Governance is a blueprint for how corporations should behave while sustaining and driving performance. This blueprint helps a company bring all of its internal functions together and translate them into performance. Corporate governance standards ensure compliance with relevant regulatory and best practice frameworks and hold a company's ethical behavior to a higher standard (Stein, 2016).
Corporate governance guidelines capture the internal governance of a corporation or entity. The corporate governance guidelines document itself should be a series of strategic policies (each addressing a specific topic) which, while separate from each other, support one another in a synergistic framework. The industry and the business operating environment in which the corporation operates will ultimately dictate the types of items covered within the corporate governance guidelines. However, regardless of industry, the following items should almost always be included in corporate governance documents (Stein, 2016):
Statement of Purpose: A statement that identifies the functions of the board. This statement should also take into consideration the expectations of the company's employees, customers and, more importantly, its shareholders (Stein, 2016).
Delegations of Authority: This is where the board grants the CEO the authority to delegate downward into the corporation. This can be done without going back for board approval as long as the guidelines set by the board are followed (Stein, 2016).
Risk Profile: Corporations need to identify what risks are inherent in their operations and how those risks will be managed. Two important things to consider are the financial and reputational risks of the company (Stein, 2016).
When it comes to information security specifically, most experts recommend that a company should include some of the following key elements within their plan or relevant governance guidelines:
Cyber Threat Risk: An assessment of the risk to the company and the possible damages caused by a cyber threat. This can include lost revenues, harm to the company's reputation and interruptions to the business. It should also consider whether the disclosure of personal information would violate privacy laws, as well as the possibility of litigation (Risk Management, thecorporatecouncil.net).
Incident Response Plan: This document should clearly identify an incident response team and a plan to remediate and recover from any damage done. This includes an initial assessment of the cyberattack and the start of an investigation to determine who was responsible (an insider or a third party) and where the weakness in the design that allowed the breach lies (Risk Management, thecorporatecouncil.net).
Disclosure/PR: Details of the desired timing and content of the information to be shared with customers, regulators, and business partners (Cybersecurity, thecorporatecouncil.net).
Depending on the industry or the operating nature of a business, the above-mentioned information security items could carry a higher or lesser degree of importance. For instance, companies with an active online marketplace or companies maintaining highly sensitive personal customer information will likely attach a higher degree of importance to the three information security items noted above than a local county fair vendor operating in a cash transaction environment. However, with digital transformation occurring in all industries, information security guidelines and governance are making their way into companies of all industries and sizes.