Security governance is the senior management buy-in, support, oversight, and monitoring that drives the organisation's security objectives.
The industry-leading organisations known for their effective security practices are those with strong security governance. Their leadership places high importance on security, defines company-level objectives that support security, and sets the 'tone at the top' that cascades down across the organisation to align all employees' behaviour with those objectives.
In the absence of leadership and governance, security is a topic that often falls down the list of priorities. The best outcome of effective security is the absence of negative outcomes, which makes its benefits hard to measure and recognise. Security is also a cross-functional objective that can't work effectively in a silo: all employees and functions play a role in information security. Formal security governance practices ensure security is given appropriate priority, resources, and support to achieve the objectives.
Define and communicate objectives for the organisation, including both security and operational objectives. These can be communicated to employees through all-hands meetings, during employee onboarding, on the intranet, and/or through updates sent to all employees.
Define the RACI
Who is Responsible, Accountable, Consulted and Informed (RACI) with respect to the 24 information security practices? You might have a CTO or COO as the overall responsible owner, or as the accountable owner with a security or compliance analyst taking the lead on day-to-day responsibility. Information security is not a silo operation of the business. You’ll need formal responsibilities, or at least people consulted and informed, across the respective functions. This includes human resources, customer support, engineering, operations, and the senior leadership team for overall governance.
Establish policy areas and responsibilities
The specific policies required for the information security requirements are covered in Part 2. At this stage, it’s about defining the functional areas and overall owners of each policy area. Policies are often perceived as a “traditional” practice no longer relevant in tech culture. In practice, policies play an important role in empowering teams and individuals: by setting out the key requirements, expectations, and boundaries, they enable people to use initiative and discretion while covering the non-negotiables.
Each policy should consider:
- Overall accountable owner;
- Responsible owner for monitoring and enforcement;
- Specific functional roles that support the policy objectives; and
- Groups of users like specific teams, third parties, all employees and other stakeholder groups that have defined responsibilities to support the policy.
For the CDR, the key policies to establish include: Access Control; Network Security; Acceptable Use; Change Management; Incident Management; Information Classification and Handling; Backup, Retention, and Disposal; and the CDR Policy.
Governance meetings perform the function of oversight, monitoring, and general management of the information security function (among other functions). This includes approving the outputs of security and compliance activities such as risk and control assessments, penetration tests, and third-party audits; monitoring key performance and risk indicators; and generally supporting the objectives through high-level involvement.
These governance meetings can include the Board of Directors, Senior Leadership Team, a Security, Risk, and Compliance (SRC) Committee, Team Management Meetings, and company-wide or all-hands meetings. We’ve covered this topic in more depth in our Best Practices - Governance post.
Organisational security posture
Two of the 24 information security practices play a particularly important role in the overall information security capability: the Acceptable Use Policy and Security and Privacy Awareness Training. Both support general awareness and a company-wide approach to information security. Most security breaches have a human element, so these practices matter a great deal.
Although in-house security experts are no longer a must-have, organisations that are well supported by security experts are better placed to prepare for and respond to security events. Modern approaches include a good working relationship with your penetration test provider, engaging security consultants for support, or the CISO-as-a-service model that keeps security experts on retainer to call on as needed.
Business planning is a ubiquitous practice that varies a lot in the way it’s conducted. The purpose in this context is to ensure the business strategy, operational resources, and objectives fit together and support each other. For the CDR specifically, this may mean setting the target date for accreditation, arranging the necessary people and time commitments, and planning the steps and activities required. In most of the projects we support like this, there’s a tipping point where the business recognises that the priority needs to be raised, resources increased, or other intervention taken to really get it moving. Before that point, it falls behind other competing priorities.
If you're wondering what this looks like "on paper" - get in touch with our team <firstname.lastname@example.org>. We're happy to share examples and guide you through how this may look for your business.
The CDR Perspective
The CDR Schedule 2, Part 1 requires the following in relation to defining and implementing security governance in relation to CDR data:
- (1) An accredited data recipient of CDR data must establish a formal governance framework for managing information security risks relating to CDR data setting out the policies, processes, roles and responsibilities required to facilitate the oversight and management of information security.
- (2) The accredited data recipient must clearly document its practices and procedures relating to information security and management of CDR data, including the specific responsibilities of senior management.
- (3) The accredited data recipient must have and maintain an information security policy that details:
  - (a) its information security risk posture setting out the exposure and potential for harm to the accredited data recipient’s information assets, including CDR data that it holds, from security threats; and
  - (b) how its information security practices and procedures, and its information security controls, are designed, implemented and operated to mitigate those risks.
- (4) The accredited data recipient must review and update the framework for appropriateness:
  - (a) in response to material changes to both the extent and nature of threats to its CDR data environment and its operating environment; or
  - (b) where no such material changes occur—at least annually.
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.