Tuesday, March 15, 2005

Security Governance rivals SOX Section 404...

All enterprises confront a category of unforeseen risk. Such risks hinge on events that “might happen,” but haven’t been considered by the organization and, therefore, yield too little information to disseminate to stakeholders. However, stakeholders can demand a management system for Security Governance that is comprehensive, proactive and relevant. The management system, as provided by executives, board members and oversight committees, includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources. The system also incorporates a top management strategic policy that focuses on managing risk for Security Governance while reflecting the location, assets and purpose of the organization, enterprise or entity.

In establishing a process for risk assessment, the organization should consider:

· Impact, in the event the risk event is realized;
· Exposure to the risk on a spectrum from rare to continuous, and
· Probability based upon the current state of management controls.

An organization will encounter dynamic strategic security risks. Its executives must use the management system to identify and assess these risks, develop a strategy for dealing with them to achieve Security Governance.

Security Governance is evolving rapidly and taps the thinking of various standards organizations, including OECD, BSI, NIST, ISSA, GAISP, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter what best practices an organization attempts to standardize on, it must weight the attitudes of the employees and stakeholders.

Unless these stakeholders fully understand the motivation behind tasks and guidelines, the system will fail. The organization that embraces change and introduces a Security Governance framework that manages not only the foreseen human risks but also the unforeseen will greatly enhance its chance of survival. Culture plays a paramount role in the risk for Security Governance because:

1. Any changes in risk management may require changes in the culture and

2. The current culture is a dramatic influence on current and future security initiatives.


Internal controls can provide reasonable assurance that an organization will meet its intended goals. Yet people (Human Factors) will fail an organization in material errors, losses, fraud and breaches of laws and regulations. People will generate constant change, and this cumulative uncertainty mandates a resilient management system for Security Governance that controls risk.

With the system in place, the board of directors soon realizes that managing risk for Security Governance rivals Section 404 of Sarbanes-Oxley as a key to success. In fact, without Security Governance, rules won’t matter and the stakeholders will again ask: How could this happen to us?

No comments: