Information is the key to success in the contemporary era. Just as there are two sides of a coin, there are two perspectives of a cyber-attack. On one hand, attackers seek information to take advantage of potential flaws in an organization’s architecture, processes, and design; exploiting these flaws to make money. The prime targets in the organization are its information-based assets. On the other hand, organizations safeguard information to protect it from getting stolen and misused. Thereby, information can be secured by governing an information security system. 

With the rising sophistication, the threats to information-based assets are much higher than in the past. With the advancement of technology, tools to gain unauthorized access have also become powerful. This increases the need to secure information as an asset.

This article uncovers information security governance in FinTech, and provides deep insights into its characteristics, principles of good governance, and an integrated security governance framework. The content in this article is based on the extensive research work behind our book titled ‘Understanding Cybersecurity Management for FinTech’ published by Springer this year.

What is information security governance?

Information security governance combines information security, and governance. Let us define these two terms separately first. Information security ensures that personal, private, confidential, and sensitive information is protected. Governance is the set of responsibilities and practices exercised by responsible individuals in an organization. 

A comprehensive definition of information security governance is: Information security governance is the practice of securing information and managing cyber risks to protect any kind of information required for effective working of the organization, in compliance with the information security policy and risk management strategy.

Importance of securing organizational information

Information security is an important part of enterprise-level security governance. It interacts with information technology (IT) operations, IT projects, and IT governance, where IT operations are considered current state of IT and IT projects are considered future state of IT.

Figure 1 demonstrates the basic structure of information security governance in an organization. At the top-level of the enterprise exists corporate governance, which evaluates the standards and policies. It also directs the middle- and low-level management consisting of: IT governance, information security, IT operations, and IT projects. On the contrary, the bottom-up approach monitors the governance activities for the corporate governance. 

Figure 1: Information Security Governance

Overall, information security governance performs following activities:

  • Promotes valuable information security practices with a clear direction from top to bottom
  • Controls the risk appetite of the enterprise by considering different domains, such as legal, finance, information technology, and regulatory compliance
  • Creates an overall information security activity that reflects organization’s needs and risk appetite levels
  • Monitors corporate governance policies and standards for managing information security governance standards

Characteristics of effective information security governance

Effective information security governance has several characteristics, such as: involving appropriate organizational personnel, a governance framework, risk management, deliverables, and tackling changing risk levels.

  1. Appropriate organizational personnel: Appropriate organizational personnel includes: a board of directors, executive management, business managers, and internal auditors. These personnel are involved in designing governance policies, implementing them throughout the organization, and performing internal auditing so compliance with governance standards can be validated. These individuals lead from the front to: provide an insight into the corporate culture, provide leadership, and dedicate resources; while also contributing to the implementation of information security activities, validating them, and recommending improvements. 
  2. Governance framework: A governance framework provides guidelines for the board of directors and executive management to develop an audit plan. These frameworks help the organization to operate in a structured, consistent, and effective manner – such that it can be explained easily to all stakeholders, regulatory agencies, service providers, and other parties in the business. Well planned governance frameworks can help guide future business changes and activities. 
  3. Risk management: Like all business risks, technical risks are equally important. Deploying a risk management tool to analyze, assess, mitigate, monitor, and review risks is important to establish a threshold to tackle risks on time. Some of the risks are avoided, some are accepted, some are transferred, while the rest are mitigated. It all depends on the risk appetite policy of the organization. Since every organization has different risk levels and different financial resources to tackle risks, the mitigation measures vary. However, maintaining proper resources and finances to mitigate risks is the key for every organization. 
  4. Deliverables: Information security governance produces qualitative and quantitative deliverables. Qualitative deliverables are useful in measuring management activities, whilst quantitative deliverables are used for tracking capabilities not feasible with qualitative measures. Quantitative deliverables could include: several policies and standards delivered, number of security events, and result of corporate training and security programs. This does not diminish the value of qualitative deliverables. In general, a mixture of both qualitative and quantitative deliverables are used in an organization. 
  5. Tackling changing risk levels: Risk management is used by the authorities to tackle risks, set up a risk appetite for the organization, and cope with the changing nature of risk levels. The risk appetite policy is updated with changing technological and informational assets. These changes are validated with an audit plan.

