How to Address Enterprise-Shared Risk
Information Security Governance Framework
- As-is baselining. The as-is baselining study identifies the current state of information security for the organization. This study is designed to assess information security functions against a framework of applicable industry and compliance drivers. Additionally, it is designed to identify the strengths and weaknesses of how the organization currently addresses information security across the enterprise and includes both management and functional perspectives.
- Benchmarking. The benchmarking study provides a strong understanding of how similar organizations have addressed information security functions. This examination provides awareness of potential pitfalls and proven strategies for avoiding them. The study also identifies possible efficiencies for implementing information security functions. Key to this exercise is the identification of best practices for how to address specific information security requirements and industry drivers.
- “To-be” information security strategy. The strategy leverages the results of the benchmarking and as-is baseline studies to formally establish the information security program vision, goals and objectives. Additionally, the strategy captures the organization’s overall information security value chain and process, along with a high-level road map for implementing the program and achieving the stated program goals and objectives.
- Information security operating model. The operating model identifies and formalizes the organizational structure for the information security program. It includes the identification of all key stakeholders, a determination of what role they should play in the overall program, as well as identification of where they sit within the larger program. Additionally, this structure includes an interaction model that illustrates how and when key stakeholders communicate, as well as the key management and functional processes and how they work.
- Information security policy. The policy identifies the specific organizational roles and responsibilities that support all information security activities, and captures the accepted information risk posture for the organization.
Implementing an information security governance framework is more than just building the individual components. These components must be developed and implemented in a coordinated manner with buy-in from senior leadership across the organization. The enterprise-wide accepted risk posture and baseline should set and drive all other information security and risk management activities.