Infosecurity will this week host a mock courtroom trial
to demonstrate that the boardroom has ultimate responsibility for information
security breaches.
The trial will be based on a fictionalised account of the real
theft of thousands of credit card account details. In the dock will
be the chief executive, the chief information officer, the chief
information security officer and other suspects.
Paul Williams, former president of the Information Systems Audit
and Control Association, will defend the CIO's role. "Ultimate
responsibility for information security rests with the board and
the chief executive," he said. "This cannot be delegated. It is up
to them to set the policies and to monitor their
implementation."
Williams said security was more than the "box-ticking" exercises
demanded by regulations such as Sarbanes-Oxley and PCI DSS. "I am
not convinced more regulation helps," he said. "Jail means that all
else has failed."
He said regulations such as PCI DSS were the application of
common sense. "The basic principles are simply good housekeeping
for anyone who processes credit card data," he said. "Of course you
should encrypt customer data, and use firewalls to stop
attacks."
Williams said regulations had sharpened boards' focus on IT
security, but many were still ignorant of all that it entails.