Page 1

ISACA Geek Week

August 8 – 10, 2016

Building a Digital Governance Program

Stacy Wiedman

[email protected]

Page 2

TODAY’S AGENDA

Building a Digital Governance Program: an approach for implementing one within a large organization, with discussion of the critical aspects of a successful program.

• What is Digital Governance?

• Digital Governance Benefits

• Group Structures

• Digital Governance Policy

• Digital Standards

• Monitoring & Oversight

• Social Media

• Tips

Page 3

What is Digital Governance?

“The ultimate goals of governance are to empower and accelerate an agency’s ability to make informed digital services decisions and to help an agency achieve the goals named in the Digital Government Strategy.” – Federal Government Digital Services Advisory Group

“Digital governance is a framework for establishing accountability, roles, and decision-making authority for an organization’s digital presence – which means its websites, mobile sites, social channels, and any other Internet and Web-enabled products and services.” – ActiveStandards.com

“Digital governance is a discipline that focuses on establishing clear accountability for digital strategy, policy, and standards. A digital governance framework, when effectively designed and implemented, helps to streamline digital development and dampen debates around digital channel ‘ownership.’” – Managing Chaos: Digital Governance by Design, Lisa Welchman

Page 4

Digital Governance Program Basics

Components of a Digital Governance Program (diagram):
• Policy
• Digital Scope
• Digital Standards
• Executive Support
• Group Structure
• Digital Oversight

Define what your organization needs & clearly articulate it

Page 5

Digital Governance Benefits

• Aligned priorities
• Coordinated services
• Clarity of decision making process
• Clear accountability
• Adherence to laws, regulations, standards, and policies
• Effective delivery
• Capability to meet business needs in the correct timeframe
• Supportability
• Interoperability
• Cost effective
• Ability to leverage 3rd party relationships
• Consistent and high quality digital client/prospect experience

Page 6

How to build a program

(Diagram sidebar: Communication and Awareness spans every step)

• Gather a core team
• Assess what exists today
  – What is working / what is not working well
  – Who is doing what
• Determine objectives of a new program
• Develop the group structure
• Share, receive feedback, update
• Execute!

Repeat, as needed

Page 7

Assess your current group structure

• Where do the digital resources sit in the organization?
  – all in IT; pockets of the organization; only in the web team, etc.
• Develop a RACI Chart (Responsible, Accountable, Consulted, Informed)
• Think of YOUR organization: WHO wants to know, WHO needs to know, WHO wants/needs to contribute

GROUP STRUCTURE – RACI chart (group columns and activity rows; the R/A/C/I cell values are not captured in the transcript)

Groups (columns): Digital Team; Corp. Marketing; Business Unit Marketing; Corp. IT; Business Unit IT; Risk Compliance

Activities (rows):
• Digital Strategy
  – Development and Maintenance of Strategy
• Digital Policy
  – Digital Policy creation
  – Digital Policy monitoring
  – Digital Policy enforcement
• Digital Standards
  – Determination of needed standards
  – Standard creation
  – Standard approval
  – Standards monitoring

Page 8

GROUP STRUCTURE

• Centralized into one team (typically Marketing, Communications, or IT)
• Consistent messaging
• Clear ownership
• Standardized tools
• Can create bottlenecks and inefficiency
• Can be slow to innovate and keep current with technology

Page 9

GROUP STRUCTURE

• Multiple areas of digital expertise
• Ability to focus on business unit needs
• Duplication of efforts
• Lack of consistency
• Power struggle
• Many tools can lead to complexity for integration
• Can lead to confusing user experience

Page 10

GROUP STRUCTURE

• Business units continue to build their own capacity based on specific needs
• Central and strong digital team directs the enterprise effort
• Excellent leadership and collaboration skills are critical

Page 11

One Option (organization chart)

Corporate Risk Committee
• Provides overall leadership and direction
• Approves policies and all digital related guidelines, procedures, and standards

Digital Governance Committee
• Provides oversight & strategic direction
• Resolves escalations
• Communication & awareness of Digital Governance program

Head of Digital
• Primary Digital Governance oversight
• Linkage into other digital processes (risk assessments, project management, etc.)
• Create Digital Governance Policy
• Digital standards management
• Monitoring oversight

Working Groups (several)
• Subject matter experts from relevant corporate functions and business units focus on specific topics, e.g. policy creation, execution of standards, digital projects, solution development, etc.

Digital Governance Council
• Interested parties and digital stakeholders provide input on new standards, policies, and procedures, and disseminate information to and from the Committee

Page 12

Another Option

Page 13

POLICY

• High level rules are needed to guide teams on content
• Mandatory content requirements need to be documented
• Enforcement is difficult to do without a policy

Document hierarchy:
• Policy: high level management direction; WHY do I need to do this? Example: Privacy Policy, E-mail Policy
• Standard: minimum acceptable level or rules; WHAT is required? Example: Server Security Standards
• Guideline: additional advice or recommendations; helpful information. Example: Employment Discrimination Guidelines
• Procedure: process flow or instructional details; HOW do I do it? Example: Software Request Procedures

Page 14

DIGITAL GOVERNANCE POLICY

• Scope – clearly list what is in and out of scope
• Governance Structure / Management Authority – roles and responsibilities (may be defined in a Charter); reports to the XX Committee
• Digital Standards – who creates, who approves, where are they published, etc.
• Management Reporting – list the frequency of management reports and who receives them
• Policy Exceptions – approval; regular review cycle
• Other Items of Importance may be included (see next page)

