Author: Mustafa Fikret Ottekin, Consultant – Cyber Security
Probably the most common and serious mistake management makes regarding the governance of information security is delegating too much responsibility to the IT Department. This mistake is usually due to the belief that information security is a “mostly technological” problem which should be solved by mostly technological people, the IT experts. Well, this is not exactly the case. Let’s try to draw the line correctly between the responsibilities of the management and the responsibilities of the IT department here.
I would like to focus on two separate stages of the information security governance process: risk analysis and risk mitigation.
Risk analysis begins with the valuation of the institution’s assets in the most objective and realistic manner possible. The value of an asset is deeply rooted in the value of the information it processes, which is proportional to the cause that information serves. In other words, the value of assets depends on the value of the business or function they facilitate. At this stage, the responsibility of the management is to designate the due value and priority of each business conducted by the institution, including the related information. Only the management can perform that task. Neither IT experts nor information security advisors may substitute for the management at this stage. Yet the values of all other assets (software, hardware, facilities, etc.) may be derived by IT people following that first stage of business valuation.
The second stage I want to take a look at is risk mitigation, where the security controls are applied to the daily life of the institution. Security controls may be divided into two categories:
- Controls safeguarding confidentiality (all sorts of access control)
- Controls safeguarding availability (information backup and business continuity measures)
Access control may be broadly defined as granting access to information on a “need-to-know” basis. In that respect, the management has to designate which information may be accessed by whom. That designation is almost equivalent to deciding which task should be executed by which personnel or department. Again, neither IT experts nor information security advisors may substitute for the management in making that decision. After the “need-to-know” basis is established by the management, the IT department may assume responsibility for applying it consistently across security controls such as application access control, network access control and physical access control.
Similarly, the management has to decide the tolerable duration of interruption to information access for all crucial business processes. The IT department may use that information to define and acquire the necessary information backup and business continuity systems.
To sum up, the management defines the security principles and the IT department defines the security controls that apply these principles to the daily, ongoing execution of all business processes. (And the Internal Audit department, where available, validates the proper implementation and operation of the security controls.) Throughout the information security governance process, the management would also provide the budget required to implement the security controls and assure due execution of Internal Audit procedures.
Finally, the similarity between the three powers present in the “segregation of duties” of government (legislation, execution and jurisdiction) and the triad of management, IT department and audit is easy to notice. It may be concluded that the correct application of “segregation of duties” in the domain of information security governance, in order to assure the due security and functioning of an institution, is indisputable.