Information Security Jobs: Governance and Risk Management

By Peter H. Gregory

Management needs to be in control of its information security systems, processes, and personnel. Governance is the approach that facilitates this control. Risk management is the activity that reveals risks in the organization that must be dealt with.

Alignment to organization

For security management to be effective and relevant, an organization’s security program and its mission, objectives, and goals must be aligned. The key reason for this is that security should be a business enabler, facilitating the organization’s efforts to fulfill its mission and achieve its objectives and goals.

Risk management

Risk management is the set of life-cycle activities that identify risks and take appropriate action with each. These activities follow:

  • Risk assessment: A risk assessment is an up-close look at specific systems, processes, suppliers, or perhaps the entire organization. All plausible risks are identified, and the following key characteristics are estimated for each risk:

    • Probability: The likelihood that a given threat will be realized

    • Impact: The degree of influence on the organization when the threat is realized

    • Recovery effort: The effort required for the organization to recover from threat realization

    • Asset value: The value of the asset, if the nature of threat realization requires its replacement

    • Mitigating controls: Changes that can be made to reduce the probability, impact, or recovery effort

  • Risk treatment: When a risk assessment has been completed, management has an important task ahead: to make formal decisions on what to do about each identified risk. Their choices are:

    • Acceptance: Management decides that the level of risk is acceptable, and that nothing needs to be done to reduce the probability or impact of the identified risk.

    • Mitigation: Management chooses to implement something that will reduce the probability, impact, or recovery effort associated with a risk.

    • Avoidance: Management chooses to discontinue the activity associated with the risk.

    • Transfer: Management decides to transfer the risk to another party, usually by purchasing an appropriate insurance policy, such as cyber risk insurance.

Security governance

In the context of information security, governance means enacting policies, standards, guidelines, procedures, and controls to ensure that desired outcomes are met.

  • Policies: Formal statements that describe what actions and behaviors are required, and which are forbidden, in an organization. Following are some example policy statements:

    • Employees shall not share login credentials with any other persons inside or outside the organization.

    • Employees shall not use personally owned devices for storing, processing, or managing company information without management approval.

  • Standards: Formal statements that describe how security policy will be carried out.

  • Guidelines: Statements that provide ideas on how policies and standards may be implemented.

  • Processes and procedures: Step-by-step descriptions of work activities carried out by various personnel in the organization.

  • Controls: Specific instances of policies, standards, and key steps in processes and procedures that management has determined are essential for the proper operation and security of business processes and information systems.

Internal and external audit

Organizations in many industries are subject to external audits and are also required to perform internal audits. The purpose of an audit is to assess the effectiveness of an organization’s policies, standards, and controls.

An audit may or may not include an examination of information systems, including their configurations, programs, and access permissions.

Data classification

Data classification is a set of standards, procedures, and controls to ensure the proper handling of sensitive information. Data classification is usually implemented by defining levels of sensitivity, along with detailed explanations on permitted and required handling of data at each level.

The intention of data classification is the protection of information at a level corresponding to its sensitivity. It would be a waste of resources to protect all internal information as though it were top secret. On the other hand, protecting all information as confidential would not adequately protect the most sensitive information.

Personnel security

Personnel security represents the set of security-related activities that take place throughout the employee life cycle. These activities include:

  • Screening: A background check to ensure that the candidate’s employment history, education, and professional licenses are verified, and that the candidate is free of unwanted criminal convictions.

  • Onboarding: The employee signs documents, including nondisclosure, intellectual property, noncompete, and security policy acknowledgement documents. Other essential activities include security awareness training and instruction on other policies.

  • Periodic assessment: Annual reaffirmation of compliance with security policy and other key policies.

  • Transfer and promotion: Completion of onboarding activities required for new positions.

  • Termination: Return of all hardware and information assets, reaffirmation of nondisclosure, intellectual property, and other agreements.

Security awareness training

Training personnel on security policies, procedures, and safe computing is an essential part of every organization’s overall defense against harmful security incidents. In security awareness training, employees are educated on the organization’s security policies and practices.

Many laws and regulations require security awareness training, so organizations usually need to keep accurate records on who has received this training.

Many security awareness training programs include quizzes, to ensure that employees understand what is expected.

Other concepts

Several security-related concepts are part of every security professional’s vocabulary. These concepts guide you on the proper management of the security issues you’ll encounter:

  • CIA Triad: Confidentiality, integrity, and availability — the three pillars of security. Everything the InfoSec profession does to protect an organization’s assets and information comes down to these.

  • Defense in depth: A strategy for protecting important assets by surrounding them with layered defenses. An intruder would need to defeat several defenses to successfully reach the protected asset.

  • Single point of failure: Systems or teams in which a key component has no backup or alternative path. A lone firewall is a single point of failure because the entire system would fail if the firewall failed.

  • Fail open/fail closed: The state a control falls into when it fails. A control that fails open stops enforcing (for example, access is allowed while the control is down); a control that fails closed keeps blocking (access is denied until the control is restored).
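The fail open/fail closed distinction, shown on an access-control check whose rule store is a single point of failure; this is an added example, not code from the article, and the policy store, the exception, and the user/resource values are constructed for the illustration.

```python
"""Fail open vs. fail closed on an access-control check (constructed example)."""
from dataclasses import dataclass


class PolicyStoreUnavailable(Exception):
    """Raised when the backend holding the access rules cannot be reached."""


@dataclass
class Request:
    user: str
    resource: str


def lookup_policy(req: Request, store_healthy: bool) -> bool:
    """Return True if the constructed rules allow the request.

    store_healthy=False simulates an outage of the rule store, which is the
    single point of failure the two wrappers below must handle.
    """
    if not store_healthy:
        raise PolicyStoreUnavailable("policy store unreachable")
    allowed = {("alice", "payroll"), ("bob", "wiki")}  # constructed rules
    return (req.user, req.resource) in allowed


def check_fail_open(req: Request, store_healthy: bool = True) -> bool:
    """Fail-open variant: an outage disables the control and lets traffic through."""
    try:
        return lookup_policy(req, store_healthy)
    except PolicyStoreUnavailable:
        return True  # control stops enforcing; availability wins over confidentiality


def check_fail_closed(req: Request, store_healthy: bool = True) -> bool:
    """Fail-closed variant: an outage denies everything until the store is back."""
    try:
        return lookup_policy(req, store_healthy)
    except PolicyStoreUnavailable:
        return False  # control keeps blocking; confidentiality wins over availability


if __name__ == "__main__":
    req = Request("carol", "payroll")  # carol is not in the rules
    print("store healthy:", check_fail_open(req), check_fail_closed(req))
    print("store down   :", check_fail_open(req, False), check_fail_closed(req, False))
```

With the store healthy both variants agree; during the outage only the fail-closed variant still denies the unlisted user, at the cost of also denying alice.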