Governance
While the COMPLIANCE function identifies requirements an organization must adhere to (e.g., laws, regulations, frameworks, contractual agreements, internal dictates, etc.), the GOVERNANCE function provides ongoing oversight to hold stakeholders accountable. The primary focus of the GOVERNANCE function is to ensure the organization maintains ongoing capabilities to be secure, compliant and resilient.
GOVERNANCE FUNCTION
As part of that oversight role, the GOVERNANCE function is generally tasked with the following responsibilities:
- Coordinate with the COMPLIANCE function to track applicable laws, regulations, frameworks and other obligations that GOVERNANCE must address.
- Define control objectives to meet applicable compliance obligations, as defined by the COMPLIANCE function.
- Identify applicable secure practices the organization should/must align with (e.g., framework selection).
- Work with executive leadership (e.g., CEO, Board of Directors, etc.) to write cybersecurity policies.
- Establish standards that have organization-specific criteria (e.g., password strength, Multi-Factor Authentication (MFA) requirements, etc.).
- Publish the organization's policies and standards.
- Review deviation requests from published standards.
- Propose compensating controls when control deficiencies exist.
- Gather stakeholder feedback for new or proposed changes to policies and/or standards.
- Put together end user training material for awareness training purposes.
- Maintain the organization's centralized "risk register" that is a list of known deficiencies from:
- Assessments;
- Audits;
- Incidents; and
- Other means that identified deficienies with the organization's cybersecurity progaram.
- Orchestrate metrics/analytics reporting.
- Generate cybersecurity-specifc reporting deliverables for executive leadership (e.g.., Quarterly Business Reviews (QBRs), board meetings, etc.).
** SPONSORED CONTENT **
