As has been mentioned before, in security governance the board members of an organisation are accountable. This means that board members are responsible for their company's security governance in order to prevent cyber risk. Even though the board members have the authority to direct information security, they often lack an understanding of the security issues. To have clear-cut insight into and control of objectives, performance and the risk and threat level, an organisation needs to adopt a security governance framework that suits the company.
Security governance must be integrated into the other operational and control frameworks within financial services institutions. There are many security governance frameworks that an organisation can choose from. One of the most widely used and trusted security frameworks is the NIST Cyber Security Framework. Other security frameworks include ISO 27002:2013, the CIS Critical Security Controls and the Software Assurance Maturity Model (SAMM).
Among these security frameworks, the NIST Cyber Security Framework provides a solid groundwork on which good security governance can be built. This helps organisations to improve their ability to prevent, detect and respond to cyber risk.
The core structure of the NIST Cyber Security Framework can be divided into five functions: identify, protect, detect, respond and recover. In the identify function, the organisation should know what kind of business it operates in. What are the most critical components of the organisation? What are the cyber risks that threaten the organisation? By answering these questions, the organisation can gather the information and use it to manage the cyber threats it encounters.
In the protect function, the organisation should be able to limit the effect of threats that could harm the crucial parts of its operation. The organisation can put in place cyber security safeguards and protections to guarantee that its crucial functions can continue to deliver.
The third function in the NIST Cyber Security Framework is detect. In the detect function, the organisation needs to find and detect adverse cyber risk incidents as they occur. The company can, for example, employ detection capabilities that monitor threats from well-known sources as well as the company's own custom alerts and inputs.
In the respond function, the organisation needs to contain the effect of the adverse cyber risk incidents that have been detected. The organisation has to take charge of strengthening the company's strategies and capabilities in response to the cyber risk incident.
The last function in the NIST Cyber Security Framework is recover. In the recover function, after the cyber threat incident has occurred and the risk has been dealt with, the organisation should focus on its recovery and on restoring normal operations.
In conclusion, a security governance framework can help establish the appropriate level of cyber security adapted to the organisation's environment and needs. It can also help in assigning a sufficient cyber security budget towards the implementation of the framework.