Q. Have you observed any changes or shifts in the way leading organizations are approaching IT and information assurance?
A. Most would agree that information systems and information technology are critical elements of most organizations’ infrastructure and that the security of the information and technology assets is critically important. Many have recognized that good governance is the most effective way to effect change in an organization. By governance we mean the policy environment, the placement and organization of the human resources needed to manage the information security function, and executive oversight of security operations. It is the responsibility of senior management to implement governance options that assure the secure use and operation of information assets, although this is often relegated to IT staff.
A shift we have seen is a wider acceptance of the need for formal governance in the security functions across a broader range of organizations. In the past, larger organizations were more likely to adopt formal governance solutions. Now, many small and medium-sized organizations are taking the time and effort, as well as the financial resources, needed to make information security governance an effective control mechanism.
The primary objective of governance can be achieved when the members of an organization know what to do, how it should be done, who should do it, and executive management ensures that it gets done. It is incumbent on everyone in the areas of information security, information systems, and risk management to understand the critical nature of effective governance and how it applies to protecting information assets.
The Corporate Governance Task Force at the IT Governance Institute has prepared a report titled Guidance for Boards of Directors and Executive Management, which is in its second edition. This report, available at www.itgi.org, can help communicate the responsibility of the senior executives and Board-level decision makers. The organization also offers advice to security managers in the companion report, Information Security Governance: Guidance for Information Security Managers. Taken together, these documents outline the recommended approach for governance in many types and sizes of organizations.
Answer provided by Herbert J. Mattord, Content Faculty Expert: Information Security and Assurance, Security Executive Council; and Dr. Mike Whitman, Professor of Information Security and Director, KSU Center for Information Security Education at the Michael J. Coles College of Business.