I’ll be the first to admit that buzzwords like “information security governance,” “cyber security organizational structure,” and “information security organizational structure” can sound like trendy but otherwise meaningless concepts. My goal is to explain what information security governance is in a way that helps you not only understand its goals, but also see how it can help you address and align the various compliance requirements your organization may be subject to. This article discusses IT compliance requirements and how implementing an information security governance model can help you meet them through IT and cybersecurity compliance frameworks in a more streamlined and efficient manner.
What Is An Information Security Governance Framework?
And what is the difference between governance and compliance? The day-to-day business of an organization includes the management of people, objectives, and company strategy. The way in which a company is managed is defined through its governance model. Applied to your information security strategy, an information security governance framework defines how security is implemented and managed within the organization.
Compliance can be thought of as the “what” – the requirements you are obligated to meet or are trying to achieve. An information security governance framework can be thought of as the “how-to” – how you meet the industry standards set out in cybersecurity and IT compliance frameworks. A good information security governance framework defines a company’s standards, policies, and procedures in a way that addresses a broad range of the organization’s IT compliance requirements.
Why Is Information Security Governance Important?
Businesses have competing objectives and priorities. Sales and revenue, profit margins, and client satisfaction should land at the top of the list of any organization’s priorities. However, in today’s world of increased reliance on information technology, you compromise each of those priorities if information security is not integrated into every aspect of your business, embedded in every conversation, and considered a key component of your business and product strategy. Enter information security governance. If you want to be able to compete in today’s technology-focused world, you need an information security governance framework, if for no other reason than to mitigate the risk of being in the news about the next data breach.
In addition to the priorities that keep the lights on, businesses often have competing compliance requirements. Many of our clients come to us because they need a SOC 2 report – either to satisfy a contractual obligation or to better position themselves in the marketplace. After the first year, it is not uncommon for our clients to start asking how they can also satisfy other IT compliance requirements their clients are asking about. As more companies outsource services and technology, the need for increased compliance and proof of that compliance also increases. The requirements run the gamut, but HIPAA, HITRUST, and GDPR tend to top the list. As an independent auditor, we are able to issue different compliance attestation reports to help our clients demonstrate their compliance with the different, but similar, IT and cybersecurity compliance requirements.
What Are the Benefits of Information Security Governance?
I work with companies of all sizes operating at different levels of maturity when it comes to information security. Many of our clients are start-ups that know information security is important, but couldn’t define an IT control to save their life – they’re too focused on trying to get their innovative product off the ground, and make a few dollars along the way. Some of our other clients have been in business for quite some time, but have been patching together IT security controls to meet different requirements over time and are left with competing priorities, redundancies, and inefficiencies across their internal controls.
The benefits of information security governance are that it helps to align priorities, eliminate redundancies, and reduce inefficiencies. When implemented correctly, an information security governance framework takes into consideration a company’s strategy, operations, and compliance requirements, and provides a structure to manage the objectives of each in a balanced and organized manner.
What Are Compliance Frameworks?
You are likely familiar with the well-known IT compliance frameworks, or acronym soup as we like to call them. SOC 1, SOC 2, HIPAA, HITRUST, NIST 800-53, NIST 800-171, NIST CSF, CMMC, FedRAMP, PCI DSS, ISO 27001, GDPR, CCPA…does it ever end? A number of these frameworks are considered leading industry standards, and navigating them can be overwhelming and frankly frustrating. Each was designed with different, but similar, objectives in mind.
For example, SOC 2 was developed as a mechanism for service organizations to demonstrate they have controls in place to mitigate risks to the service they provide. The SOC 2 criteria (the Trust Services Criteria) were designed by the American Institute of Certified Public Accountants (AICPA). On the other hand, HIPAA was created to provide national standards for the privacy and security of protected health information; its Security Rule specifically covers electronic protected health information (ePHI). The requirements under HIPAA are sourced from federal legislation as implemented by the U.S. Department of Health and Human Services (HHS).
