Friday, December 23, 2011

Information Security Governance - Involving the Board

IT security is greater than the sum of its parts, having grown from a tool that proactively protects an organization to a process that involves risk management and corporate accountability. In light of rising levels of disruptive and misanthropic cyber-activity, executive management, along with members of the board, must become actively involved in the governance aspect of this most fundamental of investments.

This section considers the following topics:

  • Examining the need for executive involvement

  • Elements requiring executive participation

Examining the Need for Executive Involvement

The well-regarded CSI/FBI annual survey draws respondents from a wide cross section of industry and government in an attempt to bring awareness and a sense of urgency to IT and business executives.

The 2004 survey confirms that IT security-related issues are still highly prevalent: 90% of respondents experienced breaches in the preceding year. Nearly two-thirds of those 90% suffered more than two attacks, and more than half of those respondents experienced in excess of ten breaches each. Financial losses stemming from the attacks were reported by 80% of respondents, at an average cost of nearly $2 million per company.

The ground on which sound business arguments for enhanced security are built has shifted. The focus is no longer solely on what is technically possible and economically optimal. The discussion is now centered on less quantifiable components, including trust relationships, competitive advantage, and the hazards inherent in system unreliability, to mention a few. ROI modeling must still be performed to ensure that alarmism does not become the foundation of security business proposals. But the fear, reported regularly in newspapers around the globe, is that a lack of comprehensive security could spell untold disaster for an organization. While business reality is typically far removed from alarmism, the constant news coverage illustrates the cyber-security issues at play in the media today; it can be a challenge not to overreact or underreact.

Organizations need to take a wider view of security. They need to fundamentally determine the level of risk they can tolerate and then make security infrastructure investments accordingly. Apportioning a percentage of the overall IT budget to security is no longer a viable option. While that process can be effective in determining the amount an organization might be willing to invest, it does not necessarily ensure the level of security a company might require.

Establishing a secure IT infrastructure requires technical and business executives to evaluate and quantify an organization's critical assets, ascertain the risks to them now and in the future, and ultimately develop a security strategy that is consistent with the organization's business requirements.

Consistent, reliable, and uninterrupted business operability is the root of the discussion. The process of ensuring that an organization is able to concentrate on its core business without suffering undue distractions at best, or critical loss of intangibles at worst, suggests strongly that an organization's executive management must be actively engaged in determining the complete business case for network security.

Elements Requiring Executive Participation

Public companies are required to comply with stringent rules governing regulatory financial filings, making it incumbent upon organizations to ensure the verity of their financial statements. The sanctity of the data behind each entry on a financial statement must be above reproach. Certain ramifications of the Sarbanes-Oxley Act of 2002 (also known as The Public Company Accounting Reform and Investor Protection Act of 2002), including Section 404, the Management Assessment of Internal Controls, and relevant pieces of other legislation are explored in the jurisprudence section of Chapter 11.

It is important to note that legislation in and of itself does not alter an organization's tolerance for risk. But various laws can encourage discussion across a wider range of concerns, including, but not limited to, the following items:

  • Ensuring regulatory adherence, including the sanctity of financial reporting

  • Addressing specific corporate and national homeland security concerns

  • Strengthening business relationships with both customers and suppliers

  • Using security to enhance corporate standing by addressing the following issues:

    - Trust

    - Reliability

    - Perceived or potential vulnerability

Executive management can actively address governance concerns in a number of possible ways, including the following:

  • Establishing the fundamentals of internal security policy, which are addressed in Chapter 5, "Policy, Personnel, and Equipment as Security Enablers," and Chapter 10, "Essential Elements of Security Policy Development," to ensure that policy is aligned with required expectations.

  • Continually checking the pulse of the security program, as follows:

    - Use third-party audits to assess a program's continued relevance.

    - Ensure that issues or recommendations reported by security auditors are appropriately handled.

    - Determine whether current vulnerabilities are sufficiently recognized.

    - Determine whether the program is set to proactively address unforeseen issues.

    - Ensure that the company reviews its security posture against industry peers and best in class.

    - Mandate that any organization with which the company elects to establish formal IT connections meets a minimum level of security before any information is transmitted.

    - Ensure that the board can reasonably state that the organization is effectively and proactively protected.

The possible ramifications of a security breach are many. Various interest groups have been formed to address the escalating concerns, one of which is the corporate governance task force of the National Cyber Security Partnership (NCSP), composed of executives drawn from industry and government. The task force developed a program that businesses could use to integrate IT security into their corporate governance processes. A series of recommendations was published in 2004 that, if implemented, would establish a standard for IT security across domestic organizations. The task force's strongest recommendation, based on the potential negative ramifications of insufficient security, is to bring the discussion of IT security to the board. Doing so allows directors and executive management to realistically measure their organization's tolerance for risk while weighing the need for sustainable corporate security and for homeland security in the regions where the organization operates.
