Governance and Compliance
The best way to strengthen information security is to create a framework for IT governance. Effective security governance is treated as an organization-wide issue that is planned, managed and measured in every area of the organization. Under IT governance, leaders are accountable for information security and commit to providing adequate resources for it. A core set of principles to guide the governance framework should include:
- Conduct an annual cybersecurity evaluation, review the evaluation results with staff, and report on performance.
- Conduct periodic risk assessments of information assets as part of a risk management program.
- Implement policies and procedures based on risk assessments to secure information assets.
- Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.
- Develop plans and initiate actions to provide adequate cybersecurity for networks, facilities, systems and information.
- Treat cybersecurity as an integral part of the system lifecycle.
- Provide cybersecurity awareness, training and education to personnel.
- Conduct periodic testing and evaluation of the effectiveness of cybersecurity policies and procedures.
- Create and execute a plan for remedial action to address any cybersecurity deficiencies.
- Develop and implement incident response procedures.
- Establish plans, procedures and tests to provide continuity of operations.
- Use security best practices guidance to measure cybersecurity performance.
Establishing and maintaining a framework for IT governance provides assurance that cybersecurity strategies support business goals and objectives, adhere to policies, standards and internal controls, and assign authority, roles and responsibilities so that risks are managed.