An Introduction to Governing for Enterprise Security

What does it mean to govern for enterprise security or, stated differently, to govern an organization to achieve and sustain acceptable or adequate security? And why is the SEI’s Networked Systems Survivability Program interested in this topic?

Our working definition of Governing for Enterprise Security is directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions).¹

Governing for Enterprise Security (GES) builds on and expands commonly described forms of governance. These include corporate governance, enterprise governance, and information technology (IT) governance.

Definitions of corporate governance typically include the relationships and incentives among boards of directors (or equivalent), senior executives, shareholders, and key stakeholders toward ensuring fiscal accountability, clear responsibility, and accurate reporting. Terms included in some definitions include probity (complete and confirmed integrity), due diligence, and standard of due care.

Corporate governance and enterprise governance overlap when the definition is expanded to include the "structure through which the objectives of the enterprise are set, and the means of attaining those objectives and monitoring performance are determined" [OECD 99, 04]. Structures and means may include, for example, policies (and their corresponding standards, procedures, and guidelines), strategic and operational plans, awareness and training, risk assessments, internal controls, and audits.

IT governance addresses the actions required to align IT with enterprise objectives and ensure that IT investment decisions and performance measures demonstrate the value of IT toward meeting these.

While these definitions apply most often to commercial, for-profit corporations, they can also be interpreted and appropriately tailored for government, education, and non-profit institutions as well as organizations of any size.

Most senior executives and managers know what governance means and their responsibilities with respect to it. Our intent is to help them expand their governance perspective to include security, incorporating enterprise-wide security thinking into their organizations' day-to-day governance actions.

Motivation

The need to address security within organizations is growing in the public awareness. Customers are demanding it as concerns about privacy and identify theft rise. Business partners, suppliers, and vendors are starting to require it from one another, particularly when providing mutual network access. There is a wide range of current and pending U.S. national and international legislation that calls for organizations to exercise due diligence and demonstrate an acceptable standard of due care in how they manage their computing infrastructures and the information that such networks and systems create, transmit, and store, particularly when connected to the Internet. There are an ever-growing number of standards, guidelines, checklists, and assessment instruments with which organizations are expected to demonstrate some level of compliance. Certainly the U.S. federal government has recognized the potential impact of security breaches on critical infrastructures in its National Strategy to Secure Cyberspace, published in 2003, which contains a wide range of recommendations calling for improvement.

An organization's ability to mobilize to achieve and, more importantly, sustain a desired security state starts with executive sponsorship, enacted and sustained by governance. Those who lead, manage, set strategy, and are held accountable for an organization's success set the direction for how enterprise security is perceived, prioritized, managed, and implemented. If the responsibility for enterprise security is relegated to a role in the organization that lacks the authority, accountability, and resources to act and enforce, the enterprise security state will mirror this.

In many of the SEI's software engineering improvement initiatives, we find that executive awareness, understanding, and education are essential to achieve and sustain any level of improvement such that it becomes part of normal business conduct. To achieve widespread community improvement in security, we need to address this topic.

Coming Attractions

In a series of articles, we intend to examine some of the following elements of governance with respect to their role in governing for enterprise security. We will select those that have the greatest influence on achieving and sustaining an acceptable level of security (and what this means).

Awareness and understanding —Governing boards and senior executives are aware of and understand the criticality of governing for enterprise security.
- Protection of shareholder (or equivalent) value: They understand what actions are necessary to protect shareholder/stakeholder value with respect to enterprise security (such as protecting reputation and brand, and protecting customer privacy).
- Customer satisfaction: They understand what enterprise security actions are necessary to retain current customers and attract new customers (such as sustained marketplace confidence in comparison to competitors).
Strategies and plans —Strategies and plans for enterprise security demonstrate how they support business objectives.
- Investments: Investments in enterprise security are aligned with and allocated so as to meet strategies and plans, taking risks into account (see risk management below). Costs are optimized.
- Reporting: Status against plans is regularly reported, up to the board. Performance against measures is monitored. Corrective action is taken when necessary.
Policies —Policies, standards, guidelines, procedures, and measures for enterprise security exist and are regularly reviewed and enforced.
Responsibilities —Responsibility and corresponding accountability and authority for enterprise security are clearly defined.
Controls —Internal security controls are defined to effectively protect assets. Assets may include information, hardware, software, processes, services, physical facilities, knowledge, and people.
Risk management —Risks to critical assets are identified and managed consistent with the enterprise's appetite and tolerance for risk. Asset protection investments are made commensurate with risk.
- Liability—The enterprise understands its liability and exposure when connected to the Internet, and takes necessary due-diligence actions to minimize liability risk and exposure.
Oversight—The enterprise is regularly evaluated and audited to ensure an acceptable level of compliance to requirements, both internal and external, such as regulations, standards, audit criteria, market sector requirements, and security requirements and objectives.
Public disclosure —The enterprise is open to public disclosure of its security state, where such disclosure is required.

