Corporate governance, IT Governance and Information Security Governance
IS 8310 Governance, Risk Management and Compliance
Governance is the process of empowering leaders to implement rules that are enforceable and amendable. For a comprehensive understanding of the term 'governance', it is essential to identify the leaders, the set of rules, and the various positions that leaders govern. Corporate governance, IT governance and information security governance each embrace a linkage with a particular compliance system while focusing on information security and privacy issues in the organization. This work distinguishes the three terms, identifies how they relate to each other, and shows how efforts to comply with each system can be leveraged to apply to the others.
INTRODUCTION
Governance is the process of empowering leaders to implement rules that are enforceable and amendable. Therefore, for a comprehensive understanding of the term 'governance', it is critical to categorize the leaders, the set of rules, and the various positions that leaders govern. For the successful completion of this paper, it is essential to discuss corporate governance, IT governance and information security governance. Corporate governance is the process by which leaders direct and control corporations. In exercising good governance, the board members together with the executive management aim to provide strategic direction by carrying out their routine duties responsibly (Photopoulos, 2008).
They also ensure appropriate management of corporate risks that arise unpredictably. Finally, corporate governance ensures responsible use of company resources. IT governance comprises leadership, company structures and procedures. These three elements ensure that the company's information technology maintains and extends the strategies and intentions of the company. Information security governance has similar functions to IT governance; however, it preserves the confidentiality and integrity of classified data in the company. Therefore, for organizations to secure their information systems and strengthen their security controls, it is essential that they integrate information security into corporate governance (Gartner, 2010).
Most organizations, such as TechNet, view information security as a complex matter, but that is not the case. When organizations undertake major initiatives to protect their information assets, executive management must treat information security as a significant part of organizational operations. The most effective way to accomplish this objective is to integrate it with the other internal controls and processes that make up corporate governance. The following recommendations emphasize the need to integrate information security governance at TechNet with other control systems.
1) TechNet should incorporate information security governance to establish cyber security within its corporate governance procedures.
2) TechNet should demonstrate its commitment to information security governance by affirming its intention to work with corporate governance in evaluating its performance and to report the results to the board members.
3) Companies that embrace a corporate governance program should demonstrate their commitment to information security governance by voluntarily showing that interest on their company website.
Conclusions
Efficient information security governance requires continuous improvement for successful performance. The recommendations provide a strong foundation for organizations that intend to strengthen their information security governance. However, applying these suggestions is only the beginning of safeguarding information systems and strengthening TechNet's security measures. This paper seeks to encourage organizations to prioritize corporate governance, IT governance and information security governance procedures, and to create awareness of the need for governance in organizations (Biegelman & Bartow, 2006).
2. CORPORATE GOVERNANCE
Corporate governance entails organizational principles that describe the relationship between the stakeholders, the executive and the board members. These principles affect how the organization operates. At the most fundamental level, corporate governance focuses on matters that define organizational ownership and management. However, it extends this function by establishing a clear connection between the stakeholders and the executive. Organizations with strong governance policies have effective access to assets and support economic development. In addition, corporate governance extends its functions to dealing with social and institutional challenges (Rasmussen, 2010).
Good governance addresses issues that embrace the significance of justice, precision, liability, and accountability to shareholders and investors. An effective and ethically governed business requires efficient internal governance and a favorable corporate environment. Thus, aspects such as secure company assets, a functioning judiciary and liberty are fundamental to translating corporate governance rules into feasible practices. Furthermore, effective corporate governance ensures fairness and transparency in the organizational environment, and that organizations accept liability for actions committed against their policies. Conversely, ineffective corporate governance results in injustice, embezzlement of funds, dishonesty and misuse of resources. The board of directors assumes responsibility for bad corporate governance. The affairs and the general performance of the company lie in the hands of the boardroom (Basri, 2008).
However, corporate laws and regulations empower the board to delegate some of its duties to committee members. For effective performance, corporate governance sub-delegates some duties to smaller governance bodies dealing with finance, human resources and information technology, as shown in Figure 1.
