Security and risk governance. An operational model

Transcription

1 Security and risk governance An operational model

2 Table of Contents Ecosystem not Enterprise Segregation of duties Operating model Organizational structure Governance The benefits Forward steps Ecosystem not enterprise Gartner predicts that by 2017, the proportion of IT corporate spending that which will be spent outside the internal IT organization will rise from 38%, at present, to over 50%. 1 Changes to the business model and underlying IT functions are driving the need for a clearer, better approach to information security governance. One that s increasingly flexible in its response and quicker in dealing with business change and the need for innovation. Adoption of cloud services part of the change is driven by organizations desire to reduce costs, increase flexibility, and quickly adapt to future business requirements. The result: Organizations no longer own the end-to-end operations of their IT organizations. The assets belong to, and are under control of, a remote third party. The data held in that infrastructure is still owned by the organization, so it remains legally responsible for it. Still, the data is processed out of the organization s direct control and potentially in multiple geographic locations. The increasing demand for mobility and access to any data, at any time, at any place, and on any device has coincided with the increased use of personal devices. Moreover, this access is no longer restricted to employees. Partners, third parties, and customers also need access to core system information. This means your organization s data may be processed and held externally, and used on noncorporate devices, all of which is out of your direct control. Yet, this data is still your organization s lifeblood, and it s still the organization s responsibility to ensure full compliance with regulatory and privacy-related requirements. So, what are the new governance requirements and resulting risks arising from this New Style of Business? With an ever more technologically advanced business operation, organizations face even more sophisticated high-tech cyber threats. The news is full of recent cyber events, resulting in significant financial impacts and personal consequences after attacks within global businesses. As a consequence, there is a greater need to manage new risks. An organization can only plan for appropriate defense strategies to manage and prevent cyber breaches by understanding these risks and balancing them against the business opportunity that change enables. This requires an information governance structure in which everyone knows who is responsible for what, who reports to whom, and what steps need to be taken to defend against and respond to a cyber-attack. It s essential to lay out your organization s structure to manage these elements and ensure that today s business requirements are reflected in a business-led security governance and management structure. This enables your organization to be prepared to face today s cyber risks and handle them appropriately. 1 content/assets/events/keywords/ symposium/sym25/gartnersym24-executive-report2.pdf 2

3 Segregation of duties To ensure companies have a clear structure that separates the groups who define guidelines versus those who are responsible for their execution, regulators are increasingly asking for a Three lines of defense model. Figure 1: Three lines of defense Oversight Guidance (What) Execution (How) The first line of defense is the execution layer This is where the definitions about how things get done are laid out and where controls are executed. Operational excellence is at the center of all their activities. These employees deal with day-to-day operations and establish a clear picture of how controls are executed. Typically the group includes roles shown in Table 1. Table 1: Types of roles in the execution layer Function Responsibility control owner Lines of business Business Corporate functions Business CIO and IT security Technology Third parties Externals All employees on the execution layer must be authorized and vetted, even though they may not be directly employed within the organization. This may also include third parties employed by the organization, as they often have valuable information that could jeopardize the company s security, if compromised. The second line is the guidance layer This is where definitions about what needs to be done are established and controls defined. Control efficiency is at the center of their activities. These employees deal with the general security framework, used by the execution layer, as a base for their own definitions and baselines. Their duty is to develop clear guidelines for an effective and efficient framework, designed for maximum effectiveness. This is largely a chief information security officer function and includes responsibility for: Security strategy and policy definition Governance and structure 3

4 Monitoring, analysis, and response Risk remediation programs The third line is independent oversight This is where auditors, or other outside control functions, provide the oversight function. This means ensuring an organization is upholding preagreed standards and doing what it said it will do. The auditor s job is to oversee the execution layer and ensure the organization follows the framework designed by the guiding layer. Auditors provide independent assurance and oversight of operations and processes to ensure the organization is in compliance with the security framework and regulatory requirements. An auditing line also ensures guidelines are enforced consistently across all sections of the organization. Operating model No organization is complete without a clearly defined operating model that describes the interfaces and who does what. Information risk management, always a business topic, has become increasingly prominent since the World Economic Forum listed cyber risk high up in its risk reports. 2 Because the topic has business relevance, the organization s business side must also deal with it. This led to top managers being asked about their cyber-risk level/ appetite. And, with a major part of cyber security still related to IT, it s important to separate operational IT tasks from governance activities within the business. This approach is in line with segregating duties as described earlier. Cornerstones of this operating model are: A business centric approach with clear information ownership on the business side. IT employees often see data without knowing its relevance in the business context. This means that they can t handle the data correctly and appropriately. The three lines of defense model is fully applied with a clear segregation of duties between execution and guidance, and a fully independent oversight with defined interfaces. Transformation of cyber security away from an IT focus to a business- and value-focused risk topic. 2 _/ docs/wef_riskresponsibility_ HyperconnectedWorld_ Report_2014.pdf 4

