In this excerpt from "The Practical Guide to Compliance and Security Risks," author Rebecca Herold outlines the risks executives are often in the dark about and the importance of creating a security management oversight council.
Identifying Risks to Executives
Executives have increasing exposure to information security risks as technology advances and new laws and regulations are implemented. Executives are susceptible to risks such as
- Not being aware of existing risks within the organization and not knowing which risks are most significant
- Failure to create, support, and communicate an adequate and effective security culture and control framework to meet business needs
- Failure to effectively delegate responsibilities for risk management throughout all levels of the organization
- Failure to detect where security weaknesses exist within the organizational business units
- Failure to successfully monitor risk management activities to ensure compliance with policy
|Security is not a one-time effort. IT environments keep changing, new laws and regulations are being passed every day, and new security risks can occur or develop at any time.|
Making Security a Business Responsibility
Information security must be viewed as a business responsibility and must be shared by all members of business management. It is most effective to incorporate security throughout the business units by creating a security management oversight council to ensure that there is clear security direction and apparent management support for security initiatives. Such a council should promote and enhance security within all business processes by applying appropriate commitment and adequate resources.
For some organizations, the oversight council may be part of an existing management body. In others, it will be most effective to create a new group of managers to oversee security. Typically, an information security oversight council
- Reviews, approves, and visibly supports information security policy and overall responsibilities
- Monitors significant changes in risks to information assets and emergence of major threats
- Reviews and monitors information security incidents and how they were resolved
- Approves major initiatives to enhance information security
|The information security officer should head the information security management oversight council to ensure consistent security is implemented throughout the organization.|
To be successful in today's information economy, enterprise business governance and IT governance can no longer be considered separate and distinct disciplines. Effective enterprise governance must focus individual and group expertise and experience where it will be most productive. Governance must monitor and measure performance and provide assurance to critical security issues. Information security must be regarded as an integral part of business strategy.
|An IT governance structure should link and integrate the IT security processes and resources with the business strategies and objectives.|
A successful IT governance framework will integrate and optimize the way IT functions and associated business processes are planned, organized, acquired, implemented, delivered, supported, and monitored. IT governance, which includes security within every element, is integral to the success of enterprise-wide governance. IT governance should assure efficient, effective, and measurable improvements throughout all enterprise processes. Effective IT governance will enable the enterprise to use information in the most efficient and effective way possible, which will ultimately increase business benefits, put the organization in a position to take advantage of emerging opportunities, and enable the company to gain a competitive advantage.
To read more from The Practical Guide to Compliance and Security Risks, download the full excerpt.
This was first published in April 2006