FIGURE 1. Corporate Governance, with Finance Governance, Human Resource Governance and IT Governance beneath it.
2.1. CORPORATE GOVERNANCE METHODOLOGY
2.1.1. International Finance Corporation Corporate Governance
The company applies the International Finance Corporation (IFC) methodology in implementing corporate governance. This methodology establishes a collaborative relationship with stakeholders and engages them in enhancing governance practices. This is achieved by mainstreaming corporate governance evaluation in the investment procedures of every IFC operation through the IFC Corporate Governance method. In essence, the IFC governance approach is the procedure companies use to evaluate corporate governance structures, principles and procedures by applying appropriate tools. Every evaluation is company-specific, to ensure a feasible approach to corporate governance (Basri, 2008).
This approach serves as the basis for the corporate governance development framework. In all IFC business deals, IFC members cannot carry out an appropriate assessment without assessing and making sound decisions on financial stakeholder rights; liability and the board; the internal control system; and precision and disclosure guidelines. The executive management must understand the core issues of corporate governance and devise approaches for the protection of stakeholders and shareholders. Employing the IFC methodology allows effective management of corporate governance related threats, enhances the capacity to deliver valuable advice to shareholders, and develops stronger collaboration with shareholders. Therefore, employing corporate governance evaluations in IFC operations is essential to improving the business decision-making procedure.
3. IT GOVERNANCE
IT governance deals particularly with IT systems, their functioning and risk management. The primary intentions of managing information technology systems are to ensure that the systems generate business value and to mitigate the threats linked with them. This is achieved by implementing company structures with defined roles for the accountability of information, business procedures and infrastructure. IT governance requires ensuring that IT resources create value and that IT-related risks are mitigated, thereby avoiding business failure (Schwalby, 2011).
Information is imperative to company success, that is, the valuable and competent delivery of services and goods. The transformation process, generally known as "business change", is the key enabler of new business strategies in private and public organizations. Business transformation provides numerous rewards; however, it is susceptible to several risks, which may hinder business processes and cause unplanned outcomes. In essence, IT governance forms part of corporate governance by ensuring that IT objectives are achieved and risks mitigated, so that IT creates value to sustain development in the organization (Huang, Zmud & Price, 2010).
3.1 Using COBIT Methodology in IT governance
IT governance assumes vital significance in contemporary organizations, where information technology is fundamental to business operations. Furthermore, the company depends on information, systems and advanced technologies to develop. Even though technological advancement may enhance various company processes, cut costs and change company practices, it also carries heavy risks. Successful companies are capable of identifying and managing such risks by employing a methodology that allows organizations to manage the risks and increase transparency in business operations (Matwyshyn, 2009).
IT governance is relevant to companies in ensuring conformity, IT alignment, positive returns on IT investments, enhanced security, risk management and so forth. For these reasons, companies must improve their IT systems in order to streamline all business operations. Executing IT governance is a challenging task unless the company implements IT controls using the COBIT framework. COBIT is a powerful, up-to-date, global set of generally accepted IT management good practices and control objectives intended for executive management, IT experts and auditors (Barnhizer, 2006).
4. CORPORATE GOVERNANCE AND IT GOVERNANCE
Evaluation of corporate governance has a direct or indirect influence on IT and on the control of IT governance. In addition, in technology-driven business, corporate governance relies on IT governance for the successful execution of business processes. The board of directors and the executive management are accountable for IT governance. In circumstances where chief executive officers face criminal charges for defying corporate governance, IT governance becomes accountable for business operations. Board members play different roles to ensure the success of the company, and they delegate some roles to other members (Adegbite, 2012). IT governance consists of other, smaller forms of governance, which include performance and capability governance, network governance and information security governance, as shown in Figure 2 below.
FIGURE 2. Corporate Governance, with Finance Governance, Risk Governance and IT Governance beneath it; IT Governance in turn comprises Performance governance, Network governance and InfoSec governance.
