17. Governance Elements
Government is who rules; governance is how they rule, that is, how rules are put into practice.
Any business or organization exists to fulfill a purpose.
Fulfilling that purpose requires that decisions are made, rules and practices are defined, and policies and procedures are in place to guide the organization in pursuit of its goals and mission.
Laws and regulations guide the development of standards; standards shape policies; policies are carried out through procedures.
- Procedures are the detailed steps to complete a task that support departmental or organizational policies.
- Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.
- Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.
- Regulations are commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for non-compliance.
Regulations and Laws
Regulations and associated fines and penalties can be imposed by governments at the national, regional, or local level.
Examples:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 regulates the handling of protected health information (PHI) in the United States.
- The General Data Protection Regulation (GDPR) regulates the processing of personal data (commonly referred to as Personally Identifiable Information, PII) of individuals in the EU.
Standards
Organizations use multiple standards as part of their information systems security programs, both as compliance documents and as advisories or guidelines. (In simple terms, a standard is a fixed, agreed reference point: it states what is to be done and is not reinterpreted case by case.)
Standards cover a wide range of issues and ideas and provide assurance that an organization is operating with policies and procedures that support regulations and widely accepted best practices.
Examples:
- The International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards.
- Many of the standards issued by NIST (National Institute of Standards and Technology) are mandatory for U.S. federal government agencies and are treated as recommended practice by industries worldwide.
- The Internet Engineering Task Force (IETF) publishes standards for communication protocols that allow computers from different vendors and countries to interoperate, regardless of who built or operates them.
- The Institute of Electrical and Electronics Engineers (IEEE) also sets standards for telecommunications, computer engineering, and similar disciplines.
Policies
- Policy is informed by applicable law(s) and specifies which standards and guidelines the organization will follow.
- Policy is broad but not detailed.
- It establishes context and sets out strategic direction and priorities.
- Governance policies are used to moderate and control decision-making, to ensure compliance when necessary, and to guide the creation and implementation of other policies.
- Policies are often written at many levels across the organization. High-level governance policies are used by senior executives to shape and control decision-making processes.
- Policies are implemented, or carried out, by people; for that, someone must expand the policies from statements of intent and direction into step-by-step instructions, or procedures.