Post on 28-Aug-2018
ISACA Geek Week
August 8 – 10, 2016
Building a Digital Governance Program
Stacy Wiedman
swiedman@gmail.com
TODAY’S AGENDA
Building a Digital Governance Program: an approach for implementing one within a large organization, with discussion of the critical aspects of a successful program.
• What is Digital Governance?
• Digital Governance Benefits
• Group Structures
• Digital Governance Policy
• Digital Standards
• Monitoring & Oversight
• Social Media
• Tips
What is Digital Governance?
The ultimate goals of governance are to empower and accelerate an agency’s ability to make informed digital services decisions and to help an agency achieve the goals named in the Digital Government Strategy.
- Federal Government Digital Services Advisory Group
Digital governance is a framework for establishing accountability, roles, and decision-making authority for an organization’s digital presence - which means its websites, mobile sites, social channels, and any other Internet and Web-enabled products and services.
- ActiveStandards.com
Digital governance is a discipline that focuses on establishing clear accountability for digital strategy, policy, and standards. A digital governance framework, when effectively designed and implemented, helps to streamline digital development and dampen debates around digital channel “ownership.”
- Managing Chaos: Digital Governance by Design, Lisa Welchman
Digital Governance Program Basics
DIGITAL GOVERNANCE PROGRAM – components:
• Policy
• Digital Scope
• Digital Standards
• Executive Support
• Group Structure
• Digital Oversight
Define what your organization needs & clearly articulate it
Digital Governance Benefits
• Aligned priorities
• Coordinated services
• Clarity of decision making process
• Clear accountability
• Adherence to laws, regulations, standards, and policies
• Effective delivery
• Capability to meet business needs in the correct timeframe
• Supportability
• Interoperability
• Cost effective
• Ability to leverage 3rd party relationships
• Consistent and high quality digital client/prospect experience
Communication and Awareness
How to build a program
• Gather a core team
• Assess what exists today
– What is working / what is not working well
– Who is doing what
• Determine objectives of a new program
• Develop the group structure
• Share, receive feedback, update
• Execute!
Repeat, as needed
Assess your current group structure
• Where do the digital resources sit in the organization?
– All in IT; pockets of the organization; only in the web team; etc.
• Develop a RACI Chart (Responsible, Accountable, Consulted, Informed)
• Think of YOUR organization: WHO wants to know, WHO needs to know, WHO wants/needs to contribute
GROUP STRUCTURE (RACI chart)
Groups (columns): Digital Team; Corp. Marketing; Business Unit Marketing; Corp. IT; Business Unit IT; Risk Compliance
Activities (rows):
• Digital Strategy – Development and maintenance of strategy
• Digital Policy – Digital policy creation; digital policy monitoring; digital policy enforcement
• Digital Standards – Determination of needed standards; standard creation; standard approval; standards monitoring
• Centralized into one team (typically Marketing, Communications, or IT)
• Consistent Messaging
• Clear Ownership
• Standardized tools
• Can create bottle-necks and inefficiency
• Can be slow to innovate and keep current with technology
GROUP STRUCTURE
• Multiple areas of digital expertise
• Ability to focus on business unit needs
• Duplication of efforts
• Lack of consistency
• Power struggle
• Many tools can lead to complexity for integration
• Can lead to confusing user experience
GROUP STRUCTURE
• Business units continue to build their own capacity based on specific needs
• Central and strong digital team directs the enterprise effort
• Excellent leadership and collaboration skills are critical
GROUP STRUCTURE
One Option
Digital Governance Committee
Corporate Risk Committee
Provides overall leadership and direction; approves policies and all digital related guidelines, procedures, and standards
Head of Digital
Primary Digital Governance oversight
- Linkage into other digital processes (risk assessments, project management, etc.)
- Create Digital Governance Policy
- Digital standards management
- Monitoring oversight
Working Group
Working Group
Working Group
Provides oversight & strategic direction
Resolve escalations
Communication & awareness of Digital Governance program
Digital Governance Council
Subject matter experts from relevant corporate functions and business units focus on specific topics. E.g. policy creation, execution of standards, digital projects, solution development, etc.
Interested parties and digital stakeholders provide input on new standards, policies, and procedures, and disseminate information to and from the Committee
Another Option
POLICY
• High level rules are needed to guide teams on content
• Mandatory content requirements need to be documented
• Enforcement is difficult to do without a policy
Policy: High level management direction; WHY do I need to do this? Example: Privacy Policy, E-mail Policy
Standard: Minimum acceptable level or rules; WHAT is required? Example: Server Security Standards
Guideline: Additional advice or recommendations; helpful information. Example: Employment Discrimination Guidelines
Procedure: Process flow or instructional details; HOW do I do it? Example: Software Request Procedures
DIGITAL GOVERNANCE POLICY
Scope – Clearly list what is in and out of scope
Governance Structure / Management Authority – Roles and responsibilities (may be defined in a Charter); reports to the XX Committee
Digital Standards – Who creates, who approves, where they are published, etc.
