Executive Summary
IT Governance is difficult for most organizations to initiate and maintain as an ongoing process, particularly for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make implementation an elusive goal for many. Since Governance is by definition strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats. The author proposes a modified process for responding to threats whose mitigation requires funds exceeding the annual IT security budget. I call this micro Governance.
Definitions of IT Governance
IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and
their performance and risk management. Various bodies of authority on the subject publish similar definitions of IT
Governance, each with its own emphasis of intent. Four prominent authorities define IT governance on their web
sites as follows:
- ISACA: ...provide the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives.
- ITGI: ...an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
- Forrester: ...The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
- MIT Sloan School of Management: IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.
The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO. In a more
granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically, Scope,
Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for
good corporate governance of IT:
- Responsibility
- Strategy
- Acquisition
- Performance
- Conformance
- Human behavior
Significance of IT Security Governance for Compliance
Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and
confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation
notices from third party auditors for COBIT.
Examples of well known regulatory frameworks and compliance standards are:
- Financial - SOX, Bill 109, Basel II, PCI, SAS 70
- Electrical Infrastructure for North America - NERC CIP
- Privacy - PIPEDA, Red Flag, GLB
- Industry Best Practices - COBIT, ITIL
Insufficient IT Governance Impedes the Security Team
In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues. Insufficient IT Governance:
- Slows decision making.
- Inhibits communication of risk and associated potential financial loss between the IT Security team and executive management.
- Inhibits attaining unplanned, sufficient IT security funding.
Barriers to implementing IT Governance
Well known barriers to attaining IT governance are:
- The all-encompassing scope of any Governance is a daunting challenge to face.
- Expensive.
- Time consuming.
- IT security risk can be very difficult to quantify.
- The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
- A false sense of security makes cost justifying security budgets difficult.
- A Governance committee may get bogged down by confusion between the content of compliance frameworks and the organization's own compliance objectives.
- Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
- Maintaining longevity of the IT Governance process.
IT Security micro Governance as a Practical Alternative
A simplified alternative that avoids the barriers mentioned above is a bite-sized micro process which provides the following value to a corporate entity:
- Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
- Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
- Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
- Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
- Minimizes decision time and frustration levels by identifying bite sized issues.
Steps to Implement IT Micro Governance
- IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
- Estimate the ROI or potential cost avoidance by mitigating the risk(s).
- Formally create a micro-Governance process to address the risk(s).
- Engage a third party advisor to expedite the process.
- Create a virtual (temporary) team to manage each risk management process.
- Assign other management and employees as appropriate to the virtual team.
- Identify a timeline to complete the project.
- Identify a mechanism to test the degree of success of the mitigation.
- Identify a timeline to report the degree of success back to the IT Governance Committee.
- Assess whether ROI or cost avoidance goals were sufficiently met. *
- Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
- Integrate the process into the IT security operations / administration processes and disband the virtual team.
* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical, evidence-based method is to compare the frequency of similar threats before and after mitigation steps are implemented.
Example Situation - The Problem Statement
- A CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity of corporate information as well as to SOX compliance.
The problem has recently arisen due to several factors:
- The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
- Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
- A cost cutting reorganization has dramatically changed employees' roles and need to access various servers and applications.
- The group of recently terminated employees, which includes IT security administrators, has raised the potential threat of malicious activity from ex-employees plus a diminished capacity for the corporation to adequately administer access privileges.
- There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance for SOX.
- The problem is further obscured because the lack of any major security breach makes it appear to senior executives that there are no security threats.
- Nonexistent IT Governance means decision making about the new risk will be delayed until the next year's budget cycle.
IT micro Governance Solution
- If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
- The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident. They build a business case modeled upon the chance of a security event occurring once per year.
- The CIO estimates the first year annual cost to technically mitigate the risk at $100,000 and $50,000 annually thereafter.
- The ratio of first year mitigation cost to annual loss expectancy is $100,000 / $5,000,000, or 2%, and 1% ($50,000 / $5,000,000) thereafter.
- The Governance committee decides the return is acceptable.
- The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
- They engage a third party advisor to expedite the process, so that an aggressive date of fully tested implementation is 6 months.
- They appoint virtual team leaders to manage each risk management process. The team leaders are comprised of two members of the IT Governance committee, the CIO, three members of the IT security team, 6 business line managers, a member of HR and a member of the CFO's team. They also have external security consultants and auditors to assist with testing and evaluating the effectiveness of the new process.
- The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
- The team creates a detailed project plan to complete the project.
- The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
- The virtual team and IT Governance committee create a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
  - Evaluating the degree of success of the initial implementation.
  - A subset of the virtual team continues to monitor and report to the Governance Committee.
- The ROI or cost avoidance business model is re-evaluated in terms of:
  - Was the risk correctly estimated?
  - Is there an ongoing evaluation of the degree of risk reduction?
  - Can the new process and its budget be integrated into IT security operations / administration?
  - Can the virtual team be disbanded?
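The business case arithmetic above (cost per incident times expected incidents per year, compared against first year and recurring mitigation cost) and the before/after frequency comparison suggested as evidence of success can be carried through in a small model. The following is an added worked example, not code from the paper or its author; the dollar figures come from the fictitious example above, while the `risk_reduction` parameter, the go-live date and the list of logged access-attempt dates are constructed assumptions for illustration.

```python
"""Worked example (added here; not from the original paper) of the micro
Governance business case: annual loss expectancy (ALE), the mitigation cost
to ALE ratio used in the paper, and a before/after comparison of incident
frequency as the paper's suggested evidence that a mitigation worked.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RiskCase:
    """Inputs for one risk brought to the micro Governance committee."""
    name: str
    single_loss_expectancy: float     # estimated cost per incident (dollars)
    annual_rate_of_occurrence: float  # expected incidents per year
    first_year_cost: float            # cost to implement the mitigation
    recurring_cost: float             # cost per year to operate it thereafter

    @property
    def annual_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: expected loss per year if nothing is done."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence

    def cost_ratio(self, year: int) -> float:
        """Mitigation cost divided by ALE for a given year (year 1 = implementation)."""
        cost = self.first_year_cost if year == 1 else self.recurring_cost
        return cost / self.annual_loss_expectancy

    def cumulative_net_benefit(self, years: int, risk_reduction: float = 1.0) -> float:
        """Expected loss avoided minus mitigation spend over `years` years.

        `risk_reduction` is an assumed fraction of the ALE that the mitigation
        removes; the paper's example implicitly uses 1.0 (full avoidance).
        """
        spend = self.first_year_cost + self.recurring_cost * max(years - 1, 0)
        return self.annual_loss_expectancy * risk_reduction * years - spend


# Figures from the paper's fictitious identity management example.
IDENTITY_CASE = RiskCase(
    name="weak identity management",
    single_loss_expectancy=5_000_000,
    annual_rate_of_occurrence=1.0,
    first_year_cost=100_000,
    recurring_cost=50_000,
)


def frequency_change(event_dates, cutover, window_days):
    """Compare how often a threat was observed in equal-length windows before
    and after the mitigation went live on `cutover`.

    Returns (count_before, count_after, fractional_reduction). Because the
    windows are the same length, the reduction follows directly from counts.
    """
    window = timedelta(days=window_days)
    before = sum(1 for d in event_dates if cutover - window <= d < cutover)
    after = sum(1 for d in event_dates if cutover <= d < cutover + window)
    reduction = 1.0 - after / before if before else 0.0
    return before, after, reduction


# Constructed sample: dates on which unauthorized-access attempts against
# critical servers were logged, around an assumed go-live date of 1 July.
CUTOVER = date(2009, 7, 1)
SAMPLE_EVENTS = [
    date(2009, 4, 14), date(2009, 4, 29), date(2009, 5, 3), date(2009, 5, 11),
    date(2009, 5, 19), date(2009, 5, 25), date(2009, 6, 2), date(2009, 6, 8),
    date(2009, 6, 12), date(2009, 6, 20), date(2009, 6, 26), date(2009, 6, 30),
    date(2009, 7, 20), date(2009, 8, 15), date(2009, 9, 9),
    date(2009, 3, 1),   # outside the 90-day before-window, so ignored
]


def summarize(case: RiskCase = IDENTITY_CASE) -> dict:
    """Assemble the numbers the committee reviews at each reporting checkpoint."""
    before, after, reduction = frequency_change(SAMPLE_EVENTS, CUTOVER, 90)
    return {
        "ale": case.annual_loss_expectancy,
        "year1_cost_ratio": case.cost_ratio(1),
        "later_cost_ratio": case.cost_ratio(2),
        "net_benefit_3y": case.cumulative_net_benefit(3),
        "incidents_before": before,
        "incidents_after": after,
        "observed_reduction": reduction,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:>20}: {value:,.2f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

With the paper's figures the model reproduces the 2% first year and 1% recurring cost ratios, and the constructed incident log shows 12 attempts in the 90 days before go-live against 3 in the 90 days after, a 75% observed reduction. The `risk_reduction` parameter exists so that the committee's re-evaluation step can replace the optimistic full-avoidance assumption with the reduction actually measured.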
Conclusion
Keep it simple.
Sources of Information - Governance Authorities
- ISACA (Information Systems Audit and Control Association) www.isaca.org
- ITGI (IT Governance Institute) www.itgi.org
- Gartner Group www.gartner.com
- IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
- SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
- The IT Metrics and Productivity Institute http://www.itmpi.org/default.aspx?pageid=198
- MIT Sloan School of Management http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf
About the Author
Ron Lepofsky B.A. SC. (Mech Eng), CISSP is the President of ERE Information Security and Compliance Auditors. www.ere-security.ca