A First Model for Information Security Governance

It is based in two core principles:

1. It covers the 3 well known level of management. Everyone on the pyramid have to be involved;
2. Across these three levels, there are very distinct actions. Each level of the pyramid is composed by different actors, with different backgrounds.

So there is the need of technical and economic actors to work together to ensure a good ISG.

The ISG model should help in doing the right things right

The best practices are at the base of the pyramid, and the feed the direct control loop and the vertical part of the model. From the point of view of the security manager there are questions to answer:

1. How do I know what the right things are?
2. Suppose that I know, how do I know I am doing it right?

A best practice is a general terms that comprehend a big set of documents that tells how you should address some situation considering experience coming from different domains, experts and scenarios. Can be seen as the consensus of experts in the field of Information Security. Many standards exists, and each of them has different scopes and objectives.

• ISO 27000 family.
• COBIT. It is a big manual for management guidelines,
• NIST SP 800-*.
• CSC. Inspired the reference point of Italian Cybersecurity Agency
• NIST CSF
• ENISA

The vertical elements are five: directives, control, risk management, organization and awareness. They are verticals because they comprehend all three layers.

Security Policy documents are required from standards and best practices. Directive layer provides guidelines compliant with the standards. In order to properly support the direct process we need to document all the aspect at the three layers; at each level the right amount of granularity has to be used.

An important part in all the documents that are defined in ISG is the part in which there are compliance clauses, they specify what actions we have to take to verify that we are compliant. The compliance clauses will compare in every document we consider, starting from the CISP, down to the sub-policies and procedures.

The definition of the control starts from what are indicated in the standard ISO 27002; in the 18.2 section, the standards says that the ISG has to be compliant with the security policies and standards; so at the end, it is important to define the compliance verification process.

Managers should regularly review the compliance of information processing and procedures, within their area of responsibility with the appropriate security ppolicies, standards and ant other security requirements.

It says that, periodically, you should revise not only the direct part, but also the control part. So the control part has to be monitored to include potentially uncovered camera.

There is no single methodology to define the compliance policy because the definition of a policy if dependent on the context. Given the fact that the policy depends on the context, also the compliance clause depends on it. However there are some guidelines.

First of all we can control only the things that we can measure; typically the measurement process is done by an auditing procedure (verification point by point of correctness); this lead to the notion of auditing the risk, that is related to the ISMG. The general metrics that regulate the Direct Control loop in ISG is the risk.

The risk is a measurement, quantitative or qualitative of the level of security that can be tolerated

It is important to relate, as soon as possible, the compliance clauses to the notion of risk. Of course the concept of risk has different levels of granularity in different layers. The compliance clauses can be used also to estimate the risks, so the two concepts are strictly related and work together.

The risk management is the third vertical level, and by definition it is:

The process to identify and assess all potential risks as well as introducing controls that should mitigate all these risks to acceptable low levels

From this point of view, the risk could be decomposed in two main variables (two factor risk model):

• The frequency or probability of something bad happens
• The consequences of the issue that may happens

It is possible to act on those two dimension in an join way or a independent way; so we have to identify which is the impact if the bad things happens and how to reduce the probability of the bad event or how to mitigate the effects of the bad event.

Practically speaking we say that the risk can be quantified using the following formula: \(\text{Risk} = \text{Likelihood} \times \text{Impact} = (\text{threat} \times \text{probability}) \times \text{impact}\), representing the risk in a graphical way:

A risk reduction is possible via three actions:

1. Reduce the impact, put in place mechanism like replication, redundancy and similar.
2. Reduce the probability of the incident, via maintenance for example.
3. A combination of both aspects, moving on the diagonal of the heat map.

In the ISO 27002 there is a particular statement that regards the risk management, it says that risk management is essential to identify the security requirements. Potentially all the identified risks create consequences on the company, but practically not all of them could not be managed, mitigate a risk is not cheap: sometimes there can be a direct cost, or there can be indirect cost given by re-training or time consumption.

Not addressing the risk means that you accept that if the risk happens there will be consequences that can cause economic losses (also this is an indirect cost).

In order to work properly in risk management We have to start from the bottom:

• Operational Level quantify the risk in terms of compromission of technical items;
• Tactical Level link the compromission of a machine with the service provided;
• Strategical Level indicate the loss of money and reputation

This levels regards the way information security is organized is very important. It is fundamental to structure people to their role and give them the right level of responsibility; the business function have to be organized in a certain way in order to be functional in a direct control process. In ISO 27002 there is some guidelines on Organization of Information Security.

There are two elements to consider, the base: where you physically do the security activities (operational levels), and the part that provides indication and checks if the indication are followed.

This picture represent how to structure the organization of the Information Security Governance. The operational management (controlled) talks directly with the operational level of the pyramid, in this section we put all the people that actually do something to ensure the protection of the system. The Compliance Management (controllers) is composed by all the people that controls that all the action are compliant with policies and directive and that are actually done.

Awareness start from the top and has to be enforced going bottom, this means that at each level the definition of awareness should change and be appropriate.

• In the Operational Level awareness means being aware of all the policies and of the motivations, communicating the needs and the problems to other employees
• In the Tactical Level awareness means being conscious of the relation between the target settled by the management and what the operational level needs to do.

A global awareness can be established through a SETA program, the aim of this program is to try to train everybody with the purpose of working securely. The objective is to achieve three objectives:

• Awareness, to achieve in the short terms. Gives the notion of what you should do. It is achieved via posters, news letters etc (dissemination)
• Training, it is achieve in medium terms. How to do, via seminars, lectures, and practical exercises.
• Education. Gives the motivation behind the actions.