5. INFORMATION SECURITY GOVERNANCE
Information security governance comprises leadership, company structures, procedures, monitoring systems and technologies that ensure the confidentiality, integrity and availability of company data.
5.1 Corporate Governance and Information Security Governance
Corporate governance entails the set of laws, regulations and internal controls that manage and regulate organizations. Information security governance is a division of a company's general corporate governance plan. The information a company maintains is one of the fundamental assets for the success of the business. The board, which is accountable for the success of the company, bears the responsibility of safeguarding classified information. The safety of such information is achieved through efficient management and ensured by efficient oversight by the board members (Whitman, Michael, Mattord & Herbert, 2012).
Companies view information security governance as a complex issue because it entails risk management, transparency and liability. Efficient security needs the active involvement of executive management to evaluate rising threats and strengthen leadership. TechNet recognized the significance of integrating a scalable governance structure to help organizations describe the path from awareness of information security issues to the execution of solutions. With this objective underway, TechNet formed subcommittees to:
a) Refine the current literature on information security governance
b) Form a preliminary framework for information security governance
c) Modify implementation directions for diverse bodies
d) Suggest procedures for analyzing compliance
6. CORPORATE GOVERNANCE TechNet RECOMMENDATIONS
6.1 Information Security Governance Framework
1) TechNet should incorporate information security governance to establish cyber security within its corporate governance procedures.
Information security governance (ISG) is an integral element of the effective management of an organization. The state of information security requires immediate attention in order to ensure that information is uncompromised and that systems remain safe. TechNet has the responsibility of examining best practices in information security governance and identifying how the company will enhance its ISG framework. The framework developed suggests implementing controls to help secure the company's data and information systems. In other words, information security governance will focus on the following issues in order to strengthen the system.
a) The powers and responsibilities of the board members
b) The authority and duties of the top executive
c) The powers and functions of the executive committee
d) The powers and responsibilities of top management
e) The duties of company employees, stakeholders and shareholders
f) Development of a security program
g) Managerial unit reporting
h) Data security program assessment
The subcommittee should create a matrix mapping the various components of the framework to the various company structures. Based on the framework, the top executive has the authority to delegate different information security duties to suitable persons in the company. Both the framework and the matrix aim to assist the company in developing an internal model for implementing information security governance. As information security becomes integral to overall company operations, it becomes fundamental to establish strong governance models to ensure an effective infrastructure. The responsibility of the subcommittee is to evaluate the company's structures and governance and provide a framework that enhances information security. This program will ensure the safety of classified information in the face of rising cyber security threats (Wilkin, Campbell & Moore, 2012).
6.2 Implementation of Information Security framework
With growing data security threats, most companies are integrating information security with other business models, an approach intended to accomplish the objective of incorporating information security into corporate governance. The TechNet subcommittee entrusted with the responsibility of developing an ideal information security program affirms that adapting and executing the framework and evaluation tool is fundamental to strengthening data security. The security program is a company improvement program that functions as an avenue for establishing, planning and executing development actions. The ISG evaluation program, correctly introduced by companies, is an initial step in integrating information security into the company's corporate governance framework (Adegbite, 2011).
Increased attention to information security will improve the company's general standing and strengthen its security posture. The program recommended by the subcommittee will reinforce the framework developed under corporate governance. The program will help the company assess the value of the implemented information security governance framework. The company intends to use the framework and the security program to address a wide range of information security areas that influence various company procedures, in order to counteract risks within the company.
The company uses a broad range of accepted methodologies to create the program, which remains a suitable alternative for companies to rely on for information security concerns. The objective is simply for companies to view information security as a fundamental component of business operations (Adegbite, 2010). To simplify the functions played by information, the company divides information security governance into four areas:
a) Company dependency: evaluates the company's dependence on information technology for stability purposes, and the level of company interdependency and control.
b) Risk management: analyses the risk management procedures as the company develops information security approaches and tools.
c) Personnel: analyses the personnel aspects of the company's information security program.
d) Processes: the company identifies the procedures that form part of the information security program.
