Information Security Governance – raising the game
A new report from independent information security body, the Information Security Forum (ISF), provides organizations with a clear picture of how better governance can help the information security function raise its game within the business. Entitled ‘Information Security Governance – raising the game’, the report outlines how adopting a governance-style approach can lift security out of its technical ‘comfort zone’ and into a wider business context.
The ISF argues that while corporate governance is well-known and common practice, even obligatory, within the corporate environment, governance itself is not always present in information security – a critical part of any business. However, when the security function does adopt governance, it leads to better engagement with senior executives and other corporate governance functions, helping to foster better understanding, minimise risk and limit reputational damage.
The report’s author and ISF Principal Analyst, Adrian Davis, comments: “Corporate information is becoming much more complex because the technologies and processes to manage it are becoming more complex. At the same time, information is much more susceptible to attack or abuse, as we’ve witnessed many times this year already. This new report shows how information security governance can become an integral part of corporate governance, demonstrating to a company’s stakeholders – customers, partners, shareholders and regulators – that corporate data is being protected according to industry best practice.”
‘Information Security Governance – raising the game’ offers practical step-by-step guidance for businesses via a comprehensive security governance framework, developed using ISF Member experience, analysis, research, tools and workshops. It enables Members to demonstrate how information security can:
- Deliver value to stakeholders: Improve effectiveness and efficiency; meet stakeholder requirements; enable business initiatives; and integrate with enterprise processes
- Achieve strategic goals: Execute strategic objectives; set and refine information risk appetite; sustain buy-in and commitment; and maintain security requirements
- Provide information risk assurance: Oversee assurance programme; implement risk assessment; ensure compliance; manage supply chain risk; and monitor and report on assurance.
An executive summary of the ‘Information Security Governance – raising the game’ report is available here (after free registration).
• Date: 26th October 2011 • Region: World • Type: Article • Topic: ISM