
Information Governance Policy Guidance

The following article contains guidance on the portions of the Information Security Policy that we frequently see questions about, explaining what each section means.


Guidance statements will appear in bold and enclosed in brackets “[]” below the statements of the policy.

Information Governance Policy

[COMPANY NAME]

Purpose

The purpose of this Information Governance Policy is to establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures for an information governance program sponsored by the leadership of [COMPANY NAME]. This policy aims to ensure that [COMPANY NAME] complies with legal matters, industry-specific regulations, regional requirements, compliance mandates, security and privacy requirements, and information governance standards.

[This section should clearly state why this policy exists. Ensure the purpose aligns with your organization’s overall strategic goals and regulatory landscape.]

Scope

This policy applies to all employees, contractors, and third-party vendors of [COMPANY NAME] who interact with, manage, or access the company's information assets.

[Clearly define who and what this policy covers. Consider if there are any specific information assets or types of users that require special consideration or exclusion, and document them explicitly.]

Roles & Responsibilities

Organizational Leadership: Organizational leadership is responsible for sponsoring and supporting the information governance program. They are also responsible for approving, communicating, and maintaining the policies and procedures.

[Leadership commitment is crucial. Ensure that specific leaders or departments are identified as owning the sponsorship of this program.]

Information Governance Manager: The Information Governance Manager is responsible for coordinating and overseeing the implementation, evaluation, and ongoing maintenance of the information governance program.

[This role may be a dedicated position or assigned to an existing role (e.g., CISO, Compliance Officer, Data Privacy Officer). Clearly define where this responsibility lies within your organizational structure.]

Employees, Contractors, and Third-Party Vendors: All employees, contractors, and third-party vendors are responsible for adhering to the information governance program policies and procedures in their respective business areas.

Policy

This policy will set the guidance for assessments, audits, and metrics utilized for applicable compliance standards, regulations, and obligations. The policy is supplemented by the other [COMPANY NAME] security policies and procedures that enable the information governance of the organization.

Independent Evaluations

[COMPANY NAME] will conduct independent audits and assurance assessments according to applicable and relevant standards, at least annually. These evaluations will be free from conflict of interest and undue influence in all matters related to them. [COMPANY NAME] will ensure that senior management exercises oversight over the independence of the evaluation process.

Compliance with Standards, Regulations, and Obligations

The frequency of the independent audits and assurance assessments will be in compliance with applicable standards, regulations, legal/contractual obligations, and statutory requirements. [COMPANY NAME] will:

  • Maintain and review a list of applicable standards, regulations, and other obligations (APPENDIX A).

  • Periodically examine the process in place for determining the applicability of standards and regulations.

[APPENDIX A is critical. Ensure it is regularly updated to reflect changes in laws, regulations, and contractual agreements.]

Audit Plan and Execution

[COMPANY NAME] will develop an audit plan that considers the findings of previous assessments and schedules annual assessments to meet the requirements of the relevant standards and regulations. The audit plan will be reviewed and approved by senior management.

At a minimum, audit and assurance procedures will include:

  • Functions outlining purposes, responsibilities, authorities, and accountabilities for independence, care, objectivity, and proficiency;

  • Audit and assurance plans;

  • Development policies and procedures for assessment criteria, quality assurance, supervision, and evidence collection in line with best practices;

  • Audit reporting to convey results and findings; and,

  • Follow-up activities to monitor the progress of audit findings implementation.

Reporting and Follow-Up

The results of independent audit and assurance assessments will be reported to senior management and relevant stakeholders. [COMPANY NAME] will take appropriate actions to address identified deficiencies and track the progress of remediation efforts.

Application and Interface Security Metrics

[COMPANY NAME] will define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations. Actionable metrics will consider business goals, the criticality of service, security requirements, and compliance obligations. These metrics will be outlined in APPENDIX B.

[Metrics are essential for demonstrating the effectiveness of your information governance program. Tailor the metrics in APPENDIX B to be meaningful and actionable for your organization.]

Reporting

Reporting will be designed with various users in mind, such as security professionals, engineering teams, business stakeholders, and executives. To accommodate these different interests, the following specialized views, filtering, and delivery mechanisms will be implemented:

  • Automated collection, visualization, and distribution of reporting data.

  • Further analysis of data using application criticality, business units, platforms, languages, and other factors relevant to the viewer.

  • Comparison of actual metrics to standards to evaluate performance.

  • Enabled correlations and comparisons over time to identify trends.

Review

[COMPANY NAME] will review and update this policy <FREQUENCY> to ensure that it remains relevant and effective.

[Replace with a specific period (e.g., "annually," "biannually," or "as significant changes occur"). Regular review is crucial for policy effectiveness.]

APPENDIX A

Standards, Regulations, and Obligations

[This appendix is crucial for demonstrating your understanding and commitment to applicable requirements. Be specific and thorough.]

APPLICABLE LAWS AND REGULATIONS      | Requirements / Notes | Responsible Party
-------------------------------------|----------------------|------------------
International                        |                      |
[EXAMPLE] GDPR                       |                      |
Federal                              |                      |
State                                |                      |
[EXAMPLE] CCPA                       |                      |
Local                                |                      |

[Populate this table with all relevant international, federal, state, and local laws and regulations that apply to your organization's information assets and operations.]

APPLICABLE STANDARDS   | Requirements / Notes | Responsible Party
-----------------------|----------------------|------------------
[EXAMPLE] NIST CSF     |                      |
[EXAMPLE] GDPR         |                      |
[EXAMPLE] PCI DSS      |                      |

[List industry-specific or generally accepted security and information governance standards your organization adheres to (e.g., ISO 27001, SOC 2, HIPAA, FedRAMP).]

CONTRACTUAL OBLIGATIONS | Requirements / Notes | Responsible Party
------------------------|----------------------|------------------
[EXAMPLE] "Large Fortune 500 Bank" | "Large Fortune 500 Bank" requires an ISO 27001 as part of the MSA signed between Example Corporation and "Large Fortune 500 Bank". | ISO 27001 Certification
[EXAMPLE] "Large Technology Infrastructure Provider" | "Large Technology Infrastructure Provider" requires evidence that Example Corporation is effectively managing the security of data provided to Example Corporation within the MSA signed in 2021, and management of Example Corporation has agreed that an ISO 27001 certification fulfills this requirement. | Any Independent Audit report fulfills agreement

[Include any specific information governance or security requirements stipulated in contracts with clients, partners, or vendors.]

APPENDIX B

Application and Interface Security Metrics

[The metrics defined here should directly support the objectives of your information governance program and be measurable.]

Technical Metrics

<DEFINE TECHNICAL METRICS>

Some example technical metrics include:

  • Count or percentage of vulnerabilities by weakness.

  • Count or percentage of vulnerabilities by severity.

  • Count or percentage of vulnerabilities by detection source (design review, code review, SAST, DAST, penetration test, VDP, or bug bounty).

  • Count or percentage of vulnerabilities by environment detected (pre-production vs. production).

  • Average time to resolution.

  • Count exceeding remediation service level objectives (SLOs).

Operational Metrics

<DEFINE OPERATIONAL METRICS>

Some example operational metrics include:

  • Count or percentage of applications using automated security testing by test type (SAST, DAST, SCA).

  • Count or percentage of applications that have completed penetration testing in the last “n” months.

  • Count or percentage of development teams or individuals who have completed application security training in the last “n” months.

  • Count of proactive engagements by development and business teams.

  • Results from surveys delivered to application security customers, such as business and development teams.

Revision History

Version | Date | Editor | Approver | Description of Changes | Format
--------|------|--------|----------|------------------------|-------
