
Information security governance
 ITGI (IT Governance Institute) is an ISACA spin-off. We made good use of their Board Briefing on IT Governance, Information Security Governance: Guidance for Boards of Directors and Executive Management, Information Security Governance: Guidance for Information Security Managers and the latest IT Governance Global Status Report in preparing the information security governance awareness module.
IT Governance, a manager’s guide to data security and BS 7799 / ISO 17799 (3rd edition) by Alan Calder and Steve Watkins (~US$170 from Amazon) is reviewed elsewhere on this site. IT Governance is Alan’s consultancy business supporting organizations seeking to deploy best practice information security and project management solutions.
“Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business. If an organization’s management does not establish and reinforce the business need for effective enterprise security, the organization's desired state of security will not be articulated, achieved, or sustained. To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance.” Read loads more good stuff on CERT’s security governance pages: there are implementation guides, presentations and podcasts.
Build Security In also promotes the concept that information security is management’s concern, not (purely) a technical issue. “Governance and management of security are most effective when they are systemic, woven into the culture and fabric of organizational behaviors and actions. They create and sustain connections among principles, policies, processes, products, people, and performance. This means that security must come off the technical sidelines and not be relegated to software development and IT departments. Boards of directors, senior executives, and managers all must work to establish and reinforce a relentless drive toward effective enterprise security.” There’s a detailed bibliography on information security governance too, and lots more to read.
To what extent are CSO/CISOs accountable for the organization’s information security? Bill Brenner of CSO Magazine takes the line that CSO/CISOs should consider insurance and legal protection against being dismissed after a serious incident. Larry Ruffin, US Interior Department CISO, was quoted by Government Executive thus: “How do you take control, when you don't [have authority over] the funds or maintain clear authority to make decisions?” [Good governance implies that whoever makes key business decisions should be held personally accountable for those decisions and should be allocated sufficient resources to fulfil their obligations.]
One of the NoticeBored deliverables was a procedure for defining information security roles. We recently published a ‘worked example’ defining roles and responsibilities for contingency planning (including business continuity and disaster recovery) on ISO27001security.com.
A scenario in one of the NoticeBored case studies was inspired by the case of Terry Childs, as reported by the San Francisco Chronicle, InfoWorld and Paul Venezia. Terry was arrested for allegedly tampering with computers belonging to the San Francisco city government. Initially, following his arrest, he refused to disclose the network admin password, meaning that no-one was able to manage the network since Terry had sole control; that hints at the information security governance issue discussed in the NoticeBored case study.
A neat presentation and webcast by George Spafford brought out the value of integrating IT security processes with general IT operations, risk, change and configuration management, and through to business strategy, via ITIL IT service management.
We published a case study expounding the business value of implementing ISO/IEC 27002 on our IsecT website. The case reveals some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere.
A factsheet from the UK Institute of Directors advises non-executive directors on (a) how to go about asking questions of the Board or other managers about IT strategy and security; and (b) the types of question worth asking. [Our favorite is “Has your business assessed the risk of getting a reputation for slackness in security?”!]
Defining and promoting your information security policies through security awareness, training and education activities are essential for Sarbanes-Oxley compliance. A review of your information security policies is one of the first steps in a SOX audit. If the auditors then ask how management can be sure that employees comply, are you ready for them? Tools such as SecureAware can certainly help ...
Information Security Governance - A Call to Action advises organizations to incorporate information security into corporate governance efforts. “... executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.”
Logica CMG reports on the relevance of information security to corporate governance, backed by a research study of UK plcs.
IT governance

IT Governance - How top performers manage IT decision rights for superior results by Peter Weill and Jeanne W. Ross of MIT (~$23 from Amazon) is based on academic studies of IT governance. Read our book review here or check out this precis by the authors on an Australian CIO magazine site. A thought-provoking and useful book, if somewhat narrow in its interpretation of IT governance.
Australia Standards released a forthcoming standard on IT project governance as a free PDF for public comment.
Website disclaimers and privacy policies, which are intended to point out to visitors the limits of the website owner’s responsibilities in relation to the visitors’ use of the site, could be seen as an element of IT governance ... or a waste of good electrons, according to one’s point of view. Here’s an interesting one from the Brampton Bugle, with shades of Saturday Night Live’s Happy Fun Ball advertisement about it.
