Consistency in security/privacy protection controls is critical to mitigating organizational risk. Risk mitigation begins at the highest level of an organization and rests on a combination of three key things: governance, accountability, and culture. Implementing an organizational governance process brings myriad benefits, including lower costs, greater control, and increased overall efficiency and effectiveness. A benchmarked framework (such as the NIST Cybersecurity Framework) identifies the steps needed to deliver this value and how to measure its impact and ongoing effectiveness. Given the uniqueness of enterprises across government, a framework is the appropriate tool because it offers security and privacy standards while allowing, even requiring, customization to fit the enterprise it serves, as opposed to standards, which command compliance (ISACA, 2015a).
Accountability is an often overlooked component of security and privacy protection. Individuals at every level of the organization must be held accountable. Policy and best practices should inform decision-making from the boardroom to the break room in all aspects of information technology, from strategy to end-user actions. Effective risk management demands strategic leadership, and the responsibility and accountability for security must be placed directly in the hands of the board and senior management executives. In many enterprises, security is seen as a low-level technical (or even IT) issue rather than a strategic requirement. However, accountability and responsibility are ineffective unless they are also shared at the lowest level; in cyber security, accountability means that each employee has specific security responsibilities. Providing users with the tools, information, and training to improve their personal security habits and practices leads to improved organizational resiliency.
Finally, culture is critical to ensuring consistency in security/privacy protection. No security policies, standards, guidelines, or procedures can foresee all of the circumstances in which they will have to be interpreted. Therefore, if stakeholders are not grounded in a culture of security, there is potential for improper actions. The culture determines what an enterprise actually does about security or privacy, not what it says it intends to do. An effective security culture supports the protection of information while also supporting the broader aims of the enterprise. A culture of security is not an end in itself, but a pathway to achieving and maintaining other objectives, such as the proper use of information. The greatest benefit of a culture of security is the effect it has on other dynamic interconnections within an enterprise. It leads to greater internal and external trust, consistency of results, easier compliance with laws and regulations, and greater value in the enterprise as a whole.
ISACA. (2015a). Getting Started With Governance of Enterprise IT (GEIT). Rolling Meadows, IL: ISACA.