Information Security Governance
An Essential Element of Corporate Governance
Information Security Governance is top-of-mind for organizations around the globe today. By definition, Information Security Governance (ISG) is the subset of Corporate Governance that deals with the policies and internal controls related to information resources and their security.
Corporate scandals, coupled with legislation such as Sarbanes-Oxley, California SB 1386, the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA), have prompted shareholders to demand better accountability from public firms.
In response, organizations are looking at the implications of their overall Corporate Governance strategy. This examination has led to an understanding that information security is not just a technical issue that can be addressed by the CIO. It is a Corporate Governance issue that must be addressed by CEOs and Boards of Directors, then implemented and enforced across all levels of the organization.
The New Reality
Until recently, organizations have struggled to find a consistent framework to guide their ISG efforts.
To remain competitive, organizations are extending deeper stakeholder access to their information and services. But increasing accessibility puts individual privacy, information confidentiality and the integrity of transactions at greater risk of theft, alteration or fraud. This delicate balancing act between business growth and regulatory compliance has proven to be quite a challenge.
Industry Mobilization
In December 2003, the U.S. Department of Homeland Security mobilized efforts to address this issue by co-hosting a National Cyber Security Summit in Santa Clara, California. The immediate outcome was the formation of the National Cyber Security Partnership (NCSP) and five NCSP task forces, including a blue ribbon Corporate Governance task force.
The Corporate Governance task force, co-chaired by Entrust Chairman and Chief Executive Officer Bill Conner, was formed to create a private sector framework for organizations to improve ISG on a voluntary basis. In April 2004, the task force released a report that provides an ISO 17799 standards-based ISG framework, along with tools and recommendations that can help guide organizations in assessing and resolving information security issues, complying with various privacy regulations, and ultimately helping improve national cybersecurity.
A Call to Action
In its report, the Corporate Governance task force calls upon all organizations to make ISG a corporate board-level priority. The key focus is to begin the process, with the subsequent goal of systematic improvement of performance over time.
The report also includes a number of recommendations for government and industry action, including:
- organizations should adopt the ISG framework described in the report to embed cyber security into their Corporate Governance process
- organizations should signal their commitment to Information Security Governance by stating on their Web site that they intend to use the tools developed by the Corporate Governance task force to assess their performance and report the results to their board of directors
- all organizations represented on the Corporate Governance task force should signal their commitment to information security governance by voluntarily posting a statement on their Web site
- TechNet, the Business Software Alliance, the Information Technology Association of America, the Chamber of Commerce and other leading trade associations and membership organizations should encourage their members to embrace Information Security Governance and post statements on their Web sites
- all National Cyber Security Summit participants should embrace Information Security Governance and post statements on their Web sites, and if applicable, encourage their members to do so as well
- the Department of Homeland Security should endorse the Information Security Governance framework and its core set of principles, and encourage the private sector to make cyber security part of its Corporate Governance efforts
- the Committee of Sponsoring Organizations of the Treadway Commission (COSO) should revise the Internal Controls-Integrated Framework so that it explicitly addresses Information Security Governance
The ISG Framework
The ISG framework was specifically crafted by the task force to provide a model for delivering:
- effective information security controls over information resources
- effective management and oversight of the related information security risks
- minimum controls required to protect an organization's information and information systems
- a mechanism for overseeing the entire information security program
Through the framework, the Corporate Governance task force helps organizations understand:
- the responsibilities and functions of each member of an organization, including the Board of Directors/Trustees, Senior Executive, Executive Team Members, Senior Managers and all employees
- the essential components of an ISG program - with detailed guidance specified in the security practices of ISO/IEC 17799 - including assessment, policies and procedures, training, testing, remediation of risks, detection and response to incidents and business continuity planning
- reporting and independent evaluation best practices
Entrust: A Trusted Advisor in Information Security Governance
For over a decade, Entrust has been a leader and innovator in the information security market. In addition to our work with the Corporate Governance task force, Entrust has provided trusted ISG advisory leadership through a number of other industry initiatives:
- Entrust co-chaired a Business Software Alliance (BSA) committee which, on October 8, 2003, unveiled an industry-validated approach to Information Security Governance.
- In November 2003, the U.S. House Subcommittee on Commerce, Trade and Consumer Protection called upon Entrust to testify on where the private sector stands in its efforts to secure its information systems, and on what the House Subcommittee could do to help accelerate Information Security Governance.
- Also in November 2003, Entrust chairman and CEO Bill Conner delivered a keynote address at the East-West Institute Worldwide Security Forum in Brussels, Belgium, where he outlined a number of collaborative information security initiatives for governments and industry that are necessary to combat the growing threats of terrorism and cyber warfare.
- In February 2004, Entrust co-founded the Cyber Security Industry Alliance (CSIA), a non-profit corporate-membership organization, whose mission is to improve cyber security through a number of public policy initiatives, including improving the corporate governance of information security.
This leadership experience, coupled with industry-proven Identity and Access Management solutions and professional services, makes Entrust uniquely qualified to help organizations establish good Information Security Governance practices that are in 'lock-step' with recommendations made by the Corporate Governance Task Force and, in turn, ISO 17799 standards.
Learn more about how Entrust solutions and professional services can help your organization embrace Information Security Governance best practices.