Governance

Governance - the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that the information security strategies:

  • are aligned with and support USG business goals/objectives
  • adhere to policies, standards, and internal controls
  • provide assignment of authority, roles and responsibilities

"... all in an effort to manage risk"

Why a Framework for IS Governance?

  • Increasing operational risk exposure
  • Growing market demand for senior leadership attention and duty of care
  • Need for implementable guidance

To define:

  • A structure that engages the entire system;
  • Clear roles, responsibilities & accountabilities;
  • Actionable steps and outcomes.

Characteristics of Effective Security Governance

  • Managed as a business-wide issue
    • Planned, managed, & measured
    • Horizontally, vertically, cross-functionally
  • Leaders are accountable
    • Security is everyone's responsibility
    • Visibly own their risks; conduct regular reviews
    • Adequate resources committed
  • Viewed as business requirement
    • Aligns with business objectives and policies
  • Risk-based
    • Reputational, operational, financial
    • Tolerances established and reviewed
  • Roles & responsibilities defined
    • Clear segregation of duties
  • Staff aware & trained
    • Awareness, motivation, compliance expected

Governance Activities

  • Review information security organization structure
    • Help assign roles & responsibilities
    • Ensure segregation of duties
  • Develop top-level policies
  • Inventory information assets
    • Establish ownership & custody
  • Determine standards/compliance requirements
    • Address cross border data flows & privacy

Result = Information Security Strategy

Integration Activities

  • Categorize assets
    • Level of risk & magnitude of harm
  • Oversee IT/IS risk assessments
  • Select security controls & key performance indicators
    • Draw from standards & best practices
  • Develop supporting plans & requirements
    • Incident response, crisis communications, continuity of operations, disaster recovery, and business continuity

Result = Information Security Plan

The University System - Office of Information Security (OIS) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.