Corporate Governance Task Force of the National Cyber Security Partnership Releases Industry Framework
Public-Private Partnership Issues Call to Action for CEOs and Boards of Directors to Incorporate Information Security as Part of Corporate Governance Policies and Management
12 Apr 2004
WASHINGTON D.C. – The Corporate Governance Task Force of the National Cyber Security Partnership (NCSP) today released a management framework and call to action to industry, non-profits and educational institutions, challenging them to integrate effective information security governance (ISG) programs into their corporate governance processes.
The NCSP Task Force report identifies cyber security roles and responsibilities within corporate management structures, and it references and combines industry-accepted standards and best practices, metrics and tool sets that bring accountability to the three key elements of corporate governance programs and information security systems: people, process and technology.
Although information security is often viewed as a technical issue, it is also a governance challenge that involves risk management, reporting and accountability. As such, it requires the active engagement of executive management and boards of directors across all industry sectors and among non-profit organizations and educational institutions. By using the ISG framework and assessment tools, organizations can integrate information security into their corporate governance programs and create a safer business community for themselves and the enterprises that interact with them.
In addition to the recommendations and tool sets contained in the report, the NCSP plans to assist organizations seeking to meet the Task Force call to action by promoting ISG implementation through an awareness and rollout campaign in the coming months.
“In this era of increased cyber attacks and information security breaches, it is essential that all organizations give information security the focus it requires,” said Amit Yoran, Director of the National Cyber Security Division, IAIP, at the Department of Homeland Security. “By addressing these cyber and information security concerns, the private sector will not only strengthen its own security, but help protect the homeland as well. The Department of Homeland Security supports the Task Force’s call on organizations to make information security governance a priority and to use tools such as the ones described in this report to develop effective information security governance programs.”
The recommendations that follow are designed for broad application to private sector businesses across all sectors, non-profit organizations and educational institutions:
- Organizations should adopt the information security governance framework described in the report and embed cyber security into their corporate governance process.
- Organizations should signal their commitment to information security governance by stating on their website that they intend to use the tools developed by the Corporate Governance Task Force to assess their performance and report the results to their board of directors.
- All organizations represented on the Corporate Governance Task Force should signal their commitment to information security governance by voluntarily posting a statement on their website. In addition, TechNet, the Business Software Alliance, the Information Technology Association of America, the Chamber of Commerce and other leading trade associations and membership organizations should encourage their members to embrace information security governance and post statements on their websites. Furthermore, all Summit participants should embrace information security governance and post statements on their websites, and if applicable, encourage their members to do so as well.
- The Department of Homeland Security should endorse the information security governance framework and core set of principles outlined in this report, and encourage the private sector to make cyber security part of its corporate governance efforts.
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) should revise the Internal Controls-Integrated Framework so that it explicitly addresses information security governance.
“It is the fiduciary responsibility of senior management in organizations to take reasonable steps to secure their information systems. Information security is not just a technology issue, it is also a corporate governance issue,” said Art Coviello, president and CEO at RSA Security, and co-chair of the Corporate Governance Task Force. “This call to action is the work of many competing institutions coming together with common purpose: to develop a framework that is easy to understand and still leads to improved security; to develop a tool set that organizations of all sizes can implement; and to deliver recommendations that will help get this done on a voluntary basis across many sectors of the economy. We have done our job and now we encourage CEOs and boardrooms across this country to do theirs.”
“We cannot solve our cyber security challenges by delegating them to government officials or CIOs. The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of Boards and CEOs,” said Bill Conner, chairman, president and CEO, Entrust, Inc. “Today’s call to action delivers the necessary framework, and the process to de-risk cyber security, corporate governance and our economy. As we implement these recommendations, we will reap the rewards of productivity growth, customer satisfaction and improved competitiveness, and gain the larger reward of enhanced homeland security.”
The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academics, CEOs, federal government agencies, and industry experts. Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, the public-private partnership was established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure. The task forces will be releasing separate work products beginning in March 2004 and ending in April 2004. For more information, please visit www.cyberpartnership.org.