Information Security Governance - Course Description
The term Governance is widely used, and widely abused, across many facets of the business world. It is imprecise in its definition and means different things to different audiences. It has emerged gradually, regarded by some as a dark cloud and hailed by others as long-awaited enlightenment. It has gathered momentum, however, because of a succession of corporate debacles and control failures that have threatened to undermine confidence in the businesses we all work in and rely on.
Governance and Information Security are inseparable. Today, an organisation’s information and other intangible assets account for the overwhelming majority of its market value. Organisations can survive many calamities, including the loss of critical assets such as facilities, equipment and people. Few, however, can continue after the loss of their information. Impairments to the confidentiality, integrity or availability of information can be devastating to a company and to its senior executives, who are held increasingly accountable for their organisation’s financial information.
Accordingly, information security governance has become a legitimate high-level concern and responsibility of the board of directors, executive management and senior IT management. Ensuring proper Information Security is one of the critical functions of good corporate governance today.
The global revolution in governance regulation, brought about by the high-profile organisational failures of the past decade, is affecting most enterprises. In response to these failures, a complex array of laws and regulations, including the well-known Sarbanes-Oxley Act, has been implemented to force improvements in governance, security and organisational transparency.
The driving force that has welded information security to governance is the critical role today of information and the systems that handle it. Management guru Peter Drucker[1] famously observed over a decade ago that information is a “resource equal in importance to the traditionally important resources of land, labor and capital”. Gartner Group[2] has recently estimated that in less than a decade organisations will typically deal with thirty times more information than they do today. This is not a reassuring notion.
Information security can no longer be viewed as just a technical issue to be left to the IT department. Rather, it is a Corporate Governance issue that must be addressed by CEOs and Boards of Directors, then implemented and enforced across all levels of the organisation.
What Information Security Means Today
Until recently, the focus of security has been on protecting the IT systems that process and store the vast majority of information, rather than on the information itself. That approach is too narrow to achieve the level of integration, process assurance and overall security that is now required.
Properly governed, information security takes the larger view that the organisation’s information - and the knowledge based on it - must be adequately protected regardless of how it is handled, processed, transported or stored. It addresses the universe of risks, benefits and processes involved with all information resources. Information security, as with other critical organisational resources, must be addressed at the enterprise governance level.
What You Will Learn
This full-day concentrated overview has been designed to give you a solid understanding of what you need to know about one of the most important challenges facing your business:
- the role of Governance
- the integral role of information security
- the structure, people and processes which support it
- the ongoing challenges and developments of good governance
By the end of the day you will have the ability to engage with and discuss the topic meaningfully within your management and executive teams, and to play your part in defining and meeting the governance requirements of your organisation. Key topics covered include:
- Corporate Governance developments and changes, and what has driven them
- The "What" and "Why" of Governance
- The relationship between corporate governance and information security management
- What processes, frameworks, tools and activities are available to support what we need to do?
- How can we achieve what we need, at reasonable cost efficiency?
- Governance with teeth - the emergence of regulatory power, and the events which have driven it
- Dealing with the challenges of governance regulation (SOX, Turnbull, etc.)
- How much is enough? Are we over-engineering?
Who Should Attend
The program has been designed for all participants in the Governance process, including:
- CIOs, CSOs and other senior IT managers
- Security Professionals, Auditors, Risk Managers, Privacy Officers, Compliance Officers
- Senior general management
- Board members
[1] Drucker, Peter; Management Challenges for the 21st Century; HarperBusiness; 1999
[2] Hallawell, Arabella; Gartner Global Security and Privacy Best Practices; Gartner Analyst Reports; USA; 2004