There can be no excuse for failing to take steps to protect corporate information and systems.
Organisations share a universal risk from information security breaches. Both internal and external breaches and abuses cause widespread and long-lasting damage to profits. However, the impact on an organisation's reputation can be much greater, so stakeholders and investors need to pay more attention and take deterrent measures.
Widening corporate governance requirements now recognise that effective control of information, through assessing the value of IT and information security, is an essential responsibility of senior managers and boards.
Deloitte & Touche has identified huge communication gaps between board members responsible for reporting business risk and those to whom responsibility for IT security is delegated.
Department of Trade & Industry figures show that only 28% of UK businesses make all employees aware of their role in business security. Such responsibilities cannot rest solely with the IT department.
The board must create a culture that combines knowledge of risk, business and technology. Such knowledge can be obtained by creating an information security management system and an information governance solution tailored to the situation.
Effective information management should address control of IT processes and the related security mechanisms.
An information governance system should provide the foundations to establish the company as a trusted and reliable organisation from an IT perspective.
Information governance enables organisations to benchmark their position against best practice standards and to demonstrate that they recognise the value of protecting information. It ensures that staff recognise this value by providing training and awareness.
Most organisations' measures are a piecemeal collection of controls, infrequently or insufficiently monitored. A governance system should ask:
- Are all your significant information risks identified and countermeasures in place?
- Have you secured top management support and commitment to address information governance?
- Do you have the necessary policies, procedures and working practices to control information effectively?
- Is your information culture well established so that everyone understands the importance of reliable information and how to spot unusual activity?
- How quickly can you marshal your defences?
A governance system will be an organisation's key tool to satisfy stakeholder concerns about information control mechanisms. The emergence of global best practice standards and increasing legislation enables firms to assess current arrangements and plan improvements.
Central planks of good information governance working practices include adherence to data protection requirements, information security management based on the ISO 17799 framework, and control of IT processes based on Cobit (Control Objectives of IT & Related Technologies & Governance) best practice standards.
ISO 17799 provides the board with a framework to develop, implement and measure information security management. It refers to the need for a risk assessment, security controls and legal and technical compliance. It acknowledges the legal significance of protecting data and privacy and stresses the need for regular IT health checks to ensure compliance.
Implementing an information security management system is a duty that requires the commitment of the board. Nearly 70% of breaches take place within the organisation, often caused by mistakes or through lack of training.
It is likely to become a regulatory requirement to demonstrate that an effective system of internal control for information assurance exists. Organisations must take steps now to establish best practice. Inadequate security, such as a failure to adhere to the Data Protection Act legislation, could be construed as corporate negligence.
Yag Kanani is partner in charge of information security services at Deloitte & Touche. He will deliver a keynote speech at Infosecurity Europe.