IT Governance
A Manager's Guide to Data Security and ISO 27001 / ISO 27002
2003 | 2nd Revised edition
Kogan Page Ltd (publisher)
978-0-7494-4078-7 (ISBN)
- Title is out of print; no new edition
The development of IT governance - which recognizes the convergence between business management and IT management - makes it essential for managers at all levels in organizations of all sizes to understand how information security risks are best dealt with. This is a guide to the relevant issues.
It is reported that 60 per cent of organizations have suffered a data security breach in the past two years and 43 per cent of those that have sensitive or critical information have suffered an extremely serious one. With the growing importance of IT to both internal systems and external e-commerce, this may be alarming, but perhaps not surprising. What is surprising is that, up until very recently, data security has been seen as the province of the IT department rather than, as it should be, a key boardroom issue for the e-commerce age. The Turnbull report has focused interest on this issue by setting out how directors of listed companies must comply with the UK's Combined Code requirements in respect of internal controls, including financial, risk management and operational controls - specifically operational from an IT perspective. By underlining the importance of IT Governance as a critical aspect of Corporate Governance, the report establishes "best practice" for any organization, both public and private, large and small.
The development of IT governance - which recognizes the convergence between business management and IT management - makes it essential for managers at all levels of the organization to adopt "best practice" in information security. By taking on BS 7799 or ISO 17799, organizations can be certain that they are doing this. This second edition is now updated to contain the final BS 7799/ISO 17799 nomenclature. This handbook guides managers through the maze of issues involved in effective information security management and shows how to introduce reliable management controls. In so doing, it also goes in detail through the process of achieving BS or ISO certification. It is a resource for directors and senior managers in organizations of all sorts and sizes, but particularly those with well-developed internal IT systems and those focused on e-commerce. Coverage includes: why is information security necessary?; the Combined Code and the Turnbull Report; BS 7799 - Benefits of certification; information security management; information security policy and scope; the risk assessment and statement of applicability; security of third party access and outsourcing; asset classification and control; personnel security; physical and environmental security; equipment security; general security controls; communications and operations management; controls against malicious software (malware); and housekeeping, network management and media handling.
Alan Calder is a founder-director of IT Governance Ltd, which provides IT governance and information security services through its website www.itgovernance.co.uk. He is the author of Corporate Governance, IT Governance and International IT Governance, all published by Kogan Page.
| Publication date (per publisher) | 3.8.2003 |
|---|---|
| Place of publication | London |
| Language | English |
| Dimensions | 177 x 249 mm |
| Weight | 793 g |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| | Business ► Business Administration / Management ► Corporate Governance / Management |
| ISBN-10 | 0-7494-4078-3 / 0749440783 |
| ISBN-13 | 978-0-7494-4078-7 / 9780749440787 |
| Condition | New |