Blending Corporate Governance with Information Security
Information security requires the attention of CEOs, both within their individual companies and as business leaders seeking collectively to promote the development of standards for secure technology.
Furthermore, boards of directors should consider information security an essential element of corporate governance and a top priority for board review.
The first principle is that the CEO must become involved in understanding the security program, in measuring it, and in relating it to business operations.
The second principle is that the organization itself has to understand that information assets must be regarded as being as measurable and as tangible as buildings, plants, and other valuable business infrastructure.
The third principle is that we must follow the information and not the system.
The fourth principle is that we evaluate the information security services that have been implemented and find a way to validate that they are working.
The fifth principle, every bit as important as the others, is that it is vital for organizations to analyze where they stand in their information security governance efforts compared to others in their industry.
To implement these principles, information security stakeholders need to make significant shifts in their perspective. Such shifts allow them to ask the right questions, make better decisions, and select actions appropriate to the effective governance of enterprise security. We explain these shifts, and then divide the work across five areas of responsibility.
In line with these principles, we describe a framework that addresses all components of the enterprise security program, not just the technical ones.
Keywords: Corporate Governance, Information Security, International Financial Reporting Standard, Security Program, Security Investment