ISACA Journal Author Blog


Steps to Enforcing Information Governance and Security Programs

T. Sean Kelly
Published: 10/23/2017 3:06 PM | Category: Security

In my recent Journal article, I covered how organizations can leverage information governance (IG) programs to enable change and instill a culture of security. With today’s reality of increasing global data privacy regulations and unrelenting data breaches, sound data management and security are more important than ever before. In the face of these challenges, one of the most effective things organizations can do is enable true change, weaving security and privacy into the fabric of their cultures. Once that has been achieved, enforcement of the established programs and policies is equally important so that the hard work is not wasted.

Maintaining change and enforcing adoption of new processes is critical to shaping a culture of security that grows and strengthens over time. When employees understand that participation in training programs or cooperation with new policies will boost their performance ratings or compensation, they are much more likely to adopt and commit to the changes. Some guiding best practices can be put in place at the outset of an IG initiative to support long-term enforcement. These include:

  • Cross-functional support—To be successful, IG must be a cross-stakeholder initiative with sponsorship from legal, compliance, security, IT and records departments.
  • Executive sponsorship—An IG project simply cannot be successfully implemented—or enforced—without C-level involvement.
  • Change management—The process of changing business practices should be rooted in compliance. Change becomes a major challenge in large organizations, where a wide range of priorities and personality types exist.
  • Training—Computer-based training on new technologies and policies should be mandatory for all users, and it should include education around the implications of security breaches, the cost they impose on the organization and how to prevent them.
  • Strategic technology implementation—Every technology evaluation that impacts the company’s data in any way should involve the legal and/or e-discovery team in addition to records, IT and compliance.

In many cases, it is not that employees are ambivalent about security. Once they have been educated about the overall importance of security to the long-term health of the company, most employees comply with new policies and embrace the newly formed culture.

Read Sean Kelly’s recent Journal article:
“Instilling a Culture of Security Starts With Information Governance,” ISACA Journal, volume 5, 2017.


Re: Steps to Enforcing Information Governance and Security Programs

I agree with the point you made about performance ratings and compensation. It seems that until all members of the organization realize that not adhering to governance policy will directly and negatively affect their livelihood, it will lack its desired effect. Even the constant threat to the organization as a whole does not always reverberate all the way down the org chart.
Matthew684 at 12/5/2017 10:36 AM