adam's notes

Governance and Accountability

Governance is creating and monitoring effective policies and procedures to manage assets and ensure compliance with industry regulations and local, national, and global legislation.

  • manages legal risks such as:
    • regulatory compliance requirements
    • contractual obligations
    • public disclosure laws
    • breach liability
    • privacy laws
    • intellectual property protection and licensing agreements
    • interpret legal requirements into operational controls to avoid legal trouble and protect the organization

Governance Boards

A governance board is a group of senior executives and external stakeholders with responsibility for setting strategy and ensuring compliance.

  • responsibilities
    • setting strategic objectives, policies, and guidelines for security practices and risk management
    • oversee the implementation of security controls
    • work closely with risk management teams to ensure compliance with relevant laws and regulations
    • evaluate the security program’s overall effectiveness

Centralized vs. Decentralized Governance

  • centralized security governance
    • decision-making authority primarily rests with a single core group or department
  • decentralized security governance
    • distributes decision-making authority to different groups or departments
      • facilitate security-focused decisions based on localized needs and priorities
    • each unit has greater control over the allocation of security resources
      • to allow greater adaptability and tailoring of security capabilities
  • Hybrid governance
    • aims to balance the advantages of centralized oversight and decentralized implementation
    • specific security processes and decisions are centralized
    • others are delegated to business units or departments
      • to facilitate the development of standardized policies at the enterprise level while providing flexibility and local control as warranted

Committees and Boards

Governance committee is a group of leaders and subject matter experts with responsibility for defining policies, procedures, and standards within a particular domain or scope.

  • focus on specific issues
  • provide in-depth analysis, recommendations, and operational support to the governance board

Committee vs Board

Governance boards and governance committees serve distinct roles within an organization’s governance structure.

  • Governance boards are typically composed of high-level executives and external stakeholders
  • governance committees are typically comprised of subject matter experts and operational leaders

Government Entities and Groups

  • Government-level governance committees are often represented by specialized agencies
AgencyDescription
Regulatory AgenciesRegulatory agencies establish and enforce security standards, regulations, and guidelines. They oversee compliance with laws related to specific sectors such as finance, healthcare, telecommunications, and energy.
Intelligence AgenciesIntelligence agencies gather and analyze information to identify and counteract potential security threats and provide this information to national-level government groups to steer national policy and military strategy.
Law Enforcement AgenciesLaw enforcement agencies enforce laws and regulations related to public safety and security. They investigate and prosecute criminal activities, including cybercrimes and terrorist activities.
Defense and Military OrganizationsDefense and military organizations are responsible for safeguarding national security and protecting the country from external threats. They develop strategies, policies, and capabilities to address physical security, border control, and defense-related cybersecurity.
Data Protection AuthoritiesData protection authorities focus on protecting personal data and privacy rights. They enforce data protection regulations and provide guidance on the best practices for securing personal information.
National Cybersecurity AgenciesNational cybersecurity agencies focus on protecting critical infrastructure, government networks, and national cybersecurity interests. They develop cybersecurity strategies, coordinate incident response, and provide guidance on cybersecurity practices for government entities and private organizations.

Data Governance Roles

  • Owner
    • A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset
    • identifies what level of classification and sensitivity the data has, decides who should have access to it, and what level of security should be applied
    • provides strategic guidance to ensure that security policies align with business objectives
  • Controller
    • In privacy regulations, the entity that determines why and how personal data is collected, stored, and used
    • closely relates to GDPR
    • can be
      • individual
      • public authority
      • agency
      • or other body
    • ensures that data processing activities adhere to all legal requirements
  • Processor
    • In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector
    • responsible for processing personal data on behalf of the controller
    • often represents cloud service providers (CSP)
      • but could also be represented by vendors and business partners
    • must
      • maintain records of their processing activities
      • cooperate with supervisory authorities
      • implement appropriate security measures to protect data
    • ensures that data is handled securely and in accordance with the rules established by the owner and controller roles
  • Custodian
    • aka data steward
    • is responsible for the safe custody, transport, storage of the data, and implementation of business rules
    • usually represented by IT department
    • role
      • implements and enforces the security controls established by the data owner and controller
      • reports any issues indicative of a security incident

Graph View

Backlinks