Chapter 16. Information Security Governance

Executive summary

The availability, integrity and confidentiality of its data are fundamental to the long-term survival of any 21st-century organization. Unless the organization takes a top-down, comprehensive and systematic approach to protecting its information, it will be vulnerable to the wide range of threats identified in this book. These threats are a ‘clear and present danger’ to organizations of all sizes and in all sectors; responsibility for information risk management, for ensuring that the organization appropriately defends its information assets, can no longer be abdicated or palmed off on the Head of IT. The board has to take action. It’s a part – and a very key part – of the board’s governance responsibility. Many (but not all) boards have, to date, shirked or failed in this responsibility.

What is ‘information security’?

‘Information security’, according to the internationally recognized code of information security best practice, ISO 17799:2005, is the ‘preservation of the confidentiality, integrity and availability of information.’

This book identifies the major information security issues facing boards and management teams and identifies how ISO 27001, the international standard of information security best practice, can give organizations a significant competitive and regulatory edge.

Information security is a board responsibility

Information security is a governance issue, not merely an IT department functional responsibility. In an environment where it is not commercially sensible to invest in security against every possible risk, and where 100 percent security is not affordably achievable, there are five reasons for this:

  1. The board has to lay down guidelines as to which of the organization’s information assets are to be protected and the level to which this must be done;

  2. The board has to prioritize, and lay down guidelines for, investment in information security;

  3. Information security is a ‘whole business’ exercise; effective information security requires a set of controls that integrate technology, procedure and human user behaviour in such a way that the board’s security objectives are achieved. Only the board can set out the objectives and requirements for such a cross-organizational management system;

  4. The whole organization is at risk in the event of an information security breach (eg LexisNexis); corporate reputation, corporate earnings and corporate survival are the direct responsibility of the board and the board must, therefore, ensure that appropriate arrangements are made to protect the organization from information risk;

  5. It is the board’s direct responsibility to ensure that the organization complies with the laws of the jurisdictions in which it trades. The growing body of information-related legislation is such that the board now has to be proactive in mandating the implementation of a recognised information security management system that will ensure compliance.

Governance and risk management

The board’s job is governance and strategy and, therefore, governing strategic and operational risk is a fundamental board responsibility. There are three operational risks (operational risk is ‘the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events’[10]) related to information and communications technology that boards need to consider:

  1. Loss of proprietary information, with resultant damage to earning power and competitive position;

  2. Loss of customer and personal data, with resultant damage to commercial and directors’ personal reputations, as well as regulatory action, financial and punitive loss, and possible jail time for directors;

  3. Interruptions to business continuity, with resultant damage to commercial reputation and actual trading capability.

Boards have to prioritize the risks that are to be defended against, in the light of the organization’s information assets, its business model and its overall business strategy. They have to ensure that appropriate resources are committed to realising and maintaining the risk profile that they have mandated.

Corporate governance codes

Corporate governance codes throughout the world recognize that the management of operational risk is a core board responsibility.

The UK’s Combined Code requires listed companies to annually review ‘all material controls, including financial, operational and compliance controls, and risk management systems.’[11] The Turnbull Guidance explicitly requires boards, on an ongoing basis, to identify, assess and deal with significant risks in all areas, including in information and communications processes.[12] Sarbanes-Oxley requires US-listed companies (and, increasingly, there is a knock-on effect on their major suppliers) to annually assess the effectiveness of their internal controls, and places a number of other significant governance burdens on executive officers, including the section 409 requirement that companies notify the SEC ‘on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer.’ Pillar 1 of the Basel 2 Accord aims to reduce financial institutions’ ‘exposures to the risk of losses caused by failures in systems, processes, or staff or that are caused by external events.’[13]

Risk assessment has, over the last few years, become a pervasive and invasive concept: a risk assessment must be structured and formal, and nowadays one is expected in almost every context – from a school outing through to a major corporate acquisition. It is certainly a cornerstone of today’s corporate governance regimes. In the context of operational risk, a risk assessment is the first step that a board can take to controlling the risk; the most important step is the development of a risk treatment plan (in which risks are accepted, controlled, eliminated or contracted out) that is appropriate in the context of the company’s strategic objectives.

Information risk

If no-one else wanted it, it wouldn’t be an asset. Information, to be useful to an organization, must be available (to those who need to use it), confidential (so that competitors can’t steal a march) and its integrity must be guaranteed (so that it can be relied upon). Information risk arises from the threats – originating both externally and internally – to the availability, confidentiality and integrity of the organization’s information assets.

Headline figures dramatically illustrate the cost of security failures: the UK’s National High Tech Crime Unit (NHTCU) reported[14] that 89% of firms interviewed had suffered some form of computer crime in the previous 12 months (up from 83% in the previous year), at a cost of at least £2.4bn.

Threats to information security are wide-ranging, complex and costly. External threats include casual criminals (virus writers, hackers), organized crime (virus writers, hackers, spammers, fraudsters, espionage, ex-employees) and terrorists (including anarchists). More information security incidents (involving members of staff, contractors and consultants acting either maliciously or carelessly) originate inside the organization than outside it. Barings, Enron, WorldCom and Arthur Andersen were all brought down by insiders. The indirect costs of these incidents usually far exceed their direct ones, and the reputational impacts are usually even greater.

The need for determined action to deal with these risks should be self-evident.

Governance failure

The governance failure, though, is evident. An Ernst & Young survey[15] found that only 20 per cent of organizations strongly agreed that information security was a CEO-level priority, and that only 24 per cent gave their information security departments the highest rating in meeting the needs of the organization. Ernst & Young summed it up: “Ironically, this year’s survey seems to echo the sentiments of previous years, as organizations apparently continue to rely on luck rather than proven information security controls. Perhaps the remarkable thing is how little attitudes, practices and actions have changed since 1993 – during a period when threats have increased significantly. Two factors lead us to believe matters have deteriorated. First, the threats are more lethal than they were in 1993. What many organizations are slow to recognize is that what they don’t know is hurting them, and hurting them badly. While scaremongers focus the public’s attention upon the external threats with questionable damage guesstimates, organizations face greater damage from insiders’ misconduct, omissions, oversights, or an organizational culture that violates pre-existing policies and procedures.

Second, there is little visible change in how security is practiced by organizations. In 1994, a respondent told us: ‘It is apparently going to take a major breach of security before this organization gets its act together.’ Some ten years later, that sentiment is still quite evident and typifies organizations’ reluctance to deal with the significant threats and to invoke well-accepted controls.”

In today’s corporate governance environment, boards simply cannot afford to take their information security governance responsibilities anything less than seriously.



[10] “Operational Risk”, a consultative document from the Basel Committee on Banking Supervision in January 2001

[11] Combined Code on Corporate Governance, Section C.2.1, July 2003

[12] Turnbull Guidance, paragraph 21

[13] BIS Press Release, 26 June 2004

[14] “Hi-Tech Crime: the Impact on UK Business 2005”, survey conducted by NOP for the UK’s NHTCU

[15] Ernst & Young’s (www.ey.com/global/content.nsf/International/Home) 11th annual Information Security Survey, which in 2004 interviewed nearly 1,300 executives across 51 countries.
