Thought Leadership Series
IT Security Governance
Sunday, May 8, 2016
What Is Governance?
What is IT Security Governance? I was recently asked this question. Like others in my field, I started to pontificate most eloquently.
We love to answer this question with specific and formal language like:
“It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives”.
“...a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes”.
Thirty seconds into my answer, I noticed our account manager share a smirk and an eye-roll with the potential client. “What is this?” I thought. I couldn’t believe the very person who invited me to the meeting would turn his back on me and use me as comic relief!
Not to be outdone, I quickly shifted tactics. After completing my 90-second textbook description of IT Security Governance, I paused… took a dramatic breath… and continued, saying:
“Or, to put it more elegantly, IT Governance is just paying attention to stuff. And IT Security Governance is protecting that stuff.”
Whether it is a computer hard-drive, a printout of a contract, or a single record in a database stored in a remote data center, these information assets must be managed, maintained, and given attention.
The primary goal of IT Governance is a consistent and thorough understanding and approach to the ways and means the organization uses to address information assets. The term “Information Asset” is a difficult concept. It is the first definition on which the stakeholders within an organization must agree.
Information Assets can be defined as narrowly as to include only the physical resources owned or operated by the organization. The definition of Information Assets can be as complex as to include not only physical and tangible resources (databases, spreadsheets, physical paperwork, etc.), but also intangible resources.
Pertinent questions might be:
“Should governance address the way in which application developers produce and distribute source code?”
“What procedures do we follow during the in-processing and out-processing of employees with access to sensitive corporate records?”
These are but a few of the possible items to include for consideration.
Regardless of scope, IT Governance should always address the development, documentation, and implementation of standardized policies, guidelines, procedures, and standards for the organization.
The final, and most often overlooked, goal is the true reason to implement IT Governance. It is not to save money (which is important), nor is it to meet regulatory requirements (although these needs can be helpful in budget justification). It is also not to ensure the CIA (Confidentiality, Integrity, and Availability) of information assets, a common argument made by security professionals.
The most important goal of IT Governance is to provide outstanding customer service. Many would argue that point. Often overlooked, in today’s globalized and socially connected infrastructure, the customer service of an organization is arguably the most important asset the organization can maintain.
Customer service provides a counterpoint to uncontrollable vectors of unsolicited marketing through social media tools. These can be either uplifting or detrimental to the organization. Following consistent and approved governance policies will provide a consistent and repeatable experience for the customer. This will, in turn, promote more consistent [positive] feedback for the organization.
Who Should Govern?
The Executive Team, Human Resources, and Organizational Key Players must all be directly involved in defining what IT Governance means for the organization. Great care must be taken to ensure each of these groups maintains active participation and accountability for the development, implementation, and ongoing maintenance of IT Governance.
Without this ongoing organization-wide support, the system will break down and the organization will run rampant with “Lone Wolf” behavior, where each division takes ownership of their own IT needs without including IT stakeholders.
Internal customer service within the organization ultimately enables and supports organizational agility and the ability to respond to changing demands. Because the organization can respond more quickly, potential revenue streams from unexpected avenues are not missed.
The common theme is that each of these goals can help the organization transition IT away from the traditional role of “Cost Center” to the more appropriate role of “Strategic Business Tool”.