Governance 101: Back to Basics

In this blog, let’s go back to the basics and talk about what governance is and how you can use it to ensure that the information that reaches your executive team is complete, accurate and timely.

What is governance?

Enterprise governance is the set of processes and practices utilized by executive management to ensure that all of the regulations required by your organization are documented, assessed and managed properly. The process includes defining controls and frameworks, managing governance documentation, reviewing compliance, assessing risk, and establishing and tracking exceptions.

What is the goal of governance?

Enterprise governance activities are designed to enable your organization to make and prioritize strategic decisions and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively. Governance documentation ensures that your policies and regulations are properly documented and reviewed and allows you to assess compliance and mitigate risks based on potential exceptions.

What are some of the common frameworks and controls related to governance?

A critical part of every GRC program is managing the frameworks and associated controls that you are required to adhere to. Some of the more common categories are:

  • Healthcare - Healthcare organizations are typically required to comply with HIPAA or other country-specific frameworks based on their possession of Personal Health Information (PHI). Many utilize proprietary frameworks like HITRUST to help them demonstrate compliance. Additionally, many healthcare organizations process credit cards and are subject to PCI DSS.
  • Government - Government organizations are typically required to comply with various NIST requirements. These include the NIST Cybersecurity Framework (CSF) as well as frameworks like the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
  • Education - Education organizations include both K-12 and higher education institutions like universities. These organizations typically hold a lot of Personally Identifiable Information (PII) on their students, faculty, and staff. While there are some local requirements on PII like the General Data Protection Regulation (GDPR) or California S.B. 1386, we typically see these organizations opting for broader compliance frameworks like the NIST Cybersecurity Framework (CSF) or ISO 27001. More recently, we’ve worked with a number of higher education organizations looking to comply with the newly adopted GLBA Standards for Safeguarding Customer Information.
  • Public Utility - Some public utility organizations are run by their local governments and are subject to similar requirements as outlined above. We also frequently work with utility organizations in this space that are required to comply with the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) requirements.
  • Technology - Technology organizations are typically looking to adopt broader compliance frameworks like ISO 27001 or the NIST Cybersecurity Framework (CSF). Many will also be subject to compliance with the General Data Protection Regulation (GDPR) if they are doing business in the European Union (EU) and compliance with PCI DSS if they process customer credit cards. Where these organizations are directly servicing customers, we also frequently see requirements for third-party attestations of compliance that are typically based on the AICPA SOC 2 Trust Services Criteria (TSC).
  • Non-Profits - Non-profit organizations typically don't have many regulatory requirements. While some may take credit cards and are subject to compliance with PCI DSS, most are typically looking to adopt broader compliance frameworks like ISO 27001 or the NIST Cybersecurity Framework (CSF).

What does the governance process entail?

1. Defining and managing frameworks and controls

The first step in creating a governance program is to define and manage your organization’s frameworks and controls. SimpleRisk offers a direct integration with the ComplianceForge Secure Controls Framework (SCF), and enabling it allows you to select from 185 different frameworks, such as ISO 27001, NIST CSF, PCI DSS, GDPR, COBIT, COSO and more, that have been mapped to over 1,000 security and privacy related common controls. The SCF is a Common Control Framework, a superset of proprietary security and privacy oriented controls that were created and then analyzed against other frameworks in order to map any overlap. Common controls have the advantage that a single control can be tested once and the result applied to all of the associated frameworks, which is a huge time saver for organizations that need to comply with different frameworks.

2. Tracking governance documentation

Regardless of which industry your organization falls into or which frameworks you adhere to, you will need a single repository to store all of your policies, guidelines, standards, and procedures. In fact, many of the current security control frameworks, like PCI DSS and HIPAA, have requirements to ensure that your policies have been documented and are accessible to your employees. This documentation should be linked to the relevant frameworks and controls and should be reviewed on a regular cadence to ensure it stays current.

3. Defining exceptions to policies and controls

Occasionally a person, system, application, or process may not comply with all of an organization’s policies and controls. When this occurs, the level of risk needs to be analyzed to determine whether it is worth accepting or whether it needs to be mitigated in some way. If risk reduction is necessary, the risk should be managed using our standard risk management processes. If, however, it is determined that this exception is worth accepting, the authorization and justification for that decision need to be tracked and reviewed on a regular basis. If an auditor questions your exceptions, you can easily provide documentation that your organization was aware of the exception to your policy, the exception was justified, the decision was approved by management, and a cadence was established to regularly review the exception.

We hope this high level explanation has helped provide some insight into the steps involved in effectively managing your organization’s governance. For more information about how SimpleRisk can help establish your governance program, visit our Governance Solution page.

If you’d like to learn how SimpleRisk integrates governance, risk management and compliance together in a way that’s easily digestible by both security practitioners and business stakeholders alike, we offer several options:

  • Download SimpleRisk Core and install it in minutes to begin utilizing our free and open source platform.
  • Start a 30 Day Trial for free unlimited access to your own dedicated instance of SimpleRisk with all of the SimpleRisk Extras.
  • Schedule a Demo for a live demonstration of the application, covering topics such as using SimpleRisk to manage your risks, governance, compliance, risk assessments, and reporting.
  • View a recorded demo where CEO and SimpleRisk creator, Josh Sokol, covers all of SimpleRisk’s functionality, various use cases and pricing in 40 minutes.