Each framework’s standards and requirements are tailored to its stated objective. In the SOC 2 vs. HIPAA example, both frameworks address information security risk, and a SOC 2 report can be a good baseline for the controls that need to be in place to demonstrate HIPAA Security Rule compliance, but HIPAA brings requirements that SOC 2 does not, so additional HIPAA-specific controls should be considered.
How Do I Build An Information Security Governance Framework?
First and foremost, you need to identify the compliance, regulatory, and contractual requirements your company is subject to. To start, here are some good questions to ask:
- Did we sign a contract with a new client promising to deliver a SOC 2 report by year-end?
- Do we process and/or store electronic protected health information (ePHI)?
- Do we do business in the European Union or offer goods or services to individuals or businesses in the EU? What about California?
- Are we trying to win a Federal government contract?
- Are we a public company? Do we process financial transactions on behalf of our clients?
- Are one or more of our clients asking if we have ISO 27001 certification?
How you answer these questions helps you identify the IT compliance frameworks you may be subject to. For example, if you process and/or store ePHI, you are likely subject to HIPAA, and your clients may also ask you to demonstrate HITRUST certification. If you are looking to enter the Federal contracting space, you should research whether you will be subject to FedRAMP, CMMC, or one of the NIST frameworks.
Once you have identified your requirements, you can select the framework or frameworks that will help you meet your IT compliance objectives. The standards you are subject to serve as the basis for your information security governance framework: each one identifies the minimum requirements you must meet through your information security policies and IT controls, and in turn helps define those policies and controls. If you are subject to multiple standards, further analysis is required to design a governance framework that brings their common requirements together under shared controls, while ensuring the unique requirements of each are also met.
What Is An Example of Information Governance?
Going back to our SOC 2 vs. HIPAA example, consider the requirements for information system authentication under each standard, and compare them to the authentication requirements under PCI DSS, the compliance framework designed specifically for entities that store, process, or transmit cardholder data.
(The original article presents this comparison as an infographic, with links to the SOC 2, HIPAA, and PCI source documents; it is not reproduced here.)
The requirements are written differently, but all address the same objective: verifying that a user accessing a system is properly authenticated. The SOC 2 and HIPAA requirements are stated more generally, while the PCI DSS requirements are more specific. If your organization must comply with all three frameworks, your information security governance model would consider the requirements under each standard and establish a single user authentication policy that requires the most stringent elements to be met. You would then implement one control around user authentication that requires a unique user ID, a password, and multifactor authentication, so that all three frameworks are satisfied by the most stringent criteria, rather than implementing three separate controls aligned to each framework. Two checks are worth making when you consolidate this way: confirm that the combined control is applied to every system in scope for each framework (a control that only covers the systems one framework cares about does not satisfy the others), and document the mapping from the control back to each framework’s requirement so that the evidence you collect once can be presented for all three.
If you are just starting out on your IT compliance journey, SOC 2 is a good place to start. It is a comprehensive but flexible framework: it is less prescriptive than others, which lets you define your own controls that meet the Trust Services Criteria. You can then design your SOC 2 policies and controls so that other IT compliance standards can be layered on as needed.
Note that this is where hiring a dedicated security/compliance resource or an external consultant may be beneficial. It’s not uncommon for us to see our clients bootstrap security and compliance for the first year or two, but the reality is that as you grow, your IT compliance requirements are also likely to grow and become more complex, so experts in this field can be a valuable asset to your company. Alternatively, implementing a governance, risk, and compliance (GRC) tool may be beneficial.
Summary – Why Do You Need An Information Security Governance Framework?
In summary, it’s important to remember that the goals of your information security governance framework should be to not only help you meet your IT compliance obligations, but to do so in the most efficient way. When IT compliance requirements are addressed in an ad hoc manner, redundancy, inefficiency, and missed requirements are bound to result. Taking a holistic, top-down approach will help you to effectively manage IT compliance within your organization.
Not sure where to start? Contact Linford & Company and we can help you sort through the acronym soup that is IT compliance. We are well versed in all of the IT compliance frameworks and help our clients navigate their requirements and demonstrate compliance in as efficient a manner as possible.
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.