Information Security Governance Papers

Paper Title: Information security is often treated solely as a technology issue, when it should also be treated as a governance issue

Abstract: In looking at the growing abundance of rules, regulations, and guidelines, it quickly becomes clear that information security is not solely a technical issue, but a corporate governance challenge. Businesses today face increased scrutiny when it comes to corporate governance, accountability, and ethics. Laws such as Sarbanes-Oxley are creating a legal obligation at the CEO and board level to pay attention to information security. Two years ago, the National Association of Corporate Directors, in collaboration with the Institute of Internal Auditors and the government’s Critical Information Assurance Office, published “Information Security Oversight: Essential Board Practices.” The report advised that, “In any organization, directors need to ensure that managers take all necessary measures to secure key information and the systems and networks that store, manipulate, and transmit it. Furthermore, the directors need to ensure that these efforts are continuously underway.”

Implementation of an effective IT security program is ultimately a matter of enlightened organizational self-interest. Companies are taking action to protect their own information and information entrusted to them by customers, suppliers, and other partners. They are establishing responsibility for information security in their companies and adopting programs to evaluate and address the vulnerabilities and the internal and external threats to their electronic information. However, within many organizations, two important barriers to effective computer security exist:

• First, responsibility is too often delegated to the chief information officer or the chief security officer, who suffer conflicting demands with regard to IT functionality and costs and who may not be in a position to leverage the resources and authority necessary to address the problem across multiple business lines or divisions. Because all too often little attention is given to this issue at the CEO or board level, information security efforts are frequently under-funded in proportion to the risk and magnitude of the harm that incidents could produce. Responsibility for the right level of security is a business decision based on risk assessment.

• Second is the lack of a framework for action: how to set priorities, assign tasks, get started, and monitor implementation. To aid organizations in attacking the problem, numerous guides have been developed. These documents range from detailed technical guidance to high-level principles. But there is no recognized, standard approach at an organization-wide level to help determine what should be done and who should do it. Without such an approach, firms are unclear how to allocate information security funding and energy, and how to measure the return on investment.

The advice of the National Association of Corporate Directors, a leading authority on corporate governance, is all the more true today. To make real progress, firms must address information security, not solely as a technology issue, but as a matter of “corporate best practices” (covering people, processes, and technology) and frame solutions in terms that are broadly relevant to business operations.
Web Link: http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx
