Cybersecurity governance and information governance (incl. Data privacy)

Cybersecurity governance deals with the formal and strategic management of an organisation’s cyber-presence, the risks involved and the implementation of directive (governance) controls (i.e. to protect the organisation against cyber threats). As part of BDO’s value offering we focus on:

  • Strategic alignment. An IT strategy must be aligned with the organisational strategy, and, in view of that, the cybersecurity strategy should also be aligned with the IT strategy. BDO can assist in the assessment and measurement of the degree of alignment between these different strategies.
  • Cybersecurity governance. The governance of cybersecurity derives its objectives and purpose from the cybersecurity strategy. It implies that cybersecurity governance is aligned with the cybersecurity strategy and executes its goals. Cybersecurity governance concerns itself with cybersecurity related risks, and dictates a cybersecurity governance framework to deal with organisation-specific risks. Over and above the establishment of a framework, based on an international security standard, governance is formalised in the form of:
    • Directive controls. Policies, procedures and standards should dictate the manner in which automated (technical) and manual controls are enforced across the organisation.
    • Automated (technical) controls. Technical controls (configurations) are mostly embedded in software applications and hardware, and can automatically prevent and/or detect cyber threats and correct incidents, where possible and applicable.
    • Manual controls. Manual controls are executed by humans and are complementary to automated controls – e.g. the review of system and security logs.
    • Process controls. Process controls assist in protecting an organisation from careless, costly, or uninformed decisions or behaviours and ensure that the right things are getting done, at the right time, and hence producing the right results.

BDO can assist in the auditing or implementation of cybersecurity strategies and governance frameworks, based on international standards and guidelines. We believe in practical approaches that make sense to your organisation’s specific needs and circumstances.

Information and Data Privacy Governance deal with the organisation, classification and protection of data and information (incl. personal / private data). South Africa’s Promotion of Access to Information Act (PAIA) and Protection of Personal Information Act (POPI), as well as the EU’s General Data Protection Regulation (GDPR), require that all organisations dealing with personal data and information comply with certain privacy regulations. Given that many organisations now provide critical services to other organisations, demanding that their data is protected against privacy breaches, BDO can assist service organisations to obtain an independent assurance report (ISAE 3000 report), expressing an opinion on the privacy controls at the service organisation. A service organisation can then provide BDO’s report to their clients, who may rely on and gain comfort from the opinion expressed in the independent privacy report. BDO can also be contracted in an advisory role to advise on or to develop privacy control frameworks.

The enforcement of privacy controls is therefore mandatory. Some of the data privacy and information governance services that BDO provides are:

  • Data privacy strategy and implementation. Every industry is unique, and your business’ data privacy obligations are derived from the industry you are operating in. Certain industries are highly sensitive for data breaches – e.g. the healthcare and the finance sectors. BDO can assist you to come up with an appropriate strategy to implement an adequate and effective privacy framework.
  • Data mapping. An organisation can only protect the data that they know about. Unidentified data cannot be protected, leaving an organisation vulnerable to unauthorised data disclosures and breaches. BDO can assist to identify and map structured data (e.g. in formal system/ERP databases) and unstructured data (e.g. user data files), by running automated discovery tools. After data has been mapped, BDO can assist a client to identify the relevant controls needed to protect the identified data.
  • Data privacy assessments. BDO can assist with privacy assessments and/or audits, providing assurance on an organisation’s privacy practices and controls. Normally our clients want to demonstrate to their clients/customers that they exercise due care in protecting their personal data. BDO usually uses the ISAE 3000 audit standard to express an independent audit opinion on our clients’ data privacy control frameworks. Our clients, again, use these reports to establish trust with their clients/customers.
  • Privacy officer consulting. Both POPI and GDPR require the appointment of “Privacy Officers”, under certain conditions. BDO can assist with the establishment of these roles, their mandates and job descriptions.
  • Data and information governance assessments or implementation. Data and information governance is an all-inclusive approach to strategically manage and protect organisational data and information by implementing processes, roles, controls and metrics that treat data and information as a valuable business asset. The governance of data and information includes the entire life cycle of data and information – from generation (cradle) to the destruction of it (grave) or, to put it differently, from data input, processing, output, storage to destruction. Data and information governance balances the risk that data and information present (e.g. unauthorised disclosures) with the value that data and information provide (e.g. business intelligence). BDO can assist in the audit or implementation of data and information governance processes.