Governance, policies, and incident management
We are going to talk about what makes up an entity (a company, an association, or whatever you want to call it).
Governance
We can define corporate governance as “a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders are balanced.” (This definition is taken from https://www.itgovernance.co.uk/.)
A strong corporate governance framework can assist you in meeting the requirements of laws and regulations such as GDPR, the European privacy regulation.
GDPR, for example, requires data controllers and processors to verify compliance with its standards through specific documentation, such as applicable logs, rules, and procedures.
Throughout this book, I will use examples from GDPR, although there are several other pieces of legislation around, such as LGPD (the Brazilian privacy law) or CCPA from California, and many more to come. But GDPR is, together with its UK variant, an umbrella for roughly 400 million people in 28 countries and is therefore the most popular.
Applying IT governance principles will help you create and maintain proper policies and procedures that satisfy your data privacy obligations.
IT governance is a component of corporate governance that aims to improve overall IT management and get more value from investments in information and technology.
IT governance frameworks have the following functions:
- Assisting entities in efficiently managing their IT risks and ensuring that information and technology operations are aligned with their overall business objectives
- Showing demonstrable achievements in relation to broader business plans and goals
- Complying with applicable legal and regulatory duties, such as those outlined in GDPR
- Assuring stakeholders that your entity’s IT services are trustworthy
- Facilitating a higher return on IT investment
- Following any business governance or public listing guidelines or procedures
According to ISACA (https://www.isaca.org), we can break IT governance (ISO 38500) into five different domains:
- Value delivery
- Strategic alignment
- Performance management
- Resource management
- Risk management
Consider that there are several frameworks and methodologies for complying with IT governance, such as ISO 27001, NIST, ISO 27000 (aka ITIL), COBIT, ISO 31000, ISO 38500, and ISO 22301. Since we are dealing with a security compliance framework, it is better to stick to the most popular ones, that is, ISO 27001 and NIST, alongside ISO 27701 (the privacy framework).
Policies and procedures
In information security, policies and procedures are the documents that describe how your business is run.
A policy is a set of rules or guidelines that your entity and its employees must follow in order to comply; a procedure describes how that policy is put into practice:
- Policies provide answers to the questions of what employees do and why they do it
- A procedure is a set of instructions for implementing a policy
So, what exactly is a policy?
A policy is defined as a set of rules or guidelines that your entity and employees must follow in order to achieve a specific goal (i.e., compliance).
What is the function of a policy?
An effective policy should outline what employees must and must not do, as well as directions, principles, and decision-making guidance. It should answer the questions of what and why; both relate to the meaning of a policy, and it is important to understand what a policy is and why it is needed.
What exactly is a procedure?
A procedure is the counterpart of a policy; it consists of the instructions on how to implement that policy:
- It is the step-by-step guide for implementing the policies outlined previously
- A policy defines a rule and a procedure defines who is expected to do what and how
- Procedures provide answers to questions such as how, when, and where
What is the importance of documented policies, procedures, and protocols?
Too many businesses regard policies and procedures as a necessary evil, failing to consider their purpose. It’s not about following best practices or becoming a soulless corporate entity; the goal of policies and procedures is to explain what management wants to happen and how it will happen.
I’ve come to believe that the primary difference between a small and a medium business is not found in quantifying a company’s maturity by revenue or employee count, but rather in whether or not management has taken the time to develop, implement, and maintain policies and procedures.
So far, this definition has not disappointed me; companies with mature policies, procedures, and systems are easier to audit, have a better understanding of their security posture and risk, and appear to be operating far more sustainably than those that haven’t paid much attention to governance.
Objections about policies and procedures
Once management understands the definitions of policies and procedures, they will no longer ask, “What are policies and procedures?” or “What is the purpose of a policy?” and instead proceed to ask, “Why do I have to write policies and procedures?”
Management in small businesses generally has the same set of objections to writing down a set of policies and procedures, all of which are related to difficulty, company culture, and time constraints. But keep in mind that the benefits outweigh the inconvenience of policies and procedures. The goal of policies and procedures is much more than simply writing down some rules.
It’s difficult to create policies and procedures.
But it’s extremely difficult! Yes, but also no. Most businesses that do not have mature policies and procedures are doing fairly well; otherwise, they would not be in business. It’s certainly easier to define security from the start, but that doesn’t mean you can’t simply start with what you’re doing now and refine it later.
Sometimes, the real objection isn’t how difficult it is to write down policies and procedures, but how afraid most people are of writing down how they’re doing things incorrectly. Begin with where you are, and then be realistic about where you want to go. You may not be keeping up with best practices in some areas, but if you let embarrassment keep you from putting policies in writing, you’re missing the point. Knowing exactly what you’re doing now allows you to determine what you should be doing tomorrow. It’s how you can create a real budget, identify real enterprise risks, and respond effectively when something goes wrong.
But no worries, we’ll dive deeper into these things later.
Incident management
The goal of the incident management procedure is to restore normal service operation as soon as possible and to minimize the negative effect on business activities while maintaining agreed-upon standards of service quality. The goals of the incident management process are as follows:
- Ensure that standardized processes and procedures are utilized for effective and timely incident response, analysis, recording, continuous improvement, and reporting
- Increase incident visibility and communication to business and IT support personnel
- Improve the business view of IT by taking a professional approach to addressing and communicating problems as they might arise
- Align incident management efforts and priorities with business priorities
- Maintain satisfaction among users with IT service quality
This concludes a very rapid journey through the essential topics concerning governance. Let’s move on to an interesting topic, the differences of NIST.