NIST SP 800 100 Information Security Governance

With the increasing complexity of the IT infrastructure and a continuously changing security threat and risk environment, organizations today are required to manage as well as govern the Information Security. Properly managing and governing of the Information Security support to reduce the risks and ensure the organization’s capability to do their business in a secure way. This article is about the outline of information security governance in accordance with the special publication of the NIST, called, Information Security Handbook: A Guide for Managers.

NIST Definition Of Information Security Governance

information security goverence

Information Security Governance includes its own requirements, activities, challenges, and sorts of structures. It also includes a defining role in determining key roles and responsibilities in the Information Security. In addition, impacts the policy development, oversight and ongoing monitoring activities of Information Security. In order to guarantee a certain level of support of business missions & the proper implementation of the security requirement, each organization should create a formal structure of information security governance. Let us begin with the information security governance requirements.

Information Security Governance Requirements 

The United States Congress and OMB (Office Management and Budget) have introduced a set of laws, directives, and regulations that oversee establishment & implementation of the information security practices. The organization must create clear reporting needs that fulfil the legislative requirements, directives, and regulations formed by Congress. The organization should modify the practice of their information security governance based on their own missions, operations & needs. 

Examples of the key legislative acts, which define entire governance requirements are:

  • The Government Performance and Results Act (GPRA)
  • The Paperwork Reduction Act (PRA)
  • The Federal Financial Management Improvement Act (FFMIA)
  • The Clinger-Cohen Act
  • The Federal Information Security Management Act  (FISMA)

Information Security Governance Components

Organizations should incorporate their activities of information security governance with the entire activities and structure of the organization by guaranteeing the proper participation of the enterprise officials in overseeing the security control implementation throughout the enterprise. The key activities, which enables the integrations are:

  • Strategic planning
  • Organization design & development
  • Establishment of the roles & responsibilities
  • Integration with organization architecture
  • Documentation of objectives of security policies and guidance

The following diagram depicts the relationship among the above-mentioned components:

infosec governance componets

Image source: NIST SP 800 - 100

Information Security Strategic Planning

The organization requires to create a strategic plan for the program activities and create an annual performance plan that covers each program activity in terms of their budget. The strategic plan should be refreshed for every three years. The organization should incorporate the information security into their strategic planning process by creating and documenting the information security strategies, which directly support their strategic & performance planning activities.

The enterprise information security strategy should:

  • Establish a complete framework to facilitate the development, assessment, institutionalization, and enhancement of the organization’s information security program.
  • Support the entire organization strategic & performance plans with this content visibly noticeable to these higher-end sources.

Information Security Governance Structure

Structure of information security can be considered in various ways. The two basic structure models are: 

1.Centralized Structure

infosec centralized structure

2.Decentralized Structure

Decentralized Structure

In reality, organizations usually adopt the hybrid model, which includes centralized structure model at one end and decentralized structure model at the other end since it is quite rare to implement the governance completely based on centralized or decentralized structure. 

Key Governance Roles & Responsibilities

FISMA provides the detailed roles and responsibilities of the key governance. As we have discussed the key roles and responsibilities in the information security in our blog, An Introduction To Information Security - Roles & Responsibilities, here we listed some sample responsibilities of the governance roles. 

Agency Head

Some of the FISMA assigned responsibilities are:

  • Guaranteeing that the information security program is properly created, documented, & implemented to offer security for entire networks, systems, and data, which support the organization’s operations.
  • Guaranteeing that the information security processes are incorporated with strategic & operational planning processes in order to defend the mission of the organization.
  • Guaranteeing that the senior agency officers provide the essential authority to defend the assets and operations under their control

Chief Information Officer

Some of the FISMA assigned responsibilities are:

  • Designating a SAISO (Senior Agency Information Security Officer).
  • Developing & maintaining an enterprise-wide information security program.
  • Developing & maintaining security policies, procedures & control techniques for addressing requirements.

Senior Agency Information Security Officer

Some of the FISMA assigned responsibilities are:

  • Primarily performing the duties of information security.
  • Training & supervising personals with important responsibilities for the information security.
  • Periodically testing & analysing the effectiveness of the security policies, procedures & practices.

Chief Enterprise Architect

Some of the FISMA assigned responsibilities are:

  • Leading organization architecture development & implementation efforts
  • Collaborating with business lines within the organization to guarantee proper incorporation of the business lines into enterprise architecture
  • Participating in the activities of the organizational strategic planning & performance planning to guarantee proper incorporation of enterprise architecture

Related Roles

The following are the responsibilities of the some of the primary senior administration roles:

  • Inspector General (IG) – Works to evaluate the information security practices of the organization and identifies vulnerabilities & the possible requirements to adopt security measures. 
  • Chief Financial Officer – Reviews the cost goals of major security investments and reporting the financial management information.
  • Chief Privacy Officer / other designated official with privacy responsibilities – Works to keep a proper balance between the privacy and security needs and works to guarantee that one is never compromised for the other.
  • Physical Security Officer/other designated official with physical security responsibilities – Responsible for the entire implementation & management of the controls of physical security across the organization, to comprise incorporation with controls of information security. 
  • Personnel Security Officer/ other designated official with personnel security responsibilities - Responsible for the entire implementation & management of the controls of personnel security across the organization, to comprise incorporation with controls of information security. 
  • Acquisitions/Contracting – Responsible for handling contracts and supervising their implementation

Integration With Enterprise Architecture

The organization needs to integrate the security into their organization architecture development life cycle. This integration support to comply with the OMB requirements and offer the following benefits:

  • Reduce the reporting burden
  • Incorporation of security data
  • Preservation of security needs

Information Security Policies & Guidance

Information security policy is one of the basic components of the information security governance. If there is no policy, then governance possess no rules and substances to enforce.
Organization information security policy must address the basics of information security governance structure, such as:

  • Information security roles & responsibilities.
  • Statement of the security controls baselines.
  • Statement of rules for beyond the baseline.
  • Behaviour rules, which organization users are expected to follow.

Ongoing monitoring

It is important to constantly review the information security governance to ensure the following things:

  • Ongoing information security activities are offering proper support to the organization mission.
  • Policies & procedures are up-to-date and aligned with developing technologies.
  • Controls are obtaining their proposal purpose.

The key ongoing activities, which assist in supervising and enhancing the information governance activities of the organization are:

  • Plans of Action & Milestones
  • Measurements & Metrics
  • Continuous Assessments
  • Configuration Management
  • Network Monitoring
  • Incidents & Events Statistics

Information Security Governance Challenges

The following are the some of the challenges that organization is likely to experience in its process to create an information security governance:

  • Balancing widespread requirements, creating from various governing bodies.
  • Maintaining currency.
  • Balancing legislation & agency-specific policy.
  • Prioritizing available funding based on the recruitment.

On the whole, information security governance offers a framework for creating as well as maintaining the security program, which will advance with the enterprise it supports. 


    All Comments (0)

    No one has commented yet.



Leave a comment