In this video, Kip Boyle discusses working with an executive team. Explore reasons why supporting executives and the Board of Directors is a major goal of an information security program.
- [Instructor] Supporting your executives and the Board of Directors is one of the four major goals of an information security program. But it's also one of the least well-understood of the goals by all concerned. There are three key areas of board responsibility that your information security program will help to support. Corporate governance refers specifically to the set of rules, controls and processes put in place to dictate corporate behavior. In September 2015, the OECD Secretary General said, "Good corporate governance is a means to create market confidence and business integrity." Good governance involves balancing the interests of a company's many stakeholders, such as shareholders, management, employees, customers, suppliers, financiers, government and the community.
In practice, the board explicitly delegates responsibilities for most governance matters to the Chief Executive Officer. Boards manage risk at a high level in all aspects of their business. Many boards organize themselves using an Enterprise Risk Management or ERM framework. Remember that risk is a chance of harm or loss. In other words, risk is uncertainty. ERM is an ongoing process of reducing uncertainty for the entire organization and not just a particular area inside that organization.
ERM aims to provide reasonable assurance the organization will achieve its objectives. There are four broad ERM categories. Strategic, which are the high-level goals supporting an organization's mission, such as achieving a certain percentage of market share. Operational, which is the effective and efficient use of its resources, which you can measure by keeping gross profit margin above a certain level. Financial, which is concerned with the reliability of financial reports, so managers and investors can rely on those numbers for their planning.
And finally, compliance. Being sure the organization is operating within the applicable laws and regulations. An effective information security program will support some or all ERM efforts. You'll need to work with your executives to learn what they expect. Now, because it consumes a lot of information security effort these days, let's take a deeper dive into compliance. It's the ongoing effort of ensuring that your organization is abiding by both industry regulations and government legislation.
Examples of common compliance mandates affecting information security include the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act of 1996, the Sarbanes-Oxley Act of 2002, and the Federal Information Security Management Act. It's important for you to know that there is a material difference between being compliant and being secure. Sometimes, organizations think they're the same thing.
When that happens, they can get so consumed by complicated regulations, that they stop focusing on security altogether. Using PCI-DSS as an example, Target Corporation comes to mind. Recall that over 40 million credit and debit card numbers were stolen from them in late 2013. But this happened even though Target was validated as being PCI compliant just two months before the breach. So it's best to think of compliance as just a way to know whether your organization needs a specific set of security requirements at a given moment in time.
Although it's not a formal part of GRC, it's important for a board to know whether or not the company is meeting its standard of due care. For an organization, due care is defined as the conduct that would be exercised by the reasonably prudent manufacturer of a product or the reasonably prudent professional in that line of work.
Due care most often comes up when the board is concerned about the possibility of an actual lawsuit from someone who claims to have been harmed by your organization. When the organization carefully and knowingly follows due care, an injured party will not be able to prove negligence which can be a costly thing to be convicted of. When creating an information security program, you must consider what organizations similar to your own do to protect information and information systems. For example, even an unregulated organization should install a firewall between the Internet and their internal data network because that's become a very common practice for everyone.
It could be difficult to get detailed information about security from your competitors, so look to independent organizations that can provide this information to you, often for free. For each of these GRC areas, your information security program needs to provide board members with an understanding of the information security goals it should support, where your program has been in the past, where you are now, and where you're going next. You'll need to help guide the board's decision-making by providing data that's easy for you to gather and present and easy for them to understand.