ISACA (Information Systems Audit and Control Association) is home to COBIT, an excellent governance framework for IT. Don’t be mistaken, COBIT is no longer just a tool for IT auditors!
In addition to the information security governance papers noted above, the ITGI publishes various other IT governance-related papers.
An IT Process Institute (ITPI) research report characterizes differences in the controls infrastructures that distinguish high- from low-performing IT departments. There is a clear link between the quality of an organization’s change management controls and its performance, and some interesting correlations with specific controls, e.g. monitoring for authorized/unauthorized and successful/unsuccessful changes; having firm consequences for those who intentionally make unauthorized changes; and formal processes and automation of configuration management. These in turn suggest potential metrics such as the percentage of changes that are authorized and successful; the percentage of unauthorized change incidents that lead to disciplinary action; and the percentage of configuration information that is accurate and complete.
The McKinsey Quarterly asks “Who’s accountable for IT? Business leaders, that’s who.” [access requires free registration]. Business and IT managers need to align with organizational objectives, and business managers should be held accountable for getting good value from their IT investments.
The ITSM Portal examined a wide variety of governance frameworks and methods in the context of IT service management and IT governance.
OCEG (Open Compliance and Ethics Group) is a not-for-profit organization developing a framework for integrating governance, compliance, risk management and integrity into all business processes, thereby helping clients reduce costs and improve business performance. OCEG is driving adoption of the framework through a multi-industry, multi-disciplinary coalition, with a community to exchange information, tools and feedback for the continual improvement of the framework.
IT/development project governance is a subset of IT governance, itself a subset of corporate governance. There is an enormous volume of information on the web about governing and managing IT/development projects (just try Googling phrases such as IT.project.governance or IT.project.management). Project governance guidance from the Tasmanian State Government states the principle that “ultimate responsibility and accountability for the project must be clearly defined and accepted at an appropriately high level within the organisation. The appropriate level is that which has discretionary control over the bulk of the resources that will be expended in the project process.”
Corporate governance
The European Corporate Governance Institute has a fabulous website giving access to an excellent collection of governance codes/regulations and papers from around the world.
If you’re looking for the Cadbury report and other governance classics from the UK, USA, Canada, Australia and elsewhere, try Brown governance.
Director’s Monthly mag from NACD (the National Association of Corporate Directors) carried The Rise and Fall of Enron: Principles for Directors and Worldcom: Six Questions for Directors. NACD is holding its 2008 corporate governance conference on October 19-21 in Washington DC.
Effective corporate governance frameworks – encouraging enterprise and market confidence is a governance discussion paper from the ICAEW (Institute of Chartered Accountants in England and Wales) highlighting issues relevant to policy makers.
The Governance Focus blog covers governance very broadly and gives a fascinating insight into what’s happening in the field. Well worth a look.
A white paper from US CEO forum The Business Roundtable gives an overview of their position on corporate governance. They recommend that every publicly owned corporation should have a committee that addresses governance issues [but then confuse the matter by discussing the nominating committee - appointing suitable Board members is only one part of corporate governance].

“Enron - anatomy of greed: the unshredded truth from an Enron insider” by Brian Cruver (~$25 from Amazon). The author recounts his experience of working for Enron in its final few months. A highly personal view of what it was like to work in the high-pressured environment that eventually led to the demise of Enron in a spectacular governance failure.
Boards of Directors are well informed on their governance responsibilities by papers from the professional institutions. The Canadian Institute of Chartered Accountants poses 20 Questions Directors Should Ask About IT, and the International Federation of Accountants has “Enterprise governance: getting the balance right”. Deloitte has a small collection of papers on corporate governance and accountability. The Institute of Internal Auditors published a position paper on “Internal auditing’s role in sections 302 and 404 of U.S. Sarbanes-Oxley Act of 2002”, while the National Association of Corporate Directors has “Information security oversight: essential board practices”. Securing cyberspace is Business Roundtable’s contribution to the debate. With so much august information to read, directors must find it difficult to find time to actually govern their corporations.
The OECD (Organisation for Economic Co-operation and Development) has its Principles of corporate governance and an older paper Guidelines for the security of information systems and networks: towards a culture of security.
Related NoticeBored links collections
Computer audit, IT fraud, accountability and responsibility, compliance, IT Operations and information security risk management
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.