Sam Dekay

Who’s In Charge Here? The Problem of Information Security Governance

The Federal Financial Institutions Examination Council (FFIEC) Information Security booklet does not ignore the issue of InfoSec governance. Indeed, the booklet states that “Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for administration of the security program. At a minimum, they should directly manage the risk assessment process, development of policies, standards, and procedures, testing and security reporting processes… the information security officers should report directly to the board or to senior management.” Once again, as with the “Interagency Guidelines,” the FFIEC injunctions seem focused upon providing a management structure that ensures chain-of-command reporting and accountability; they do not constitute a governance framework that necessarily promotes a comprehensive and consistent information security program.

Who’s in charge here?

Professional information security organizations and governmental oversight agencies provide only a minimal degree of assistance concerning the formulation and implementation of an InfoSec governance structure. Certain themes emerge from a review of this material:

  • Information security governance is subordinate to, and perhaps a component of, the broader issue of Information Technology governance. The assumption seems to be that if an organization develops a robust IT governance structure, information security will be included within this structure;
  • The primary purpose of information security governance is accountability; the coordination and comprehensiveness of an organization’s InfoSec program is, at best, a secondary consideration;
  • Governmental agencies are reluctant to impose governance requirements because of the diverse needs and resources of regulated institutions.

But, in view of the tendency in many organizations to disperse information security throughout business units and IT areas, the question remains: “Who’s in charge here?” What organizational structures will contribute to the formulation of a comprehensive, cohesive security program?


  1. SecurityExec Aug 8, 2008 at 5:35 pm

    I think it’s great that such an article has been written. Despite having a somewhat vested/biased interest on the topic (I am a security executive) I think there are some very relevant points that are compounding the problem of governance (and, ultimately, the overall effectiveness of information security.) Governance and accountability are arguably what’s needed most to help truly achieve better information security across the board. Unfortunately, as we’ve seen too often, the regulatory agencies, lawmakers, and industry itself shy away from establishing accountability. It’s much easier (politically) to continue to focus on the technology rather than address the real issue. Business leaders are always going to look for the path of least resistance – hence the reason we’re seeing a lot of companies revert to positioning security and risk managers/executives down the corporate ladder, usually back into the technology ranks. Until someone steps up (the regulators/agencies should have been leading the way on this long ago considering their increasing talk about the need to improve security of financial information) the business world simply isn’t going to accept more responsibility or accountability than it absolutely has to. That directly translates into security, privacy, and risk management reverting back to operational and technology-specific roles rather than being at the level needed for efficacy – closer to the executives and Boards of Directors.

  2. Bouch Aug 19, 2008 at 2:05 pm

    I work for a federally funded research and development center that has to abide by a variety of government regulations, such as the NISPOM that clearly identifies roles within information security. In short, the ISSO’s are the hands on computer security folks separate from the regular IT staff. They report to the ISR’s who work on the policies, procedures, and certifications. The ISR’s are the pawns of the ISSM who oversees the entire security posture similar to a CISO. However, these government regulations are not enforced within the private sector. Hopefully, as corporations keep being infiltrated and sensitive customer information is leaked publicly, the citizenship will stand up for a universal information security standard for private corporations.
