
5.5 A Framework for Information Security Governance

5.5.2 How to Implement Information Security Governance

Effective Information Security Governance efforts are essential. A proper framework enables the BoD to determine what steps the organization should take to define its Information Security direction, which in turn supports the implementation of a sound system of internal control. A good ISG framework makes the BoD aware of the internal and external security requirements and guidelines discussed earlier. These requirements, together with the guidance of industry best practices and well-regarded security standards such as ISO/IEC 17799 (2005), help the BoD establish the foundation for an effective approach to Information Security. In a sense, such requirements represent directives that the BoD and Executive Management need to consider in order to address all aspects of information risk holistically. Examining them allows the BoD to outline the organizational vision, mission and Information Security strategy, which are communicated to the organization through the CISP. Once the BoD has expressed its support for Information Security through the policy, management implements Information Security in the organization to fulfil the policy's stipulations. Security is monitored on an ongoing basis and the BoD is kept aware of the Information Security efforts through management reports. This allows the BoD to continue to direct and control corporate Information Security efforts accurately, making the necessary adjustments to the Information Security strategy to keep it effective and to minimize business information risk.

Figure 5.3: An Information Security Governance Framework

Figure 5.3 illustrates a framework for Information Security Governance. It draws attention to the major security requirements and shows how each contributes to guiding the BoD in accurate Information Security decision making and in the implementation of an effective Information Security Management strategy.

It is important to have a proper framework like the one proposed above to govern and manage Information Security effectively. Applying such a framework brings accountability to the people, process and technology elements through effective Risk Management and reporting mechanisms. Such accountability is introduced by indicating who is responsible for what, making it possible to allocate particular Information Security tasks and responsibilities (Business Software Alliance, 2004).

5.5.3 Information Security Roles, Tasks and Responsibilities

An important function of Information Security Governance is to define the roles of the various individuals in the organization who implement the ISG framework and ensure its success. The key role players therefore need to be identified and their Information Security tasks and responsibilities discussed in more detail.

The Role of the Board of Directors

The fundamental role of the BoD is to oversee the interests of the shareholders by directing and controlling the organization effectively and ensuring that all resources are used responsibly. With regard to information as a business resource, the BoD must therefore understand its significance, and the significance of protecting it, by directing and controlling Information Security efforts successfully (Corporate Governance Task Force, 2004). Additionally, the BoD must support the establishment and implementation of a robust Information Security program and receive management reports on the utility and effectiveness of that program (Corporate Governance Task Force, 2004). This enables the BoD to ensure that its security efforts remain effective and current.

The Role of Board Committees

Board Committees assist the BoD in executing its duties efficiently and in demonstrating that its responsibilities are being appropriately discharged (King Report, 2001). Several board-level committees support the BoD in its responsibility for Information Security: the IT Oversight Committee, the Audit Committee and the Risk Management Committee.

The role of the IT Oversight Committee is to advise the BoD on an appropriate IT strategy for the organization (IT Governance Institute, 2004). The IT Oversight Committee ensures that the organizational IT strategy supports Information Security, since IT is closely linked to this resource (IT Governance Institute, 2004). The IT Oversight Committee is discussed further in subsequent chapters. The Audit Committee is responsible for conducting performance reviews of the system of internal control and for reviewing legal and regulatory compliance efforts (King Report, 2001), including those of Information Security. The Risk Management Committee advises the BoD on corporate accountability and on management, reporting and assurance related risks (King Report, 2001). Its terms of reference include technology, operational, disaster recovery, and compliance and control risks (King Report, 2001).

The Role of the Chief Executive Officer

The Chief Executive Officer is responsible for overseeing the entire Information Security program (Corporate Governance Task Force, 2004). The CEO oversees compliance efforts and enforces accountability for them (Corporate Governance Task Force, 2004). The CEO also reports compliance issues to the BoD, highlighting the level of acceptable risk, weaknesses in current Information Security practices and plans to strengthen those practices (Corporate Governance Task Force, 2004). The CEO allocates responsibility, accountability and authority for the various security functions to the appropriate organizational personnel and appoints a senior Information Security officer (Corporate Governance Task Force, 2004).

The Role of the Chief Information Officer

The Chief Information Officer makes recommendations to the CEO on the strategic planning efforts affecting the administration of organizational information resources (Whitman & Mattord, 2003a). The CIO converts the strategic plans of the organization into strategic plans for information and information systems (Whitman & Mattord, 2003a), and collaborates with other non-executive managers in developing tactical and operational plans for the management of information and information systems. These efforts entail setting the policies and procedures for Information Security (Corporate Governance Task Force, 2004).

