Governance and Compliance

IT security governance determines who is authorized to make decisions about cybersecurity risks within an organization. It demonstrates accountability and provides oversight to ensure that any risks are adequately mitigated and that security strategies are aligned with the organization’s business objectives and are compliant with regulations.



IT security governance should not be confused with IT security management, which defines and implements the controls that an organization needs to have in place to mitigate risks. Similarly, data governance in particular determines who is authorized to make decisions about data within an organization.

There are several key roles in good data governance programs:

  • Data owner

  • Data controller

  • Data processor

  • Data custodian

  • Data steward

  • Data protection officer


A cybersecurity policy is a high-level document that outlines an organization’s vision for cybersecurity, including its goals, needs, scope and responsibilities. Specifically, it:

  • Demonstrates an organization’s commitment to security.

  • Sets the standards of behavior and security requirements for carrying out activities, processes and operations, and protecting technology and information assets within an organization.

  • Ensures that the acquisition, use and maintenance of system operations, software and hardware is consistent across the organization.

  • Defines the legal consequences of policy violations.

  • Gives the security team the support they need from senior management.

There are various types of cybersecurity policies.