
Chapter 3 A Conceptual Framework

3.1 Introduction

In order to develop a conceptual framework for IT/IS security governance it is necessary to consider the structure of organisations, the planned allocation of duties and the lines of authority. It is also necessary to consider the tasks and risks to be avoided or managed and whether those risks are organisation-wide or are restricted to specific functions. All these matters are discussed in this chapter before developing a conceptual model.

In IS/IT security governance, the trade-off between IS/IT security needs and financial support from the Board is vital to sustain and maintain the IS/IT investment in business. Corporate governance regulations reflect the legal relationships between shareholders and directors and the legal relationships between the Board of Directors and employees including the CEO.

Most countries have adopted the Anglo-American corporate structure with one Board supported by special purpose advisory committees such as risk management, audit and remuneration. The corporate governance regulations and listing requirements usually require a majority of independent directors on the Board and the predominance of independent directors on committees.

Strictly speaking, all directors, even executive directors, are elected by the shareholders but as the Board itself or even the CEO has control of the nomination of people to be elected there is some concern that the intent of the law may be frustrated. This was one of the concerns that prompted corporate governance regulations. In the Malaysian Code of Corporate Governance, the Board of directors has power to determine the Board’s authority, Board size and committees, independent advice and company’s management in accordance with the purpose, objectives and strategies of the company (Berhad, B.M, 2011).

Some countries, notably Germany and China, have adopted the two-board system: a supervisory board is placed above the Board of directors, which is charged with the running of the company.

The differences between the two systems have some effects on the distribution of power among individuals but, for the purposes of this thesis, the main interest is in the group which has effective control and decision-making power and, hence, has responsibility for whatever happens within the company.

Under either system, the Chief Executive Officer, whether called CEO, Managing Director, President or otherwise, is employed to “execute” the decisions of the Board. To do this he is also a member of the Board, although under corporate governance regulations his participation in some of the Board committees is restricted or even banned. Paragraph 15.09 of the listing requirements under the Malaysian Code of Corporate Governance states that “all of the Audit Committee members must be non-executive directors, and with a majority of them being independent directors” (Berhad, B.M, 2009, p 1503). Even though the CEO and Chief Financial Officer of Malaysian publicly listed companies are not allowed to be members of the Audit Committee, their inputs, where necessary, should be included in the meeting agenda, as set out in Paragraph 15.19 of the listing requirements.

Most Boards nowadays have a risk management committee whose duty it is to identify and assess all risks facing the company and to advise on policies and procedures to avoid or to mitigate those risks. In some companies it seems that the handling of IT/IS risks is assigned to this committee but in others a separate committee has been set up. Again, for the purposes of this thesis the committee structure does not affect the responsibility of the Board but it may affect the channels of communication and how they operate (William, 2007). It appears that some authors in the IT/IS field see the risk management committee as the group to be informed.

It is presumed that although the organisational chart in Figure 3.1 relates specifically to Malaysian publicly listed companies, it is generally applicable to other types of organisation and other countries, because any organisational chart is broadly similar to Figure 3.1.

In the typical corporation, the CEO has several subordinates comprising senior managers or executives who have specific functionalities in accordance with the nature of the business and industry type, such as Chief Operating Officer, Chief Marketing Officer, Chief Information Officer and Administrative Officer. Boards normally consist of a Chairman, Managing Director/CEO, Finance Director, Marketing Director and Non-Executive Directors, as illustrated in Figure 3.1. However, it is important to remember that the centre of all authority and responsibility is the Board, acting formally as the Board in a properly constituted meeting. Members of the Board as individuals have no powers unless they have been specifically given by the Board.

The Board of directors, which is elected by the shareholders, has the powers, authority, responsibility and accountability to oversee, not manage in detail, day-to-day business. Their responsibilities include:

“determine the organisation’s mission, select, support and review the executive and their performance, ensure effective organisational planning, manage resources effectively, determine and monitor the organisation’s products, services and programs and enhance the organisation’s public image” (McNamara, 2011, online).

As addressed by McNamara, the guidelines given on Boards’ responsibilities are similar for profit and non-profit organisations. This chapter presents a generally applicable IS/IT security governance framework which can be adopted by any type of organisation. The aim of this conceptual framework is to help the management of corporations, particularly in the area of roles and responsibilities in IS/IT security governance. The following discussion is based on Figure 3.1.

Figure 3.1. A general organisational structure and IS/IT security governance framework for any type of organisation

[Figure 3.1, organisational chart; boxes shown: Board of Directors; Chairman; Managing Director/CEO; directing action; monitoring action; CEO; Corporate Risk Management Committee; PA; Chief Operating Officer; Chief Marketing Officer; Chief Information Officer (CIO); Admin Officer; Operation Supervisor; Production Staff; Purchasing Supervisor; Area Sales Supervisor; Sales Staff; IT Manager; IT Technical; Programming Staff; Accountant; Accounting Staff; Clerical Staff.]

The ultimate decisions on adopting IS/IT security controls and counter-measures are in the hands of Boards, with reference to the cost-benefit analysis and return on investment results in respect of the responsibility and security requirements. To illustrate the importance of achieving security processes in terms of responsibility and security requirements within organisations, the model of “A Responsibility Relationship between Two Agents” by Strens et al. (2003) is considered. It requires identifying security requirements in the first place, before delegating responsibilities, where an agent can be an individual, a department or the whole organisation. In Strens et al.’s model, the two agents of the relationship are identified as, first, the giver of the responsibility and, second, the holder of the responsibility.

The authors stated that “equal consideration must be given to both human and technical issues if the design of the IT systems is to meet the real requirements of the organisation and be supportive of people in their works” (Strens et al., 1993, p. 143). In their responsibility model, Strens et al. (1993) proposed two important factors, namely responsibilities and obligations, within IS/IT security implementation. Strens et al. held that responsibilities cannot be delegated but obligations can be, from giver to holder. As obligations such as security tasks are delegated, the person to whom the tasks are delegated becomes responsible for their performance. This leads to the creation of a hierarchy or network in which the delegated obligations become more detailed as we move down from Board level to the operational levels.

Strens et al. define responsibility by the following criteria: “a) who is responsible to whom; b) the state of affairs for which the responsibility is held; c) a list of obligations held by the responsibility holder (how the responsibility can be fulfilled); d) the type of responsibility (these include accountability, blameworthiness, legal liability)” (Strens et al., 1993, p. 144). As responsibility cannot be delegated, the model by Strens et al. imposes a duty on the person responsible to “supervise” the performance of the obligations. This, in turn, imposes a duty on the “operator” to provide appropriate information, e.g., to report. The set of relationships implied by Strens et al. can be easily fitted to the organisational chart in Figure 3.1.

A responsibility relationship for certain tasks is discharged according to “obligations” such as directing, supervising and monitoring (Strens et al., 2003, p. 146). It is important to highlight that, for Strens et al., responsibility refers to a state of affairs, and obligation refers to doing something that will change or maintain that state of affairs (Strens et al., 1993, p. 144).

Let us consider an example. In Figure 3.1, the IT Manager may have responsibility over the programmers for protecting the integrity of Accounting Information Systems from misuse, alteration and modification in the database applications. In order to fulfil this responsibility, the IT Manager must discharge certain obligations, such as establishing and applying security internal controls (e.g., network logs, database log-on logs, transaction files) and monitoring the intended activity. Identifying the responsibility and obligations in the relationship helps the person responsible (such as the IT Manager) to report back to the CIO, then to the CEO and ultimately to the Risk Management Committee and Audit Committee. After receiving managerial reports (including any proposals for improvement) from the management level, the Board or the relevant committee would revise the risk assessment and consider the need for security mitigations according to the alignment between the use of IS/IT for business operations and the need for security controls/counter-measures over its risks. A misalignment in this relationship may create gaps: the Board may perceive the controls as unnecessary, and the security internal control missions and operational risk management strategies can be frustrated. Financial constraints need not be the issue if the corporation has a clear IS/IT security mission to ensure the IS/IT investment is protected and maintained for sustaining growth and wealth creation (National Cyber Security Summit Task Force, 2004).
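The IT Manager example above, together with Strens et al.’s distinction between responsibility (retained) and obligations (delegated, creating a supervision duty upward and a reporting duty downward), as an added Python example that is not part of the thesis: the agents, the state of affairs and the obligations are constructed sample data modelled on Figure 3.1, and the gap check (a holder whose reporting chain never reaches the Board) is one reading of the “misalignment” the paragraph describes.

```python
from dataclasses import dataclass, field

@dataclass
class Responsibility:
    """Strens et al.'s criteria a)-c); d) the type of responsibility is omitted here."""
    giver: str             # a) to whom the holder is responsible
    holder: str            # a) who is responsible
    state_of_affairs: str  # b) what the responsibility is held for
    obligations: list = field(default_factory=list)  # c) how it can be fulfilled

class ResponsibilityModel:
    def __init__(self, root):
        self.root = root   # top of the hierarchy (the Board): it has no giver
        self.relations = []

    def delegate(self, giver, holder, state_of_affairs, obligations):
        """Delegate obligations, not responsibility: the giver must supervise, the holder must report."""
        rel = Responsibility(giver, holder, state_of_affairs,
                             list(obligations) + [f"report to {giver}"])
        self.relations.append(rel)
        for r in self.relations:   # the giver keeps its own responsibility and gains supervision
            if r.holder == giver and r.state_of_affairs == state_of_affairs:
                r.obligations.append(f"supervise {holder}")
        return rel

    def reporting_chain(self, agent, state_of_affairs):
        """Follow holder -> giver links upward to the root, stopping where no giver exists."""
        chain = [agent]
        while chain[-1] != self.root:
            givers = [r.giver for r in self.relations
                      if r.holder == chain[-1] and r.state_of_affairs == state_of_affairs]
            if not givers or givers[0] in chain:  # no line upward, or a cycle in the chart
                break
            chain.append(givers[0])
        return chain

    def gaps(self, state_of_affairs):
        """Holders whose chain never reaches the Board: obligations with no accountable line above."""
        holders = {r.holder for r in self.relations if r.state_of_affairs == state_of_affairs}
        return sorted(h for h in holders
                      if self.reporting_chain(h, state_of_affairs)[-1] != self.root)

# Constructed sample chart modelled on Figure 3.1 (sample data, not from the thesis).
AIS = "integrity of the Accounting Information System"
model = ResponsibilityModel("Board")
model.delegate("Board", "CEO", AIS, ["approve IS/IT security controls"])
model.delegate("CEO", "CIO", AIS, ["set database access policy"])
model.delegate("CIO", "IT Manager", AIS, ["review network logs", "review database log-on logs", "review transaction files"])
model.delegate("IT Manager", "Programming Staff", AIS, ["apply access controls to the database"])
model.delegate("Admin Officer", "Clerical Staff", AIS, ["check batch totals"])  # no giver above: a gap
```

Running `model.gaps(AIS)` flags Clerical Staff, whose delegated obligations have no accountable line back to the Board, while the IT Manager's chain runs CIO, CEO, Board as the text describes.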