5 Figure 2: Operating model cornerstones Customers/clients/units Unit 1 Unit 2 Unit 3 Unit 4 Unit n Service functions HR Legal Finance Compliance IT Oversight Audit Regulator Third parties Relationship management Policies Risk monitoring Strategies Risk reporting Framework Remediation control Target state KRIs & KPIs Control framework Education & awareness Organizational structure There is no silver bullet or one all-encompassing organizational structure. Every organization has its own business environment. However, there are some fundamentals that need to be covered, even though they may be altered to match an organization s specific needs. Examples include: IT functions should focus on IT security and all aspects (the How ) of the day-today operation. Focus areas include, for example: Identity and access management Vulnerability management Threat management Logging and monitoring Security events and incidents handling Risk controls execution Business functions, clients, or customers should incorporate their own element of cyber security and provide interfacing people capable of articulating the importance of data, access requirements, and regulatory and specific privacy requirements relevant to their business. The central organization dealing with cyber risk resides outside of IT, and reports resulting risks independently through established governance channels and escalation paths. The responsibilities cover guiding, monitoring, and reporting, as described in the operational model. 5

6 Governance It s important to choose the right governance body for cyber security and risk topics early in the process. The goal is to provide clear direction and accountability. It ensures direction comes from the top down and that the objectives are aligned with business requirements, avoiding a bottom-up, technology-driven approach to cyber security and risk. The governance body should oversee the cyber status, monitor agreed actions and remediation, and escalate to the next management level if required. Organizations usually have a range of committees and governance teams. So, there s no need to reinvent the wheel and create additional boards just for the sake of having a dedicated one. If a board with senior representation already exists, use it. Adapt the Terms of Reference of the existing body and ensure cyber security and risk become a standing agenda item. Very often, existing risk boards, operational management boards, and finance committees provide a very good home for the cyber security and risk topic. During times of constant change, this structure will enable decisions to be made by key stakeholders, which will gain greater acceptance. By following this approach, cyber security and risk will emerge from being a business inhibitor to an enabler. The benefits The benefits of segregating duties and having a clear business structure can be easily recognized. The transformation away from focusing on technology security toward business- and value-focused cyber-risk management brings a structure where roles, responsibilities, and duties are much clearer. It s easy to see who is responsible for what and who the go to person is. This is particularly important in the event of a breach or cyber-attack, as it s essential for a company to be prepared and ready. To react swiftly, while knowing who is responsible for what; and who should react, monitor, inform, and report; is essential to manage the situation successfully. This new clarity will benefit your organization in additional ways: It promotes operational excellence. This is encouraged by segregating duties and ensuring employees have a clear understanding of their duties. It will save the organization money through a stricter adherence to standards and regulations, and make sure cyber security and risk is a front-line issue. It enables adopting the New Style of Business in a secure way, which supports business flexibility. It also helps to have a clear governance structure that includes security at the beginning when adopting new solutions, rather than as an afterthought. And, with employees and IT having a better understanding of their responsibilities, it will become easier, as everyone understands what s required when new ideas are introduced. 6

7 These models create transparency and as a result, when properly executed, reduce risk to what may become a board-level issue later on. Organizations who know their risks and threats are much more likely to prevent ugly cyber surprises and better manage through such crises, in the event of such an eventuality. Forward steps About the Author Andreas Wuchner CTO Security Innovation The demand for greater flexibility from today s business will be enabled by disruptive technologies such as cloud and mobility. This will lead to changes in how and where an organization will store its data. Often, it will be held with a third-party provider, outside the organization s direct control. This will introduce a new set of risks to be managed. To ensure your organization is prepared to face and handle the risk appropriately, a business-led security governance and management structure will be required to plan the appropriate defense strategies, and manage and prevent cyber breaches. 7

8 Learn more at About DXC DXC Technology (NYSE: DXC) is the world s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company s technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit DXC Technology Company. All rights reserved. DXC_4AA6-1216ENW. October 2016