Abstract
IT security governance bridges the gap between corporate governance and information security which is defined as the protection of information and other valuable assets in the organization from a wide range of threats in order to maximize ROI (Return On Investment) and minimize risk. These risks emanate from multiple sources like espionage, sabotage, malicious code, computer hacking, sophisticated denial of service attacks, vandalism, fire, flood, and other natural or manmade calamities. Information security in an organization is achieved by implementing suitable sets of safeguards or controls, including policies, processes, procedures etc. These controls need to be established, monitored, and suitably implemented across organization to ensure smooth functioning of business. There are existing sets of internationally recognized standards like CobiT, ISO17799, and others available, which are country and industry specific. These standards include a set of specific controls. Organizations operating in a particular country should be compliant of these standards, and as often these are legal obligations. Stakeholders and auditors are concerned with discrepancies that accrue in the implementation phases of implementation of these standards in any organization. Compliance Auditing (CA) is the process that identifies and analyses any misalignment of the organization’s rules and policies with respect to government regulations/industry best practices, which they are supposed to implement. A distinct challenge in compliance auditing is the measurement of discrepancies between company policies, controls, and industry standards vis-a-vis actual organizational practices.
TopIntroduction
In this chapter we discuss a framework for building a multi agent information model that captures the notion of compliance semantics and present it using event ontology. We also present a methodology for computing the compliance measure of organizational practice with regulatory/standards requirements capturing the relevance of the ontological concepts using fuzzy weights towards estimating the compliance. Without any loss of generality we demonstrate our technique in some particular cases of Information Technology - Security Techniques (AS/NZS ISO/IEC 17799:2006 & CobiT4.1) where we present an ontology, construct semantic model, and derive compliance rules from the information security controls. Finally we compare the two standards and discuss how the model can be used as a decision support system tool at the hands of auditors in the chosen domain.
In this book chapter we endeavour to establish a direct linkage between corporate governance and information security via internal controls. Corporate security governance is a part and parcel of wider corporate governance framework which is meant to be the signpost for strategic guidance of the company. It is a symbol of board of director’s commitment towards the stakeholders. Corporate security governance is expected to provide transparent and authentic reports of financial and accounting system of the organization. Higher echelon of management is legally held responsible for its veracity. The whole exercise is achieved through existence of appropriate framework of internal control which is essential part of corporate governance. Top management are held responsible for the consequence of failure of internal control in the organization. This internal control is critically dependent on information security which is based on particular information security standard, the organization adheres to. Often stakeholders, legal entities, partners, legislators demand multifarious requirements which are often difficult to satisfy simultaneously. To satisfy regulatory requirements, which are often conflicting by nature, information security standards and various industry best practices are deployed by respective organizations to quantitatively measure adherence to numerous industry and country specific regulations. Thus we get the linkage between corporate security governance (which is part of wider gamut of corporate governance), based on internal controls, which in turn exclusively depends on information security for its very existence. Auditing is done to scrutinize the whole process. Auditors are professionals who are legally empowered to critically examine the performance of the organization to make an opinion thereof whether the performance of organization is consistent with the security standards it is supposed to follow. Compliance Auditing (CA) is a process employed by auditors which critically examines and measures any discrepancies between organization’s actual practice and guidelines prescribed in information security standards which the organization is supposed to follow. Hence information security based on organizational internal controls proves to be the vital link for the very existence of corporate governance edifice. Our endeavour in this chapter is to provide a methodology to automatize the compliance auditing process and measure discrepancies between actual performance and security guidelines.
Information security is a direct corporate governance responsibility and lies squarely on the shoulders of the Board of the company.
The chapter is composed of four parts. Part 1 introduces corporate security governance and risk management problems associated with any organization, in a particular domain and in a specific country. Part 1 consists of two sections A &B. Section A defines what is asset (tangible and intangible assets) for an organization and how the security of the asset, which is subject to multiple threats from various sources, is a fiduciary responsibility on the part of management. This section defines how the risk factor is mitigated by introducing procedures, guidelines and regulations in what is commonly known as controls in corporate security governance. It illustrates some government regulations like SOX, HIPAA as well as some information security standards like BSI, CobiT, ISO /IEC 17799:2005 etc. as part of corporate security governance framework. These regulations are legally enforceable in respective countries and strictest compliances are mandatory for organizations operating in those countries. Section B defines risk in greater detail and introduces the concept of risk containment strategy and measurement of risk compliance metric as part of management of information security in an organization.