Governance and Corporate Culture

Ensuring your organization, management and employees make security a priority

The Governance and Corporate Culture component of the Integrated Information Security approach assesses whether the client ensures that its organization is committed to ingraining Information Security (IS) in its corporate structure, priorities and daily operations.

The objective is to identify where the topic of information security sits within the structure of how the company makes decisions, sets priorities, monitors performance, and communicates to clients, staff and stakeholders. A key area of focus will also be to determine to what extent the client uses performance reporting and analysis to provide decision-makers with the information required to assess the state of information security and make the required decisions.

Critical information to be gathered will include strategic documents relating to corporate planning and priorities, terms of reference (TORs) for governance committees, organizational priority documents, management accountability frameworks, decision-making guidelines, corporate messaging regarding priorities, corporate messaging regarding information security, and messaging regarding tactical information security measures. In addition, the client will be asked to provide the assessment team with information regarding the existence of an enterprise or corporate risk profile.

The corporate culture component will aim to identify how the organization, its management teams, and employees view information security, and how security is promoted in the daily practices, key functions and behaviors that effectively secure information. The first objective of this section is to help determine whether information security is woven appropriately into the culture of the organization, whether the culture of the organization allows information security to be taken seriously, and whether a true 'top-down' commitment exists. The second objective is to determine whether the required level of awareness exists among staff and management regarding the topic of information security. This includes assessing the organization's overall understanding of the general topic, how it impacts the company, the consequences if a data breach occurs, staff's own responsibilities, applicable laws, regulations and internal policies, who is responsible for what within the organization, and the appropriate measures to be taken.

Some key objectives include:

Primary

  1. Identify where the topic of Information Security (IS) is situated within how the client makes decisions, sets priorities, plans, monitors performance, and communicates to clients, staff, and stakeholders.
  2. Determine whether the client has an organized and systematic approach to appropriately guiding the components of Information Security.
  3. Determine whether information security is woven appropriately into the culture of the organization, whether the culture of the organization allows information security to be taken seriously, and whether a true 'top-down' commitment exists that supports an IS Program.
  4. Determine whether the required level of awareness exists among staff and management regarding the topic of information security.

Secondary

  1. What is the client's governance structure, and is IS a part of it?
  2. How are corporate decisions currently made, and is IS an appropriate consideration in them?
  3. What is the client's broader approach to performance measurement?
  4. To what level is IS reported and measured with appropriate metrics?
  5. Does the culture of the client reflect Information Security as a priority?
  6. How effective is management's communication on IS?
  7. How is Information Security approached from a training and awareness perspective?
  8. What roles, responsibilities and accountabilities exist for IS within the management team and key personnel?
  9. What dedicated resources are available to support the IS Program?
  10. What policies and procedures exist, and how are they managed?

Stakeholders we work with from your organization:

It is important to the data gathering process that the appropriate management and other accountable representatives attend the data gathering meetings, so that the information required to support an effective analysis is available. It is recognized that certain client representatives may have multiple responsibilities and that terminology may vary. It is therefore critical to make prior preparations with the Project Lead during the Introduction Meeting to ensure that representatives with the following accountabilities attend this meeting:

  • Project Lead
  • Executive Responsible for Information and/or Corporate Security
  • Chief Security Officer or Manager
  • Executive Responsible for Training
  • Executive Knowledgeable of Org Governance and Decision Making
  • Human Resources and Training & Learning
  • Executive Knowledgeable of Organizational Performance Measurement and Risk Management
  • Representative responsible for Privacy
  • Executive Knowledgeable of Organizational Priority setting and strategic planning
  • Executive Knowledgeable of Organizational Policy and Procedural management
  • Representative responsible for Electronic Information and Cyber Security