Governance and Compliance

Optimal governance in information security
Information systems represent over 20% of a company's annual budget. It is therefore essential that they be adapted to the company's context and business objectives.

The current technological context and growing security risks encourage organizations to adopt a structured, responsive and accountable security program.

Information security governance (often grouped under the broader term IT governance) refers to the management tools and the regulatory mechanisms for security systems that a company puts in place in order to achieve its goals.

Security governance is therefore a continuous process that forms an integral part of the company's culture, integrates risk management and is strategically aligned with business objectives. It sets the rules for tactical and operational security, such as the establishment of appropriate controls, and thereby ensures compliance with applicable standards and consistency in the implementation of the normative framework.

Whether subject to NIST SP 800-53, the ISO/IEC 27000 series or PCI DSS (Payment Card Industry Data Security Standard), many companies must comply with specific requirements and adopt information security best practices. Establishing policies, guidelines and procedures is the starting point of the governance framework: it builds a comprehensive security program that ensures the principles, security measures and security controls are applied throughout your business.

The table below illustrates the PDCA (Plan-Do-Check-Act) method, which is used to lay the foundations of a first ISO/IEC 27001 scope and to adopt the tools needed to maintain a governance framework.

Our services

Governance
Normative Framework
Audits and Assessments
Risk Management
Security Architecture


Governance

An effective governance framework requires a broadly defined, long-term security program built on the key elements of information security. These elements must be assessed, understood and integrated. The definition of a governance framework covers the organizational structure, the normative framework, the risk management tools and the security architecture.

The organizational structure of information security governance is the foundation of any security program. It ensures that the governance framework rests on a standardized infrastructure and is carried out by the key stakeholders. The organizational structure is therefore established by identifying and defining the roles and responsibilities of the various departments. Naturally, the business objectives, the mission, the tools already in place and the organization's level of maturity in information security are key inputs to a strategic and sustainable governance framework.

Normative Framework

Implementing the normative framework is a crucial step in establishing a governance framework. An organization's internal policies, guidelines and procedures are the reference tools stakeholders use to carry out their assigned roles and responsibilities. Since employees are the key players in applying these rules, it is essential that they understand their nuances and comply with them.

Our policy writing specialists rely on leading information security standards, such as ISO/IEC 27001 and 27002. They also ensure that our customers' normative framework is consistent with the legal requirements applicable to information technology, including personal and confidential information protection laws and the other rules specific to each organization.

Audits and Assessments

Not all organizations have the same level of maturity in information security. They are at different stages in understanding their security posture, their exposure, their risk mitigation and their remediation.

In many cases, the activities leading to the implementation of a governance framework must begin with a first step that gives us a better understanding of our customers' current position and target objectives. To that end, security program "health checks", audits and penetration tests can be performed. Each of these preliminary activities aims to establish the facts and to adjust the security program to the needs, business objectives and challenges of each organization.

Risk Management

Risk management can be based on several methods. Although traditional analysis methods exist (MEHARI, among others), they prove to be very complex, costly and subjective, and their results are not always conclusive.

The OKIOK vision of risk management is based on the key controls and security architecture method, a proven methodology that gives a quick reading of the company's posture by considering a set of controls essential to an information security environment. A key security control is one that generally has a significant influence on the risk posture. Key controls are drawn from reference frameworks such as ISO 27002, ISO 27033, NIST and the ISF.

Once the reference standard has been identified and selected, the analysis determines a reduced number of key controls, chosen for their maximum impact on risk. It is against this restricted set of controls that the maturity of each key control is measured, using a maturity scale similar to that of COBIT.

Security Architecture

Implementing a security architecture (OSA) is part of the key controls method. It optimizes the evolution of key and complementary controls while sustaining their maturity, through the implementation of business services and design patterns.

Much like a marquee tent, where the whole structure rises when the fabric is hoisted up the main poles, raising the maturity of the key controls systematically lifts the complementary controls with it.

The security architecture is defined and then implemented step by step to meet the needs of the normative framework and risk management.
