What, though, is information assurance? It is a holistic approach towards protecting corporate information and information systems - and, therefore, business continuity - by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. Although building on the discipline of information security, the concept of IA raises the profile of security as a business-critical operational function rather than as the technical support function it was previously viewed as.
There is an increasing awareness of the importance of ensuring accessibility, availability and security of corporate information resources. Companies are faced with rising concerns over issues ranging from the protection of personal information from both loss and theft, through industrial espionage, to business continuity in the face of erroneous or malicious interruptions to information systems.
Yet mitigating these risk factors is made much easier through the implementation of effective corporate governance strategies on IA. Information is clearly a high-level enterprise asset; it is therefore the responsibility of all managers and directors to ensure its security on behalf of all stakeholders.
Identifying your Information Assets
Information assets do not consist solely of computer hardware or software. The majority of company directors tend to overlook embedded information (e.g. in manufacturing) and intangibles such as general information about the company, R&D, IPR, brand and reputation.
Therefore, all aspects of controlling and securing corporate information in the manner of greatest benefit to the organization must be valued and costed in the same way as other corporate assets. Yet one of the hurdles currently faced by those attempting to integrate IA considerations into corporate governance and risk management is the inability to measure the cost-benefit of the IA measures applied within an organization.
Gaining Board-Level Awareness - The Y2K Experience
The Y2K experience demonstrated that IA's strategic governance role can only be established in a company once senior management have given it their full support and commitment. Ironically, however, the success of organizations' Y2K strategies has led senior management to undervalue both the benefits arising from their work on Y2K and the value of continuing to take an interest in IT issues. The requirements for good corporate governance clearly show a continued need for management involvement in such issues.
What is Good Corporate Governance?
Good corporate governance refers to the management of risk within an organization in order to ensure the continuity of that organization's business and existence. The two steps towards ensuring good corporate governance are the identification and mitigation of these risks. The challenge is being able to quantify the scale and potential impact of risk in the new environment.
In the UK, the IA corporate governance framework currently centers on two pillars: the Turnbull Report and British Standard 7799 (BS7799), the Code of Practice for IA Management, which is now also an international standard, ISO 17799. The 1999 Turnbull Report on corporate governance requires companies to ensure they have a sound system of internal control and effective risk management processes, which the board reviews regularly.
ISO 17799, a risk management model, contains a detailed set of controls that will satisfy the IA requirements of most IT environments across all functional domains. Its ten sections constitute a guide to all the processes to be implemented in order to ensure an effective information security management program in any organization. Although industry opinion on the benefits of the actual BS7799 certification process is mixed, it is generally agreed that many of its practices and processes act as a valuable baseline standard.
Incentives for Promoting IA and Good Corporate Governance
While the need for robust IA as an element of corporate governance may be clear, the challenge remains to motivate corporate leaders to adopt both good corporate governance in general and IA in particular.
Negative incentives include stock market reporting rules; avoidance of legal liability, both for the company and for individual directors; and avoidance of the costs that follow a security incident, including loss of customers and damage to reputation. Positive incentives, on the other hand, include competitive advantage through using IA as a marketing differentiator, lower costs through reduced insurance premiums, and greater business benefits as internal and external stakeholders place trust in information processes.
The Way Forward
A valuable starting point for the enhancement of IA as an element of good corporate governance would be to move beyond these requirements to include refinements detailing IA auditing and reporting requirements. There is a need for company reporting requirements to mandate reporting of aggregate statistics on IA incidents, in order to contribute to a better understanding of the nature and extent of the problem. Making IA incidents 'routine' in this way may also help to reduce competitive sensitivities about information sharing.
Within an organization itself, the board needs to be regularly informed by its IT security managers so that it understands the implications of the constantly evolving risks posed to its information assets. Of equal importance is the information security communication strategy for employees within the organization. Although the final responsibility for the implementation of IA as good corporate governance rests with the board, the over-arching processes required to achieve this standard in practice require the informed co-operation of all constituents in the organization.
It is now time for senior management to face up to their obligations, informing themselves and ensuring that the message is spread across their organizations. This education and outreach will ultimately ensure their very success in the information society.
Aarti Anhal is a researcher for the Information Assurance Advisory Council (IAAC). For further information on IAAC and its activities, please visit the website at www.iaac.org.uk.
IAAC's Second Annual Symposium (www.iaac.org.uk/events/symp01.htm) on January 29, 2002 will offer insights into the future of UK, European and international policy and regulation relating to information assurance and security.