Cyber security governance is the management system by which an organization directs and controls cyber security. The governance framework determines who is authorized to make which decisions and how accountability for outcomes will be established. Governance processes provide oversight to ensure that risks are adequately mitigated. A security governance program is focused on establishing and maintaining a framework that provides assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide clear assignment of responsibility, all in order to manage risk.
The objectives vary with the type of business the organization conducts, but the following are the major objectives of a governance program:
Protect the reputation of the organization and its stakeholders by maintaining a cyber-safe environment.
Protect the organization’s market share and stock price (this objective does not apply to educational and non-profit organizations, NGOs, etc.)
Ensure an effective security organizational structure, free of conflicts of interest and with sufficient authority and adequate resources
Govern security policies that address each aspect of security strategy, controls and regulation
Ensure a complete set of standards for each policy to ensure that procedures and guidelines comply with policy
Ensure risk management processes are established, maintained and monitored for proper technology risk management.
Govern the IT implementation & operations of the organization and protect its critical assets
Ensure the success or failure of the organization’s security program is properly monitored by establishing metrics and monitoring processes that confirm compliance, provide feedback on effectiveness, and provide the basis for appropriate management decisions
Govern the conduct of users and ensure technology resources are used responsibly (educational and other policies that may apply to use of technology resources, data handling, etc.)
Ensure compliance requirements are met.
Cyber Security Organization Structure
An information or cyber security organization is a structured management framework that directs, monitors and controls the implementation and operation of information/cyber security within the organization. The information/cyber security organization is the structure created by organizational leadership and includes formal organizational charts, documented policies and directives. Where the overall organizational strategy recognizes information security as an important goal, the structure will reflect this in both its design and its people. This structure clearly defines roles and responsibilities for information/cyber security within the organization, following one of several reporting models chosen according to the criticality and sensitivity of the information the organization handles. The following are good practices associated with establishing an organization structure for information/cyber security:
The Chief Information Security Officer (CISO) shall report as high in the organizational hierarchy as possible.
All information/cyber security responsibilities should be clearly defined and allocated.
Stakeholders should be assigned adequate authority to manage their information security roles effectively.
Clear segregation of duties should be maintained so that a process cannot be completed by one person alone.
The ISO should be provided with an appropriate level of management support, resources and funding to manage the implementation and operation of information/cyber security.
Chief Information Security Officer
The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an information security program, which includes the procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats. The chief information security officer’s duties may include conducting employee security awareness training, developing secure business and communication practices, identifying security objectives and metrics, selecting and purchasing security products from vendors, ensuring that the company complies with the rules of relevant regulatory bodies, and enforcing adherence to security practices.