The CERT Coordination Center has published a comprehensive guide to ways of directing and controlling an organisation to establish and sustain a culture of security. In the introduction to the document CERT states:
“What does it mean to govern for enterprise security or, stated differently, to govern an organization to achieve and sustain acceptable or adequate security? And why is the Networked Systems Survivability Program interested in this topic? Our working definition of Governing for Enterprise Security is:

Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions).

Governing for enterprise security (GES) builds upon and expands commonly described forms of governance. These include corporate governance, enterprise governance, and information technology (IT) governance.

Definitions of corporate governance typically include the relationships and incentives among boards of directors (or equivalent), senior executives, shareholders, and key stakeholders towards ensuring fiscal accountability, clear responsibility, and accurate reporting. Terms included in some definitions include probity (complete and confirmed integrity), due diligence, and standard of due care.

Corporate governance and enterprise governance overlap when the definition is expanded to include the "structure through which the objectives of the enterprise are set, and the means of attaining those objectives and monitoring performance are determined." [OECD 99, 04]. Structures and means may include, for example, policies (and their corresponding standards, procedures, and guidelines), strategic and operational plans, awareness and training, risk assessments, internal controls, and audits.

IT governance addresses the actions required to align IT with enterprise objectives and ensure IT investment decisions and performance measures demonstrate the value of IT towards meeting these. Refer to the supporting notes below for expanded definitions of corporate, enterprise, and IT governance. While these definitions speak most often to commercial, for-profit corporations, they can also be interpreted and appropriately tailored for government, education, and non-profit institutions as well as organizations of any size. Most senior executives and managers know what governance means and their responsibilities with respect to it. Our intent here is to aid them in expanding their governance perspective to include security, incorporating enterprise-wide security thinking into their and their organizations' day-to-day governance actions.”
Read the document at http://www.cert.org/governance/ges.html

• Date: 14th October 2004 • Region: N.America/World • Type: Article • Topic: ISM