One main objective of the European Cyber Security Act is to inform business and consumers about the security of ICT products, processes and services, through certification schemes. This webinar provides solid information about the present status of the Act's implementation.
GRC: Be Connected! – Information Security Governance
16 February 2021 – Cyber Security Coalition
GRC: Be connected!: about information security governance
The third session in the GRC: Be connected! series focuses on the context of information security through governance. The use of COBIT is strongly advocated in this!
In information security, a key role is played by the Chief Information Security Officer (CISO). Filip De Wolf, Director of Approach Belgium, paints an in-depth picture of the many and diverse skills this person has to master. So many and diverse, that finding them all in one person would be as rare as spotting a white raven. Starting from the Wikipedia definition, De Wolf describes the CISO as a senior level executive, his success dependent on the culture and governance in the company. Reporting to the CEO often results in getting things done faster! And do manage expectations.
The required skills are executive in nature (business acumen, identify the crown jewels), policy related (policies must be realistic, understandable and in line with legal), and risk management expertise. Furthermore, people management and communication soft skills are crucial. Including being stress resistant, and willing to call your CxO anytime, even at 2am if needed (and without fear of being kicked out). And even more skills (project and change management, etc. etc.). Too many skills? His advice: start an office of the CISO, bringing together these skills. And do get people – including top management – involved through tests and exercises (without actually organizing an attack on your own company, of course).
In ‘A perspective on security & risk governance’, Karine Goris, Head of Digital Security, IT Risk & DRP at Belfius, proposes a ‘four steps’ approach to define a security governance that works in your company. Every step concludes with a ‘checklist’.
It starts with the absolute necessity of ‘know your business’. Security must understand the context of the business (strategy, operations, assets) and the risks involved, including the real risk appetite (as this determines your mandate). Do keep abreast with changing business models and related attacks.
Next you outline a framework, mapping the business risks on information security principles. Express this in your company’s ‘mission, vision and values’, followed by an information security policy, and a charter. Make sure that all of this is understandable, validated by the board and visible throughout the company.
Having set the scene, the third step relates to defining the information security process. Do your risk assessment and bring everything together as input in your processing. This processing requires technology-based controls, but also people and process controls! And this processing must show itself as being effective and efficient, through output for assurance dashboards. This allows for corrective measures.
Step four provides a reflection moment, as a step-up to continuous improvement. That is, you start all over again.
The third presentation had Prof. Georges Ataya, Solvay Brussels School of Economics & Management, explaining how COBIT performs exquisitely as a ‘digital governance framework for information security activities’. As an express train, Prof. Ataya expounded in an introductory COBIT course how this ‘mother of all frameworks’ can bring value to information security. With value creation through benefits optimization, risk optimization and resources optimization. Following a general overview, he discusses how stakeholder drivers and needs cascade down to governance and management objectives (e.g. risk optimization). He ties in how the ‘plan, build, run, monitor’ approach and the seven governance components are applicable for each governance and management objective.
Furthermore, Prof. Ataya points out that introductory documents on COBIT are available for free (PDF format): ‘COBIT 2019 Framework: Governance and Management Objectives’ and ‘COBIT 2019 Framework: Introduction and Methodology’.
Other blog posts
This session of the Privacy Focus Group provides a valuable and practical primer for acquiring more insight in the issue of international data transfers after Schrems II and Brexit.
The webinar teaches you that information security must be handled in a structured way. Three Coalition members explain how frameworks such as CISM, NIST and ISO 27001 certification can support you in your role as CISO.
Audits strengthen business operations, yet many organizations are fearful of the process, rather than seeing the benefits of audits. In this webinar, you get better insights in the auditing process and how you can use audits to strenghten and mature your overall risk programme.