Page 15

DIGITAL GOVERNANCE POLICY

Other Items of Importance – add relevant high level mandates/requirements, or link to other policies with related information:

– Domain Management

– Content Management

– Mobile Management

– Social Media Management

– Accessibility

– Technical Security

– Language Translation

– Web-linking to other sites

– Intellectual Property

– Privacy

– Records Management

Page 16

Scope Definition – Example

Included in Policy Scope:
• Company external web sites requiring a user name and password
• Company external informational web pages – product and services information, helpful tips, etc.
• Third party authenticated or unauthenticated web sites or applications displaying our brand or logo
• Third party sites containing a link to an external company web site
• Company sponsored social media pages, points of presence, or posts (i.e. Facebook, LinkedIn, etc.)
• Company images, multi-media, and content accessible externally
• Company mobile applications, mobile web, text, alerts
• Customer video conferencing (i.e. interactive agent) or text chat
• eSignature
• Customer facing forms

Excluded from Policy Scope:
• Electronic mail
• Microsoft SharePoint internal solutions
• Intranet web sites that are available within the company network only
• Intranet authenticated applications
• Interfaces and file transmissions
• Instant messaging used within the company internal network

Page 17

Standards – Risk Assessment

Does this standard (impact category; High / Medium / Low rating):

- impact revenue generation, transaction processing, or financial statements?
  Category: revenue. High: Significant Direct Impact; Medium: Direct Impact; Low: Indirect, limited impact, or no impact

- provide direction to ensure legal or regulatory compliance?
  Category: regulatory. High: Yes – contains required instructions; Medium: Potentially; Low: No

- determine how the Corporate brand is represented?
  Category: brand. High: Direct negative impact; Medium: Indirect impact; Low: No

- provide direction to avoid adverse media publicity or other reputational risks?
  Category: reputational. High: Significant Direct Impact; Medium: Direct Impact; Low: Indirect, limited impact, or no impact

- involve capturing, storing, or protection of customer data or non-public information?
  Category: privacy/security. High: PII or confidential; Medium: Tracking data; Low: No

- address system data integrity and availability to our customers utilizing digital assets?
  Category: technology. High: Significant Direct Impact; Medium: Direct Impact; Low: Indirect, limited impact, or no impact

If any one criterion is ranked as “high”, the high rating applies to the entire standard

Page 18

HIGH RISK ENTERPRISE DIGITAL STANDARDS

Risks:
• Regulatory violation
• Legal violation
• Negative public perception
• Customer dissatisfaction
• Customer liability
• Data Breach
• Incorrect or inaccurate information
• Unavailability

Standards by area:
• Strategic: Digital Governance; Social Media; Human Resources
• Compliance: Privacy – GLBA, COPPA; ADA; Industry specific; Model Audit Rule – Insurance; FINRA; FFIEC; Fair & Responsible Banking
• Design / Content / Publishing: User Experience / User Interface; Web Design; Copyrights and Trademarks; Brand; Content Management Framework; Language Translation; Domain Management
• Development / Infrastructure: Code Standards for web; Testing – Release & Change Management; Information Security; Digital Architecture

Page 19

SOCIAL MEDIA

FFIEC Guidance: Social Media Risk Management – December 2013 (Federal Financial Institutions Examination Council)

Requirements:
1. Governance structure
2. Written policies and procedures
3. Risk management process for selecting and monitoring third-party relationships
4. Employee training program
5. Monitoring & oversight program
6. Audit & Compliance involvement
7. Regular reporting to senior management

Risk Assessment:
• Know your organizational social media strategy
• Know your social media inventory – points of presence
• Know monitoring/community engagement

Page 20

SOCIAL MEDIA

Develop a Social Media Policy

A social media policy should consolidate the high level aspects uncovered during the risk assessment:
• Who defines and approves the Social Media strategy
• Lists the purpose of the organization's use of social media, high level objectives, presence, and approaches
• Who is responsible for compliance and content
• Lists the rules of engagement
• How will rules, regulations, and compliance obligations be met
• Defines community management program
• States requirements and acceptable “Employee use of social media”

Page 21

Digital Governance Monitoring & Oversight

There is a difference!

• Define WHO will perform monitoring
• Oversight should be performed by a group separate from the one that performs monitoring
• Tools are extremely helpful:
  – web crawlers
  – rogue domains/sites
  – brand infringement
  – broken links
  – compliance checking – privacy, web links, etc.
• Are broken links important to fix? They hurt user experience, credibility, and search engine optimization
• How does monitoring and oversight add value?

Page 22

• Executive support is key

– Ability to influence others and the authority to make things happen

• Don’t get in the weeds

• Assist in development of standards

– Allow subject matter experts to have clear ownership and responsibility

• Understand your digital assets

• Start small and increase with maturity

Page 23

QUESTIONS / RESOURCES

• Managing Chaos – Digital Governance by Design, by Lisa Welchman
• Taming the elephant in the room: Why digital governance is job one for today’s C-suite
• Digital Services Governance Recommendations
• http://ithandbook.ffiec.gov/
• Consulting Firms (EY, KPMG, Accenture, PwC, etc.)