Effective security governance fails if it is not integrated into an overarching information security strategy, supported by senior management and the board, and linked with business and IT objectives.

Characteristics of an effective security governance function

Successful, or end-state, security governance functions have the following characteristics:
Defined risk tolerance parameters for the organization
Defined risk assumption framework and who can assume risk
Governance responsibilities and practices exercised by the board and senior management that provide strategic direction, ensure that information security objectives are achieved and ensure that risks are managed appropriately

Board communications should occur at least once a year. All major risks or gaps reported or disclosed to the board should be submitted with action plans for resolution or, at a minimum, with the next steps to resolve the gaps. Information security needs to be owned by senior management, with issues vetted before going to the board.

Establish a broad and easily understood measure for information security risk decisions (i.e. a risk assumption model or framework). Address risk assumption and risk tolerance early with senior management, and get your risk assumption framework approved by the board.

When dealing with contested security issues, or when escalating security risk issues to senior management, assume that your audience does not understand information security. Your narrative messages should be short: preferably one page and no longer than two pages. Talk in business risk terms and terminology. Be factual: issues must be dealt with in a straightforward manner. Do not sugarcoat or exaggerate issues. Fear, uncertainty or doubt should not be used. Jargon should be explained or not used at all.

Senior management should be updated at least three times a year on the general risk posture of the organization and on the outstanding high-risk security issues that are being monitored. Security governance is only successful when it is integrated into an information security strategy and supported by your board of directors.