Source: ISTROOP
Introduction
What does it mean to govern for enterprise security or, stated differently, to govern an organization to achieve and sustain acceptable or adequate security? And why is the Networked Systems Survivability Program interested in this topic?
Our working definition of Governing for Enterprise Security is:
Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions).1
Governing for Enterprise Security (GES) builds upon and expands commonly described forms of governance. These include corporate governance, enterprise governance, and information technology (IT) governance.
Definitions of corporate governance typically include the relationships and incentives among boards of directors (or equivalent), senior executives, shareholders, and key stakeholders towards ensuring fiscal accountability, clear responsibility, and accurate reporting. Terms included in some definitions include probity (complete and confirmed integrity), due diligence, and standard of due care.
Corporate governance and enterprise governance overlap when the definition is expanded to include the "structure through which the objectives of the enterprise are set, and the means of attaining those objectives and monitoring performance are determined." [OECD 99, 04]. Structures and means may include, for example, policies (and their corresponding standards, procedures, and guidelines), strategic and operational plans, awareness and training, risk assessments, internal controls, and audits.
IT governance addresses the actions required to align IT with enterprise objectives and to ensure that IT investment decisions and performance measures demonstrate the value of IT toward meeting those objectives. Refer to the supporting notes below for expanded definitions of corporate, enterprise, and IT governance.
While these definitions speak most often to commercial, for-profit corporations, they can also be interpreted and appropriately tailored for government, education, and non-profit institutions as well as organizations of any size.
Most senior executives and managers know what governance means and their responsibilities with respect to it. Our intent here is to aid them in expanding their governance perspective to include security, incorporating enterprise-wide security thinking into their and their organizations' day-to-day governance actions.
Motivation
The need to address security within organizations is growing in the public awareness. Customers are demanding it as concerns about privacy and identity theft rise. Business partners, suppliers, and vendors are starting to require it from one another, particularly when providing mutual network access. There is a wide range of current and pending US national and international legislation that calls for organizations to exercise due diligence and demonstrate an acceptable standard of due care in how they manage their computing infrastructures and the information that such networks and systems create, transmit, and store, particularly when connected to the Internet. There is an ever-growing number of standards, guidelines, checklists, and assessment instruments against which organizations are expected to demonstrate some level of compliance. Certainly the US federal government has recognized the potential impacts of security breaches on critical infrastructures in its National Strategy to Secure Cyberspace, published in 2003, which contains a wide range of recommendations calling for improvement.
An organization's ability to mobilize2 to achieve and, more importantly, sustain a desired security state starts with executive sponsorship, enacted and sustained by governance. Those who lead, manage, set strategy, and are held accountable for an organization's success set the direction for how enterprise security is perceived, prioritized, managed, and implemented. If the responsibility for enterprise security is relegated to a role in the organization that lacks the authority, accountability, and resources to act and enforce, the enterprise security state will mirror this.
In many of the SEI's software engineering improvement initiatives, we find that executive awareness, understanding, and education are essential to achieve and sustain any level of improvement such that it becomes part of normal business conduct. In order to achieve widespread community improvement in security, we need to address this topic.
Coming Attractions
In a series of articles, we intend to examine some of the following elements of governance with respect to their role in governing for enterprise security. We will select those that have the greatest impact on and benefit for achieving and sustaining an acceptable level of security (and what this means).
Awareness and understanding - Governing boards and senior executives are aware of and understand the criticality of governing for enterprise security:
Protection of shareholder (or equivalent) value: They understand what actions are necessary to protect shareholder/stakeholder value with respect to enterprise security (such as protecting reputation and brand, and protecting customer privacy).
Customer satisfaction: They understand what enterprise security actions are necessary to retain current customers and attract new customers (such as sustained marketplace confidence in comparison to competitors).
Strategies and plans - Strategies and plans for enterprise security demonstrate how they support business objectives:
Investments: Investments in enterprise security are aligned with and allocated so as to meet strategies and plans, taking risks into account (see risk management). Costs are optimized.
Reporting: Status against plans is regularly reported, up to the Board. Performance against measures is monitored. Corrective action is taken when necessary.
Policies - Policies, standards, guidelines, procedures, and measures for enterprise security exist and are regularly reviewed and enforced.
Responsibilities - Responsibility and corresponding accountability and authority for enterprise security are clearly defined.
Controls - Internal security controls are defined to effectively protect assets. Assets may include information, hardware, software, processes, services, physical facilities, knowledge, and people.
Risk management - Risks to critical assets are identified and managed consistent with the enterprise's tolerance for risk. Asset protection investments are made commensurate with risk:
Liability - The enterprise understands its liability and exposure when connected to the Internet, and takes necessary due diligence actions to minimize liability risk and exposure.
Oversight - The enterprise is regularly evaluated and audited to ensure an acceptable level of compliance to requirements, both internal and external, for example, regulations, standards, audit criteria, market sector requirements, and security requirements and objectives.
Public disclosure - The enterprise is open to public disclosure of its security state, where such disclosure is required.
We intend to add to this list and welcome your feedback on its scope, content, and whether or not we are addressing concerns that are meaningful to your organization.
Over time, we will define and transition an improvement strategy and framework that will allow organizations to effectively govern for enterprise security, guided by the work of ISACA, ITGI, IIA3, the National Cyber Summit Corporate Governance Task Force, and other relevant institutions and constituencies, as well as lessons learned from our own OCTAVE