Posted: July 15, 2016
Governance noun | gov·er·nance | \’gə-vər-nən(t)s\
The way that a city, company, etc., is controlled by the people who run it
Source: Merriam-Webster’s Learner’s Dictionary
What’s it all about?
Just for fun, try doing a search on “Governance.” After reviewing page, after page, after page of the search results, you may find something like the following:
“Governance is an essential component for the long-term strategy and direction of an organization with respect to the information security policies and the risk management program. Governance requires executive management involvement, approval, and ongoing support. It also requires an organizational structure that provides an appropriate venue to inform and advise executive, business and information technology management on security issues and acceptable risk levels.” Source: www.cio.ca.gov
Still confused? Me too. Let’s try to simplify this a little.
So, why is governance important?
Well, without it there would be total anarchy. Okay, maybe not total anarchy, but governance connects the company's goals with the Information Technology goals. Have you ever encountered a case where an Information Technology initiative had no bearing on the company's strategic business goal? Governance defines the goals, the standards of operation, the requirements to be met, and the assignment of responsibilities. So, it's the set of rules that need to be followed by the company.
Companies today are subject to many regulations governing data privacy, retention and destruction, financial accountability, and recovery from disasters. Governance defines the structure for how a company aligns its Information Technology strategy with its business strategy. Think of it as defining how the company will adhere to a particular compliance standard. The standard may be the Payment Card Industry (PCI) standard, the Health Insurance Portability and Accountability Act (HIPAA), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or some other standard.
Does your company have a well-defined governance framework?
Many of the companies I’ve worked with have either had nothing in place or, if they did have something, it was outdated and/or incomplete. Without a documented, up-to-date framework, a company will be unable to meet compliance requirements.
The implementation of the Information Technology governance framework can be an overwhelming task. It requires internal expertise on business objectives, information technology, current processes, and the support or buy-in of executive management. The task also requires an in-depth understanding of the requirements of the standard to be addressed.
Where do we start?
Governance starts with policies. Policies serve as the principles, rules, and guidelines adopted by the company that enable it to reach and manage its long-term goals. Policies are supported by procedures. Procedures are the specific methods or actions used to meet the policy requirements.
The creation of Information Security Policies addressing requirements related to the physical and logical security of sensitive information is only a start. There are also requirements related to hiring and termination practices, network security, incident response (including data breach response), change management, and security awareness training. Information Security Policies are an essential part of a company's security program. In fact, they are a mandatory part of the program.
I’ll visit how to break down your policies and procedures and how they apply to various standards in more detail in an upcoming blog. Stay tuned!
In the meantime, if you have any questions or concerns regarding governance or need assistance with any policy or procedure development, please feel free to reach out to us at firstname.lastname@example.org.
Donald Heisch is an Information Security Consultant at CompliancePoint and has over 40 years of experience in information security and technology. Donald's focus is on information security policy development for clients' compliance with the Payment Card Industry (PCI) standard, the Health Insurance Portability and Accountability Act (HIPAA), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.