first step towards developing resilient cyber security programs in Nepal.
(Former Major of Nepal Army, Mr. Dhungel is a global cyber security practitioner who is the Chief Information Security Officer at www.esrtech.io and can be reached at email@example.com.)