Security Governance – A compliance perspective
Written by Luca Grima
The risks involved in the security of information are nowadays very real and a constant cause of concern for business executives operating in today’s cyber space. As organisations work to maintain their competitive edge in the global economy, they must also consider the risks posed by a number of threats that are evolving exponentially and that may be exploited at any time by malicious actors online.
One of the tools available to organisations today is enforcement – achieved through the effective and meticulous implementation of information security compliance activities, which play a critical role within the Security Governance function.
The primary objective of Security Governance is to help ensure that an organisation has the proper controls in place to mitigate information security risks. At the highest level, these controls are defined within structured policy documents that lay the foundations for a strong and robust security vision that is clearly communicated within the organisation.
Compliance activities are executed to continuously monitor and verify that this vision is thoroughly understood and implemented by the various business functions that process information requiring continuous protection from malicious activity, especially where such information is sensitive in nature and/or relates to the processing of personal data. They also ensure that other applicable requirements, stemming from the international industry standards that the organisation is aligned to or certified against, are continuously adhered to and that pertinent legislative requirements are met.
Conducting security compliance checks helps organisations strengthen their commitment to information security and provides management with visibility on what is working and what is not, by determining the present state vis-à-vis the requirements of the applicable controls. Such assignments outline conformities and non-conformities and identify the corrective actions deemed necessary to rectify issues as per specific regulations, strategies and policies. Something to keep in mind is that being compliant is very often not enough – organisations must also be able to provide evidence of their compliant state to external assurance bodies such as third-party auditors. This implies that executed compliance checks are auditable, and thus adequate evidence must be collected and preserved to illustrate conformance by depicting all measures taken to comply with the required objectives.
Implementing Security Governance and instilling a compliance culture does not happen overnight. It is a continuous process of raising awareness and learning, revising the controls in place to ensure that they remain effective in the context of the information involved, and adapting to today’s changing technological landscape to protect what is most valuable to the organisation to the best extent possible.