The importance of a good IT Governance structure
IT governance is a framework that helps you align your IT strategy with your business strategy and goals. There are tons of great examples out there like COBIT, ISO and more. GDPR will require a change in the habits of your employees. But as a company you need to establish clear guidelines and standards. It’s also very important to audit these standards to maintain compliant to both internal and external factors.
Information security policies
Part of good IT governance is having a good IT security management. It’s of great value to have strong policies compliant to current standards. Unhashed passwords in a database, no password policy or not using SSL for sensitive forms for login or payments is not accepted in a digitalizing age. The first step to create good policies is to identify the risks that threaten your assets. This can be done by verifying the Confidentiality, Integrity and Availability (CIA) of an information asset.
Writing policies is one thing, but making them understandable for your employees is another. When creating policies, go in details but I also advice to make an IT manual. This IT manual contains bullet points of the “need to knows” and “how to’s”. For example a password policy will contain all the technical specifications but the IT handbook will just state the password requirements and how the password can be changed.
Risk information management
When creating policies, create control procedures. Having policies are only as strong as long they are complied with. These control procedures state how compliance towards a policy is measured, who is responsible for the audit and so on. The key element of a procedure is how often it is performed, so again based on a risk assessment, some policies require more frequent audits compared to others.
When an audit is performed, this should be logged along side any documentation and proof of compliance or non-compliance. Non-compliance should be escalated towards higher management to take counter measures.
The link to GDPR
One of the core tasks of GDPR is to analyze and deal with risks and threats. Performing risk & threat assessments, creating a strong IT strategy with corresponding policies, controls and audits will help you raise the overall level of information security in your business and minimalize the chances of encountering security and personal data breaches.