Day 34 — Hello Governor

Today I focus on our Information Security Governance

Bob Weishar
3 min read · Jan 3, 2021

This Sprint I’ve focused on building toward HIPAA compliance, and after a week I can say I’m not nearly as far as I’d hoped.

BUT! I've also made really good progress and some great strides. Perhaps most importantly, I've learned a lot. Here's where I stand today based on our controls:

Progress on Administrative Controls

Building Good Governance

From Aptible:

Governance is the architecture of processes that creates oversight and accountability in your security management program. It’s a meta-set of security decisions and actions that enable the “management” part of your security management program.

Today’s Problem to Solve:

How might we establish our commitment to security and build trust with our customers and the wider community?

Today’s Results

Today was a bunch of small activities around our ISMS governance. None of them individually took that much time, but it added up. We already have the baseline version of our ISMS in place, so today’s work was mostly focused on the additional work that is specified in our control policies.

1 — ISMS Metrics

I started by defining the core metrics we would track. I wanted to start simple, so I identified these:

  • % of employees who were properly onboarded and off-boarded
  • % of employees who complete security training
  • % who have signed a security policy and procedure agreement
  • % of applicable devices properly enrolled in device management
  • Number of security incidents

2 — Roles & Responsibilities

Determining roles & responsibilities for our security team is an important process of establishing good governance. While most of these activities will initially fall on me, we’ll start to build out these functions to share the love.

Here’s a high-level view of the org chart:

High-Level Security Org (credit: Aptible)

3 — Documentation Control

Documentation control boils down to good documentation practices to ensure we do what we say we’re going to do.

For this, I added a “Version Control” section to each of the Excel files I’ve created so far this week. It’s nothing fancy, but over time we’ll use this to ensure we track all changes and store them in a secure place of record. I’m storing everything in Google Drive right now.

Version Control for our Documentation

4 — Legal & Contractual Log

This lays out our legal and contractual responsibilities in the market. HIPAA has been the driving force for this work, though there are additional frameworks we’ll need to consider depending on the demographic (e.g., COPPA if we have users under 13), geography (e.g., GDPR if we’re in the EU), and market (e.g., FERPA when we re-launch in schools).

Our Legal & Contractual Log

5 — Asset Management (People & Devices)

This was just wrapping up our asset log with people and devices. Since the devices will be used to store sensitive data, we need to be sure they’re tracked and inventoried.

What’s Next?

Tomorrow I wrap up this Sprint with Human Resources Security — mainly all the training we’ll need to complete internally.

I’m quickly realizing I’ll need at least another week to finish these administrative controls, so I’ll also get re-organized and inventory the work that’s left.

Bob Weishar

Founder at Invincible, passionate about building healthcare products that inspire.