
Security Disciplines for Objective 1: Support

1-1. Governance

Description

For an individual justice organization, governance is the source of security policy, establishing the activities required to assess risk, set direction, and monitor the application of security tools with the objective of creating a secure operating environment. In an environment in which justice information is shared, governance is more complex and must represent the security interests and policies of multiple organizations.

Purpose

Security management encompasses a number of functions, as outlined in this document. Governance recognizes that these functions need oversight and control at a high level to assure that each is addressed appropriately. Only in this way can the benefits of a comprehensive security program be gained. Further, information sharing and joint operations are becoming increasingly important for justice and public safety organizations. That implies the need for governance structures that cross individual agencies. Consequently, governance issues deserve prominent consideration.

Principles

  • Governance involves technologists, operational management, and strategic business management alike.
  • At the governance level, risk assessment deals with risk to the operation, to its continued viability, and to the critical data it maintains.
  • IT management is responsible for managing security to the best standard achievable for a given level of risk; the governance group establishes that acceptable level of risk and is accountable for setting it appropriately.
  • Governance structures for information sharing should be representative of all the stakeholders whose information is shared.
  • Governance strives for repeatable results with continual improvement.

Best Practices

  • Include strategic business management, senior operational management, and senior IT management on the governance board.
  • Strive for a full discussion of risk so that all participants understand what the risks are. Classify risks by severity, set a strategic plan that addresses the highest-priority risks first, and know which risk each new security initiative is targeting. For an example of tying a control to the risk it addresses (authentication assurance levels matched to the risk of the transaction), see NIST Special Publication 800-63, Recommendation for Electronic Authentication, at http://fasp.nist.gov/publications/drafts.html#draft-sp80063.
  • Understand what laws, regulations, and rules apply to the organization and to the information being used.
  • Insist that the business purpose for each new security initiative is clear.
  • Understand the total cost of ownership of each new security initiative, and make efforts to relate that cost to a return on that investment.
  • Report periodically (at least annually) on progress made during the past period and the objectives set for the next period.

References