NIST SP 800-39FPD Appendix F
APPENDIX F
GOVERNANCE MODELS
APPROACHES TO INFORMATION SECURITY GOVERNANCE
Three approaches to information security governance can be used to meet organizational needs: (i) a centralized approach; (ii) a decentralized approach; or (iii) a hybrid approach. The authority, responsibility, and decision-making power related to information security and risk management differ in each governance approach. The appropriate governance structure for an organization varies based on many factors (e.g., mission/business needs; culture and size of the organization; geographic distribution of organizational operations, assets, and individuals; and risk tolerance). The information security governance structure is aligned with other governance structures (e.g., information technology governance) to ensure compatibility with the established management practices within the organization and to increase its overall effectiveness.
Centralized Governance
In centralized governance structures, the authority, responsibility, and decision-making power are vested solely within central bodies. These centralized bodies establish the appropriate policies, procedures, and processes for ensuring organization-wide involvement in the development and implementation of risk management and information security strategies, risk and information security decisions, and the creation of inter-organizational and intra-organizational communication mechanisms. A centralized approach to governance requires strong, well-informed central leadership and provides consistency throughout the organization. Centralized governance structures also provide less autonomy for subordinate organizations that are part of the parent organization.
Decentralized Governance
In decentralized information security governance structures, the authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization (e.g., bureaus/components within an executive department of the federal government or business units within a corporation). Subordinate organizations establish their own policies, procedures, and processes for ensuring (sub) organization-wide involvement in the development and implementation of risk management and information security strategies, risk and information security decisions, and the creation of mechanisms to communicate within the organization. A decentralized approach to information security governance accommodates subordinate organizations with divergent mission/business needs and operating environments at the cost of consistency throughout the organization as a whole. The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate organizations so that no subordinate organization is able to transfer risk to another without the latter's informed consent. It is also important to share risk-related information with parent organizations as the risk decisions by subordinate organizations may have an effect on the organization as a whole.
Hybrid Governance
In hybrid information security governance structures, the authority, responsibility, and decision-making power are distributed between a central body (i.e., the parent organization) and individual subordinate organizations. The central body establishes the policies, procedures, and processes for ensuring organization-wide involvement in the portion of the risk management and information security strategies and decisions affecting the entire organization (e.g., decisions related to shared infrastructure or common security services). Subordinate organizations, in a similar manner, establish appropriate policies, procedures, and processes for ensuring their involvement in the portion of the risk management and information security strategies and decisions that are specific to their mission/business needs and environments of operation. A hybrid approach to governance requires strong, well-informed leadership for the organization as a whole and for subordinate organizations, and provides consistency throughout the organization for those aspects of risk and information security that affect the entire organization.