Information security, though often viewed as a set of technical issues, must be embraced as a corporate governance responsibility that involves risk management, reporting controls, testing and training, and executive accountability. As such, it requires the active engagement of all CEOs and boards of directors.

To this end, the Corporate Governance Task Force for the National Cyber Security Partnership was established last December to develop and promote a coherent management framework and to drive implementation of effective information security programs across all industries, organizations and educational institutions. Earlier this month, the task force unveiled its initial report, "Information Security Governance: A Call to Action," which was crafted through an unprecedented level of consensus and resource sharing among member experts from academia, government and industry.

Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. The task force report provides a subset of governance policies and controls that include identifying cybersecurity roles and responsibilities within executive management structures, establishing risk management and quality assurance benchmarks, creating institutionalized testing and training, and outlining best practices and industry metrics. In addition, flexible assessment tools were developed to bring accountability to three key elements of corporate governance: people, process and technology.

By using the information security governance framework, CEOs and boards of directors will create a safer business community internally and for their customers and others interconnected throughout the critical infrastructure. In aggregate, such measures serve as an executive call to action that will also help better protect our nation's security.   continued>>