Computers & Security (2004) 23, 638–646
www.elsevier.com/locate/cose

A framework for the governance of information security

Shaun Posthumus, Rossouw von Solms*
Port Elizabeth Technikon, Department of Information and Technology, Private Bag X6011, Port Elizabeth 6000, South Africa

Received 18 October 2004; revised 27 October 2004; accepted 27 October 2004

* Corresponding author. Tel.: +27 41 504 3604; fax: +27 41 504 9604. E-mail addresses: [email protected] (S. Posthumus), [email protected] (R. von Solms).

0167-4048/$ - see front matter © 2004 Published by Elsevier Ltd. doi:10.1016/j.cose.2004.10.006

KEYWORDS
Business information risk; Corporate governance; Information security governance

Abstract
This paper highlights the importance of protecting an organization’s vital business information assets by investigating several fundamental considerations that should be taken into account in this regard. Based on this, it is illustrated that information security should be a priority of executive management, including the Board and CEO, and should therefore commence as a corporate governance responsibility. This paper, therefore, motivates that there is a need to integrate information security into corporate governance through the development of an information security governance (ISG) framework. This paper further proposes such a framework to aid an organization in its ISG efforts. © 2004 Published by Elsevier Ltd.

Introduction
It can be said that business information plays an extremely important role in most organizations today, and, therefore, efforts to protect such business information should be of the utmost importance. Traditionally, a great deal of attention is focused on efforts that address the risks affecting business information from an IT infrastructure point of view. This is because Information Technology (IT) has come to play such an integral role with regard to the storage, processing and transmission of valuable business information assets. However, information security is more often than not viewed only as a technical concern (Entrust, 2004), and hence seems to lack the attention of top management and boards of directors. Birman (2000) claims that security is more than purely a technical concern: it is also a strategic concern, and possibly even a legal one. Swindle and Conner (2004) motivate that information security needs to be addressed as a corporate governance responsibility which should involve risk management efforts, reporting and accountability on the part of executive leadership and boards of directors. The term information security governance (ISG) describes the process of how information security is addressed at an executive level. Information security governance is considered to be a facet of an organization’s broader corporate governance strategy (Corporate Governance Task Force, 2004), which itself commences at Board level (King Report, 2001). However, Entrust (2004) suggests that very few sound ISG frameworks exist that can effectively guide most organizations in their ISG endeavors. It is therefore the objective of this paper to formulate an ISG framework in order to elucidate how information security should be addressed at an executive level, as a component of corporate governance. In order to accomplish this, this paper looks at several issues, including the scope and importance of business information in relation to understanding the full spectrum of risks that affect it. Additionally, the need to protect business information from these risks is addressed, highlighting that the support of top management is paramount to the success of an organization’s information security efforts. Once this has been established, the information security governance framework is proposed in order to demonstrate how executive level management could express their support of information security in their organizations by means of the implementation of such an ISG framework.
Describing business information

In order to properly describe business information, its scope and characteristics need to be clearly illustrated. Furthermore, these considerations also help to point out why business information should be a very important asset in any organization.

The scope of business information
The development of private networks and the widespread utilization of the Internet have facilitated organizations in performing business transactions with their customers, suppliers and other business partners (Entrust, 2004). This has also enabled these organizations to extend their reach and provide services to outlying markets. Furthermore, even staff members have benefited, since the use of networks has provided them with real-time access to the information and computer applications they need in order to commence with their daily activities (Entrust, 2004). Consequently, the use of such technologies has helped to satisfy the needs of the majority of these company stakeholders, who constantly demand more convenient access to information and business services. This does, however, mean that organizations are placed in a situation where they are required to share their business information resources more openly with their stakeholders, who are no longer restricted to a specific place (BS 7799, 1999). Due to this, sensitive business information has become exposed to a lot more than merely the technology that is used to store, process and transmit it. Information is in fact now exposed primarily to three fundamental elements: firstly, the technology, as previously stated, which is used to store, process and transmit information; secondly, the stakeholders, i.e. the people, who access this information through various private networks and the Internet; and thirdly, the business processes applied to manipulate information as part of a particular business operation or service that an organization provides (BS 7799, 1999). Nowadays, each of these three elements has an essential role to play in facilitating an organization in executing its key business operations. Therefore the presence of information in any business operation would not mean that it is exposed to only a technology element, for example. In fact, from a risk point of view, the scope of business information includes consideration for the people and processes, as well as the technology, that it comes into contact with.

The characteristics of business information
Information plays a major role in supporting an organization’s business operations. During each business operation information comes into contact with technology, people and process elements, which have been said to form a part of each business operation. Every one of these elements has the potential to present a very real risk to an organization’s business information assets. Thus, in order to ensure that business information continues to provide useful support to an organization’s business operations, several key characteristics of this information need to be preserved. These characteristics include confidentiality, integrity and availability (BS 7799, 1999).

Confidentiality
Humphreys et al. (1998) state that ensuring confidentiality involves “protecting sensitive information from unauthorized disclosure or intelligible interception”. In other words, in order to preserve the confidentiality of information assets they need to be kept secret. Thus sensitive business information should not be left freely available to whomever may wish to gain access to it. Only those parties who have been given authorization to access this information should be allowed to do so. Thompson and von Solms (2003) mention that the confidentiality of information may be preserved by applying one of two approaches: restricting access to confidential information or, additionally, encrypting sensitive business information.
Integrity
Preserving the integrity of information resources involves maintaining the correctness and comprehensiveness of that information (Humphreys et al., 1998). Information integrity is important because information plays a major role in the decision making process (Ritchie and Brindley, 2001). If such information is not accurate or complete this could instigate misguided decisions on the part of executive management. Ultimately such decisions could lead to unwanted situations in an organization, which could otherwise have been prevented. A breach of integrity could result from the intentional modification of information by unauthorized parties or even its unintentional modification while information is being stored, processed or transmitted (Thompson and von Solms, 2003). A well-known mechanism used to preserve information integrity involves attaching a simple message digest to a message before its transmission (Thompson and von Solms, 2003). This digest can later be recomputed to determine whether the sent message has been modified.

Availability
In order for an organization to preserve the availability of its information resources, it must ensure that such resources are accessible for use, by the relevant parties, at the right time. Ensuring the availability of information is extremely important because without timely information an organization would be incapable of continuing normal operations (Gerber and von Solms, 2001). This is largely because having the correct information at the right time enables management to make well-timed business decisions that will enable an organization to gain a competitive advantage over others (Gerber and von Solms, 2001). One of the most common ways in which the availability of information is compromised is through a denial-of-service (DoS) attack. During such an attack an information system is bombarded with a large number of information requests, which cannot be handled by the system, and thus the system either slows down considerably or crashes, making information unavailable (Whitman and Mattford, 2003). Preserving the confidentiality, integrity and availability of sensitive business information goes a long way in ensuring that such information retains its value to an organization and to the organization’s relevant stakeholders. An important question, though, needs to be addressed: why is it important that business information retains its value to an organization?

Why business information is important
Unquestionably, business information can be considered to be an extremely important asset to any organization. Some would even go as far as to claim that an organization’s information resources are the lifeblood of that organization (Halliday et al., 1996). Others, such as Eloff et al. (1993), state that “information is the glue that holds an organization together and allows all other resources to be managed”. The proficient use of information can facilitate an organization in achieving a competitive advantage over others, which helps to produce business value and keeps shareholders and other investors satisfied. Information provided to top executives guides them in making the numerous critical business decisions that form a part of their everyday responsibilities. These decisions should be based on information that has been kept confidential, accurate and timely. If any of these characteristics of information has been compromised, an executive management team’s resultant ill-advised decisions could have a significantly devastating impact on the overall well-being of an organization. This could lead to huge financial loss and even the tarnishing of an organization’s corporate reputation (Entrust, 2004). Incidents such as these hint at what value and importance an organization should attach to its information resources, since it is quite apparent that any risk to this information could cause a considerable amount of damage. In order to protect sensitive business information from the various risks that may potentially affect it, it is important to understand exactly from what sources these risks may arise.
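The integrity mechanism described under Integrity above (a message digest attached to a message and recomputed on receipt) is worth seeing in code, because it behaves differently for the two kinds of integrity breach the paper distinguishes. The following is an added example, not code from the paper or its cited sources: it shows that an unkeyed SHA-256 digest detects unintentional modification, but a party who can alter the message in transit can recompute the digest as well, so intentional modification is only detected by a keyed digest (HMAC) under a key the receiver shares with the sender. The payment message and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key shared by sender and receiver (not from the paper).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def attach_digest(message: bytes) -> tuple[bytes, str]:
    """Sender side of the 'simple message digest' scheme: the message is
    transmitted together with its SHA-256 digest."""
    return message, hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, digest: str) -> bool:
    """Receiver side: recompute the digest and compare it with the one received.
    This catches accidental corruption in storage or transit.  It does not catch
    deliberate tampering, because whoever can alter the message can also replace
    the unkeyed digest."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def attach_mac(message: bytes, key: bytes) -> tuple[bytes, str]:
    """Keyed variant: an HMAC-SHA256 tag that only a holder of `key` can produce."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, tag: str, key: bytes) -> bool:
    """Receiver side of the keyed variant; constant-time comparison avoids
    leaking how many leading characters of the tag were right."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def tamper_in_transit(message: bytes) -> tuple[bytes, str]:
    """Simulated deliberate modification by a party without the key: change the
    amount and recompute the unkeyed digest so the receiver's check still passes."""
    altered = message.replace(b"amount=10000", b"amount=90000")
    return altered, hashlib.sha256(altered).hexdigest()


def demo() -> dict:
    """Run the four cases and return which checks detected what."""
    original = b"PAY supplier=ACME amount=10000 currency=ZAR"  # constructed message
    results = {}

    # Case 1: unkeyed digest, message arrives intact.
    msg, digest = attach_digest(original)
    results["plain_intact"] = verify_digest(msg, digest)

    # Case 2: unintentional modification (one flipped bit, digest unchanged).
    corrupted = bytearray(msg)
    corrupted[0] ^= 0x01
    results["plain_detects_accident"] = not verify_digest(bytes(corrupted), digest)

    # Case 3: intentional modification with the digest recomputed: passes the check.
    altered, new_digest = tamper_in_transit(msg)
    results["plain_misses_tamper"] = verify_digest(altered, new_digest)

    # Case 4: keyed digest; the tamperer cannot produce a valid tag for the
    # altered message, so the modification is detected.
    msg2, tag = attach_mac(original, SHARED_KEY)
    altered2 = msg2.replace(b"amount=10000", b"amount=90000")
    results["mac_intact"] = verify_mac(msg2, tag, SHARED_KEY)
    results["mac_detects_tamper"] = not verify_mac(altered2, tag, SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The plain digest therefore addresses the paper's unintentional case (storage or transmission errors); for the intentional case the digest must be bound to a secret the unauthorized party does not hold, which is what the HMAC variant adds.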
Business information risk
Business information risks may be divided into several categories. These categories broadly describe the various sources of risks that may affect sensitive business information.

Describing business information risks
Generally, the risks that may well affect an organization’s vital information assets can be classified into two fairly broad categories (Entrust, 2004). The first of these categories includes external risks, i.e. those risks that have the potential to impact an organization from the outside. The second category includes those risks that might occur internally and thus have the potential to impact an organization from the inside. Whether business information risks occur internally or externally to an organization, the fact remains that all of these risks present many organizations today with an arduous task when it comes to providing an adequate level of protection for their business information assets (Entrust, 2004). In order for an organization to provide a sufficient amount of protection for its important information assets, it must consider the various internal and external sources from which business information risks may arise.

The sources of business information risk
There are basically three main sources from which business information risks may arise. These include the risks associated with natural phenomena, risks of a technical nature resulting from the extensive company-wide dependence on technology today, and also any potential human-related risks that may affect business information. Natural risks could include the possibility of threat events such as floods, earthquakes, lightning storms or even fires having an impact on an organization (Wold and Shriver, 1997). Typically these events, also known as acts of God, have the potential to cause considerable damage, not only to the organization’s business information assets, but also to its physical structures (Whitman and Mattford, 2003). Technical risks arise as a result of a growing dependence on technology, which has already become widely integrated into most organizations today and can be said to form the cornerstone of all information processing, storage and transmission. Smith (1989) shares the same sentiment and states that computers and related technologies form the “information backbone” of organizations operating in the world today. However, such a pervasive presence of technology in most organizations really has the potential to significantly affect the confidentiality, integrity or availability of business information assets. This places these assets at great risk due to the numerous potential hardware or software failures that can occur. Some examples of possible hardware or software failures could include malfunctioning hardware that cannot be repaired or code bugs in computer applications (Whitman and Mattford, 2003).

The final source of risks to business information results from the deliberate or accidental acts of human beings. Human risks possibly create the greatest area of concern regarding the protection of an organization’s critical business information assets. Risks of this nature tend to be quite numerous and can cause a lot of damage. Some examples of deliberate acts by human beings include the transmission of viruses through email message attachments, which if opened can bring entire networks to their knees. Hackers also aim to deliberately violate the security of business information by gaining unauthorized access to private corporate networks for malicious purposes. Not everyone, however, wishes to deliberately violate the security of business information. For example, as employees carry out their daily activities they are prone to make mistakes that can seriously affect such business information. Employees may mistakenly capture data incorrectly, perhaps delete sensitive information or even negligently leave sensitive information vulnerable for unauthorized individuals to gain access to it (Whitman and Mattford, 2003). Clearly each of these various sources of risks presents organizations with a very real challenge when it comes to providing adequate protection for their information resources. It is highly important that each of these sources of risks be addressed in order to ensure the confidentiality, integrity and availability of business information from both an internal and external point of view. Additionally, an organization’s active engagement in this challenge will facilitate it in protecting the full scope of its business information, which comes into contact with the people, processes and technology that comprise everyday business operations.

This will further demonstrate that such an organization understands that information security is more than merely a technical concern, as the literature has pointed out (Entrust, 2004; Birman, 2000; Corporate Governance Task Force, 2004). The need to holistically protect business information from various sources of risks is quite important. Several key requirements should therefore be contemplated in order to ensure that an organization’s sensitive business information assets are protected as holistically as possible.
The need to secure business information
Before looking at what is required in order to holistically secure business information, it would be more suitable to first discuss the importance of information security as a whole.

Why information security is important
Information security, which involves preserving the confidentiality, integrity and availability of business information, helps to mitigate the various risks to such information through the application of a suitable range of security controls. A suitable range of security controls could be defined as having an appropriate mix of physical, technical or operational security controls. These could, for example, include things such as locked doors, user login passwords or even security policies and procedures, respectively. Information security thus assists an organization in sharing its business information in a trustworthy way (BS 7799, 1999). This will ultimately help an organization to continue to build trusting relationships with its customers, suppliers and other business partners. In turn, creating trusting relationships with these stakeholders, by securing information through various security controls, will improve the cash flow and profitability of such an organization (BS 7799, 1999). Effective information security can, therefore, have a dramatic and positive impact on an organization. However, in order for organizations to implement an appropriate set of controls and administer information security effectively, various security requirements and guidelines, as mentioned earlier, need to be considered. These security requirements and guidelines also stem from sources both internal and external to an organization.

External and internal security requirements and guidelines
Addressing both internal and external security requirements is essential in order to properly administer information security and to avoid the potential consequences of any negligence in this regard. Specifically, these security requirements include: firstly, requirements to protect the IT infrastructure; secondly, legal, regulatory and statutory requirements; and thirdly, requirements for information integrity, confidentiality and availability as identified by an organization (Humphreys et al., 1998). These requirements, together with the guidance of accepted security standards, such as BS 7799 (1999), and other best practices, form the basis of an effective approach to information security.

External requirements and guidelines
Information security standards and best practices are important as they are used to inspire global information security principles and nurture trusting relationships between an organization and its various stakeholders (Gerber and von Solms, 2001). As mentioned earlier, BS 7799 is an example of such a standard that offers guidance on how to approach information security through means that have been proven to work in many organizations (BS 7799, 1999). Basically, BS 7799 offers information security advice based on 10 broad security control categories and serves as a starting point for organizations to begin an effective information security strategy (BS 7799, 1999). The security controls an organization selects from these 10 categories should fulfill each of the three security requirements as enumerated above. Legal and regulatory issues associated with information security have arisen because of the ease of access to business information and services today. Entrust (2004) motivates that “The very openness and accessibility that stimulated the adoption and growth of private networks and the Internet also threaten the privacy of individuals, the confidentiality of business information, and the accountability and integrity of transactions.” For this reason governments around the world have mandated numerous statutory and legislative requirements in order to stimulate and develop corporate information security efforts. There are various types of legal requirements that organizations are expected to comply with or face potentially severe prosecution in this regard (Swindle and Conner, 2004). These include various discipline-specific as well as country-specific statutes and laws. Some examples include the South African Electronic Communications and Transactions Act (2002) and the International Basel II Accord (Basel Committee, 2004).

Internal requirements
Business issues in terms of information security translate into those requirements concerned with an organization’s own internal needs for ensuring the confidentiality, integrity and availability of its sensitive business information assets. Humphreys et al. (1998) describe these security requirements as those that serve to complement an organization’s company-wide principles, goals and needs in terms of information processing that will sustain an organization’s normal business operations. IT infrastructure issues associated with information security help to define those requirements that are relevant in terms of protecting the critical infrastructure that forms the “information backbone”, as Smith (1989) terms it, of most organizations today. These issues are dealt with primarily through an exercise known as risk analysis, which aims to identify and assess various risks in terms of their importance by looking at a variety of asset, threat and vulnerability associations. These risks are further dealt with through a process of risk management in which a suitable set of security controls is selected and implemented in order to mitigate these potential infrastructure-related risks. Each of these internal and external security requirements helps to address the various important aspects of business information risks that most organizations face today. Fig. 1 illustrates the relationship between these various internal and external security requirements, which are needed to mitigate the numerous internal and external risks affecting business information. Information security is a complex issue, though, in terms of satisfying each of these requirements. For this reason, information security must become a central management and governance responsibility (Swindle and Conner, 2004). Ultimately this means that the way information security is addressed today needs to change.
Figure 1 The internal and external requirements that contribute to an effective information security strategy.

How to address information security
It has been stated that information security is more than a purely technical issue and may possibly even be a strategic and legal issue as well (Birman, 2000). This point has been clearly motivated throughout this paper by the various information risks and security requirements that have thus far been discussed. For this reason there is a definite need to elevate the importance of information security and integrate it into an organization’s overall corporate governance program (Corporate Governance Task Force, 2004). The Corporate Governance Task Force (2004) states that “the road to information security goes through corporate governance”. This will require that organizations establish for themselves a sound security direction by implementing information security as part of the various internal controls and guiding principles that comprise an organization’s overall corporate governance program (Corporate Governance Task Force, 2004). These internal controls and guiding principles dictate how an organization is directed and managed (Swindle and Conner, 2004). Integrating information security into corporate governance will serve to institute information security as one of an organization’s fundamental business operations and impose responsibility, in terms of risk management, reporting and executive accountability, onto the organization’s respective Corporate Board and CEO (Entrust, 2004). The term used to describe how information security is addressed as a part of an organization’s overall corporate governance responsibilities is information security governance (ISG). Today it is important that organizations consider an approach such as information security governance and get executive management, including the Board and CEO, actively involved in such security endeavors. This point, however, needs to be clearly motivated.

Why information security must be addressed as a governance issue
The King Report (2001) on Corporate Governance helps to clarify why information security should be addressed as a corporate governance responsibility. Firstly, a major point of consideration is that the Board is responsible and accountable to the shareholders of the company and, therefore, the Board must ensure that their organization produces business value and delivers a suitable return on shareholder investment (King Report, 2001). Good information security efforts will most assuredly help to generate this return, which Swindle and Conner (2004) clearly motivate. The King Report (2001) further states that executive management is responsible for ensuring that their organizations comply with all applicable laws, regulations and codes of practice. It should be in their best interest to fulfill this responsibility as failure in this regard could result in stringent legal action against them (Swindle and Conner, 2004). Additionally, King states that executive management should discover all significant areas of risk and certify that their computer systems and related technologies are capable of facilitating normal business operations. Hence this will ensure that their corporate assets and processes are fully and appropriately exploited in order to generate maximum returns for shareholder investment (King Report, 2001). It is quite important that an organization’s executive management be involved in information security. This is mainly because an organization’s Board of Directors and CEO need to be informed on the effectiveness of the information security strategies their companies have in place since, as illustrated by the King Report (2001), they are ultimately responsible for this. Now that the importance of addressing information security as a corporate governance responsibility has been motivated, it is necessary to examine information security governance more closely, and specifically explore two sides to information security governance.
An information security governance framework

The two sides to information security governance are essential components that contribute towards an effective strategy for dealing with business information risk at a corporate governance level. Firstly, there is a governance side, which involves executive management and the Board and how they go about setting the information security direction and strategy of their organization. Furthermore there is a management side which is more concerned with how an organization’s security strategy will be implemented and managed.

The governance side
According to the King Report (2001), an organization’s Board of Directors is required to successfully direct and control their organization as a whole. Holistically and effectively directing and controlling an organization would, therefore, also include attempts in terms of directing and controlling information security, since this needs to become part of an organization’s fundamental business operations (Entrust, 2004).

In terms of directing an organization’s information security efforts, executive management and the Board should produce a corporate information security policy that shows their commitment to information security and supports their organization’s mission, goals and corporate information security strategy (Whitman and Mattford, 2003). The development of such a policy will demonstrate that executive management and the Board are in support of the establishment and implementation of a comprehensive information security plan (Corporate Governance Task Force, 2004). In terms of controlling an organization’s information security efforts, executive management and the Board need periodic reports from their various organizational department heads on the effectiveness of their organization’s overall information security plan (Corporate Governance Task Force, 2004). This will enable executive management and the Board to scrutinize and review their strategies and policies so that these may be regulated and improved upon where necessary (King Report, 2001). It is highly important that executive management and the Board are in control of their organization’s information security efforts because, as Entrust (2004) states, “like quality assurance, [information security] requires continuous, incremental improvement over time.”

The management side
The management side of information security governance is concerned with how the stipulations for information security by executive management are implemented in an organization. This involves the commitment of various department heads and other managers to implement the specifications of the corporate information security policy with the assistance of conventional security codes of practice (Corporate Governance Task Force, 2004). In this paper it has been mentioned that BS 7799 is an example of such a code of practice (BS 7799, 1999). A document like this would be able to suggest appropriate security controls that can successfully preserve the confidentiality, integrity and availability of business information and thus could serve to integrate information security into the daily activities and functions of an organization. Once the security measures have been implemented, business information risks, as well as the usefulness of the selected security controls, should be observed and reported to executive management (Corporate Governance Task Force, 2004). These reports will further aid executive management in directing and controlling their organization’s information security endeavors with greater precision.
A framework for the governance of information security
645
Figure 2 The governance and management sides of information security.
Fig. 2 illustrates the relationship between the governance and management sides of information security governance. To govern and manage information security effectively, it is important to have a proper framework. Such a framework also presents several benefits.
Some benefits of information security governance
Information security is becoming a major issue of concern to both the private and public sectors, including governments around the world (Corporate Governance Task Force, 2004). For this reason the Corporate Governance Task Force (2004) recommends that effective governance frameworks should exist. Entrust (2004) motivates that the acceptance and implementation of an ISG framework is an important action in securing business information through the protection of information systems, acting in accordance with legislation, and improving the efficiency of business operations, amongst other things. Thus information security governance enables an organization to fulfill effectively all the internal and external requirements in terms of protecting business information assets and, therefore, covers the full scope of risks faced by an organization in this regard. These security requirements could be viewed as information risk directives that would advise executive management on what should be done in order to govern and manage information security properly. Consequently these requirements will ultimately help to guide the construction and implementation of an effective information security strategy through corporate governance. Hence, this approach will introduce accountability to three central aspects of corporate governance (Swindle and Conner, 2004), which are central to an organization's key business operations, namely people, processes and technology, as discussed earlier. Accountability results in several benefits that stand to be gained by implementing an ISG framework such as this. These benefits include enhanced internal security practices and controls, and the promotion of self-governance as a preference over increased legislation by governments and local authorities (Entrust, 2004). Fig. 3 illustrates the framework for an effective information security governance strategy, highlighting the major elements of concern and how they relate to each other in order to create a good ISG framework.
Figure 3 An information security governance framework.
Conclusion
Information security governance is a complex issue requiring the commitment of everyone in an organization to do their bit in order to protect their company's valuable business information assets. If administered effectively, information security governance will be of value to organizations in ways that exceed the mere observance of lawful conduct (Swindle and Conner, 2004). In fact, information security governance is useful as a mechanism to increase overall productivity and lower costs in an organization and to produce value for all of its relevant stakeholders, including governments and other legislative authorities (Swindle and Conner, 2004). For the above-mentioned reasons it is of vital importance that executive management teams, including boards and CEOs, adopt a sound ISG framework, such as the one presented in this paper. This will ultimately help to guide the implementation of an effective information security governance strategy in their organizations and address all pertinent aspects of business information risk that may be present.
References
Basel Committee. Basel II: international convergence of capital measurement and capital standards. Available from: <http://www.bis.org/publ/bcbs107.pdf>; 2004, June.
Birman KP. The next-generation internet: unsafe at any speed. IEEE Computer 2000;33(8):54-60.
BS 7799. BS 7799: code of practice for information security management as a base for certification; 1999.
Corporate Governance Task Force. Information security governance: a call to action. Available from: <http://www.cyberpartnership.org/InfoSecGov4_04.pdf>; 2004, April.
Electronic Communications and Transactions Act. Available from: <http://www.gov.za/gazette/acts/2002/a25-02.pdf>; 2002.
Eloff JHP, Labuschagne L, Badenhorst KP. A comparative framework for risk analysis methods. Computers and Security 1993;12(6):597-603.
Entrust. Information Security Governance (ISG): an essential element of corporate governance. Available from: <http://itresearch.forbes.com/detail/RES/1082396487_702.html>; 2004.
Gerber M, von Solms R. From risk analysis to security requirements. Computers and Security 2001;20(7):577-84.
Halliday S, Badenhorst K, von Solms R. A business approach to effective information technology risk analysis and management. Information Management and Computer Security 1996;4(1):19-31.
Humphreys EJ, Moses RH, Plate EA. Guide to BS7799 risk assessment and management. British Standards Institution; 1998.
King report. The King report on corporate governance. Available from: <http://www.iodsa.co.za/IoD%20Draft%20King%20Report.pdf>; 2001.
Ritchie B, Brindley C. The information-risk conundrum. Marketing Intelligence and Planning 2001;19(1):29-37.
Smith MR. Commonsense computer security. McGraw-Hill; 1989.
Swindle O, Conner B. The link between information security and corporate governance. Available from: <http://www.computerworld.com/securitytopics/security/story/0,10801,92915,00.html>; 2004, May.
Thompson K, von Solms R. Integrating information security into corporate culture. Masters dissertation, Port Elizabeth Technikon; 2003.
Whitman ME, Mattord HJ. Principles of information security. Course Technology; 2003. p. 153-90.
Wold GH, Shriver RF, editors. Risk analysis techniques. Available from: <http://www.drj.com/new2dr/w3_030.htm>: Systems Support, Inc; 1997.