What is governance?
According to ISACA, governance “ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”
While management “plans, builds, runs and monitors activities in alignment with the direction of the governance body”, according to ISACA’s definition, governance sets the policies, procedures, practices and organizational structures that ensure the execution of strategic goals. Identity and access governance sets the framework within which identity and access technology and processes are implemented. By shifting the focus to control rather than execution, governance is also the ideal approach to manage identity and access in an outsourced environment like the cloud.
Why does governance matter?
Good governance ensures that there is a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple ad hoc approaches to compliance and risk management. Identity and access governance ensures, in a consistent and efficient manner, that only authorized people have access to their confidential and regulated data.
The governance process leads the organization to evaluate risks in terms of their likelihood and business impact, and then to decide on the best approach to manage those risks. For example, choosing how to authenticate individuals accessing a system is a trade-off between the risk of impersonation, the value of the information and cost of the different authentication technologies. Where the impact, in terms of losses, would be high, it may make sense to choose a stronger (and more expensive) form of authentication than a username and password. Where the impact is low, a cheaper but less effective authentication process may be more appropriate. Governance provides a way to make this kind of decision effectively and consistently.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.