Information Security Governance Practices

We introduce several common information security governance practices in the following sections and describe them in greater detail in other chapters (conveniently cross-referenced, of course!).

Third-party governance

Today, organizations commonly outsource many IT functions, particularly call-center or contact-center support and application development. Information security policies and procedures must address outsourcing security and, where appropriate, the use of vendors or consultants. Access control, document exchange and review, maintenance hooks, on-site assessment, process and policy review, and service level agreements (SLAs) are good examples of outsourcing security considerations.

Service-level agreements (SLAs)

Service-level agreements (SLAs) establish minimum performance standards for a system, application, network, or service. An organization establishes internal SLAs to give its end-users a realistic expectation of the performance of its information systems and services. For example, a help desk SLA might classify incidents as priority 1, 2, 3, or 4 and establish SLA response times of 10 minutes, 1 hour, 4 hours, and 24 hours, respectively. In third-party relationships, SLAs provide contractual performance requirements that an outsourcing partner or vendor must meet. For example, an SLA with an Internet service provider might establish a maximum acceptable downtime which, if exceeded within a given period, results in invoice credits or (if desired) cancellation of the service contract.

See Chapter 7 for more on Service Level Agreements.
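As an added example (not from the book), here are the two SLA cases above turned into a compliance check: the help-desk tiers use the response times from the text, while the ticket records, outage intervals, the contracted maximum downtime and the credit percentage are constructed assumptions.

```python
from datetime import datetime, timedelta
# Help-desk tiers from the text: priority -> maximum time to first response.
RESPONSE_TARGETS = {
    1: timedelta(minutes=10),
    2: timedelta(hours=1),
    3: timedelta(hours=4),
    4: timedelta(hours=24),
}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def response_breaches(tickets, now):
    """Return (ticket_id, priority, overshoot) for each ticket answered later
    than its tier allows; an unanswered ticket is measured against `now`."""
    breaches = []
    for t in tickets:
        target = RESPONSE_TARGETS[t["priority"]]
        answered = _ts(t["first_response"]) if t["first_response"] else _ts(now)
        elapsed = answered - _ts(t["opened"])
        if elapsed > target:
            breaches.append((t["id"], t["priority"], elapsed - target))
    return breaches

def downtime_in_period(outages, period_start, period_end):
    """Total outage time inside the billing period; each interval is clipped
    to the period so an outage straddling a month boundary is counted once."""
    p_start, p_end = _ts(period_start), _ts(period_end)
    total = timedelta()
    for start, end in outages:
        s, e = max(_ts(start), p_start), min(_ts(end), p_end)
        if e > s:
            total += e - s
    return total

def sla_credit_percent(outages, period_start, period_end, max_minutes, credit):
    """Invoice credit (percent) when downtime exceeds the contracted maximum."""
    down = downtime_in_period(outages, period_start, period_end)
    return credit if down > timedelta(minutes=max_minutes) else 0

# Constructed sample data (assumed, not from the book).
TICKETS = [
    {"id": "T1", "priority": 1, "opened": "2024-03-04 09:00", "first_response": "2024-03-04 09:08"},
    {"id": "T2", "priority": 1, "opened": "2024-03-04 09:30", "first_response": "2024-03-04 09:45"},
    {"id": "T3", "priority": 3, "opened": "2024-03-04 10:00", "first_response": "2024-03-04 15:00"},
    {"id": "T4", "priority": 4, "opened": "2024-03-05 08:00", "first_response": None},
]
NOW = "2024-03-05 20:00"  # T4 has been open 12 h, still inside its 24 h target
OUTAGES = [("2024-02-28 23:00", "2024-03-01 01:00"), ("2024-03-15 02:00", "2024-03-15 03:30")]
```

Running `response_breaches(TICKETS, NOW)` flags T2 (5 minutes over) and T3 (1 hour over); March's clipped downtime is 2.5 hours, so a 2-hour contractual maximum triggers the credit.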

Identity management

Identity management is accomplished through account provisioning and de-provisioning (creating and disabling user accounts), access control, and directory services. Its purpose is to identify a subject or object (see “Uncovering Concepts of Access Control” in Chapter 4) within an application, system, or network.

A Public Key Infrastructure (PKI) is an example of a component of an identity management system that facilitates authentication, non-repudiation, and access control, using digital certificates.

See Chapter 4 for more on identity management, and see Chapter 8 for a complete discussion of PKI.
