- Laws: Laws and regulations define the legally mandated duties to protect associated with jurisdictions. All laws of all jurisdictions in which an enterprise operates have to be considered in order to make prudent determinations as to duty to protect.
- Owners: The owners are the ones hurt by bad management decisions, and they need to assure that their investment is not lost by electing proper boards of directors. For public companies there are regulatory assurances to support the public owners so that they don't have to get involved in the details of selections in order to reasonably protect their investments, but this lack of direct control by owners is often reflected in the frauds we see in the world. Owners of privately held firms are directly responsible for the disposition of their assets and for proper protection, and they directly suffer from poor decisions in this regard.
- Board: The board of directors is legally and morally responsible to assure that the CEO and other officers are doing their jobs, and it has the ability to define additional duties to protect in keeping with its responsibilities. It also has oversight responsibility to act on behalf of the shareholders to assure that shareholder value is protected.
- Auditors: Auditors are tasked with providing independent and objective feedback to the shareholders, board of directors, CEO, and others on the effectiveness of the protection program in fulfilling the duties to protect within the risk tolerance parameters set by management.
- CEO: The CEO is responsible for day-to-day control over the enterprise and, as part and parcel of this responsibility, for protecting shareholder value, for identifying the duties to protect, for assuring that those duties are carried out, and for measuring the performance of those duties. That measurement allows adequate control to improve situations that warrant improvement and to keep costs as low as possible without undertaking inappropriate levels of risk.
In concert, these elements comprise the oversight function of enterprise information protection.
For more details and in-depth coverage of these issues, buy the Governance Guidebook.
This was first published in January 2006
Security Management Strategies for the CIO