Mastering the Elements of Cybersecurity Governance: A Personal Account

Fortune Edema
3 min read, Feb 18, 2023


As the sun rises on a beautiful Wednesday morning, I find myself once again on the path to achieving my goal of becoming an ISC2 Certified in Cybersecurity professional. Today, I am excited to share with you my insights on governance elements in the world of cybersecurity.

Every organization has a purpose, whether it is to provide raw materials, develop software applications, construct buildings, or offer goods and services. To achieve these objectives, organizations must make critical decisions, establish rules and practices, and develop policies and procedures to guide them towards their goals. This is where governance comes in.

Governance involves the implementation of systems and structures that an organization uses to achieve its goals, while adhering to the laws and regulations created by governments to enact public policy. In my journey, I have learned about four essential elements of governance in cybersecurity.

First, regulations and laws are rules laid down that organizations must follow to avoid being fined or penalized. These vary in different parts of the world. For example, in my home country, Nigeria, the Nigeria Data Protection Regulation (NDPR) is a law that governs data privacy and the safe conduct of transactions involving the exchange of personal data, and ensures that Nigerian businesses remain competitive in international trade. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs the use of protected health information (PHI) and carries a fine or imprisonment for individuals and companies found to be in violation of its rules. The General Data Protection Regulation (GDPR) was enacted by the European Union to control the use of personally identifiable information (PII) of its citizens and those in the EU, with provisions that apply penalties to companies that handle such data.

Secondly, organizations use multiple standards as part of their information systems security programs, both as compliance documents and as advisories or guidelines. The International Organization for Standardization (ISO) develops and publishes international standards on various technical subjects, including information systems and information security, as well as encryption standards. The National Institute of Standards and Technology (NIST) is a US agency under the Department of Commerce that publishes various technical standards, including IT and information security standards, for free. The IETF (Internet Engineering Task Force) and IEEE (Institute of Electrical and Electronics Engineers) also create standards on how computers communicate with each other across the globe.

Thirdly, policies are often written at different levels across the organization. They are shaped by applicable laws and specify which standards and guidelines the organization will follow. Policies are broad but not usually detailed; they establish context, strategic direction, and priorities. High-level governance policies are used by senior executives to shape and control decision-making processes. Cybersecurity professionals play a vital role in expanding policies from a statement of intent and direction into step-by-step instructions or procedures.

Finally, procedures define the explicit, repeatable activities necessary to accomplish a specific task or set of tasks. They provide the supporting data, decision criteria, or other explicit knowledge required to perform each task. Properly documenting procedures and training personnel on how to locate and follow them is necessary for deriving the maximum organizational benefit from them.

As a cybersecurity professional, I would be actively involved in critical decision-making processes in an organization, driving growth and protecting valuable organizational information. Understanding the governance elements is essential in ensuring this growth and success.

In conclusion, I took a knowledge check to test my knowledge and was pleased to see that I had a solid understanding of the governance elements in cybersecurity. I hope that my journey and insights have been informative, and I look forward to sharing more about my cybersecurity journey with you in the future. Happy reading!


Written by Fortune Edema

Information Security Associate ISO/IEC 27001 || Tech Enthusiast || InfoSec Researcher || Jnr SOC Analyst || Security Awareness || Computer Science Student