
Solving specific challenges Part 1 - Management Systems

  • Writer: The CarbonVector Team
  • May 9, 2021

In a previous blog, we covered the importance of getting senior management endorsement of a basic framework. In this and the following blogs, we will delve into some practical steps for implementing or strengthening your security governance program.


If you have your customised governance statement (signed by senior management), you are in a great position. Many have found that reviewing the document with management has already started some great conversations and begun to highlight some initial priorities. This document will continue to serve as the basis for all your actions going forward, and it will also help you explain why: the reason you have a certain item in your budget for next year should directly relate to one of the approved functions in the core framework.


If you need help customising the governance statement document to your needs, feel free to reach out on the contact us page and someone will be in contact to help.


Management Systems working for you!


What separates a great implementation of any framework from a mediocre one is the "system" you use to maintain your compliance and to track and audit the controls in place. You can of course use the various free solutions out there, but over time manual processes and tracking might get in the way of progress.


We highly recommend using the OneTrust governance platform: Privacy, Security and Data Governance Software | GDPR, CCPA, ISO (onetrust.com)

Marketed as a Privacy, Security & Data Governance platform, this is a module-based platform that offers exceptional value for small and medium businesses. Larger organisations in the "enterprise" user-number tier might get hit with a higher price tag, but the value this platform will bring is well worth it.


OneTrust Management will use the power of technology and automation to support you on your compliance journey. Here are a few of the modules that might interest you and how they will align:


Vendor Risk Management

This vendor management module allows you to set up (and schedule) regular web-based questionnaires (templated or custom) to assess and automatically re-assess those vendors you onboard.


Enterprise Policy Management

This module is fairly new to the suite, but it allows you to list and track all Standards/Policies/Procedures, with a gallery of some basic templates to choose from. For our purposes, we will be using this module to track policies and ensure they are kept updated and reviewed at least annually.


IT Risk Management

A risk register to enable the tracking of ALL risks (not just IT). A risk can be relational (to a vendor) or standalone, with time-based tasks available under each risk to allocate and track various tasks.


Incident Response

Incident register to track and manage all security incidents.


Awareness Training

Over 30 training modules are available; choose the training you need (start small) and track compliance.


Other - we've included this as some might find these modules handy to bolt on if they have the need:


Cookie Compliance - manage consent on your public website

Data Mapping - manage your RoPA (record of processing activities)

Audit Management - internal audit readiness tool


Reach out to OneTrust directly for pricing. Show the folks there your governance statement and they should be able to build you a package that suits your needs and budget.


In the next blog, we will start looking at policies.


Until then.

Enjoy!


The CarbonVector Team

 
 
 
