14 September 2022
How do you approach security governance?
Determining the right level of security governance your organisation needs to have in place will assist in controlling and directing the associated IT security practice.
When security governance runs well it efficiently coordinates the security activities of the organisation, enabling the movement of security information and associated decisions. This ultimately leads to improved business continuity.
Leaders can use security governance to communicate the types of security risks they are prepared for staff to take, plus those they are not. This will help everyone to understand their responsibility in this area and facilitate security decision making at all levels of the organisation.
What approach to security governance is best?
You may choose a formal or informal approach to directing, controlling and making security decisions. Some questions to consider regarding your approach are -
- What does your organisation do, and how important is security to its objectives?
- Is your organisation small, medium or large, simple or complex?
- Do you have resources you can make available for security governance?
- What external factors do you need to consider? For example - contractual, legal, statutory and regulatory requirements.
Whether formal or informal, good security governance should:
- Align security activities to your organisation’s objectives and priorities.
- Be considered in conjunction with your organisation’s overall governance arrangements and business priorities.
- Identify the people who are responsible for making security decisions and ensure they are empowered to do so.
- Hold those people accountable for their decisions.
- Provide feedback to decision makers on the impact of their choices.
Ultimately a pragmatic approach will clearly identify the security decisions to be made, the people that need to make them, and the information needed to make considered and appropriate choices.
Cloud security – client feedback
In our August newsletter we wrote about the dynamic nature of the Microsoft Azure environment, and how changes to existing configuration settings and the introduction of new settings by Microsoft are routine. This requires organisations and system administrators to regularly interact with Microsoft Azure to ensure risks are appropriately identified and managed.
Here’s some customer feedback we received regarding a Microsoft Azure and 365 Security Review engagement we completed for them in the last 12 months:
"After migrating all our systems to the Microsoft Azure platform from a hybrid environment, we decided to conduct a security review and audit by an independent provider to ensure the security of the new environment is appropriately established. Hence, we engaged Kaon Security for a discussion about their capability to perform an Azure and Microsoft 365 Security Review. In the initial meetings, the Kaon team helped expand our objectives, prioritise the areas we should focus on first, and ensure that the end-user experience was considered.
The report we received was comprehensive and included information on identified risks, detailed security recommendations, and an executive summary which provided key points for high level decision makers. Additional recommendations also helped to identify areas for our service providers to attend to that we hadn’t visualised.
Overall, we are very happy with the outcome of the service and interaction with the Kaon team. They were very responsive throughout our discussions, answering all questions, and providing further clarifications needed after the engagement was completed.
This exercise has considerably improved our security posture, which provides peace of mind to both ourselves and our customers."
Click below to view a short video clip about our Microsoft 365 Review Service offering and deliverables.
Contact us to discuss security governance program options and our security review services for the Microsoft cloud environment.