Organizations, both government and commercial, continue to increase in size and complexity, as well as in the way they derive value for their customers. As these organizations grow and mature, the departments and business units that comprise them increasingly rely on supporting IT systems, networks and shared infrastructure to send and receive critical information. This reliance on shared and interconnected IT infrastructure, although necessary to help drive growth and to support the achievement of the overall mission, also introduces a new concern: enterprise-shared risk.


Background

The concept of enterprise-shared risk is a concern for organizations that are relatively large and complex, or those that support a number of different business functions (i.e., value chains). These types of organizations are ultimately susceptible because they are composed of numerous departments and business units that provide differentiated services. As a result, the organization’s different business units typically support distinct value chains and, more specifically, they have very different tolerance levels for risk acceptance (i.e., risk profiles).
     
For example, one business unit’s value chain might support academic research and development aimed at public dissemination, while another business unit’s value chain might be tied to selling and managing finance and investment portfolios. Because the two business units (although under the same umbrella organization) support distinct business requirements and needs, they have very different risk profiles. The risk profile for the business unit focused on academic research is most likely to be very low, as the business unit’s end goal is to distribute and share information and academic research to the public. As a result, this business unit would not focus on information security, nor would it want to allocate significant resources to the management and implementation of supporting information security controls. On the other hand, the risk profile for the business unit focused on finance and investment portfolio management would be much higher, as it is most likely to be very concerned about the protection of the confidential and private financial information that it handles. Logically, this business unit would stress the need for strong information security, and especially the need to employ effective information security controls on the network and IT systems that process the sensitive financial information.
     
There are numerous examples of when different business units, under the same larger organization or enterprise, support very different value chains and, consequently, have different risk profiles. Although this situation is common, the majority of organizations do not realize the potential negative impact a service delivery model being supported by shared IT infrastructure can have (and continues to have) on the ability of the organization to fulfill their overall mission effectively and efficiently.
     
The potential negative impact of different business units managing unique risk profiles is illustrated when those business units leverage common IT infrastructure, or components of shared IT infrastructure. As a result, the funding, resources and energy spent by the business unit that has identified a need to manage to a higher risk profile are nullified. Through the “least-common-denominator” concept, a potential adversary levels the playing field by compromising the business unit with the lowest level of information security controls, and then traverses the network to ultimately compromise the business unit processing the targeted sensitive and confidential information. Under this scenario (illustrated in figure 1), nearly all of the efforts by the respective business units that managed to a higher risk profile (and who employ robust information security controls) are unable to stop the adversary from compromising their critical information. This scenario creates the potential for considerable cost and resource inefficiency affecting the entire enterprise.
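The “least-common-denominator” effect described above can be made concrete with a small model. The following Python script is an added example, not part of the original article: the business units, their required and implemented control levels (a constructed 1 to 5 scale) and the shared infrastructure segments are all constructed sample data. It computes, for each unit, the weakest control level reachable over shared infrastructure and flags the units whose own investment is undermined by a weaker connected unit, which is the gap an enterprise-wide baseline is meant to close.

```python
# Added example (not from the original article): modelling enterprise-shared
# risk as "effective control level = weakest level reachable over shared
# infrastructure". All units, levels and segments below are constructed.
from collections import deque

# Control levels on a constructed 1 (weakest) .. 5 (strongest) scale.
UNITS = {
    "research":   {"required": 1, "implemented": 1},
    "finance":    {"required": 5, "implemented": 5},
    "hr":         {"required": 3, "implemented": 3},
    "standalone": {"required": 4, "implemented": 4},
}

# Which units share an infrastructure segment (flat LAN, shared directory,
# shared file servers, ...). Constructed sample topology.
SHARED_SEGMENTS = {
    "campus-lan": {"research", "finance", "hr"},
    "isolated":   {"standalone"},
}


def reachable_units(start, segments):
    """All units reachable from `start` by traversing shared segments (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        unit = queue.popleft()
        for members in segments.values():
            if unit in members:
                for other in members - seen:
                    seen.add(other)
                    queue.append(other)
    return seen


def effective_control_level(unit, units, segments):
    """Least common denominator: the weakest implemented level among every
    unit that shares infrastructure with `unit` (including itself)."""
    return min(units[u]["implemented"] for u in reachable_units(unit, segments))


def shared_risk_report(units, segments):
    """Return {unit: {required, effective, gap}}. A gap > 0 means the unit's
    own controls are undermined by a weaker connected unit."""
    report = {}
    for name, profile in units.items():
        effective = effective_control_level(name, units, segments)
        report[name] = {
            "required": profile["required"],
            "effective": effective,
            "gap": max(0, profile["required"] - effective),
        }
    return report


if __name__ == "__main__":
    for name, row in shared_risk_report(UNITS, SHARED_SEGMENTS).items():
        flag = "AT RISK" if row["gap"] else "ok"
        print(f"{name:11s} required={row['required']} "
              f"effective={row['effective']} {flag}")
```

In this sample, the finance unit implements level 5 controls but shares the campus LAN with a level 1 research unit, so its effective level is 1 and it reports a gap of 4; the standalone unit on isolated infrastructure keeps its full level. Raising the enterprise baseline (the `implemented` level of the weakest connected unit) or removing the shared segment are the two levers the report exposes.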


Information Security Governance Framework

A proven approach to address enterprise-shared risk is to implement an information security governance framework that addresses the inherent business value of uniformly protecting information and information processes to a common baseline. Its key discriminator is that it focuses on the integration and coordination of information security activities across all components of an enterprise, with the goal of enabling the organization’s mission.
     
Executing an information security governance framework begins with the identification of the greatest information risks across the enterprise (with a focus on the identification of shared risks). Leveraging an “as-is” baselining assessment and an industry-specific benchmarking study (if desired), a tailored information security strategy, integrated with the overall organizational mission, can be generated for mitigating the identified risks. The resulting strategy identifies the key programmatic priorities and lays the foundation for the operational tempo of the business—all aligned under a clear policy and supported by a strong operational model. The framework enables executives and managers to make educated trade-off decisions, balancing the costs and benefits of pursuing a specific information risk posture.
     
There are five key components of a highly effective information security governance framework that every organization should address:
  1. As-is baselining. The as-is baselining study identifies the current state of information security for the organization. This study is designed to assess information security functions against a framework of applicable industry and compliance drivers. Additionally, it is designed to identify the strengths and weaknesses of how the organization currently addresses information security across the enterprise and includes both management and functional perspectives.
  2. Benchmarking. The benchmarking study provides a strong understanding of how similar organizations have addressed the same information security functions. This examination provides awareness of potential pitfalls and proven strategies for avoiding them. The study also identifies possible efficiencies for implementing information security functions. Key to this exercise is the identification of best practices for how to address specific information security requirements and industry drivers.
  3. “To-be” information security strategy. The strategy leverages the results of the benchmarking and as-is baseline studies to formally establish the information security program vision, goals and objectives. Additionally, the strategy captures the organization’s overall information security value chain and process, along with a high-level road map for implementing the program and achieving the stated program goals and objectives.
  4. Information security operating model. The operating model identifies and formalizes the organizational structure for the information security program. It includes the identification of all key stakeholders, a determination of what role they should play in the overall program, as well as identification of where they sit within the larger program. Additionally, this structure includes an interaction model that illustrates how and when key stakeholders communicate, as well as the key management and functional processes and how they work.
  5. Information security policy. The policy identifies the specific organizational roles and responsibilities that support all information security activities, and captures the accepted information risk posture for the organization.

Implementing an information security governance framework is more than just building the individual components. These components must be developed and implemented in a coordinated manner with buy-in from senior leadership across the organization. The enterprise-wide accepted risk posture and baseline should set and drive all other information security and risk management activities.



Summary

An information security governance framework is a powerful, results-oriented, strategic approach to identify and address enterprise-shared risk. By building the necessary components with an integrated framework to address the shared risks to an organization, organizations can design a program with repeatable processes that lowers risk exposure to an acceptable baseline level. For organizations concerned with proactively managing risk in an uncertain, ever-changing threat environment, implementing an information security governance framework is a must.