ISF report recommends more emphasis on IT security in the mainstream

The paper, titled ‘Information Security Governance – raising the game’, claims to show how governance can help information security align with overall corporate strategy and so deliver stakeholder value.

This cry has been the mantra of the lesser spotted IT security professional for almost a decade, Infosecurity notes, so what has changed with this report?

Essentially the paper explains how adopting a governance-style approach can lift security out of its technical ‘comfort zone’ and into a wider business context.

Mirroring some of the arguments in the quantifying elements of ISACA's COBIT security framework, the ISF's paper argues that, while corporate governance is well-known and common practice – even obligatory – within the corporate environment, governance itself is not always present in information security.

This, says the forum, is despite the fact that information security is a critical part of any business. However, when the security function does adopt governance, the paper claims it leads to better engagement with senior executives and other corporate governance functions, so helping to foster better understanding, minimize risk and limit reputational damage.

Adrian Davis, the report's author – and the forum's principal analyst – said that corporate information is becoming much more complex because the technologies and processes to manage it are becoming more complex.

“At the same time, information is much more susceptible to attack or abuse, as we’ve witnessed many times this year already. This new report shows how information security governance can become an integral part of corporate governance, demonstrating to a company’s stakeholders – customers, partners, shareholders and regulators – that corporate data is being protected according to industry best practice”, he explained.

Davis' report says that information security governance enables the direction and oversight of information security-related activities across an enterprise, as an integrated part of corporate governance. The paper adds that it shows customers, business partners, shareholders and regulators that information is being protected according to industry best practices.

It also, the report notes, provides the agility to deal with incidents quickly and effectively, and enables better management of all information security activities – decreasing the chances of headline-grabbing incidents.
