Blending Corporate Governance with. Information Security

Transcription

1 Blending Corporate Governance with Information Security WHAT IS CORPORATE GOVERNANCE? Governance has proved an issue since people began to organise themselves for a common purpose. How to ensure the power of organisation is harnessed for the agreed purpose, rather than diverted to some other purpose, is a constant theme. The institutions of governance provide a framework within which the social and economic life of countries is conducted. Corporate governance concerns the exercise of power in corporate entities. The OECD provides the most authoritative functional definition of corporate governance: "Corporate governance is the system by which business corporations are directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance." However, corporate governance has wider implications and is critical to economic and social well being, firstly in providing the incentives and performance measures to achieve business success, and secondly in providing the accountability and transparency to ensure the equitable distribution of the resulting wealth. The significance of corporate governance for the stability and equity of society is captured in the broader definition of the concept offered by the World Bank: "Corporate governance is concerned with holding the balance between economic and social goals and between individual and communal goals. The governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society." On 21 May 2003, the Commission adopted an Action Plan announcing measures to modernize company law and enhance corporate governance in the European Union. In the Action Plan, the Commission announced that it would confirm the collective responsibility of board members for financial statements and key non- Page 1 /10

2 financial information, increase transparency in intra group relations and transactions with related parties and improve disclosure about corporate governance practices. With regard to the responsibility of board members, the prevailing principle in Europe is - in contrast to the US - collective responsibility for the financial statements. As can be seen from the Action Plan on Company Law and Corporate Governance, the Commission intends to clarify the application of this principle and to extend it to key non-financial information. Further corporate scandals have confirmed a need to clarify that all board members are collectively responsible for financial statements and key non-financial information and that all board members have to be held accountable for their actions and proper conduct of their responsibilities. This is a main difference with Sarbanes Oxley Act where CEO and CFO are personally responsible. On this point, we must notice that in Germany, half of the supervisory board seats of large companies (more then 2,000 employees) are filled by labor representatives. This gives labor control rights over corporate decisions and leads to a kind of negotiated management where labor has voice as an alternative to exit. Many companies are organized in group structures. However, intra group transactions and the group s transactions with related parties often lack transparency seen from the perspective of investors, shareholders and other stakeholders. This can make it difficult for them to assess the true risks of investing in the companies. In relation to transactions within a group and with related parties, the Commission will consider how further improvements can be made in line with International Financial Reporting Standards. Corporate governance practices used differ across Member States. Enhanced disclosure about these practices could provide a useful insight into what happens in practice and to promote best practices. In its Action Plan, the Commission therefore proposed that listed companies should publish an annual corporate governance statement. The main objective would be to collect all relevant information concerning corporate governance elements and practices in listed companies in one single place. This should allow shareholders, investors and other stakeholders to assess whether the company pursues good corporate governance. A recent Business Roundtable report, Securing Cyberspace: Business Roundtable's Framework for the Future asserted that Information security requires CEO attention in their individual companies and as business leaders seeking collectively to promote the development of standards for secure technology. Page 2 /10

3 Boards of directors should consider information security an essential element of corporate governance and a top priority for board review." PRINCIPLES Information security is an important part of the overall business risk and the external business environment that must be intimately understood by the stewards of the business. In establishing this approach, there are five principles that will help guide executive thinking. 1. CEO Involvement The first principle is that the CEO must get involved in the understanding of the security program, the measurement of that program and the relation that program has to business operations. The CEO must take the lead in requiring regular reporting, evaluation and review of information security strategies and execution. He or she must engage with management teams throughout the enterprise to discuss what the security results look like, how security might impact the business, and how risk might be created or alleviated. He must then provide an overall assessment of the organization s security performance, including what is being done well, and what is being done to correct previously identified deficiencies. This assessment must be communicated to the board as well as to shareholders, stakeholders and employees. 2. Organizational Understanding of Information Assets The second principle is that the organization itself has to understand that information assets must be thought of as being as measurable and as tangible as buildings and plants and other valuable business infrastructure. Day-to-day policies and procedures need to reflect the fact that it is up to the organization to protect these assets in the same way. The policies and the procedures that the company creates have to be well thought out, so the culture is built with the understanding that there is some level of risk involved with the normal day-to-day business use of information assets. These assets need to be cared for and protected accordingly. Appropriate individuals within a security management infrastructure must be given both authority and accountability; one without the other is not sufficient. Today, the majority of information security officers are often given authority without accountability. For corporate security to be a serious endeavor, these managers must be empowered. Moreover, organizational cultural politics must be overcome so that the newly empowered security executives can engage with business leaders. The IT group can t fix information security alone; modeling risk enterprise requires a broad Page 3 /10

