Today, more than ever, with the increasing number of cybersecurity attacks on government organizations and the threat that data breaches pose to the privacy of government officials, their staffs, and government contractor staffs, strong IT Governance based on sound IT risk management is critical to restoring confidence in the security and privacy protections provided.
Government stakeholders need assurance that this is being done to protect the security of key government systems (e.g., military systems, tax systems, payment and entitlement systems, critical infrastructure systems, etc.) and to protect the privacy of information held by the government (e.g., healthcare and financial data, which are currently prime targets for malicious actors). To do this, a holistic approach is needed that embodies IT Governance, Security, and Privacy based on IT Risk Management, all working in concert and all essential for success. The government already has many of these policies laid out in separate documents, several of which are identified below; the key to moving forward is a framework that integrates those policies within an overall enterprise governance approach.
IT Governance – provides the consistency, processes, standards, and repeatability needed for effective IT operations at the lowest possible cost within compliance requirements. IT Governance must be part of Enterprise Governance, a discipline that addresses all stakeholder needs, conditions, and options; ensures they are evaluated in determining balanced, agreed-on enterprise objectives; sets direction through prioritization and decision making; and monitors performance and compliance against the agreed-on direction and objectives.
IT Risk Management – identifies the alignment of critical business processes with supporting technology systems. IT Risk Management serves to focus IT Governance and security and privacy investments in the areas contributing most to mission success. IT Risk Management must be a part of Enterprise Risk Management (ERM), a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision making and supports the achievement of an organization’s mission, goals, and objectives.
Information Security – focuses on using business drivers to guide cybersecurity activities while treating cybersecurity risks as part of the organization’s risk management processes, and includes the technology, processes, policies, and people specified under the family of controls outlined.
Privacy – within a secure enterprise, privacy controls allow only properly designated personnel to access information governed under privacy laws, and encompass efforts to protect an individual’s ability to determine how their personal information is collected, used, stored, and disclosed. Information security and IT Governance directly affect the success of a privacy program: privacy cannot exist without information security, and privacy must be considered in every information security program.
COBIT 5, ISACA, 2012. http://www.isaca.org/cobit/pages/cobit-5-framework-product-page.aspx
Douglas W. Webster and Thomas Stanton, Improving Government Decision Making through Enterprise Risk Management, IBM Center for The Business of Government, 2015.
Posted by: Delicana, Flora Mae