Security Governance, like Corporate Governance requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.
If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.
An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance. The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.
An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them. However, what the stakeholders can demand, is a management system for Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.
It is this Security Governance management system that which we all should be concerned and which we seek from our executives, board members and oversight committees to provide. There should be a top management strategic policy to focus on managing risk for security governance.
This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity; it’s location, assets and purpose. The policy should:
1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against what risk will be evaluated and risk assessment will be defined
A process should be established for risk assessment that takes into consideration:
- Impact, should the risk event be realized
- Exposure to the risk on a spectrum from rare to continuous
- Probability based upon the current state of management controls in place
The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them. It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.