IT Security Governance Framework - One Model

Blog Post created by JeffOtt Employee on Dec 5, 2017

I used to write. I used to write a lot. No, really. I did! Honest!


I was the contributing editor of Information Systems Security Journal (currently known as Information Security Journal: A Global Perspective) from 1998 to 2003. I wrote a 12-month series on Security Governance in the Opinion and Analysis column for IT*Security Magazine. That ran from March of 2005 to March of 2006. (Don't even get me started on all the articles I've written for Bee Culture Magazine, which, in addition to all the other articles I wrote for them, sent me to McAllen, Texas, and into Central Mexico to do a series of articles on the advancement of the Africanized honeybee. Oops… see what happens once I start talking about honeybees?)


All of this, but when it comes to writing a blog for CA Communities, I have been stumped. Oh the irony!


So when dealing with writer's block, one standby cure is to just start writing about something we know. That is also something someone suggested in the PMO discussion community. So, I will give it a try with a topic I've enjoyed, because if you are working with your customer on a security product implementation, it is invaluable to understand how the work you are doing for them should address their key considerations, or business drivers. Let me get going here and see if I can break this block.


When I came into CA a few years back, my first couple of years were with the security team in the Global Practice. I was hired because my background and passion is IT security governance and IT security organizational development. I was tasked to develop what became the Security Roadmap Assessment (SRA). It was based upon the ISO 17799/27001 framework and designed to help our customers better understand their organization's maturity level and identify which areas of their security program needed to be strengthened.


The SRA used the ISO standard to capture the drivers of a healthy and effective IT security governance structure, or 'framework'. For the framework we identified three high-level drivers: External, Corporate and Security Program. In this blog post, I will take a closer look at the relationship between the strategic nature of the governance framework and the tactical day-to-day realities of the job.


Before going on, quick definitions are required for the three business drivers of an IT security framework.


External Drivers

Legislative and Regulatory Requirements – These are the many different governmental laws and regulatory rulings that are imposed on the organization. Think Sarbanes-Oxley...

Industry Best Practices – We used to call them Best Practices, but now, with the adoption of the ISO 27000 family of standards, we can call them 'Standardized Common Sense'.


Corporate Drivers

Security Policy – These are the governing high-level expectations of executive management for security.

Corporate/Organizational Risk Management Integration – Some IT security groups also manage the organization's risk management program; others work within a larger risk management program. Whichever it happens to be, it must be aligned with the business drivers.

Compliance Monitoring – This not only includes alignment with the internal or IT audit group but also bridges over to technical assessments and intrusion detection systems.


Security Program Drivers

Security Standards – These are the first translation of the written expectation (the policy) into technical requirements, which must still enable secure business transactions.

Security Procedures and Guidelines – Technology- and platform-specific instructions for implementing the security policy, down to the bit level if necessary.

Metrics Definition and Reporting – What is the security group doing, and how effectively is it doing it? Proper metrics provide the numbers necessary to calculate an ROI on security.

Organizational Alignment and Staffing – Optimal placement of the security group within the organizational hierarchy is important, as is maintaining the right balance of security staff.


OK… see, once I get started on a theme, I can get the words on the screen. That is it for this blog entry. Next time, I will pick up and explore how these drivers and the framework interact. In the meantime, let me know if you have any questions about beekeeping!