Information is the key to success in the contemporary era. Just as a coin has two sides, a cyber-attack has two perspectives. On one hand, attackers seek information to take advantage of potential flaws in an organization’s architecture, processes, and design, exploiting these flaws to make money. Their prime targets in the organization are its information-based assets. On the other hand, organizations safeguard information to protect it from being stolen and misused. Information is therefore secured by governing an information security system.
With the rising sophistication of attacks, the threats to information-based assets are far greater than in the past. As technology has advanced, the tools used to gain unauthorized access have also become more powerful. This increases the need to secure information as an asset.
This article uncovers information security governance in FinTech, and provides deep insights into its characteristics, principles of good governance, and an integrated security governance framework. The content in this article is based on the extensive research work behind our book titled ‘Understanding Cybersecurity Management for FinTech’ published by Springer this year.
What is information security governance?
Information security governance combines information security and governance. Let us define these two terms separately first. Information security ensures that personal, private, confidential, and sensitive information is protected. Governance is the set of responsibilities and practices exercised by responsible individuals in an organization.
A comprehensive definition of information security governance is: Information security governance is the practice of securing information and managing cyber risks to protect any kind of information required for effective working of the organization, in compliance with the information security policy and risk management strategy.
Importance of securing organizational information
Information security is an important part of enterprise-level security governance. It interacts with information technology (IT) operations, IT projects, and IT governance, where IT operations represent the current state of IT and IT projects represent its future state.
Figure 1 demonstrates the basic structure of information security governance in an organization. At the top level of the enterprise sits corporate governance, which evaluates standards and policies. It also directs the middle- and low-level management functions: IT governance, information security, IT operations, and IT projects. Conversely, a bottom-up flow monitors these governance activities and reports on them to corporate governance.
Overall, information security governance performs the following activities:
- Promotes valuable information security practices with a clear direction from top to bottom
- Controls the risk appetite of the enterprise by considering different domains, such as legal, finance, information technology, and regulatory compliance
- Creates an overall information security activity that reflects the organization’s needs and risk appetite levels
- Monitors corporate governance policies and standards for managing information security governance standards
Characteristics of effective information security governance
Effective information security governance has several characteristics: involving appropriate organizational personnel, a governance framework, risk management, deliverables, and tackling changing risk levels.
- Appropriate organizational personnel: Appropriate organizational personnel include a board of directors, executive management, business managers, and internal auditors. These personnel are involved in designing governance policies, implementing them throughout the organization, and performing internal audits so that compliance with governance standards can be validated. These individuals lead from the front: they provide insight into the corporate culture, provide leadership, and dedicate resources, while also contributing to the implementation of information security activities, validating them, and recommending improvements.
- Governance framework: A governance framework provides guidelines for the board of directors and executive management to develop an audit plan. Such frameworks help the organization operate in a structured, consistent, and effective manner – one that can be explained easily to all stakeholders, regulatory agencies, service providers, and other parties in the business. Well-planned governance frameworks can help guide future business changes and activities.
- Risk management: Technical risks are as important as any other business risk. Deploying a risk management tool to analyze, assess, mitigate, monitor, and review risks is important for establishing a threshold at which risks are tackled on time. Some risks are avoided, some are accepted, some are transferred, and the rest are mitigated; which treatment applies depends on the risk appetite policy of the organization. Since every organization has different risk levels and different financial resources to tackle risks, the mitigation measures vary. However, maintaining adequate resources and finances to mitigate risks is key for every organization.
- Deliverables: Information security governance produces qualitative and quantitative deliverables. Qualitative deliverables are useful for measuring management activities, whilst quantitative deliverables are used for tracking capabilities that qualitative measures cannot capture. Quantitative deliverables could include the number of policies and standards delivered, the number of security events, and the results of corporate training and security programs. This does not diminish the value of qualitative deliverables; in general, a mixture of qualitative and quantitative deliverables is used in an organization.
- Tackling changing risk levels: Risk management is used by the authorities to tackle risks, set a risk appetite for the organization, and cope with the changing nature of risk levels. The risk appetite policy is updated as technological and informational assets change. These changes are validated through an audit plan.
Principles of good governance
Based on the discussion of information security governance and the characteristics of effective governance, there is a need to design principles for good governance. This section introduces some exemplary practices for good governance:
- Accountability and responsibility: Every stakeholder in the enterprise must be accountable for the activities they perform. This principle ensures that individuals do their best to achieve the organization’s objectives. Top management should ensure accountability and responsibility throughout the organization.
- Transparency: Every stakeholder shares some information in the form of documents, reports, or financial statements that reveal the outcomes of their activities. This ensures transparency in the enterprise.
- Strategic decision-making: Investments support governance objectives. Security governance ensures that information security is integrated with existing organization processes to make strategic decisions.
- Risk management: Based on resources and assets in the organization, risks are identified, analyzed, monitored, and mitigated. Risk-centric security governance helps identify the risk appetite of the organization by considering compliance, liability risks, operational losses, disruptions, and reputation harm.
- Performance review: Security governance impacts the overall objectives and goals of the enterprise. It must review performance through financial statements, audit reports, and risk management reports to identify areas for improvement.
- Conformance with requirements: Security governance must conform to internal and external requirements. External requirements include mandatory legislation, regulations, standards, and contracts. Internal requirements include organizational goals and objectives. Conformance is monitored through security audits.
Integrated governance framework for FinTech
There are three main views of an integrated governance framework: architecture, domain, and presentation.
Table 1: Requirements of the integrated security governance framework
The security governance framework consists of three domains: community, security, and performance, as shown in Figure 2. Every domain has several objects that perform its functions. There are two categories of relationship among the domains: harmonization and flywheel. The harmonization category governs the relationships between the three domains and deals with the social, organizational, and human factors of enterprise security. The flywheel category governs the relationship between the performance and security domains and deals with the virtuous cycle of enterprise security.
The framework integrates government, shareholders and management, media and customers, and employees and suppliers to perform four major tasks. The government creates the standards and policies with which the enterprise must comply; media and customers endorse security programs; employees and suppliers are bound by agreements with the enterprise; and shareholders and management align themselves with the security standards and policies of the enterprise.
The community domain contains shareholders and management, who give directives and are directly affected by the profits and losses of the enterprise. The performance domain performs cost–benefit analysis based on the availability of resources and their competitive value, since every resource brings competitive value to the business. The security domain deals with risks and their impact on the security of the enterprise. It also contains an enterprise strategy for producing value from resources.
This article introduces the fundamentals and importance of securing information in an organization. It presents the characteristics and good practices to design an integrated security framework. The next article of the Understanding cybersecurity management on FinTech series explores cybersecurity threats in FinTech.