Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of organizations’ overall governance program. Risk management, reporting, and accountability are central features of these policies and internal controls.
In this report (available at http://www.cyberpartnership.org/InfoSecGov4_04.pdf [1], 477 K), F. William Conner, Chairman, CEO and President of Entrust, Inc., and Arthur W. Coviello, CEO and President of RSA Security Inc., provide a framework and guidelines to help organizations assess their performance and put in place an information security governance program.
The framework
The major elements of the ISG Framework include:
- a description of the ISG responsibilities and functions of each member of an organization, including the Board of Directors/Trustees, Senior Executive, Executive Team Members, Senior Managers and all employees;
- a description of the essential components of an information security program, with detailed guidance specified in the security practices of ISO/IEC 17799;
- a requirement that each independent organizational unit assess, remediate, and report on its information security program and, where appropriate, that an independent evaluation of the information security program be completed each year.
Annexes
To facilitate use of the framework, the Task Force has developed several additional tools:
- the ISG Functions & Responsibilities Guide (Appendix B) provides guidance for mapping information security duties to key corporate functions and is applicable to organizations of various sizes;
- the IDEAL process (Appendix C) provides a model for organizations to use to adapt and implement the ISG framework and assessment tool within their organizations;
- the information security governance assessment tool (Appendix D) serves as a rapid evaluation tool for corporations and other business organizations to assess their current ISG practices;
- the ISG Implementation Plan for Education and Non-profit Institutions (Appendix E) examines and adapts successful recommendations for implementing the ISG assessment tool outside the corporate model.
Conclusions
Information security governance is not only a technical issue, but also a business and governance challenge that involves risk management, reporting, and accountability. Effective security requires the active engagement of executive management to assess emerging threats and provide strong cyber security leadership; the term coined to describe this engagement of executive management is corporate governance. Effective information security governance cannot be established overnight and requires continuous improvement.
The IT Governance Institute
from: http://www.itgi.org [2]
The IT Governance Institute exists to assist enterprise leaders in their responsibility to ensure that IT is aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated.
ITGI has released its landmark IT Governance Global Status Report, covering IT governance perceptions and activities worldwide.
Download the executive summary (PDF, 193K):
http://www.itgi.org/TemplateRedirect.cfm?Template=/ContentManagement/ContentDisplay.cfm&ContentID=14539 [3]