We intend to add to this list and welcome your feedback on its scope, content, and whether or not we are addressing concerns that are meaningful to your organization. Please send your remarks to Julia Allen at jha@cert.org.

Notes on definitions of governance

Corporate Governance

The Organization for Economic Development (OECD) defines corporate governance as follows:

"Corporate governance involves a set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring." [OECD 99, 04]

Definitions of corporate governance are sometimes constrained to address financial reporting, the accountability of Boards of Directors (or equivalent), CEOs and other senior executives, and responsibilities to shareholders.

The recently published Corporate Governance Task Force Report Information Security Governance: A Call for Action [CGTF 04] defines corporate governance as "the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed."

Enterprise Governance

The Information Systems and Control Audit Association (ISACA) and the Information Technology Governance Institute (ITGI) define enterprise governance as follows. There is a degree of overlap between this definition and those for corporate governance:

"The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." [ITGI 03]

This definition has also been adopted by The Chartered Institute of Management Accountants (CIMA) [CIMA 04] and the International Federation of Accountants [IFAC 04].

IT Governance

Gartner states that

"IT governance specifies the decision-making authority and accountability to encourage desirable behaviors in the use of IT. IT governance provides a framework in which the decisions made about IT issues are aligned with the overall business strategy and culture of the enterprise. Governance is about decision making per se —not about how the actions resulting from the decisions are executed. Governance is concerned with setting directions, establishing standards and principles, and prioritizing investments; management is concerned with execution." [Dallas 04]

ITGI defines IT governance as "the leadership, organizational structures, and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives." They additional state that "While governance developments have primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value, the pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT governance." [ITGI 03] Considering both of these definitions, much the same can be said for enterprise security and, in fact, ITGI has created a companion report on Information Security Governance [ITGI 01].

References

[CGTF 04]	Corporate Governance Task Force. "Information Security Governance: A Call to Action." National Cyber Security Partnership, April 2004. http://www.cyberpartnership.org.

[CIMA 04]	The Chartered Institute of Management Accountants. "Enterprise Governance —A CIMA Discussion Paper." 2004. See also [IFAC 04].

[Dallas 04]	Dallas, Susan, Bell, Michael. "The Need for IT Governance: Now More Than Ever (AV-21-4823)." Gartner, 20 January 2004.

[Hamaker 03a]	Hamaker, Stacey. "Spotlight on Governance." Information Systems Control Journal, 1, ISACA, 2003.

[Hamaker 03b]	Hamaker, Stacey; Hutton, Austin. "Principles of Governance." Information Systems Control Journal, 3, ISACA, 2003.

[Hamaker 04]	Hamaker, Stacey; Hutton, Austin. "Principles of IT Governance." Information Systems Control Journal, 2, ISACA, 2004.

[IFAC 04]	Professional Accountants in Business Committee; CIMA. "Enterprise Governance: Getting the Balance Right." International Federation of Accountants, February, 2004. See also [CIMA 04]. http://www.ifac.org.

[IIA 00]	The Institute of Internal Auditors et al. "Information Security Management and Assurance: A Call to Action for Corporate Governance." IIA, April 2000.

[IIA 01]	The Institute of Internal Auditors et al. "Information Security Governance: What Directors Need to Know." IIA, 2001.

[ITGI 01]	Information Technology Governance Institute. "Information Security Governance: Guidance for Boards of Directors and Executive Management." Information Systems Audit and Control Foundation, 2001.

[ITGI 03]	Information Technology Governance Institute. "Board Briefing on IT Governance, 2nd Ed." ITGI, 2003.

[OECD 99]	Organisation for Economic Co-operation and Development. "OECD Principles of Corporate Governance." OECD, 1999.

[OECD 02]	Organisation for Economic Co-operation and Development. "OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security." OECD, 2002.

[OECD 04]	Organisation for Economic Co-operation and Development. "OECD Principles of Corporate Governance: 2004." OECD, 2004.

About the Author

Julia H. Allen is a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. The CERT Coordination Center is also a part of this program.

Allen is engaged in developing and transitioning enterprise security frameworks and executive outreach programs in enterprise security and governance. Prior to this technical assignment, Allen served as acting Director of the SEI for an interim period of 6 months as well as Deputy Director/Chief Operating Officer for 3 years. Her degrees include a B. Sci. in Computer Science (University of Michigan) and an MS in Electrical Engineering (University of Southern California). She is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, June 2001).

1 The Organisation for Economic Co-operation and Development (OECD) discusses the need to develop a 'culture of security' in its Guidelines for the Security of Information Systems and Networks [OECD 02].

The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.