The Role of the Chief Information Security Officer

The Chief Information Security Officer is responsible for the overall Information Security Management function (Whitman & Mattord, 2003a). The CISO's responsibilities include collaborating with the CIO on strategic Information Security plans, establishing tactical plans and collaborating with security managers on operational security plans (Whitman & Mattord, 2003a). The CISO plans the Information Security budget and acts as the representative for all security personnel (Whitman & Mattord, 2003a).

The Role of Data Owners (The Business Unit Leaders)

The responsibilities of the business unit leaders include implementing the specifications of the more detailed security policies and procedures (Corporate Governance Task Force, 2004). They audit the effectiveness of the various security procedures and communicate the security policies and procedures to subordinate personnel through staff training initiatives (Corporate Governance Task Force, 2004). They also enforce compliance with the security policies (Corporate Governance Task Force, 2004).

These security roles and responsibilities span the entire organization, involving personnel in both management and governance positions, including the BoD. Information Security that is implemented correctly, with the right roles assigned to the right individuals through effective Information Security Governance, produces several benefits.

5.5.4 The Benefits of Information Security Governance

Information Security Governance is a complex issue requiring the commitment of everyone in an organization to fulfil their role in protecting organizational business information assets. Information Security Governance, if executed effectively, is of value to organizations in ways that exceed mere observance of lawful conduct (Swindle & Conner, 2004). Effective Information Security Governance results in enhanced internal security practices and controls and promotes self-governance as an alternative to legislation (Entrust, 2004a). Sound ISG efforts have the potential to reduce auditing and insurance costs and to differentiate the organization from industry competitors through an ongoing process of self-improvement (Entrust, Inc., 2004).

ISG is a useful function for increasing overall productivity and lowering costs by delivering strategic alignment with broad organizational strategies and risk appetites (IT Governance Institute, 2005e). This produces value for stakeholders, including governments and legislative authorities (Swindle & Conner, 2004), by improving Risk Management efforts and enabling better performance measurement, which provides assurance that information-related risks are under control (IT Governance Institute, 2005e).

5.6 Conclusion

Information Security is becoming a major concern for both the private and public sectors, including governments around the world (Corporate Governance Task Force, 2004). The Corporate Governance Task Force (2004) recommends that effective governance frameworks should exist. Entrust (2004a) argues that the acceptance and implementation of an ISG framework is an important step in securing business information. This is achieved through the protection of information systems, whilst acting in accordance with legislation and improving the efficiency of business operations.

Information Security Governance enables an organization to demonstrate due care and due diligence by fulfilling the internal and external security requirements for protecting business information assets effectively. It caters for the full scope of organizational information risks. It is therefore important that Executive Management, including the BoD and CEO, adopt an ISG framework such as the one presented above. This will help guide the implementation of an effective Information Security Governance strategy and address all aspects of business information risk. However, as dependence on IT to facilitate business operations and deliver timely and accurate information increases, the criticality of IT becomes a fundamental business concern. Effective Information Security Governance therefore requires that IT be addressed at board level. This ensures that the implementation and use of technology resources is appropriately governed through effective IT decision making and risk management, and that technology-related information risks are brought to the attention of the BoD, enabling its ISG efforts to address every aspect of business information risk. For this reason, IT Governance must become a key function of Corporate Governance and a responsibility of the BoD.

Information Technology Governance

6.1 Introduction

Information Technology Governance should be a core responsibility of the BoD and Executive Management. Many organizations rely so heavily on IT that it is nearly impossible to continue normal business operations or deliver timely and accurate business information without it. IT-related risks therefore need to be understood by the BoD and Executive Management and brought under control, both to ensure that Information Security Governance is effective in addressing all aspects of information-related risk and to ensure that value is drawn from the organization-wide use of IT. This chapter aims to motivate the importance of IT Governance as a core responsibility of the BoD for value delivery and for the management of IT-related risks, including those that affect information. The need for IT Governance is motivated by discussing the importance of comprehensive Corporate Governance practices, illustrated by general governance failures such as Enron Corp. and WorldCom Inc., which occurred because of board-level ignorance. The criticality of IT is discussed, along with the various issues that inhibit its effective use in an organization. The responsibilities of the BoD in terms of IT are examined to demonstrate what needs to be done to ensure IT's effectiveness in an organization. The best way for the BoD to express its commitment is to ensure that IT is effective and that IT-related risks are mitigated through IT Governance, which is discussed in detail to highlight its importance and its relationship to Corporate Governance. Additionally, the scope of IT Governance is discussed, together with how it may be implemented using accepted IT Governance frameworks such as COBIT. The benefits of implementing IT Governance based on the recommendations of an accepted framework such as COBIT are also discussed.