With increasing obligations on companies to comply with various laws and codes, it is becoming more important for them to partner with businesses that also adhere to high standards of good governance. So much so that good governance practices have become an enterprise-level priority for retaining strategic partners and customers, who are the lifeblood of every business.
This is according to Charl Ueckermann, CEO at AVeS Cyber Security, who says companies are also increasingly expected to show how they have implemented their IT governance in order to retain business with organisations that prioritise governance.
“Organisations expect their partners to have good IT governance in place. That’s because good IT governance ensures not only that the partner’s IT investments support its business objectives, but also means that the company is effectively managing its risks and meets compliance regulations. Organisations want to partner with companies who are compliant and don’t impose any unwanted risks,” he says.
Citing an example, he says that AVeS Cyber Security has been commissioned to implement an IT Governance Framework and to prepare IT security policies and operational procedures for one of South Africa’s most prominent law firms. The firm had been asked by one of its strategic customers, a major South African bank, to show how it had implemented its IT governance. AVeS Cyber Security has an in-depth understanding of the corporate governance context for information security compliance, specifically from a business operations and IT implementation perspective.
“Our client comes from a history of infrastructure, which the bank appreciates. However, given that they deal with people’s information, it is important for the bank to know how and where the firm implements governance principles to protect the confidentiality, integrity and availability of information assets. We started with a comprehensive Information Security Risk Assessment, and are targeting the assessment’s outcomes, which include the governance and remediation of information security systems, as one project.
“We are looking at the business holistically: the people in the organisation (their individual roles, cultures and ethics, skills, training and awareness), the governance framework (with its recommended policies and prioritised processes), as well as technology (which involves all the documented procedures, workflows and forms). All of these must align back to the company’s business requirements.”
During the assessment, AVeS Cyber Security uncovered some critical issues and made several recommendations, among them updating the Information Security Policy based on ISO 27002. The firm had few defined IT Operational Procedures, and AVeS Cyber Security is preparing and implementing revised, comprehensive IT Operational Procedures covering all critical IT activities, in line with the updated Information Security Policy and the company’s security requirements.
The year-long project kicked off in August 2018. To date, AVeS Cyber Security has prepared the IT Governance Policy; the IT Strategy Plan until 2020; an inventory of IT assets; and a high-level Information Security Policy, amongst other tasks. During the first quarter of 2019, the issues to be tackled include the management of vulnerabilities and policies around the transfer of physical media, access control to company systems, privileged access rights, cryptographic controls, the security and control of off-site equipment, and supplier security.
“These are all crucial elements that must be addressed to achieve good IT governance. Yes, technology is integral to achieving this. However, technical solutions are not a complete answer; governance is. Governance encompasses the technology, people and processes across the business to ensure that it is managing risks effectively and is compliant with the codes and legislation that pertain to its industry as well as the industries in which its clients operate.
“While creating a business that is compliant, accountable, resilient and transparent, this also offers clients the peace of mind that they have partnered with a service provider that protects their information pro-actively and subscribes to the highest standards of IT governance,” concludes Ueckermann.