Information security aspects, decision-making and overall practices within an organization must be fostered through corporate governance practices. However, creating a governance framework for enacting policies in large enterprises is challenging. In particular, when many subsidiaries belong to one entity, the company is geographically distributed (multinational corporations), or heterogeneous legal obligations apply, enforcing group-wide rules is not always feasible.
Governance is all about providing strategic direction, ensuring that objectives are achieved, ascertaining that information security risk is managed appropriately and verifying that resources are used responsibly. In this blog post I want to outline how to approach a governance framework capable of enacting information security policies that respect local needs and cultural aspects and are consistent with local regulations (e.g., EU-GDPR and its national regulations).
Applicability of Corporate Policies and Sustaining Local Autonomy
Principle of Subsidiarity
Governance determines who is authorized to make decisions. A good example of a functioning and well-established governance framework is the European Union. In the EU, we have one shared legislation ('a new legal order of international law'), but also national legislation within the member states.
So, not everything is directed and controlled by a central governance body or Corporate function. This is called the subsidiarity principle. The subsidiarity principle is intended to ensure that decisions are taken at a local level where possible and that constant checks are made as to whether local action is justified and appropriate. Basically, it is about defining a common (information security) baseline and setting minimum standards followed by all subsidiaries.
Subsidiarity is a principle of social organization that holds that social and political issues should be dealt with at the most immediate (or local) level that is consistent with their resolution. (from Wikipedia, the free encyclopedia)
Types of Corporate Rules
There are essentially three types of documents we know from the EU: regulations (henceforth group-wide policy), directives (henceforth policy templates) and recommendations/opinions (other non-legislative documents, i.e. supporting materials).
A regulation (group-wide policy) shall have general application. It shall be binding in its entirety and directly applicable in all subsidiaries. We need exactly one document of this type: the Group-wide Information Security Governance Policy.
A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. (Article 288 of the Treaty on the Functioning of the European Union)
A directive (policy template) is a legal act of the European Union (Corporate function) that requires member states (subsidiaries) to achieve a particular result without dictating the means of achieving that result. Directives first have to be enacted into national law (local policies) by member states (subsidiaries) before they apply to individuals residing in their countries. Directives normally leave member states (subsidiaries) with a certain amount of leeway as to the exact rules to be adopted. Directives can be adopted by means of a variety of legislative procedures depending on their subject matter.
All entities should have the option to reject such directives, if sufficient rules are already in place (this mechanism is important to manage different levels of maturity within the organisation).
A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods. (Article 288 of the Treaty on the Functioning of the European Union)
Recommendations and opinions shall have no binding force and might also include tools and other supporting materials for local policy implementation. Think of an IAM (Identity & Access Management) tool provided by a central Corporate function and used by all subsidiaries that helps with implementing the policy template on access rights management. There is no obligation to use this exact tool, but it has the potential to save costs and create synergies among the subsidiaries.
Enacting the Group-wide Information Security Governance Policy
The board of directors (highest level of management) shall approve and sign the Group-wide Information Security Governance Policy, which forms our governance framework and sets rules on the creation, distribution and local adoption of information security policy templates and recommendations/opinions.
Next, local management shall sign a binding agreement demonstrating the commitment to follow the Group-wide Information Security Governance Policy. This can be a less formal letter of commitment or an intra-group agreement.
To clarify this point: this governance approach is recommended if one single set of policies is not suitable for all subsidiaries and we want to ensure that information security decisions are taken as closely as possible to the local stakeholders with respect to local needs (taking into account local regulations and special business needs).
Corporate Role and Local Role Definitions
It is helpful to have a written document that attributes accountability and responsibility for information security tasks on an operational level and a policy level. This could be an Annex of the Group-wide Information Security Governance Policy.
There should be a Corporate function responsible for Corporate Information Security. This Corporate function should act as facilitator between the board of directors and local information security management. Its tasks are comparable to what the European Commission does in strategy and policy when we look again at the European Union (whereas the board is similar to the European Parliament scrutinizing and approving directives based on strategic decisions).
Most importantly, it should be clarified which role has overall responsibility for approving local policies according to the governance framework (the so-called policy authority). There is only one right answer: local management. Even if strategic objectives are set by directives (policy templates), final decision-making is up to the local management.
ISO/IEC 27001 Standard
It is advisable to focus on the controls stated in Annex A of the international standard ISO/IEC 27001 when creating policy templates. This does not necessarily mean that certification against ISO/IEC 27001 is a strategic objective. It is more about using internationally accepted information security controls. Local policies must then be adapted according to relevant local regulations and laws, but ultimately they rest on the ISO controls.
Setting priorities on a strategic level is up to the board of directors (i.e., which topic needs to be addressed first).
Policy Template Creation Process
Policy templates (directives in Eurospeak terminology) shall be prepared by the Corporate function responsible for Corporate Information Security. Before publishing new or updated policy templates, coordination and cooperation among several stakeholders is essential:
- subject matter experts; e.g., information security rules regarding ISO 27001 Annex A.7 Human Resource Security should be discussed with the Corporate function responsible for Human Resources in the first place.
- information security steering committee including the local persons responsible for information security; focus should be on a sufficient geographical representation to ensure that the content is understood equally in all subsidiaries and rules are not dictated by Corporate headquarters, but jointly agreed on.
- Board of directors; focus should be on alignment with business needs and considering risk appetite. Each policy template should be approved by the board.
Policy templates should be published along with contextual information (in a single document or separately):
- instructions on how to apply the subsidiarity principle and how to report the local policy adoption decision
- motivation and overall information security objectives
- brief management summary or list of modified rules in case of an updated document revision
- an estimate of the expected impact on the subsidiary in terms of policy implementation costs
- what support can be expected by Corporate functions (tools, other supporting materials etc.)
- mapping to ISO 27001 controls
It is recommended to distribute documents in English in an editable and broadly accepted format like Microsoft Word.
Policy Template Adoption Process
Published policy templates shall be adopted as local policies according to the binding agreement signed by local management. The local persons responsible for information security shall be responsible for local policy adoption, and final approval is up to the local management.
In the decision process of adopting the policy template, we have three possible results:
- policy template adoption as is (minor updates like changing terminology)
- policy template adoption with substantial modifications
- policy template adoption is refused
Justification for adapting the policy template could be differences in legal systems, legal traditions and legal processes. Justification for refusing adoption could be that a corresponding rule set is already in place, or that essential aspects are illegal according to local laws and a new solution for increasing information security levels has to be evaluated locally.
There should be standardized reporting on the adoption decision to the Corporate function responsible for Corporate Information Security. Reporting and implementation of the local policy should be performed within a reasonable time. Rules that will not be adopted locally or that are temporarily suspended (moratorium) should be dealt with according to the group-wide policy exception and information security risk processes.
There should be no specification of a binding layout format. Subsidiaries should have leeway to choose their own statutory wording and format (local look and feel). Preferably, local policies will be published in all relevant local languages.
Measuring and Reporting Performance
Based on reporting of local policy adoption and its implementation status, performance indicators shall be reported to the board periodically by the Corporate function responsible for Corporate Information Security in a consolidated form. The local implementation status can be determined following the Capability Maturity Model (CMM).
Remember to follow the PDCA (Plan-Do-Check-Act) cycle for control and continual improvement, a key principle behind all modern ISO management system standards including ISO/IEC 27001.