Infosec Plainly

by msecadm4921

With IAAC and BT, the Information Security Awareness Forum (ISAF) founded by the ISSA-UK has issued a series of Director’s Guides seeking to raise awareness of the need to protect against information security risks. The Director’s Guides are sponsored jointly by IAAC, ISAF and BT.

According to ISAF, the guides are the summation of the knowledge amassed by members of the Forum in the years prior to its formation earlier this year. "Although the Forum has only been in existence since February, the fact that it is an umbrella organisation incorporating the BCS, the CMA, Eurim, GetSafeOnline, ISC2, ISACA, IAAC and ten other organisations, means our members have considerable experience of the risks associated with information security and leakage," said Dr David King, ISSA-UK and Chair of the Information Security Awareness Forum.

Director guides

“For too long, directorships have been viewed as positions of entitlement. They are not. The guides as a whole clearly show that directors and senior managers must address a wide range of issues and seek answers to a number of important questions,” said Lars Davies from Kalypton.

“The Regulation and Legislation guide clearly illustrates a few of the myriad legal and regulatory obligations that all directors and senior managers face, obligations that they simply cannot pass on to others. Not only can directors face personal liability for offences committed by their organisations, but they can face severe personal sanctions, in some cases a term of imprisonment of up to seven years, if they are party to the destruction, mutilation, or falsification of company information, irrespective of whether that information is paper-based or electronic. Record retention obligations, and the information assurance requirements that follow from those obligations, come in many guises. Whilst statutes such as the Companies Act provide for explicit requirements, others, including those such as the Companies Act which contain explicit obligations, implicitly require organisations to maintain suitable records to ensure that they can evidence the fact that they have been managed correctly,” he added.

“If these guides achieve nothing other than to shake directors out of their self-imposed complacency, a complacency cultivated over the past two decades, then they will have achieved their purpose admirably,” he concluded.

Ray Stanton, global head of business continuity, security and governance practice, BT Global Services, said: "The publication of these guides could scarcely be more timely. While the technology and systems we employ to keep data secure continue to improve, the biggest threat to security remains lapses in concentration when it comes to doing the basics correctly. A large part of that is due to poor communication and a poor understanding of the risk posed by lapses in security. For example, our own research has shown that nearly a quarter of UK employees (22 per cent) believe that losing a mobile electronic device containing sensitive business information would not be a disaster. Changing this type of widespread attitude to security will require a pan-industry effort as exemplified by these new guides."

“Corporate information risk is seldom discussed at the boardroom table. These good-looking and well-written guides show busy Board members why information risk is important and how it can be effectively managed at a corporate level,” said Bruno Brunskill MA (Oxon), CISSP, FSyI, M.Inst.ISP, Anite Business Consulting, acting as the Company Secretary for the Information Assurance Advisory Council (IAAC).

"The guides are extraordinarily topical for UK companies, now that provisions of the Companies Act 2006 are due to come into force later this year. As the US Sarbanes-Oxley Act heads for its fifth anniversary this summer, it’s clear that corporate governance issues are going to be top of many boardroom agendas," Dr David King said.

"The Governance and Structures Guide, for example, seeks to explain in layman’s terms, how directors are accountable to their stakeholders when it comes to protecting their organisation’s information. It also details how to formulate an information risk governance framework in any organisation, as well as looking at the cultural issues on security that managers may encounter," Dr King added.

According to King, other topics, including information risk at board level and how management should tackle information risk issues, are covered in some depth in the guides.

"Despite their depth of knowledge, the guides are written in Plain English, with no IT jargon. As such they are a perfect set of advisories for today’s Directors," Dr David King said. For more on the ISAF:


© 2024 Professional Security Magazine. All rights reserved.