The company relies on the ISG evaluation program and framework to understand the functions that information security governance has in the company and the ways to improve it. Initially, corporations were the only organizations that used ISG; however, with rising cyber security threats, other businesses have shown interest. This paper intends to introduce and emphasize the functions of information security governance to businesses without a security program. It evaluates and adapts effective recommendations for introducing the information security governance framework and program to fit various company cultures and structures (Adegbite, 2011).
6.3 ISG verification and compliance
Information security shares similarities with quality assurance. Recognizing this relationship, the company has intentionally implemented verification and compliance policy recommendations intended to improve the quality of security practices. With technology advancing daily, information security needs continuous improvement. The corporate governance function affirms that, as with early quality assurance programs, many companies fear that efforts to enhance information security will raise business costs. Like quality assurance, however, information security increases productivity, heightens customer satisfaction and, eventually, increases brand loyalty. The following recommendations facilitate ISG verification and compliance efforts (Adegbite, 2010).
Recommendation 2:
TechNet should demonstrate its commitment to information security governance by affirming its intention to work with corporate governance in evaluating its performance and to report the results to the board members.
The information security governance structure and implementation program that corporate governance develops assist in establishing the process and in undertaking more thorough evaluations, which serve as the foundation for future improvement. The principles help initiate efforts to integrate information security into corporate governance assessment tools.
a) Chief executive officers should carry out an annual information security evaluation, review the evaluation report with employees and present a performance report to the board. In addition, it is essential for the company to perform periodic risk evaluations of information assets and incorporate them into the risk management program.
b) The company should also develop policies and processes, based on risk assessments, to safeguard information assets.
c) As part of the recommendation, the company should implement a security management framework that assigns competent individuals duties, responsibilities, authority and accountability.
d) Furthermore, the company should execute plans and establish actions to provide sufficient information security for systems and data.
e) The company should treat information security as a fundamental aspect of the business life cycle.
f) The company should provide information security awareness, training and education to employees.
g) The company should periodically assess the effectiveness of information security guidelines and processes.
h) The company should develop and implement a plan for corrective action to address any information security risks.
i) It is also necessary for the company to create and initiate incident response procedures.
j) To ensure continuity of company operations, the company should implement plans, processes and evaluations.
k) Finally, in order to evaluate information security performance, the company should employ security guidance practices, for instance ISO 17799.
Recommendation 3:
Companies that embrace a corporate governance program should demonstrate their commitment to information security governance by voluntarily showing that interest on their company website. Furthermore, TechNet should persuade its employees to practice information security governance and publish it on the website. The board members should also introduce information security governance, indicate it on the website, and if possible encourage employees to follow suit. To conform to this voluntary effort, a company embracing corporate governance should accept and execute the recommendations in order to establish a good reputation and be a role model to others. Finally, the company should openly support information security governance and sell the idea to its employees.
7. CONCLUSION
This paper discusses the distinction between, and the need for, governance at the corporate governance, IT governance and information security governance levels. Governance is the process of empowering leaders to execute rules that are enforceable and adjustable when necessary. The company views corporate governance, IT governance and information security governance as an approach embraced by the company to safeguard the company's classified information. As discussed, leaders should emphasize the significance of practicing good governance. In order to practice good governance, the board members and the executive management have the responsibility of providing strategic direction by carrying out their routine duties responsibly. Furthermore, the company requires them to guarantee suitable management of corporate risks that arise unpredictably (Photopoulos, 2008).
The paper discusses the various aspects of these forms of governance, the persons accountable, and the methodologies for implementing them. In essence, corporate governance assures responsible use of company resources. IT governance entails three things: leadership, company structures and procedures. These three components ensure that the company's information technology maintains and extends the strategies and intentions of the company. Information security governance has similar functions to IT governance; however, it secures the confidentiality and integrity of company information. Therefore, for the company to secure its information systems and strengthen its security controls, it is important to incorporate information security into corporate governance. Most companies, such as TechNet, view information security as a complex matter, but based on the discussion of the various functions of corporate, IT and information security governance, it proves simple.