This week covers governance as a whole. By the end of these notes, we should have a rough understanding of what governance is and why it's needed, the roles and responsibilities of the different individuals involved, and an overview of how the popular governance frameworks and standards work.
Governance
The need for governance arises from the need to establish law and order within a company. It improves efficiency by ensuring participation, reduces corruption by ensuring transparency, and prevents maladministration by ensuring accountability.
In the context of a company's cybersecurity, governance is established through security governance, a subset of the organisation's overall governance program. It is needed to ensure that the company can effectively assess emerging threats through a set of policies and internal controls.
The following table shows how security governance relates to GRC as a whole:
GRC | How |
---|---|
Governance | Ensures that information security strategies support, and are aligned with, business goals |
Risk Management | Assigns responsibility for managing risk |
Compliance | Ensures compliance with laws and regulations through policies and internal controls |
Benefits
Information security governance improves the overall organisation of the company by optimising the allocation of resources. This creates a firm foundation for managing risk effectively and efficiently: it ensures accountability for safeguarding information and assures others that critical decisions are not based on faulty information. The result is increased predictability and reduced uncertainty for the company, which in turn leads to an increase in its share price.
Furthermore, it protects against civil or legal liability by ensuring compliance with policies.
Roles and Responsibilities
The following table gives a brief summary of the different roles and their responsibilities:
Role | Responsibilities |
---|---|
Board of Directors | Establish risk appetite & risk management |
Executive Management | Create security guidelines that follow business objectives |
Security Steering Committee | Review and give feedback on security guidelines |
CISO | Conducts risk assessments & develops security policies |
Presenting the Business Case
After developing the necessary guidelines, a business case, in the form of a formal presentation, is usually proposed to senior management to gain their commitment and support. It usually consists of:
- A value proposition and a cost-benefit analysis of the project
- A justification of why the project should be done
Governance Frameworks
Governance frameworks are guidelines a company follows to demonstrate its compliance with regulations. There are multiple frameworks aimed at different levels of an organisation's hierarchy. The following table lists a few mentioned in the slides:
Framework | Target | Summary |
---|---|---|
COSO | CEO, Financial Reporting | Shows how reliable, effective and efficient a company is, based on its board of directors |
COBIT | CIO | Guideline to help businesses develop, organise and implement strategies for information governance |
ITIL | IT functions | Detailed set of practices to align IT services with business needs |
ISO 27000 family | IT security functions | Recommends best security practices on information security management |
Level of Detail
The different frameworks are targeted at different hierarchical levels, and thus have different levels of detail. The following picture summarises the frameworks from the table effectively: