232,885 research outputs found

    The recognition and application of security risk management in corporate governance

    Security as a profession and discipline has emerged principally in the latter half of the twentieth century and has developed to become a more defined, usual, respectable and visual part of management. This study aimed to determine the degree of recognition and application of security risk management to corporate governance practices in Australia. Formal research design used descriptive research methodology, consisting of a literature review, primary document analysis and a questionnaire survey to collect data. This research was contrasted to a Corporate Governance Security Model formulated to determine if the model is applicable to the recognition, or application, of a security function to the Australian Stock Exchange ('ASX') Corporate Governance principles. A major finding of this study is that security functions and responsibilities are poorly recognised and documented by Australia's largest public company boards. A majority of directors will have no experience or qualifications in security risk management and this is likely to be reflected down through the organisation resulting in low to medium security awareness and culture. Corporate governance statements from companies listed on the ASX/S&P 200 strongly suggest that security related risks are not widely considered as part of the corporate governance framework. With limited application of security in the corporate governance framework, there is less focus on security related behaviour within the codes of conduct held by a majority of public companies. This can have an adverse impact on corporate ethics, internal controls and crisis response capabilities. The study developed a model which implements security risk management functions to the corporate governance framework in order to formally recognise and promote effective management of security risk and compliance. 
Applying security as a business process to support long term revenue was found to benefit corporate reputation and complements other risk and business management practices. Security of information and confidentiality is enhanced to encourage reports of misconduct within the company, generating a security and reporting culture. Security functions are currently limited to form part of internal controls within the operating environment and generally viewed as a cost centre which does not contribute to revenue. Security functions are not holistically applied across the organisation or within the corporate governance framework. There are a number of recommendations resulting from the study, and they are primarily concerned with the continued need for research into the application and recognition of security within the hierarchy of executive and business management.

    Towards a framework to ensure alignment among information security professionals, ICT security auditors and regulatory officials in implementing information security in South Africa

    Information security in the form of IT governance is part of corporate governance. Corporate governance requires that structures and processes are in place with appropriate checks and balances to enable directors to discharge their responsibilities. Accordingly, information security must be treated in the same way as all the other components of corporate governance. This includes making information security a core part of executive and board responsibilities. Critically, corporate governance requires proper checks and balances to be established in an organisation; consequently, these must be in place for all information security implementations. In order to achieve this, it is important to have the involvement of three key role players, namely information security professionals, ICT security auditors and regulatory officials (from now on these will be referred to collectively as the ‘role players’). These three role players must ensure that any information security controls implemented are properly checked and evaluated against the organisation’s strategic objectives and regulatory requirements. While maintaining their individual independence, the three role players must work together to achieve their individual goals with a view to, as a collective, contributing positively to the overall information security of an organisation. Working together requires that each role player must clearly understand its individual role, as well as the role of the other players at different points in an information security programme. In a nutshell, the role players must be aligned such that their involvement will deliver maximum value to the organisation. This alignment must be based on a common framework which is understood and accepted by all three role players. This study proposes a South African Information Security Alignment (SAISA) framework to ensure the alignment of the role players in the implementation and evaluation of information security controls. 
The structure of the SAISA framework is based on that of the COBIT 4.1 (Control Objectives for Information and Related Technology). Hence, the SAISA framework comprises four domains, namely, Plan and Organise Information Security (PO-IS), Acquire and Implement Information Security (AI-IS), Deliver and Support Information Security (DS-IS) and Monitor and Evaluate Information Security (ME-IS). The SAISA framework brings together the three role players with a view to assisting them to understand their respective roles, as well as those of the other role players, as they implement and evaluate information security controls. The framework is intended to improve cooperation among the role players by ensuring that they view each other as partners in this process. Through the life cycle structure it adopts, the SAISA framework provides an effective and efficient tool for rolling out an information security programme in an organisation. Computer Science. M. Sc. (Computer Science)

    New technologies: one of the key strategic factors of the Serbian corporate governance practice harmonisation with eu requirements

    New technologies have been changing the world for centuries. Innovations have been the strongest tool for development and recovery of world economy. Today information is the most valuable asset and global markets and global companies are depending on relevant data and information security. Tech-intelligent processes are fundamental for the European corporate governance environment. The stability of corporate governance as a system with the prime aim to protect investors and take care of stakeholders linked to public companies is based on quality of information and relevant access. When corporate governance is good, then the process of collecting and disseminating information is good as well. This paper presents the potentials of information technology to be used for better corporate governance and to help Serbian companies to position themselves on European capital markets. Public companies as well as capital markets can be controlled in a more efficient way by using IT. Shareholders' rights and activities, board of directors' duties and responsibilities, settling of disputes, disclosure and transparency, stakeholders’ protection and other important issues in corporate governance can be provided and organized in a better way. This paper mostly deals with three main segments of corporate governance policy: protection of shareholders' rights, effective board of directors and efficient resolution of disputes. Proper use of technology and right policies and procedures for information security can help public company to improve the efficiency of corporate governance by supporting diligence, restrict abuse and reduce corruption and bribery. Destructive nature of any dispute arising within or out of company has potential to spoil reputation of company and the trust of investors. On the other hand, the dispute can be solved and even be a tool for better relationship between parties in a dispute in the future. 
If discovered at the early beginning, the dispute can be handled effectively by mediation. There, information technology and communication can be of great help

    Creation and Implementation of an It Governance Compliant It Asset Management Framework for Wexford County Council

    IT Governance has evolved from Corporate Governance over time as a means to enforce security and control over information systems and put in place best practices for organisations. There are accredited standards, such as ISO, CobiT, and Information Technology Infrastructure Library (ITIL) to help organisations create, and conform to best practices for information technology security. Currently there is very little IT asset governance specific literature. This study was conducted to research best practices for IT asset management, and proposes a set of guidelines for Wexford County Council to implement for IT asset management. This study also proposes how to physically implement best practices using Microsoft System Center Configuration Manager; and how steps can be taken using the asset governance recommendations to benefit the areas of IT budgeting, risk management and security

    The Corporate Governance of National Security

    At hundreds of companies, the government installs former spies and military officers to run the business without shareholder oversight, putting security before profits in order to protect vital projects from potentially treasonous influences. Through procedures I call “National Security Corporate Governance,” corporate boardrooms have quietly become instruments of national defense, marrying the efficiency norms of corporate law and the protective ambitions of national security. How is this achieved, and how successfully? Using a variety of research approaches – including Freedom of Information Act (FOIA) requests, archival searches, telephone interviews, and in-person conversations with industry insiders – this Article illuminates a secretive government program and the challenging questions regarding the relationship between private ordering and public goals such as national security

    Relationship Between Corporate Governance and Information Security Governance Effectiveness in United States Corporations

    Cyber attackers targeting large corporations achieved a high perimeter penetration success rate during 2013, resulting in many corporations incurring financial losses. Corporate information technology leaders have a fiduciary responsibility to implement information security domain processes that effectually address the challenges for preventing and deterring information security breaches. Grounded in corporate governance theory, the purpose of this correlational study was to examine the relationship between strategic alignment, resource management, risk management, value delivery, performance measurement implementations, and information security governance (ISG) effectiveness in United States-based corporations. Surveys were used to collect data from 95 strategic and tactical leaders of the 500 largest for-profit United States headquartered corporations. The results of the multiple linear regression indicated the model was able to significantly predict ISG effectiveness, F(5, 89) = 3.08, p = 0.01, R² = 0.15. Strategic alignment was the only statistically significant (t = 2.401, p <= 0.018) predictor. The implications for positive social change include the potential to constructively understand the correlates of ISG effectiveness, thus increasing the propensity for consumer trust and reducing consumers' costs

    Integrating information security into corporate culture

    Introduction: There are many components that are required for an organisation to be successful in its chosen field. These components vary from corporate culture, to corporate leadership, to effective protection of important assets. These and many more contribute to the success of an organisation. One component that should be a definitive part in the strategy of any organisation is information security. Information security is one of the fastest growing sub-disciplines in the Information Technology industry, indicating the importance of this field (Zylt, 2001, online). Information security is concerned with the implementation and support of control measures to protect the confidentiality, integrity and availability of electronically stored information (BS 7799-1, 1999, p 1). Information security is achieved by applying control measures that will lessen the threat, reduce the vulnerability or diminish the impact of losing an information asset. However, as a result of the fact that an increasing number of employees have access to information, the protection of information is no longer only dependent on physical and technical controls, but also, to a large extent, on the actions of employees utilising information resources. All employees have a role to play in safeguarding information and they need guidance in fulfilling these roles (Barnard, 1998, p 12). This guidance should originate from senior management, using good corporate governance practices. The effective leadership resulting from good corporate governance practices is another component in an organisation that contributes to its success (King Report, 2001, p 11). Corporate governance is defined as the exercise of power over and responsibility for corporate entities (Blackwell Publishers, 2000, online). Senior management, as part of its corporate governance duties, should encourage employees to adhere to the behaviour specified by senior management to contribute towards a successful organisation. 
Senior management should not dictate this behaviour, but encourage it as naturally as possible, resulting in the correct behaviour becoming part of the corporate culture. If the inner workings of organisations are explored it would be found that there are many hidden forces at work that determine how senior management and the employees relate to one another and to customers. These hidden forces are collectively called the culture of the organisation (Hagberg Consulting Group, 2002, online). Cultural assumptions in organisations grow around how people in the organisation relate to each other, but that is only a small part of what corporate culture actually covers (Schein, 1999, p 28). Corporate culture is the outcome of all the collective, taken-for-granted assumptions that a group has learned throughout history. Corporate culture is the residue of success. In other words, it is the set of procedures that senior management and employees of an organisation follow in order to be successful (Schein, 1999, p 29). Cultivating an effective corporate culture, managing an organisation using efficient corporate governance practices and protecting the valuable information assets of an organisation through an effective information security program are, individually, all important components in the success of an organisation. One of the biggest questions with regard to these three fields is the relationship that should exist between information security, corporate governance and corporate culture. In other words, what can the senior management of an organisation, using effective corporate governance practices, do to ensure that information security practices become a subconscious response in the corporate culture?

    The Implementation of Multiple Information Security Governance (ISG) Frameworks Strategy and Critical Success Factors in Indonesia’s Oil and Gas Industry: Case Study of PT X

    The oil and gas industry is among the largest contributors to Indonesia’s foreign exchange. Many believe that information technology will be a major driver for economic wealth in the oil and gas industry. However, implementing information technology to support corporate business process brings vast information security risks. There is a need for comprehensive information security governance that can comply with information security standards and regulations. This research is conducted to evaluate the use of multiple ISG frameworks for implementing information security governance in a multinational oil and gas company. In detail, we evaluate the effectiveness of such framework, assess its implementation maturity level, and identify the success and inhibiting factors for implementing ISG frameworks. This study shows that framework XYZ, as a multiple ISG framework, is effective to cover the controls of ISO 17799, COSO, and IT Risk Framework at once. Meanwhile, the observed case study indicated lack of compliancy of Framework XYZ followed by the invention of gap between current ISG implementation efforts and company visions. Lastly, several success and inhibiting factors are identified in the ISG framework implementation at PT X

    Corporate Restructuring and Bondholder Wealth

    This paper provides an overview of existing research on how corporate restructuring affects the wealth of creditors. Restructuring is defined as any transaction that affects the firm's underlying capital structure. Thus, it reaches well beyond asset restructuring and includes transactions such as leveraged buyouts, security issues and exchanges, and the issuance of stock options. The analysis identifies significant gaps in the literature, emphasizes the potential differences between creditor wealth changes in market- and network-oriented governance systems, and provides valuable insights into methodological advances. Many issues obviously remain, as empirical evidence is still incomplete and focuses exclusively on the US. In network-oriented regimes, the potential for research remains constrained by the lesser development of bond markets that disclose information on creditor wealth shocks. Still, on-going debt securitization should now allow for the investigation of at least some critical issues. This is imperative, as the position of creditors in the firm differs substantially across governance systems despite the gradual convergence of these regimes across the world. bondholder wealth; corporate restructuring; mergers and acquisitions; event studies; bond returns