4 mandate and cooperation between groups inside the organization who may not have traditionally worked together. Policies and procedures must make it plain that everyone who has any interaction with the corporate data assets has specific responsibilities, as well as the authority and the authorization, to proceed to protect those assets and to manage the risk inherent in using them. 3. Integrating Data Storage with the System Lifecycle People would traditionally say, That s the financial management system, or That s the HR system, and then create lifecycle management around those applications without necessarily thinking about the individual data assets that reside on that system. We must begin to follow the information and not the system. If this were better understood, the process of information security would likely be different. Information management and information security must become better aligned and integrated into the way the organization develops, installs, deploys, uses, maintains, monitors and validates the systems that house them. 4. Systems Must Be Tested The concept of governance demands that we evaluate the information security services that have been implemented and find a way to validate that they are working. Testing needs to be done periodically and, as a formal way of responding to defects breaches and violations needs to be established. There also needs to be a way to evaluate and correct deficiencies, as well as a mechanism to communicate the fact that remediation has taken place. Just as you cannot secure what you don t know, you can t establish confidence that information security services are functioning without testing and reporting. Also important is the speed in which a deficiency is remediated and effectively addressed. Information security governance suggests that the company must have a security knowledge management capability not only to understand IT risk, but also to be able to test readiness. Security knowledge management is the ability to transform raw data into information, and information to knowledge. Information security governance suggests that organizations must establish an incident response capability to deal with crisis. This crisis center operates in a continuous mode just like the commander s central command center in a field of battle. Once this knowledge is obtained, then it is possible to translate that into remedial action to deal with the deficiencies and the information security challenges. Then, just like a field commander who might continually exercise troop readiness, company executives can continuously evaluate enterprise response capability by launching exercises to validate information security readiness. Page 4 /10

5 5. Comparative Analysis The fifth principle, every bit as important as the others, is that it is vital for organizations to analyze where they stand in their information security governance efforts compared to others in their industry. The strategy is to have the ability to make informed, strategic decisions as to the company s place in the pack by knowing what others in the industry and the marketplace are doing with respect to securing their information and by studying standards and best guidance. This enables the organization to decide what its investment and commitment to information security should be, above and beyond any established mandatory minimums, based on a risk analysis. One might look at maximums instead, choosing to be ahead of the pack and using information security governance superiority as a competitive advantage. This idea of leveraging information security as a competitive advantage is a valid strategy for some companies. Alternatively, the company might make an informed decision to be a laggard in this area, establishing the bare minimum and using the capital instead to seek competitive advantage in other areas. Anyhow, this is clearly a business decision to be taken at the highest level in the company SHIFTS IN INFORMATION SECURITY PERSPECTIVE To implement these principles, information security stakeholders need to make significant shifts in their perspective. Such shifts allow them to ask the right questions, make better decisions, and select actions appropriate to the effective governance of enterprise security. These shifts are summarized below: From Security is a technical problem : Technical network (hardware, software, infrastructure) Technical requirements (protect the perimeter) Technical assets (desktops, laptops, servers, databases) Technical specialty (in the realm of IT and system administrators) To Security is an enterprise-wide problem : Enterprise network (people, processes, business units) Enterprise requirements (privacy, asset protection) Enterprise assets (customer data, employee data, communication) Enterprise core competency From Security has a technical owner : IT is the driver, owner, and primary benefactor. Page 5 /10

6 Technical personnel are assigned to security. The CSO (Chief Security Officer) is considered a technical advisor To Security is owned by the business : The enterprise is the driver, owner, and primary benefactor. Business personnel understand security and have security responsibilities. The CSO is considered an advisor to the business. From There is an explicit focus on security : Security is sporadically singled out for attention, investment, and justification. Risk assessment is applied to security as a special case. Security is on the agenda to comply with regulatory requirements. To Security is transparent : Security is a requirement of conducting business, considered in normal planning and business conduct cycles. A more secure state results from effective risk management capabilities. Existing security controls meet compliance requirements. From Security is an expense : The benefit of security is not measured or is hard to measure. Return on security investments is not required or quantifiable To Security is an investment : The benefit of security is measurable, measured, and regularly reported. Return on security investment is required and quantifiable in business terms From The goal is security : The focus of security efforts is on threat, vulnerability, and protection. There is no articulated, desired security state. There is a potentially excessive deployment of security technologies undertaken in a piecemeal approach. To The goal is business continuity and ultimately resiliency : The focus of security efforts is on impact, organizational continuity, and preserving trust. Adequate security that meets business objectives is the desired state. Page 6 /10

7 Security costs and risks are in business objectives is the desired state. Security costs and risks are in balance. THE FIVE AREAS OF RESPONSIBILITY An organization that will be successful in implementing an information security governance program needs to divide the work across five areas: 1. The Board of Directors. The program must be very clear about the board s responsibilities. It will assign strategic oversight to the board, and ensure that the strategic oversight is aligned with the actions taken by the executive management team. 2. The CEO. CEO responsibilities will be clearly defined in regard to accountability and authority. The CEO is the top executive and the only one in a position to oversee compliance. It is the CEO s role to assign the responsibility to make sure that accountability and authority are in place. The CEO is also there to set the tone and drive the culture of information security. 3. Executive Committee. The executive committee will be responsible for ensuring that the security programs being put in place are actually aligned with operational and business goal risks. Not too much, and not too little. They must make certain that money is not being wasted on unneeded security and that security is not placing an undue burden on the organization and adversely affecting operations and business objectives. 4. Senior Managers. Senior management will have responsibility for day-to-day monitoring of risks within their area of responsibility. They re accountable for the mechanisms implementing the policies coming out of the security program and for ensuring that operations are secure. 5. Employees. Each individual employee must be aware of the challenges of information security. Ultimately, security is a very personal matter, so each member of the enterprise should have an understanding of information security and why it s important. They should know their individual roles, so they can report accurately through channels. Just as we are trained to ask an un-badged person we see walking through our building, so too should we, as individuals, be taught to challenge information security deficiencies that we encounter. Page 7 /10

8 BUILDING A SECURITY ARCHITECTURE According to our principles, the security architecture must address all components of the enterprise security program not just the technical components: Strategic alignment Business Enablement Process enhancement Security Foundation Security Effectiveness 1. Strategic Alignment Key Components We need an executive level sponsorship for the architecture; it has to be enterprise wide and mandatory in order to have an enterprise wide approach to risk. A current status of the enterprise approach to Information assets risk will provide the Information Security Culture to Page 8 /10

9 gauge what the architecture has to be to be effective and how it will be received. How ready is the organization to adapt to change? Is the architecture going to be a significant change from where they are today? How much has the corporate approach to Information Security been considered? What are the business issues, and strategies that are defined that require an organized approach to IT security? The more the architecture requirements can be directly tied to the business the better. Is there legislation or regulations that are pushing the organization tin a certain direction? The architecture should be an obvious progression from the business requirements and justifiable as such. It should not be based on the current wants that is more typical with technology selection but on the business reason why. 2. Business Enablement Requirements must be people, process and technology driven We must have a consistent application of solution models We must do a zone analysis for end-to-end transaction integrity Security Plans practically applied to all aspects of a business operation network, applications, processes, etc. 3. Process enhancement Key security standards, model and criteria proactively championed through existing enterprise-wide management processes Center of Excellence (COE) approach o Breadth of coverage end-to-end transaction o Depth subject experts o Facilitator roles versus owner Incentive concept to promote security staff as enablers versus roadblocks Roles and responsibilities clearly defined and championed 4. Security Foundation Active executive participation Owner, custodian, stakeholder alignment Assigned responsibility, accountability and authority Security Life Cycle Page 9 /10

10 Business and IT alignment Security process and management fundamentals/foundations/baseline versus wants 5. Security Effectiveness Focus on a few critical objective indicators that truly enhance visibility Internal audit alignment Communication of successes/failures Service Level Agreements (SLA) for customer satisfaction IT Return on Investment (ROI) Critical vendor maintenance contracts Metrics for day-to-day operations Reporting timelines Existing balanced scorecard system CONCLUSION Information security is not a technical issue, but rather a corporate governance responsibility that involves risk management, reporting on controls, testing, training and executive accountability. Without the active engagement of business unit leaders, executive management teams and boards of directors, a sustainable information security program cannot exist. This is no longer a technical problem relegated to the bowels of the enterprise. This is a challenge that requires a coherent information security management framework that aligns with the set of policies and internal controls used by enterprises to establish a culture of compliance and that will support the implementation of information security programs across all industries. The time to embrace information security governance is now. Integration of information security into the core of enterprise management and governance must come about. And, focusing on security experience management will allow us to begin to manage security from a business perspective. Yves LE ROUX CISM, ITIL, CISSP Computer Associates Security Technology Strategist Tel: +33 (0) Mob: + 33 (0) Yves.LeRoux@ca.com Page 10 /10