Providing information security is not only a series of technical hurdles; it is also a challenge of how to govern an organization. That is the message of the Corporate Governance Task Force of the National Cyber Security Partnership (NCSP), which recently issued a management framework and call to action for industry to integrate information security governance into their corporate processes.

The NCSP is led by the Business Software Alliance, the Information Technology Association of America, TechNet and the U.S. Chamber of Commerce as well as voluntary partnerships with CEOs, academics, industry experts and federal government agencies. The public-private partnership was established after release of the 2003 White House National Strategy to Secure Cyberspace.

The Task Force identified a core set of principles to guide their efforts. These include:


  • CEOs should conduct an annual information security evaluation, review the results with staff and report on performance to the board of directors.

  • Organizations should conduct periodic risk assessments of information assets as part of a risk management program.

  • Organizations should establish a security management structure to assign explicit individual roles, responsibilities, authority and accountability.

  • Organizations should develop and implement incident response procedures.
  • The Task Force framework was assembled by a broad representation of security experts and not only vendors with products to sell, says Michael Rasmussen, principal analyst with Forrester Research and vice president of Standards and Public Policy with the ISSA, which represents 12.000 security professionals.

"This report is a landmark because a variety of people are coming to the table to build this guidance together," Rasmussen says. "The biggest message in the report is governance. This is not a silo issue. Security needs to be addressed from the top down. This is an architecture approach to the management of information security. Part of the problem today is that security management is so ad hoc, responding to the latest worms and attacks instead of being proactive. This report promoted security as a managed process and not reactive firefighting."

Naturally, security product and service providers see an opportunity in elevating the awareness of security in the boardroom.

"The CEOs and boards of directors may need help on where to start. We need to encourage executives to stand back and conduct an assessment, to get the big picture based on information from the security infrastructure," says John Summers, global director of managed security services for Unisys. "That's one of the things we try to help our clients accomplish."

Organizations should signal their commitment to information security governance by stating on their Web site that they intend to use the tools developed by the Corporate Governance Task Force to assess their performance and report the results to their board of directors, the authors advised.

The report can be downloaded from www.cyberpartnership.org.