7/28/2019 Governance of Enterprise Security
1/32
Governance of Enterprise Security:
CyLab 2010 Report
Author: Jody R. Westby
Adjunct Distinguished Fellow, CyLab
CEO, Global Cyber Risk LLC
June 15, 2010
© 2010 by Carnegie Mellon University & Jody R. Westby
All rights reserved. No part of the contents hereof may be reproduced in any form without the prior
written consent of the copyright owners.
Carnegie Mellon CyLab
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213
(412) 268-5090; (412) 268-7675 (Fax)
Dean, College of Engineering & Founder, CyLab: Pradeep K. Khosla, Ph.D.
Director, CyLab: Virgil Gligor
Adjunct Distinguished Fellow: Jody R. Westby
Jody R. Westby, Esq.
CEO
Global Cyber Risk LLC
5125 MacArthur Blvd., NW
Third Floor
Washington, DC 20016
(202) 537-5070; (202) 537-5073 (Fax)
Table of Contents
Table of Contents
Abbreviations
About Carnegie Mellon CyLab
About Jody R. Westby
Executive Summary
About the Survey
I. Introduction
    Purpose of the Governance Survey
    Background: Duty of Boards & Directors
II. Findings and Conclusions
    Who We Asked
    Findings
    Conclusions
III. Recommendations
Bibliography & Additional References
    Bibliography
    Additional References
Abbreviations
ABA American Bar Association
ASIS American Society for Industrial Security
CEO Chief Executive Officer
CFO Chief Financial Officer
CIO Chief Information Officer
CISO Chief Information Security Officer
CMU Carnegie Mellon University
CoE Council of Europe
CPO Chief Privacy Officer
CRO Chief Risk Officer
CSO Chief Security Officer
CyLab Carnegie Mellon CyLab
D&Os Directors & Officers
EU European Union
FDA Food and Drug Administration
GLBA Gramm-Leach-Bliley Act
HIPAA Health Insurance Portability and Accountability Act
ISACA Information Systems Audit and Control Association
ISO International Organization for Standardization
ISSA Information Systems Security Association
IT Information Technology
ITU International Telecommunication Union
ITGI Information Technology Governance Institute
PII Personally Identifiable Information
PwC PricewaterhouseCoopers
R&D Research & Development
SEC Securities and Exchange Commission
SOD Segregation of Duties
U.S. United States
About Carnegie Mellon CyLab
Carnegie Mellon CyLab is the largest university-based research and education center for computer and
network security, information security, and software assurance. CyLab is located in the College of
Engineering at Carnegie Mellon University and has U.S. campuses in Silicon Valley and Pittsburgh. Foreign
CyLab programs are located in Japan, Greece, and Portugal.
Recognizing that technology issues today are increasingly impacted by legal/regulatory requirements and
operational considerations, CyLab leverages its cross-university involvement with faculty, researchers, and
students from Carnegie Mellon's:
- Information Networking Institute;
- Department of Electrical and Computer Engineering;
- Engineering and Public Policy Department;
- School of Computer Science;
- Software Engineering Institute;
- Tepper School of Business;
- Department of Statistics; and the
- Heinz School of Public Policy and Management.
CyLab also brings in first-tier governance, legal, and policy expertise through its Distinguished Fellows. The
CyLab research team includes over fifty faculty researchers and over one hundred graduate students.
CyLab is a bold and visionary effort that establishes public-private partnerships for the research and
development (R&D) of new technologies for sustainable, resilient, and trustworthy computing and
communications systems. Through its Governance Surveys, CyLab extends the university's sphere of
influence in the governance of enterprise security to boards of directors and senior management.