Governance

Our drive

Governance is simply describing what should be done to do things right :

• Introducing a 4 eyes principle (seggregation of duties / separation of duties).
• Introduce administrative controls to prevent having people with the wrong profile, incompetent, enough experience (ensuring diploma's are real / ensuring experience declared is correct / checking Certifications have been successfully obtained / ... ).
• Telling people what they should do in specific circumstances (installing software, reporting incidents, mobile usage, ....)
• ...

Often, Governance is seen as a bureaucratic useless set of Tasks. Governance should be seen as the way of working of the company to ensure long term survival.

Understanding & experience always pay back

Diploma's, certifications, ... are always elements to take into consideration. However, the key to a working & efficient governance is the good understanding of the purpose & the objectives by the people. Simple (Lean !) processes clearly help to avoid people feeling bored. Sound corner stones such as "competence + experience + common sense" are mandartory to avoid people feeling useless or fighting against a Windmill.

A common term used in Security is Policy or Rule instead of "what should be done" ... and "yes" Goverance will define rules to follow. However, defining rules, policies, regulations, procedures, ... does not garanty those will be executed. We can help you ensuring that the process (you) defined are consitent & in-line with the expected Security posture of the Company. We can also help to ensure that those policies / processes / ... do not contain "non-sense", impractical scenarios, ...

Better to do things than not doing those. Having agreed upon, written down processes, policies, regulations, ... describing what is the purpose, what actions are expected within your Organization. A copy-paste from the "BEST-IN-CLASS" might not be what you company requires. You need to have expectations that are according to your Organization maturity level & expectation. An SMI should not try to imitate a Bank or an International organization or a Ministery.

Formalism

NIST CyberSecurity Framework, ISO-27.xxx, CMMC 2.0 ... they all cover numerous different aspects, needs, legal environments, ...

We practice Risk management from Vulnerability assessment to Second line or Audit support. We are using those frameworks on a daily basis. You may want to choose a lightweight solution or you need to be able to justify the complete deployment of a solution accorss the organisation.

We can help you with the setting up of a the whole project :

• From defining the perimeter & the best Security position to adopt (or just advice on how to improve the security position);
• Identify weak / soft spot in the Security position of the organisation;
• Chose the right framework;
• Write consistent policies across the organisation
• ...