News
Plain-English guides to information security risks for directors
9 June 2008
The Information Security Awareness Forum (ISAF), in conjunction with
the Information Assurance Advisory Council (IAAC) and BT, has issued a
series of Director's Guides to raise awareness of the need to protect
against information security risks, and to educate all levels of
management and other disciplines on how to tackle the problem.
According to ISAF, the Guides are the summation of the considerable
knowledge amassed by members of the Forum in the years prior to its
formation earlier this year.
"Although the Forum has only been in existence since February, the
fact that it is an umbrella organisation incorporating the BCS, the CMA,
Eurim, GetSafeOnline, ISC2, ISACA, IAAC and ten other organisations,
means our members have considerable experience of the risks associated
with information security and leakage," said Dr David King, ISSA-UK and
Chair of the Information Security Awareness Forum.
The Director's Guides, he explained, are the result of the
distillation of this knowledge, which is unsurpassed in the information
security industry.
"For too long, directorships have been viewed as positions of
entitlement. They are not. The guides as a whole clearly show that
directors and senior managers must address a wide range of issues and
seek answers to a number of important questions," said Lars Davies from
Kalypton Limited.
"The Regulation and Legislation guide clearly illustrates a few of
the myriad legal and regulatory obligations that all directors and
senior managers face, obligations that they simply cannot pass on to
others. Not only can directors face personal liability for offences
committed by their organizations, but they can face severe personal
sanctions, in some cases a term of imprisonment of up to seven years, if
they are party to the destruction, mutilation, or falsification of
company information irrespective of whether that information is
paper-based or electronic.
"Record retention obligations, and the information assurance
requirements that follow from those obligations, come in many guises.
Whilst statutes such as the Companies Act provide for explicit
requirements, others, including those such as the Companies Act which
contain explicit obligations, implicitly require organizations to
maintain suitable records to ensure that they can evidence the fact that
they have been managed correctly," he continued.
"If these guides achieve nothing other than to shake directors out of
their self-imposed complacency, a complacency cultivated over the past
two decades, then they will have achieved their purpose admirably," he
concluded.
Ray Stanton, global head of business continuity, security &
governance practice, BT Global Services, said, "The publication of these
guides could scarcely be more timely. While the technology and systems
we employ to keep data secure continue to improve, the biggest threat to
security remains lapses in concentration when it comes to doing the
basics correctly.
"A large part of that is due to poor communication and a poor
understanding of the risk posed by lapses in security. For example, our
own research has shown that nearly a quarter of UK employees (22%)
believe that losing a mobile electronic device containing sensitive
business information would not be a disaster.
"Changing this type of widespread attitude to security will require a
pan-industry effort as exemplified by these new guides."
"Corporate information risk is seldom discussed at the boardroom
table. These good-looking and well-written Guides show busy board
members why information risk is important and how it can be effectively
managed at a corporate level," said Bruno Brunskill of Anite Business
Consulting, Acting Company Secretary for the Information Assurance
Advisory Council (IAAC).
"The Guides are extraordinarily topical for UK companies, now that
provisions of the Companies Act 2006 are due to come into force later
this year. As the US Sarbanes-Oxley Act heads for its fifth anniversary
this summer, it's clear that corporate governance issues are going to
top many boardroom agendas," Dr David King said.
"The Governance and Structures Guide, for example, seeks to explain
in layman's terms how directors are accountable to their stakeholders
when it comes to protecting their organisation's information. It also
details how to formulate an information risk governance framework in any
organisation, as well as looking at the cultural issues around security
that managers may encounter," Dr David King added.
Further information
The Guides can be downloaded from the ISAF website:
www.theisaf.org/kzscripts/default.asp?cid=6