Feature

Strengthening Information Security Governance

Ed Gelbstein, Ph.D., has worked in IT for more than 40 years and is the former director of the United Nations (UN) International Computing Centre, a service organization providing IT services around the globe to most of the organizations in the UN System. Since leaving the UN, Gelbstein has been an advisor on IT matters to the UN Board of Auditors and the French National Audit Office (Cour des Comptes) and is also a faculty member of Webster University, Geneva, Switzerland. He is a regular speaker at international conferences covering audit, risk, governance and information security and is the author of several publications. Gelbstein lives in France and may be contacted at ed.gelbstein@gmail.com.
The IT Governance Institute (ITGI) and ISACA were among the first to issue guidelines for the governance of information security, and their various publications[1, 2] have been complemented by other governance frameworks, including the yet-to-be-issued international standard ISO 27014[3] and the latest revision of the Information Security Forum (ISF) Standard of Good Practice.[4] Other frameworks have been proposed by industry advisory services such as Gartner Group.[5]
All of these are welcome support for a domain that has become increasingly visible and sensitive. In the last couple of years, it has become evident that no organization can avoid being influenced by the tsunami of innovative technology, with ever shorter life cycles.
When Bill Gates and Paul Allen, the founders of Microsoft, dreamt of having a computer on every desk and in every home, they were right, but it took some 30 years to get there. When Apple introduced the iPad tablet, the demand had no precedent in the IT industry, as it became, almost overnight, a must-have gadget. IT departments and security managers were caught unprepared and resorted to a “you cannot have one—it is policy” statement that did not win them many friends in the executive suite. Besides, no organization is invulnerable to attacks on its information.
Suspected culprits cover a wide range of actors: the individual hacker, organized groups (such as Anonymous), other unidentified but highly competent groups suspected of having a measure of state support, assorted spies (industrial and other), organized crime, and insiders.
Significant security breaches recently included Wikileaks, fraud at UBS London and the insertion of the Stuxnet malware in the uranium enrichment facilities in Iran. These, of course, are only the tip of the proverbial iceberg. Cyberattacks of one form or another are a daily occurrence, and many are simply not reported in the media, as their severity is not sufficient to make headlines.
However, as installers of burglar alarms know very well, unless their insurance company insists they do so, most people will have an alarm installed only after being burgled. Does information security governance fall in the same category?
STATE OF ISG: NOT A PRIORITY, POLITELY IGNORED AND LIMITED RESOURCES
The purpose of information security governance (ISG) is stated clearly enough in various frameworks and can be summarized as evaluating, directing and monitoring information security to:

• Ensure business needs are met
• Strengthen information assurance
• Ensure information risks have identified owners
• Reduce the risk of noncompliance
• Reduce the risk of litigation
• Achieve sustainable confidentiality, integrity and availability (CIA)
Information technologies, including security components, have many common elements shared among organizations almost regardless of the nature of their activity. This is true for servers, storage and networks, applications such as enterprise resource planning (ERP) and customer relationship management (CRM), and services such as e-mail and remote access.
However, organizational culture and the degree to which information risk is accepted mean that individual security needs vary greatly. At one extreme are the critical information infrastructures on which society depends (e.g., utilities, emergency services, national security); at the other extreme are those organizations for which the impact of a significant incident would not propagate beyond their walls—i.e., nobody would notice and, at worst, their reputation may be dented for a short time.
This article reflects the findings of audits performed in the last few years in the not-for-profit sector and discussions with peers during information security conferences in Europe, the Middle East and Africa as well as other professional gatherings. While the sample may not
25 ISACA JOURNAL VOLUME 2, 2012