Information Security & Information Governance – how they work together


Information (data) security, cybersecurity and IT security all usually refer to the protection of computer systems and information assets through suitable controls, such as policies, processes, procedures, organisational structures, and software and hardware functions. The type and extent of those controls depends on the scope and maturity of the business function applying them (usually the Security Department), or on the specialisation and focus of the team, such as Perimeter/Firewall or Identity Management. Because of that focused specialisation, each function tends to have a different perspective on information security from the other functions.

A close parallel is the health profession. You see a GP doctor when unwell, and are referred to a specialist who knows much more than your GP about a particular field of expertise. I know that my GP would not want to perform open heart surgery at all. And equally, a heart specialist would not have up-to-date and practical knowledge of all areas of the body. Tinea treatment? – see somebody else please.

In other words, people specialise in a particular aspect of their work. You can’t be an expert in everything. People prioritise – for example, in busy times, a SysOp whose primary role is to keep the sales/finance system up and running for all users will not be as vigilant with security.

This is exactly how Information Security Systems operate. For example, an Information Security Management System (ISMS) built on ISO 27001 or the NIST Cybersecurity Framework offers excellent best-practice information security methods. But an ISMS operated by the Security function will have a security-centric focus and provide protection from that perspective; it may not integrate completely with Privacy, Legal, Risk and other functions. As a result of these different specialisations, gaps in coverage can arise. And unfortunately for organisations, it is often the risks they are unaware of that hurt the most.

This is where the benefits of Information Governance are most apparent, as IG provides a framework for the business functions that have a valid interest in information protection. These functions, such as Security, Privacy, Legal, Risk, Audit, Records Management and the individual operational Business areas, often operate as silos: to good effect vertically, but with poor integration horizontally. Information Governance is where the horizontal connections are structured, made and reinforced, using suitable controls such as the familiar-sounding ‘policies, processes, procedures, organizational structures and software and hardware functions’. The Sedona Conference has defined Information Governance as ‘an organisation’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value’.

Overall, comprehensive and effective security comes from covering all of the risks that exist against the assets you want to protect. Despite its three-character length, ‘All’ is a big word.

In the end, it comes down to appropriately protecting your assets. To protect them, you need to know what assets you are protecting, what threats exist, and that your protection methods cover all angles. Information Governance provides the means to orchestrate all of the protection functions together.

By Richard Kilpatrick

Richard is a highly experienced consultant in information technology, focusing on realistic data governance, security and privacy. Richard has led programs of work to discover and classify data across multiple business units within banks, telcos, health and media. In this article, he outlines the difference between Information Security and Information Governance, explaining why IG frameworks are essential for the successful orchestration of specialised security systems.