Management Reporting – List frequency of management reports and who receives them
Policy Exceptions – Approval; regular review cycle
Other Items of Importance may be included (see below)
DIGITAL GOVERNANCE POLICY
Other Items of Importance – add relevant high level mandates/requirements, or link to other policies with related information:
– Domain Management
– Content Management
– Mobile Management
– Social Media Management
– Accessibility
– Technical Security
– Language Translation
– Web-linking to other sites
– Intellectual Property
– Privacy
– Records Management
Scope Definition - Example
Included in Policy Scope:
• Company external web sites requiring a user name and password
• Company external informational web pages – product and services information, helpful tips, etc.
• Third party authenticated or unauthenticated web sites or applications displaying our brand or logo
• Third party sites containing a link to an external company web site
• Company sponsored social media pages, points of presence, or posts (i.e. Facebook, LinkedIn, etc.)
• Company images, multi-media, and content accessible externally
• Company mobile applications, mobile web, text, alerts
• Customer video conferencing (i.e. interactive agent) or text chat
• eSignature
• Customer facing forms
Excluded from Policy Scope:
• Electronic mail
• Microsoft SharePoint internal solutions
• Intranet web sites that are available within the company network only
• Intranet authenticated applications
• Interfaces and file transmissions
• Instant messaging used within the company internal network
Standards – Risk Assessment
Does this standard ... (impact category) – rated High / Medium / Low:
- impact revenue generation, transaction processing, or financial statements? (revenue)
  High: Significant direct impact; Medium: Direct impact; Low: Indirect, limited impact, or no impact
- provide direction to ensure legal or regulatory compliance? (regulatory)
  High: Yes - contains required instructions; Medium: Potentially; Low: No
- determine how the Corporate brand is represented? (brand)
  High: Direct negative impact; Medium: Indirect impact; Low: No
- provide direction to avoid adverse media publicity or other reputational risks? (reputational)
  High: Significant direct impact; Medium: Direct impact; Low: Indirect, limited impact, or no impact
- involve capturing, storing, or protecting customer data or non-public information? (privacy/security)
  High: PII or confidential; Medium: Tracking data; Low: No
- address system data integrity and availability to our customers utilizing digital assets? (technology)
  High: Significant direct impact; Medium: Direct impact; Low: Indirect, limited impact, or no impact
If any one criterion is ranked as “high”, the high rating applies to the entire standard.
HIGH RISK ENTERPRISE DIGITAL STANDARDS
Risks: Regulatory violation; Legal violation; Negative public perception; Customer dissatisfaction; Customer liability; Data breach; Incorrect or inaccurate information; Unavailability
Standard categories: Strategic; Compliance; Design; Content/Publishing; Development/Infrastructure
• Strategic: Digital Governance; Social Media; Human Resources
• Compliance: Privacy – GLBA, COPPA; ADA; Industry specific; Model Audit Rule - Insurance; FINRA; FFIEC; Fair & Responsible Banking
• Design and Content/Publishing: User Experience / User Interface; Web Design; Copyrights and Trademarks; Brand; Content Management Framework; Language Translation; Domain Management
• Development/Infrastructure: Code Standards for web; Testing - Release & Change Management; Information Security; Digital Architecture
SOCIAL MEDIA
FFIEC Guidance: Social Media Risk Management - December 2013 (Federal Financial Institutions Examination Council)
Requirements:
1. Governance structure
2. Written policies and procedures
3. Risk management process for selecting and monitoring third-party relationships
4. Employee training program
5. Monitoring & oversight program
6. Audit & Compliance involvement
7. Regular reporting to senior management
Risk Assessment
• Know your organizational social media strategy
• Know your social media inventory – points of presence
• Know monitoring / community engagement
Develop a Social Media Policy
A social media policy should consolidate the high level aspects uncovered during the risk assessment:
• Who defines and approves the Social Media strategy
• Lists the purpose of the organization's use of social media, high level objectives, presence, and approaches
• Who is responsible for compliance and content
• Lists the rules of engagement
• How will rules, regulations, and compliance obligations be met
• Defines community management program
• States requirements and acceptable “Employee use of social media”
SOCIAL MEDIA
There is a difference!
Digital Governance Monitoring & Oversight
• Define WHO will perform monitoring
• Oversight should be performed by a group separate from the one doing the monitoring
• Tools are extremely helpful: web crawlers; rogue domain/site detection; brand infringement; broken links; compliance checking – privacy, web links, etc.
• Are broken links important to fix? They hurt user experience, credibility, and search engine optimization
• How does monitoring and oversight add value?
TIPS
• Executive support is key
– Ability to influence others and the authority to make things happen
• Don’t get in the weeds
• Assist in development of standards
– Allow subject matter experts to have clear ownership and responsibility
• Understand your digital assets
• Start small and increase with maturity
QUESTIONS / RESOURCES
• Managing Chaos – Digital Governance by Design, by Lisa Welchman
• Taming the elephant in the room: Why digital governance is job one for today’s C-suite
• Digital Services Governance Recommendations
• http://ithandbook.ffiec.gov/
• Consulting Firms (EY, KPMG, Accenture, PwC, etc.)