Information Security Governance: Missing Link In Corporate Governance


Corporate governance is a term that refers broadly to the rules, processes, or laws by which businesses are operated, regulated, and controlled. By mandate, all Zimbabwean companies should practise good corporate governance whether they are listed on the Zimbabwe Stock Exchange (ZSE) or not.

However, most senior executives and board members in Zimbabwe seem to turn a blind eye to a critical facet of corporate governance: information security governance. In most countries worldwide, senior management and the board are held responsible for any security breaches of the organisation’s data or IT systems.

Before I go into the details of defining information security governance, let me give some background information to validate the above assertion. I was at one point a surveyor for the Global Information Security Survey for the Middle East and Africa (MEA), and I had the opportunity to sit and discuss/survey information security governance and other security issues with senior executives from organisations across many sectors.

From the survey I learnt that the governance of information security is still in its infancy in Zimbabwe and in some cases does not even exist. This pandemic is also common in most of the SADC countries. South Africa, though, has made positive strides in this area by imposing stringent compliance regulations, i.e. the Electronic Communications and Transactions Act 25, the Protection of Personal Information Bill, King III and the SA National Cyber Security Policy, which list the legal obligations and the liability for non-compliance.

As it stands, we do not have anything of this nature in Zimbabwe that covers all industry sectors. This lack of proper governance and legislation for cyber security is delaying the diversification of investment in infosec in most African countries, e.g.


“We need to have a proper framework for this thing; another problem is cyber security. We don’t have a law to crack down on cyber criminals; if you commit any ICT crime, it is not enforceable in the Nigerian court because we don’t have the legal backing yet.” An excerpt from “Absence of Cyber Crime Law, Threat to ICT Investment”, NITDA (Nigeria)

Info Sec Governance

Information and IT systems have become the lifeblood of any modern-day business. Companies succeed or falter based on the reliability, availability, and security of their information. But are most companies properly governing how their information is used, shared, and analysed?

Information security governance is the system by which an organisation directs and controls information security. It also describes the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. In simplest terms, it is a subset of the (even more grandiose-sounding) discipline of corporate governance, focused, unsurprisingly, on information security.

Senior leadership’s fundamental commitment to information security is the most important aspect of effectively managing the security risk to an organisation’s information assets; this commitment is also referred to as the leadership’s duty of care, or due care.

To be successful, enterprise security governance activities must be driven by the board of directors, senior management and designated key personnel. These activities should be undertaken in a manner consistent with the organisation’s risk management and strategic plans, compliance requirements, organisational structure, culture, and management policies.

A key aspect of security governance is the need to define decision rights and accountability. Achieving this both in theory (the organisation’s decision rights and accountabilities are clearly defined) and in practice (everyone knows what to do and how) requires the right culture, policy frameworks, internal controls and defined practices.

The complexity and criticality of information security and its governance demand that it be elevated to the highest organisational levels. As a critical resource, information must be treated like any other asset essential to the survival and success of the organisation.

From here to there

There is a need for organisations to start focusing on proper security governance. For a start, organisations such as the Zimbabwe Stock Exchange, the Government, the Computer Society of Zimbabwe, the Zim Law Society, POTRAZ, ICAZ, IIAZ, the Zimbabwe Institute of Management and other industry governing bodies should put their heads together and define appropriate legislation that mandates information security governance, either by referring to existing international frameworks (PCI-DSS, SOX, COSO, ITIL, SABSA, COBIT, FIPS, NIST, ISO 27002/5, CMM, the ITG Governance Framework, etc.) or by consulting local information security and business professionals to come up with an information security governance framework. Senior management/executives may get good exposure if they attend seminars such as the MIS Information Security Africa Summit or other related seminars:

http://www.mistieurope.com/default.asp?page=65&return=70&ProductID=12006

http://www.infosecsa.co.za/

Good corporate governance coupled with good security governance has at least the following characteristics:

  • It is treated as an organisation-wide issue and leaders are accountable
  • It leads to viable governance, risk and compliance (GRC) milestones
  • It is risk-based and focuses on all aspects of security
  • Proper frameworks and programmes have been implemented
  • It is not treated as a cost but as a way of doing business
  • Roles, responsibilities and segregation of duties are defined
  • It is addressed and enforced by policy
  • Adequate resources are committed and staff are aware and trained
  • It is planned, managed, measurable and measured
  • It is reviewed and audited

The turnaround

As the Zimbabwean economy slowly sprouts, the practice of security should also take a leap across all industry sectors. Its adoption will ensure that security becomes part of every organisation, and investor confidence will be boosted as a result.

