EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 35, 2007 - Issue 5
Original Articles

Characteristics of Effective Security Governance¹

Pages 1-17 | Published online: 22 May 2007
 

Abstract

Notes

1. Much of the content in this article is excerpted and updated from previously published work [Allen 05, Allen 06a, Allen 06b, Allen 06c].

2. This article does not specifically address the security or protection of physical assets such as facilities, equipment, and information in physical form, although many of the guidelines are applicable for these types of assets.

3. See also [Allen 05] and “Security Is Not Just a Technical Issue” [Allen 06b].

4. Some organizations have both a CSO and CISO, with a separation of duties between facilities and personnel security, and information/IT security. As organizations realize, however, that the security of their physical facilities, processes, and personnel is impacted by IT systems and devices, and vice versa, they are integrating the CISO and CSO responsibilities into either a consolidated CSO position or into the Chief Risk Officer (CRO) role [ITCI 06]. This guide uses the term CSO, but this role is intended to encompass the CISO and could be replaced by the CRO. Alternatively, if an organization has both a CSO and CRO, they both participate in the development and sustainment of the ESP, with the CSO taking the lead in implementing the security requirements of the risk management plan, with oversight by the CRO.

5. This builds on and modifies a similar presentation found in an article by Harris [Harris 06].

6. Zero tolerance means that systems are regularly monitored for unauthorized changes. If discovered, such changes are immediately investigated or backed out of operational configurations and a post mortem review is performed to ensure this does not recur. Refer to “Prioritizing IT Controls for Effective, Measurable Security” [Kim 06].
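Note 6 defines the control but not what the monitoring consists of. The following Python sketch is an added example, not code from the article or its authors: it baselines a set of configuration files by hash, folds in changes that were recorded through change control, reports only the unapproved drift, and backs that drift out to the approved content. The file paths, file contents and the change-control record are constructed for illustration and held in memory so the example runs offline.

```python
# Added example (not from the article): an integrity check behind the
# "zero tolerance" definition in note 6. Files are held in memory as a
# dict of path -> bytes; all paths, contents and the approved-change
# record below are constructed for illustration.
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 of a file's bytes, used as the comparison key."""
    return hashlib.sha256(content).hexdigest()


def take_baseline(files: dict) -> dict:
    """Record the approved state as path -> digest."""
    return {path: digest(content) for path, content in files.items()}


def detect_unauthorized(baseline: dict, current: dict, approved_updates: dict) -> dict:
    """Compare the live file set against the baseline.

    approved_updates maps path -> expected digest (None for an approved
    deletion) for changes that went through change control. They are
    folded into the baseline first, so only unapproved drift is reported.
    """
    expected = dict(baseline)
    for path, expected_digest in approved_updates.items():
        if expected_digest is None:
            expected.pop(path, None)
        else:
            expected[path] = expected_digest
    live = {path: digest(content) for path, content in current.items()}
    return {
        "added": sorted(p for p in live if p not in expected),
        "removed": sorted(p for p in expected if p not in live),
        "modified": sorted(p for p in expected if p in live and live[p] != expected[p]),
    }


def back_out(approved_files: dict, current: dict, findings: dict) -> dict:
    """Revert unauthorized changes: drop added files, restore removed and
    modified ones from the approved content. Returns the corrected set."""
    restored = dict(current)
    for path in findings["added"]:
        restored.pop(path, None)
    for path in findings["removed"] + findings["modified"]:
        restored[path] = approved_files[path]
    return restored


# Constructed approved state at the time the baseline was taken.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/motd": b"Authorized use only.\n",
}
BASELINE = take_baseline(BASELINE_FILES)

# One change went through change control: a new banner in /etc/motd.
APPROVED_FILES = dict(BASELINE_FILES)
APPROVED_FILES["/etc/motd"] = b"Authorized use only. Sessions are logged.\n"
APPROVED_UPDATES = {"/etc/motd": digest(APPROVED_FILES["/etc/motd"])}

# Constructed live state: the approved banner change, plus two changes
# nobody approved (root login enabled, an extra root SSH key).
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/motd": APPROVED_FILES["/etc/motd"],
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample attacker@example\n",
}


def run_check() -> tuple:
    """Run the check once; returns (findings, restored file set)."""
    findings = detect_unauthorized(BASELINE, CURRENT_FILES, APPROVED_UPDATES)
    return findings, back_out(APPROVED_FILES, CURRENT_FILES, findings)


if __name__ == "__main__":
    findings, restored = run_check()
    for kind, paths in findings.items():
        for path in paths:
            print(f"UNAUTHORIZED {kind}: {path}")
    print("restored to approved state:", restored == APPROVED_FILES)
```

Two points the sketch makes that the note leaves implicit: the approved-change record is what distinguishes "unauthorized" from "changed", so the check is only as good as the change-control feed it consumes; and backing out is a restore from known-good content, not a reversal of the diff, which is why the approved content must be retained alongside the digests.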

7. CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

The Alliance for Enterprise Security Risk Management. “Convergence of Enterprise Security Organizations.” Booz Allen Hamilton, November 8, 2005.

Gerdes, Michael. Review comments to [Allen 05], May 2005.

International Organization for Standardization. Information technology—Security techniques—Code of practice for information security management. ISO/IEC 17799:2005(E), Second edition, June 15, 2005.

International Organization for Standardization. Information technology—Security techniques—Information security management systems—Requirements. ISO/IEC 27001:2005(E), First edition, October 15, 2005.

