Improving IT security by implementing better governance

As agency executives look to implement and reinforce cybersecurity as part of their overall IT and programmatic priorities, an important OMB policy and industry implementation framework can provide context and support by enabling sound IT governance.

a man grouping items by shape

In the face of ever-increasing cybersecurity risks, significant attention is being paid to improving agencies' preparedness and response to vulnerabilities and threats throughout the public sector. Two ways to go about supporting those activities involve addressing cybersecurity from a risk-based framework and engaging top-level leadership in addressing security as a strategic priority. A third complementary imperative involves establishing an overall IT governance structure that includes cybersecurity as a key enabler to achieving programmatic outcomes.

Fortunately, agencies have a number of tools at their disposal to enhance their governance framework.

1. OMB policy drivers for IT governance

At the end of 2008, the Office of Management and Budget reaffirmed and clarified the organizational, functional and operational governance framework required within the executive branch for managing and optimizing the effective use of IT. OMB Memorandum 09-02 established an IT governance framework that addresses the management structure, responsibilities and authorities of heads of departments and agencies and their CIOs in planning, acquiring, securing, operating and managing IT systems and assets within the department or agency.

The memo requires that agencies designate an executive-level CIO who reports to the head of the organization and has formal and full responsibility for all requirements set forth in statutes, regulations and public laws. That CIO also has ultimate responsibility for the governance, management and delivery of IT mission and business programs at the agency and must have an effective operative means of meeting that responsibility.

Furthermore, the CIO has the authority to set agencywide IT policy, including all areas of IT governance such as enterprise architecture and standards, IT capital planning and investment management, IT asset management, IT budgeting and acquisition, IT performance management, IT risk management and IT workforce management. The authority also extends to IT security and operations and IT information security, working with the agency chief information security officer and other security officials.

In August 2011, OMB issued related guidance in memo 11-29, which updated policy regarding the CIO's role in IT governance and explicitly discussed information security as part of the CIO's responsibilities. Taken together, those two OMB memos provide a strong framework for incorporating security considerations into overarching IT governance and strategy. That approach allows agency leaders to properly assess security risks in the context of risks and benefits from IT initiatives more broadly and from the programs that leverage IT and require good security to be successful.

2. An industry framework for implementation

One way to achieve the objectives of strong IT governance is to incorporate the COBIT 5 framework as a guide to implementing sound IT governance at the enterprise level. COBIT, which stands for Control Objectives for Information and Related Technology, serves as a business framework for the governance and management of enterprise IT and clearly defines IT governance as distinct from IT management. According to the COBIT 5 framework: "Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision-making; and monitoring performance and compliance against agreed-on direction and objectives."

Furthermore, "management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives."

As technology use continues to increase the spread and impact of IT and cyber vulnerabilities and incidents, so do the tools and techniques to improve controls to protect key enterprise resources. The COBIT 5 framework is one of those tools. (COBIT 5 currently consists of the framework, two enabler guides, four professional guides, and COBIT 5 Online Collaborative Environment.) Moreover, COBIT 5 is one of the informative references contained in the National Institute of Standards and Technology's Cybersecurity Framework.

COBIT 5 is built on five basic principles and includes extensive guidance on enablers for governance and management of enterprise IT. Enterprises can use COBIT 5 framework principles to create optimal value by governing IT in a holistic manner, implementing comprehensive risk management and security controls, and ensuring that those controls are defined and implemented at a level appropriate to the increasing complexity of the enterprise.

The COBIT 5 framework delivers to its stakeholders the most complete and up-to-date guidance on governance and management of enterprise IT, as depicted in the graphic below.

COBIT5

Image: ISACA

COBIT has proved to be very effective for implementing IT governance and detailed security controls globally at all sorts of institutions and a number of federal and state government agencies, including the Department of Veterans Affairs.

3. Sound IT governance can make a significant difference

In light of the constant changes in the IT environment, all enterprises should look to IT governance to secure information from the moment it is created to the time it is destroyed. That is why, in the past decade, IT governance has moved to the forefront of enterprise efforts to effectively manage and appropriately protect IT systems and assets, contributing to the success of risk-based security and supporting strategic decisions made by C-level executives across the public and private sectors.

Note: A version of this article also appears on the IBM Center for the Business of Government website.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.