A big misunderstanding we see every day when working with clients is that security can be ensured by buying a device, or implementing a software, or changing one small thing. However, security is an ongoing process- it's an attitude. With constant threats emerging, IT security governance is imperative. Our VP of Compliance dedicates this edition to fully understanding IT Security Governance!
What is IT Security Governance?
Security governance is the glue that binds together all the core elements of cyber defense and effective risk management. Without it, dangers persist and the resulting compromise of assets is inevitable. Moreover, senior leadership is unaware of their organization’s risk exposure, for which they will ultimately be held accountable. Security cannot exist in a vacuum and must be part of a larger risk management strategy, driven by the organization’s business goals, objectives and values.
Organizations must be aware of their risk tolerance threshold, or “level of acceptable risk.” This threshold may vary by asset grouping. For example, an organization may tolerate a certain amount of risk when the impact is considered low, but may be very risk averse regarding anything that might adversely impact its reputation. Governance is the mechanism by which those risk-related values are reflected in direction and judgment that shape business plans, information architecture, security policies and procedures, as well as operational practices.
However, providing direction without having any means to ensure that it is followed is meaningless. Thus, compliance is the critical feedback loop in security governance. It ensures that everyone is working according to plan, as a team, to deliver business activities and ensure the protection of assets within the context of risk management and security strategy and direction. Where that is not possible, it ensures that variances that result in risk exposures are made known at the leadership level, so that they can either decide to accept these risks, or provide mitigating direction and the resources necessary to address them
Acceptable security and governance of information assets can no longer be achieved on an ad hoc basis in today’s digital world, nor can it be achieved by deploying technical solutions alone. Instead, organizations need a more holistic approach, applying effective risk management and good governance throughout the organization, with the key values of visibility, accountability and responsibility exercised at all levels (All levels!).
Senior management has a critical part to play in making risk-based decisions, issuing direction and ensuring that adequate resources are available to execute that direction. This is only possible if senior management is engaged and informed through a robust compliance and reporting process—with external support where required.
10 Steps to Achieve a Sound IT Governance Program for Your Organization:
- Governance must take a “top down” approach from the boardroom to the cubicles.
- Develop and implement a risk management approach, which ensures alignment to your overall business strategy, requirements, and processes.
- Create a dedicated Risk Review Board, which will meet annually, or when a significant change may be taking place.
- Be sure to clearly define and identify all roles that pertain to IT and Security. Be sure to appoint a corporate IT security authority, preferably with a different reporting chain than those responsible for IT operations.
- My favorite: Establish and implement an audit and review compliance framework, ensuring that its goals and objectives are known throughout the organization (don’t forget to review the outcome with your Risk Review Board).
- In conjunction with the lines of business, identify the assets and critical information and the threat and associated risk.
- Develop and implement a series of security controls and associated procedures, with responsibility and accountability as defined in the RACI model for risk management.
- Training! Create, deploy and ensure participation in a mandatory security awareness program, so that personnel understand their responsibilities, and what the risk management and security controls are intended to achieve, and why.
- Review on an ongoing basis to make adjustments as necessary to ensure that risks are being effectively managed in a balanced manner that accommodates business needs.
- Call Digital Edge, we are here to help in all your IT Governance and Compliance needs!