By: Kazi Nazrul Islam, Cyber Security Architect
A board of directors typically organizes itself into several committees—some standing committees and often some ad hoc committees. The exact charge of these committees varies among enterprises, but some expectations on how different committees can have an impact on cybersecurity risk reporting are described here. Standing committees typically include an executive committee to oversee the chief executive, a governance committee that provides oversight to the board, a finance or budget committee that is responsible for revenues and expenses, and an audit committee that oversees financial reporting and disclosure. Some enterprises also have a risk committee that focuses on sources of strategic, financial, compliance and operational (including cybersecurity) risk. Boards vary in their structures, but governance of cybersecurity operations typically comes from either the risk or audit committee—and sometimes both. It is typically the role of an enterprise risk management (ERM) function to establish a risk governance framework that provides these committees the information they need to exercise appropriate oversight. A generic design principle for accomplishing this is the Three Lines of Defense (3LoD) model.
The 3LoD model provides layers of management controls to protect against risk. The model evolved in the late 1990s and was codified in a 2013 paper by the Institute of Internal Auditors (IIA).[5] Since then, it has become a cornerstone of most risk management frameworks and is referenced in the ISACA Risk IT Framework.[6] A description of the foundation of this framework follows.
First Line of Defense (1L)
These are the control and risk owners who have operational responsibility for managing enterprise risk. Typically, these owners include the personnel in IT that are responsible for the day-to-day operation of technology controls. For example, business process owners set the requirements, and IT professionals develop software and systems to meet those requirements.
Second Line of Defense (2L)
The second line is a relatively new addition to the assurance world and encompasses risk management and compliance functions. The goal of the second line of defense is to provide checks and oversight on the responsibility of the first line of defense. This line sets the standards either explicitly, by publishing internal policies and standards, or implicitly, by its influence in an advisory function and creating issues and findings. In some enterprises, the 2L reports independently of operations and directly to the chief executive officer (CEO) or the chief risk officer (CRO).
Third Line of Defense (3L)
The third line of defense is the internal audit function, which provides independent validation of the work of the first and second lines of defense. The 3L reports independently, outside of operations, and directly to the CEO.

IT risk management can also have a 1.5 line of defense (1.5L). This function sits between the first and second lines of defense and shares the roles and responsibilities of both. The 1.5L is typically assigned to IT risk management, because it operates inside a security function and, therefore, alongside the security control operators. Because information risk management typically has a large scope of work, the amount of technology in use is often too much for a pure second-line function to oversee. In enterprises that use a 1.5L, the 2L tends to oversee the checks done by the 1.5L instead of doing its own detailed checks of the first line.

These lines of defense connect to the board committees to report on risk. The 3LoD traditionally aligned with the board audit committee, giving it independent oversight of the performance of enterprise controls. As the second line of defense developed, so too did the board risk committee. Thus, 2L work products are delivered to the risk committee in much the same way that 3L reports are delivered to the audit committee.
References:
[5] The Institute of Internal Auditors, “The Three Lines of Defense in Effective Risk Management and Control,” January 2013, https://na.theiia.org/standardsguidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
[6] ISACA, Risk IT Framework, 2nd Edition, www.isaca.org/bookstore/bookstore-risk-digital/ritf2?cid=pr_2004614&Appeal=pr