Information is the key to success in the contemporary era. Just as a coin has two sides, a cyber-attack has two perspectives. On one hand, attackers seek information to take advantage of potential flaws in an organization’s architecture, processes, and design, exploiting these flaws to make money. Their prime targets in the organization are its information-based assets. On the other hand, organizations safeguard information to protect it from being stolen and misused. Information can therefore be secured by governing an information security system.

With the rising sophistication of attacks, the threats to information-based assets are much higher than in the past. As technology has advanced, the tools used to gain unauthorized access have also become more powerful. This increases the need to secure information as an asset.

This article uncovers information security governance in FinTech, and provides deep insights into its characteristics, principles of good governance, and an integrated security governance framework. The content in this article is based on the extensive research work behind our book titled ‘Understanding Cybersecurity Management for FinTech’ published by Springer this year.

What is information security governance?

Information security governance combines information security and governance. Let us define these two terms separately first. Information security ensures that personal, private, confidential, and sensitive information is protected. Governance is the set of responsibilities and practices exercised by responsible individuals in an organization.

A comprehensive definition of information security governance is: Information security governance is the practice of securing information and managing cyber risks to protect any kind of information required for effective working of the organization, in compliance with the information security policy and risk management strategy.

Importance of securing organizational information

Information security is an important part of enterprise-level security governance. It interacts with information technology (IT) operations, IT projects, and IT governance, where IT operations represent the current state of IT and IT projects represent the future state of IT.

Figure 1 demonstrates the basic structure of information security governance in an organization. At the top level of the enterprise sits corporate governance, which evaluates the standards and policies. It also directs the middle- and low-level management consisting of IT governance, information security, IT operations, and IT projects. Conversely, the bottom-up approach monitors governance activities and reports on them to corporate governance.

Overall, information security governance performs the following activities:

Characteristics of effective information security governance

Effective information security governance has several characteristics, including the involvement of appropriate organizational personnel, a governance framework, risk management, defined deliverables, and the ability to tackle changing risk levels.

Principles of good governance

Based on the discussion of information security governance and the characteristics of effective governance, there is a need to design principles for good governance. This section introduces some exemplary practices for good governance:

Integrated governance framework for FinTech

There are three main views of an integrated governance framework: architecture, domain, and presentation.

Table 1: Requirements of the integrated security governance framework

View Requirements
Architecture
  • Clear relationships among domains
  • Partitioning the domains in enterprise security
Domain
  • Consider every participant of the enterprise security
  • Characteristics of business information
  • Cost and benefit analysis
  • Sub-divisions of security controls and strategies
Presentation
  • Bird's-eye view of the security governance framework
  • Structured presentation of every object in enterprise security

The security governance framework consists of three domains: community, security, and performance, as shown in Figure 2. Every domain has several objects that perform its functions. There are two categories of relationship among the domains: harmonization and flywheel. The harmonization category governs the relationships among the three domains and deals with the social, organizational, and human factors of enterprise security. The flywheel category governs the relationship between the performance and security domains and deals with the virtuous cycle of enterprise security.

The framework integrates government, shareholders and management, media and customers, and employees and suppliers to perform four major tasks. The government creates the standards and policies that the enterprise works in compliance with, media and customers endorse security programs, employees and suppliers are bound to agreements with the enterprise, and shareholders and management align themselves with the security standards and policies of the enterprise.

The community domain contains the shareholders and management who give directives and are directly affected by the profits and losses of the enterprise. The performance domain performs cost and benefit analysis based on the availability of resources and their competitive value, since every resource brings a competitive value to the business. The security domain deals with risks and the impact they have on the security of the enterprise. It also includes an enterprise strategy for realizing value from those resources.

What’s next 

This article introduces the fundamentals and importance of securing information in an organization. It presents the characteristics and good practices used to design an integrated security framework. The next article in the Understanding Cybersecurity Management for FinTech series explores cybersecurity threats in FinTech.