Principles of good governance

Based on the discussion on information security governance and characteristics of an effective governance, there is a need to design principles for a good governance. This section introduces some exemplary practices for good governance: 

  1. Accountability and responsibility: Every stakeholder in the enterprise must be accountable for the activities performed by them. This principle ensures that individuals are doing their best to achieve the organization’s objectives. Top management should ensure accountability and responsibility throughout the organization. 
  2. Transparency: Every stakeholder shares some information in the form of documents, reports, or financial statements that reveals the outcomes of their activities. This ensures transparency in the enterprise. 
  3. Strategic decision-making: Investments support governance objectives. Security governance ensures that information security is integrated with existing organization processes to make strategic decisions. 
  4. Risk management: Based on resources and assets in the organization, risks are identified, analyzed, monitored, and mitigated. Risk-centric security governance helps identify the risk appetite of the organization by considering compliance, liability risks, operational losses, disruptions, and reputation harm. 
  5. Performance review: Security governance impacts the overall objectives and goals of the enterprise. It must review performance through financial statements, audit reports, and risk management reports to find areas of improvement. 
  6. Conformance with requirements: Security governance must conform to internal and external requirements. External requirements include mandatory legislation, regulations, standards, and contracts. Internal requirements include organizational goals and objectives. Conformance is monitored through security audits.

Integrated governance framework for FinTech

There are three main views of an integrated governance framework: architecture, domain, and presentation.

Table 1: Requirements of the integrated security governance framework

View Requirements
Architecture
  • Clear relationships among domains
  • Partitioning the domains in enterprise security
Domain
  • Consider every participant of the enterprise security
  • Characteristics of business information
  • Cost and benefit analysis
  • Sub-divisions of security controls and strategies
Presentation
  • Bird-eye view of security governance framework
  • Structured presentation of every object in enterprise security

 

The security governance framework consists of three domains: community, security, and performance, as shown in Figure 2. Every domain has several objects that perform the functions. There are two relationships among the domains: harmonization and flywheel. The harmonization category governs the relationships between three domains and deals with social, organizational, and human factors of enterprise security. The flywheel category governs the relationship between performance and security domain and deals with the virtuous cycle of enterprise security. 

Figure 2: Integrated security governance framework

The framework integrates government, shareholders and management, media and customers, and employees and suppliers to perform four major tasks. The government creates the standards and policies that the enterprise works in compliance with, media and customers endorse security programs, employees and suppliers are bound to agreements with the enterprise, and shareholders and management align themselves with the security standards and policies of the enterprise.

The community domain contains shareholders and management who give directives and are directly affected by the profits and losses in the enterprise. The performance domain performs cost and benefit analysis based on the availability of resources and their competitive value – as every resource brings a competitive value to the business. The security domain deals with risks and their value to impact the security of the enterprise. It also consists of an enterprise strategy to produce value to resources.

What’s next 

This article introduces the fundamentals and importance of securing information in an organization. It presents the characteristics and good practices to design an integrated security framework. The next article of the Understanding cybersecurity management on FinTech series explores cybersecurity threats in FinTech.

Would you recommend this article?

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Previous articleBuilding trustworthy AI
Next articleHow the travel industry can provide customer experiences that balance safety and convenience
Gurdip Kaur and Arash Habibi Lashkari
***Dr. Gurdip Kaur is a Risk Advisory Consultant at Deloitte Canada. She is a CompTIA certified CyberSecurity Analyst (CySA+) experienced in detecting and analyzing malicious network traffic. She is the author of the book titled “Understanding Cybersecurity Management in FinTech” published by Springer in 2021. She has also contributed to the “Understanding Android Malware Families (UAMF)” series to the IT World Canada this year. She has published several book chapters and research papers with reputed journals. She has contributed to three public cybersecurity datasets generated at the Canadian Institute for Cybersecurity, University of New Brunswick. She was awarded two gold medals in Bachelor of Technology and a silver medal for the research project on high interaction honeypots. Her research project on malware reverse engineering was selected among top 10 projects in the National Student Project Contest in 2015. She is strongly inclined towards cybersecurity, malware analysis, vulnerability management, incident reporting, and SIEM solutions. ***Dr. Arash Habibi Lashkari is an associate professor at the Faculty of Computer Science, University of New Brunswick (UNB) and research coordinator of the Canadian Institute for Cybersecurity (CIC). He has more than 22 years of academic and industry experience developing technology that detects and protects against cyberattacks, malware and the dark web. Dr. Lashkari has been awarded 3 gold medals as well as 12 silver and bronze medals in international computer security competitions around the world. In 2017, he was selected as one of the top 150 researchers who will shape the future of Canada and he won the Runner up Cybersecurity Academic Award of the year at ICSIC conference in Canada. He is the author of 10 books in English and Persian on topics including cryptography, network security, and mobile communication as well as over 90 journals and conference papers concerning various aspects of computer security. His research focuses on cybersecurity, big data security analysis, Internet Traffic Analysis and the detection of malware and cyber-attacks as well as generating cybersecurity datasets.