Security governance is a broad and deep topic requiring sustained focus on many important strategic and customer-facing activities. Risk, responsibility, integrity, trust and ethics are just a few of the areas of responsibility faced by senior management on this topic, with each requiring significant thought about assumptions, communications and responses that affect most, or all, parts of the organization.
What is interesting with all of these areas is the high degree of integration between them. In most cases, one area requires support from all of the others. Few are standalone islands, due in large part to the integration of e-mail, enterprise-wide support systems and embedded supply chains. The good news is that tremendous leverage can occur between integrated systems when implemented successfully and managed responsively.
Strong security practices can also be implemented across an organization; in most cases, the incremental costs are lower than paying settlement claims and re-establishing corporate credibility after a security breach or loss.
Governance decisions set the stage for building the security architecture that leads to the selection of technology; these topics are covered in the next sections.
| Best Practice | Criticality | Frequency | Participants | Activity Results |
|---|---|---|---|---|
| Is access to specific information limited to people who need to know or use it? | High | Quarterly | Management, security | Direct linkage of information to people based on business need |
| Have security assumptions at all levels of the organization been verified? Are they linked to business need? | High | Six months | Management, security, finance, marketing | Integrated security plan based on business need and investment availability |
| Does the organization adhere to best practices in responsibility, integrity, trust and ethics? | High | Six months | Management, security, finance, human resources | Public and employee trust resulting in higher revenues and market share |
| Does the organization have reasonable policies in place for employee monitoring and privacy? Are they written? | High | Six months | Management, security | Reduced confusion about what is private and not private at work |
| Are plans in place to communicate good and bad news with customers and shareholders? | Medium | Quarterly | Management, finance | Confidence in management ability to accomplish goals and manage problems |
| Are effective safeguards in place to protect customer information? | High | Quarterly | Management, sales, marketing | Few customer complaints about improper disclosures of private information |
| Have the risk assumptions for the organization been confirmed? Are they still accurate? | High | Six months | Management, security, finance | Lowered risk levels due to accurate analysis and avoidance planning |
| Are risk compliance tools in place and are they being used? | | | Management, security, finance | Predictable, reliable processes to determine and reduce risk |