Krishna Raj Kumar, CISA, CISM, is a senior consultant with Barrington Consulting Group based in Halifax, Nova Scotia, Canada. He has worked as an information security manager for more than 15 years within the financial and governmental sectors of the Caribbean, where he last held the position of executive manager, information security in the Government of the Republic of Trinidad and Tobago.
Information Security Management for Governments
"The establishment of common controls and enterprisewide security program development, coordination, implementation and management is the maturation of IS security from a secondary activity to an executive-level operational concern. The key question is: Are not only US government agencies, but also other governments and businesses globally now going to use these new requirements as the impetus of change needed to accelerate the needed improvement in their security readiness and capabilities?" 1
For many governments of developing nations, information security has not yet become a priority initiative. As a result, it may not receive executive support of the kind that encourages the measurement and administration of the controls needed to protect the information that is processed, stored and transported by the government's IT systems. The risk of operating without basic information security controls is not always seen as more significant than initiatives that can gain political mileage. The role of information security management (ISM) is often assigned to a single individual, or a very small team, who reports to a senior manager or executive with little or no focus on information security.
This article shares a simple model that can be used for ISM in governments. It is meant to assist the information security manager who faces the challenge of establishing a program that is neither visible within, nor supported by, the priorities of the government environment in which that manager works.
The scope of the information security leader in government needs to span the whole of government. Restricting this scope for political or other reasons could compromise the security of information stored, transported and processed by the government. There should be one point of contact for information security at the executive level, and this person must be able to act quickly, at short notice and in a manner that protects the entire government, within the limits of the authority granted by the most senior approver.
The controls recommended in ISO 27001:2005, Information technology—Security techniques—Information security management systems—Requirements, should be implemented in a manner that is applicable to the environment and within budget. A record of all controls that are necessary, but are not achievable within the current budget, should be maintained, and this record should be used to plan each subsequent budget.
ISM
ISM should be treated as a specialized function within smaller governments. The information security leader should report directly to the head of the government agency responsible for either IT risk management or IT operations.
ISM MODEL
Figure 1 depicts an ISM model for smaller governments:
• Performance measurement—Before implementing information security controls, identify the processes that are necessary and establish a system that allows the success of those processes to be measured against defined benchmarks for specific control objectives. These processes and methods of measurement are available through COBIT 4.1; however, the value of implementing COBIT is lost if regular, periodic assessment and measurement are not performed.
• Development—At least 30 percent of effort should be allocated to development in each of the seven pillars (discussed in more detail later).
• Budget—The information security budget can be continuously justified by asking the executive sponsors pertinent questions such as, "Would it be useful to be able to measure how well the enterprise protects its information?"