With time, as information security grows organically, the following benefits of good information security governance may be noted:

  • The board of directors taking full responsibility for information security initiatives
  • Strategic alignment of information security with institutional objectives
  • Risk management: identifying, managing, and mitigating risks
  • Performance measurement: defining, reporting, and using information security governance metrics
  • Value delivery by optimising information security investment and security project delivery
  • Effective protection and security of information assets
  • Easier compliance with local and international regulations
  • Improved resource management, optimising knowledge, InfoSec and IT infrastructure
  • Increased customer confidence

We would love to know your thoughts. Is information security governance a metaphor for bureaucracy and inaction in your organisation, or have you found it to be a positive force in aligning your efforts to the needs of the business?




3 Comments

  1. Munyaradzi says:

    Quite an interesting article. The Zimbabwean situation on this matter is saddening. There is very little understanding of the risks organisations face as a result of ignoring or not paying attention to information security principles and, unfortunately, no MAJOR cybercrime incident has been reported... if detected. Here is my line of thought: if a bank loses 200k in an online banking scheme... the govt is forced to step in with legislation prosecuting such miscreants. But wait, do the authorities have the technical know-how of getting evidence in such crimes? No. Are there any judges with the knowledge of ruling over such issues? No. Worse still, are our system admins trained to identify such intrusions/activity? NO. A big NO. So there is a need for awareness in our society and I'm not too sure whether it will have to take a major incident for organisations to realise their exposure.
    I was shocked when some major bank introduced SMS banking. Good lord, that is a very risky application fraught with so many vulnerabilities. I would NEVER use such a service... but see, that's because I'm a security professional... I can imagine how the bank's executives are boasting about it and probably even calling it a value-adding service. What the hell? We still have a long way to go... execs need to be made aware of the risks they face. I don't know how this can be done.

  2. Nhamoinesu Tinosekwa says:

    I can’t agree more with most of the author’s sentiments. It’s no exaggeration to say information (or should I say data) forms the backbone of most organizations. It is, however, saddening to note that in our beloved continent, as you have rightly pointed out, institutions hardly walk the talk.
    Only a notable number of organisations have an IT representative at Senior Executive level, let alone in the Board. In my opinion the value we place on a department within an organisation can only be explained by the number of dedicated personnel we allocate towards the operations therein. De facto, it will be absurd to expect Information Security governance issues to be enforced at a company without a dedicated, knowledgeable IT or IS or IO Executive (names might differ). At this point let me just say bravo to those organisations which have realised the importance of IT and put such dedicated people in place (though in some cases their competence or incompetence is debatable).
    However, Cde Author, you should note that the challenges which our beloved Zimbabwe was going through can’t afford to be ignored when we are discussing this issue. Do you think it would have made sense to think of foolproof data security in the hyper-inflationary environs? I’m therefore hoping that now that the pressure is easing, our focus and priorities also have to shift. Data protection and availability need to be enforced; breaches likewise need to be punishable. This thus needs to be legislated, not only for the benefit of this generation but for generations to come.
    This can only be accomplished if the right people are put in the right positions and we set our priorities right as a nation. I can see the media is flooded with news of investors who are setting an eye on the jewel of Africa. IS should not be left behind.
    I am confident we have what it takes to be at the top. I have no doubt, though, the task is no honeymoon walk.

  3. The Writer says:

    Thank you guys for your feedback. I agree the Zim economy affected most companies and because of that InfoSec became just like any other operating expense. However, now that our economy is slowly coming back to the surface, there are many initiatives around the enhancement of technology and broadband, meaning that we will become prone to all the security risks that affect the world. On top of this, international companies will be investing in Zim and they require confidence, and governance is one of these confidence drivers. Thus Zim companies need to put governance frameworks in place and position themselves for the economic turnaround. The basics of governance start with putting the right people in place, communication structures, strategy and an investment plan. When all these are in place then it will become easy to develop a viable security plan. In all, it takes those of us who are skilled to take it to the world and then the companies and the government to create a viable environment. It also takes a complete culture change...
