Governance and Compliance


Governance is one of the cornerstones of effective information security. Through clear and workable specifications, it sets the rules for the secure and traceable operation of an organisation's processes and infrastructure. Efficient and effective compliance processes and methods are then needed to verify that those governance requirements are actually met. Both governance and compliance require competent management. Our experts have many years of experience in setting up comprehensive governance frameworks and developing specific information security policies. Our strengths also include auditing compliance and setting up risk-oriented management processes with Key Performance Indicators (KPI) and Key Risk Indicators (KRI).

The importance of policies

Policies, directives, guidelines and recommendations for all areas of information processing are core elements of effective security governance and should be organised in a policy framework. Without appropriate policies, efficient and effective control of information security is not possible. Individual policies can only be developed successfully if they are based on a framework that takes all relevant requirements into account. The implementation of individual policies must be risk- and need-based. Policies affect the whole organisation and must therefore be held to a high standard.

Audits alone are not enough. But they help.

Audits are the usual means of checking compliance. However, they are not the only effective way of checking information security compliance, and complementary methods should always be considered. For example, well-designed key performance indicators can be used as part of a rolling audit to determine whether implemented policies are actually being followed. In addition, well-structured and understandable self-assessments can provide targeted information and raise awareness of information security issues.

The following three-step process has been proven in our governance and compliance engagements. It ensures that all key aspects of a security governance framework are addressed:

  1. Mapping of existing governance and compliance elements, their frameworks and processes. We are guided by the following rules:
    • All external and internal regulations relevant to the firm (laws, financial market regulations, client contracts) are known and taken into account in the processes.
    • Policies and guidelines are coordinated and consistent with each other and with other company rules.
    • Management processes are in place to ensure that policies are of the required quality and up to date. The framework is regularly reviewed and improved.
  2. Reviewing and assessing the effectiveness and efficiency of governance and compliance in the context of the business and its risk exposure.
  3. Recommending measures and assisting in their design and implementation.

If required, we can also create or review individual components and documents for your existing security governance framework.

Customer benefits

Our experts will support you in implementing an effective security governance framework with their know-how and many years of experience. By mapping and analysing the existing situation in your organisation, you will gain a clear overview of the completeness and effectiveness of your information security requirements. Our consultants can help you address weaknesses and strengthen existing processes. They also draw on their extensive knowledge of national and international standards and requirements (FADP, HIPAA, GDPR, PCI DSS and many more). Naturally, we also align the security governance framework with your overall corporate governance and compliance requirements.