Research Paper Undergraduate 1,539 words

Security and Governance Program Is "A Set

Last reviewed: November 29, 2013
Abstract

This is a paper that answers four questions, which were all about IT security and governance. They were mostly silly questions with prompts that had me thinking I was working for Rob Ford instead of somebody intelligent. But it is important to understand the role that IT security and governance play.

… security and governance program is "a set of responsibilities and practices that is the responsibility of the Board and the senior executives." These are the procedures by which the company ensures information security in the organization. The program consists of desired outcomes, knowledge of the information assets, and process integration (ITGI, 2013). Security of information is important because of the value of information, especially proprietary information, in today's business world. The biggest differentiator between governance and IT security is that the latter is about the physical constructs of the IT program, but governance incorporates everything, including spoken communication, so any form of information creation or handling.

The first thing is the desired outcomes. The company has to know what it wants to accomplish with this program. Ideally there is alignment between the information security strategy and the organization's overall strategy. There should be risk management, which means understanding the different risks and then taking steps to mitigate them. Performance management allows for the program to be evaluated, so that needs to be built into the program as well.

Thus, the ITGI recommends that the first step is to put information security on the Board's agenda. This is because leadership on this issue has to come from the top, with investments and visible support. The security leaders need to know their roles with respect to information security. The ITGI recommends that there is a committee to take charge of the project and the Board is able to measure and review organizational performance on this key issue. One of the things that makes governance programs work is when, culturally and structurally, having adequate security is viewed as a non-negotiable requirement of being in business (ITGI, 2013).

What is important is that there is an overarching security plan and process. The ITGI notes that in many organizations the security function becomes compartmentalized, but that organizations can improve their security by focusing on organization-wide integration of the security program. This will ensure that the organization has a consistent level of performance and that it has consistent measures to evaluate the security of the organization's information.

The objectives for the program should include the following: that information is available and usable when required, that systems are resistant to attacks, that information is only visible to those who need to know, that it cannot be modified by unauthorized parties, and that exchanges between enterprises can occur if needed. The CIO specifically needs to develop the procedures and measures for the system, including the roles and responsibilities, and to ensure that there is also a training program that can be used with this organization so that governance and security are something that the entire organization is focused on.

2.

Ran what down throats? Don't be stupid. If you want to learn about the company you're running, just ask like a civilized human being. Leave the offensive crap at the door when you talk to me. EISP is enterprise information security policy and IISP is issue-specific security policy. I briefed you on these when we implemented them last month, and you gave your approval. Let's go over it again.

Enterprise information security policy is the security policy that covers the entire organization. It's how we do things. The architecture of our information security is what comes out of that policy, because it reflects how we protect our information. Issue-specific security is just that: it covers specific issues that might arise. When those issues are unique, we sometimes have to do security a little differently, usually by adding onto the EISP.

IISP covers a lot of different things. It can encompass e-mail security or Internet security, for example. So where EISP is the basic goals, objectives, software and processes that drive security for the whole company, IISP represents the specific policies for given issues. Where EISP is something we have set and will revisit occasionally, IISP are policies that need to be more flexible, evolving to meet our security needs as they change. So IISP is a lot of what the IT security people do. That's what the people in the organization see the most because we have been training people on ways to keep our information secure, so we do not lose our competitive advantage by having sensitive information in the broader world. We are teaching people things about password security, how and when to use our networks with their own devices, and things like that.

As for why you should care, well, when I presented this to the Board they were quite concerned about security breaches, so the fact that your bosses care is a good starting point. The performance of the company depends on the information we have, so when that gets compromised we all lose. We're trying to protect the company's most important assets.

3. I would ask how he knew I was thinking about information security. That was pretty smart of him to read my mind like that. But yes, there are two things in particular that apply to the whole organization. The first is leadership and the second is the role that other offices play in implementing IS.

On the first, when we develop and implement an information security strategy, we will need support, both resource and vocal, from the C-suite. Information security has to be part of the organization's culture, because information governance relates to all forms of communication, from all people. It is especially what goes on outside the confines of the IT department. So the entire organization needs to have guidance on information security in order to minimize the number of potential vulnerable points that the organization has.

The second is that the other offices all play a critical role in implementing information security. They should -- they are among the most vulnerable since they actually have sensitive information and are visible targets for things like industrial espionage. The C-suite people must not only lend resource and moral support, but they have to be trained in all aspects of information governance in particular. This is necessary so that the entire organization has a strong culture of information security, understanding the risks and how to mitigate those risks. It is important as well that these individuals in particular do not become part of the problem. The COO is exactly somebody we need to work with closely on IT security and governance, so what needs to be conveyed the most at this point is that security is critical and that the COO needs to sit down with us in the next few days and we'll go over what we need from operations, especially in terms of the procedures and measures that are part of the information governance program. I would also want to impress upon the rest of the C-suite that they all play key roles in governance as well, and I will be meeting with all of them in the coming weeks to discuss how they are going to help improve the quality of information governance in this organization.

4.

Servers crash. So the big thing we need to do is to ensure that the servers are secure and that there is more than one server. I back up important personal information three ways, so the organization should have a standard like that as well. So this is two issues -- multiple servers and added server security. Multiple servers is a critical issue, so that where there is a key server that we work with, there is another backup server in a different location that we are also storing information on. This gives us a hedge against hardware failure.

Cite This Paper
PaperDue. (2013). Security and Governance Program Is "A Set. PaperDue. https://www.paperdue.com/essay/security-and-governance-program-is-a-set-178379
