Article Posted on behalf of Vo Ballard of Cask, LLC. - If the word ‘governance’ sounds like a high level concept that is only applicable to high level managers, chances are you may be missing the cornerstone of a framework that guides and directs the why and how your organization conducts business.
If you think that security governance consists of voluminous manuals that talk about security controls and how to apply them, then you may be missing the greater scope of your responsibility as a security professional.
Every organization has a vision and a strategic framework that defines its purpose and guides the direction it will take to reach its goals. A security governance framework provides similar guidance, and when implemented properly, is tightly interwoven throughout the organization to support the corporate strategic vision. Security governance is more than a set of regulations and policies that must be implemented – it supports all areas of business interaction and information exchange to protect and conduct transactions safely and securely from the boardroom to the operations floor. Trained personnel, appropriate tools, and defined business processes are needed to build out a sustainable framework.
Suppose your organization realigns and instead of being buried beneath layers of management, your division is now a new line of business for the company. Your management is very aware of the importance of information security, so now you, as senior manager, are required to report your risk and security status to the C-level executives. You could begin by gathering information from executives and peers on what reports are required and what metrics should be gathered, but you need to ensure you are presenting an accurate picture of risk and security posture resulting from your new division.
Now, do you find yourself wondering where to begin?
You begin by verifying that current outcomes support the goals and objectives of the business. Do the products meet the needs of internal and external stakeholders? Do they provide meaningful information that is useful for planning and decision making? Have the needs of the stakeholders evolved due to changes in the environment, and if so, have you incorporated those requirements to continue to meet their needs?
Take a look at the elements of each business process. This can be accomplished by putting together a team that is familiar with the processes of the business. They should start by interviewing all personnel supporting each process and documenting the current step-by-step method. This accomplishes several things:
- It highlights differences in what is procedurally documented and what is in practice
- It highlights gaps and failures in each process
- It identifies workarounds that have been implemented to facilitate the processes
Understanding the current actions that support the processes promotes growth in understanding WHY it is being done that way, which in turn aids in:
- Identifying where efficiencies can be gained: what should be retained, what is redundant, what should be discarded, what should be re-engineered
- Identifying sources of metrics to support reporting requirements
Once all areas are explored, subsequent meetings should be held to engage stakeholders to ensure inputs and outcomes are valid, useful, and meaningful, and that new requirements are understood and met.
The outcome of these activities provide your organization with a clearer understanding of your business processes, with an emphasis on areas of risk and areas that need improvement. Also, your organization gains insight into value added areas that may need to be highlighted and incorporated into your metrics collection, thus improving your reporting.
So while it may seem that the processes have nothing to do with securing information, take another look:
- You now have a better understanding of your processes so you can identify your essential business functions.
- You know where your areas of risk are and where security practices and measures need to be improved.
- You have a better picture of how effective security awareness efforts have been.
- You know what is important to your clients and how to provide a better service.
To learn more about our Cask's Cyber & Information Security Capabilities, please visit http://www.caskllc.com/what-we-do/cis/