According to the 1991 Cadbury Report, corporate governance is "the system by which companies are directed and controlled. Boards of Directors are responsible for the governance of their companies."

There are two basic steps towards ensuring good corporate governance: identifying the risks, and then controlling or mitigating those risks. The real problem lies in being able to quantify the scale and potential impact of the risk in the new environment.

In terms of information security, risks include those posed by outsiders (for example hackers, crackers, 'hacktivists' and competitor companies) and by internal factors – IT failures, genuine mistakes by employees and deliberate actions by disgruntled employees, etc.

Other risks include breaches of regulations on data protection and retention, the theft of information, defamation and liability issues.

It must also be absolutely clear to whom this risk is presented. In other words, to whom does the Board of Directors have a Duty of Care? This includes both traditional stakeholders (such as shareholders) and other stakeholders (including employees, suppliers and customers/consumers).

A Board – and individual directors – can demonstrate due care for their company's information assets by adopting good corporate governance measures such as appropriate risk management, internal auditing and controls. To this end, there are clear frameworks in place to which any UK Board should adhere. These include the Turnbull Report and management standards such as ISO 17799.

While compliance with specific security management standards is not yet a regulatory requirement in the UK, companies that don't actively demonstrate compliance with best practice will open themselves up to legal claims and, increasingly, will be regarded by the markets and stakeholders as bad risks. That is the message all in-house security professionals must impart to their own Board of Directors.