Information security governance should not be treated like corporate governance; IT security steering committees must have the right stakeholders; and the board can remain largely unaware of security issues. Those are key strategies for effective security governance, says Stephen Frede, IT security and assurance manager at Sydney Water.

Frede said assurance and governance in IT security are often used interchangeably, whereas in the IT or "corporate" space there is a clear separation between governance and management.

"With the models around information security it is much less clear this is the case," Frede said. "Terminology varies quite a lot across the industry and an information security management system (ISMS) can be described by risk, management, governance, assurance and operations."

Frede heads the IT security and assurance team at Sydney Water, where governance is already applied, but he is looking to build a more relevant information security steering committee.

"If you are looking to put together a framework for IS there are a lot of resources like the protective security policy framework here in Australia," he said, adding that a lot of the models try to come up with a "fancy representation at a high level".

"It's not really the approach I tend to take. They are all useful and I recommend looking at them when putting together your own governance framework, but I don't think any one will match your particular organisation [as] there is so much difference between organisations."

Frede said every framework talks about the need for senior management buy-in or "it won't work", but that may not always be necessary.

"It's great to have support from the board, but I challenge the assertion the board needs to be deeply involved in security," he said. "Corporate governance is an established framework built up over hundreds of years and there is a strong separation between governance and management."

A more realistic scenario, Frede said, is for the board to be accountable for or aware of a few key areas - a handful out of an average of 30 possibilities.

Frede previously held positions at AMP, JP Morgan and Optus, and worked as a consultant, before joining Sydney Water.

"I've never come across an organisation where the board is directly involved in IS," he said. "Despite what the standards and IS people say, I don't know how realistic an approach it is."

Organisational structure will profoundly affect the formation of a governance model. For example, if there are a lot of autonomous sub-units in a company, it may have separate governance frameworks for those divisions.

Frede said this might be out of alignment, but it still may make sense. Most organisations, however, will be centrally managed.

"If you have lots of partnerships, there may need to be separate governance that applies to these areas and the requirements may be different for organisations, but you will have a minimum set of requirements you need to insist on," he said.

"If you're a multinational, it gets really hard. When I was at JP Morgan there was a matrix of what to do for different countries with few common areas."

Before you begin, determine what is important to the organisation across areas like confidentiality, data integrity, availability, control systems, fraud, privacy and transactions.

"When developing a governance framework there are two basic approaches - a big bang project where you seek funding, or do incremental parts refining it as you go," Frede said.

"You will probably be reporting to the board, the CIO and the IS steering committee, which bears a bit of work to get right. In Sydney Water I am going to change it as it's not right. We adopted an existing body with representatives from different areas of the business. It was a good idea, but we don't have representation from like-minded groups like physical security and risk. We will have a dedicated IS steering committee."

IS governance areas at Sydney Water include strategy and planning, policy development, architecture and a security calendar, which Frede said is becoming increasingly important as auditors are asking for it.

During his presentation at the 2010 Security Expo in Sydney, Frede gave an example of how to put a governance framework together.

"The board won't get involved with detail, but they will set the risk appetite. We have [an] info sec steering committee. Then you have the security team doing all the work and the whole area of IS management practices."

The ISMS should also include a policy review where user acceptance testing is done on the policy.

"One of the things I want to make sure is the policy we have is workable and is enforceable in practice. We create interim guidelines and ask people to follow them and make refinements around that," Frede said.

"So we don't have to go to everyone with a lot of policies; instead, we have one document that general people in the organisation must read and we have an annual training program for people."

There is also a "risk repository" where staff and auditors note identified risks, which are then acted upon.

"Reviews and auditors will come up with risks," Frede said. "For all of those we make a decision - do we accept the risk or remediate it?"

"The default is to remediate it, but if stakeholders say the cost or disruption is too high we may accept the risk."

Action plans and risk acceptance also sit in the risk repository.

How long will it take to put a new governance framework in place? Frede said any organisation can make an immediate start, as an incremental approach is "really small".

"A typical enterprise can put something in place from scratch within 12 months without huge resources, but that is not the end of the journey, just the beginning," he said.

In terms of reporting lines for the lead security manager in an organisation, Frede said that will also vary depending on the needs of the organisation.

"I am the IT security manager so I report two down from the CIO," he said. "I report to the infrastructure manager, who reports to the CIO, who reports to a general manager, who reports to the CEO."

Rodney Gedda is Deputy Editor of CIO Australia. Follow Rodney on Twitter at @rodneygedda. Rodney's e-mail address is firstname.lastname@example.org. Follow CIO Australia on Twitter at @CIO_Australia.