Engaging the Board - Corporate Governance and Information Assurance

RAND Engaging the Board Corporate Governance and Information Assurance Andrew Rathmell, Stephanie Daman, Kevin O’Brien and Aarti Anhal Prepared for The Information Assurance Advisory Council (IAAC) RAND Europe The research described in this report was prepared for the Information Assurance Advisory Council (IAAC). Further information can be found at www.iaac.org.uk. ISBN: 0-8330-3508-8 The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. R® is a registered trademark. © Copyright 2004 RAND Corporation All rights reserved. No part of this book may be reproduced in any form by any electronic or mechanical means (including photocopying, recording, or information storage and retrieval) without permission in writing from RAND. Published 2004 by the RAND Corporation 1700 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138 1200 South Hayes Street, Arlington, VA 22202-5050 201 North Craig Street, Suite 202, Pittsburgh, PA 15213-1516 RAND URL: http://www.rand.org/ To order RAND documents or to obtain additional information, contact Distribution Services: Telephone: (310) 451-7002; Fax: (310) 451-6915; Email: order@rand.org For more information about RAND Europe or this document, please contact: Newtonweg 1, 2333 CP Leiden, The Netherlands Tel: + 31-71 524 5151 Tel: + 31-71 524 5191 www.randeurope.org reinfo@rand.org The INFORMATION ASSURANCE ADVISORY COUNCIL The Information Assurance Advisory Council (IAAC) is a private sector led, cross-industry forum dedicated to promoting a safe and secure Information Society. IAAC brings together corporate leaders, public policy makers, law enforcement and the research community to address the security challenges of the Information Age. IAAC is engaged with Government and corporate leaders at the highest levels; it produces innovative policy advice based on professional analysis and global best practice. IAAC Corporate Sponsors IAAC Government Liaison Panel DISCLAIMER IAAC’s recommendations do not necessarily represent the views of all of its members or sponsors, whether private sector or Government. Strategic interaction with Government is through a Government Liaison Panel. ii PREFACE This report, prepared for and funded by the Information Assurance Advisory Council, presents the results of an analysis of the relationship between corporate governance and information assurance. The objective of the study was to identify the ways in which information assurance can be embedded into corporate risk management processes in the changing UK corporate governance environment. Corporate governance now calls for effective management of risks but board-level awareness is not yet being translated into effective controls. Based upon extensive research, consultations and testing of the findings with the corporate governance and risk management communities in the UK and abroad, this study outlines the ways in which information assurance can be embedded into corporate risk management practices and how companies can be incentivised to adopt good practices. This report is a successor to the May 2002 IAAC Paper Protecting the Digital Society, which outlined three central actors in promoting information assurance – government, the private sector and citizens. This report addresses the second of these actors. This document is an overview analysis of the issues affecting the private sector, upon which IAAC is basing further analysis and actions. Three additional IAAC reports, all issued in October 2002, provide additional analysis and guidance for corporate boards: • Benchmarking Information Assurance • Information Assurance & Corporate Governance: What Every Director Must Know • Insuring Digital Risk: A Roadmap for Action The report should be of interest to boards and senior management in corporations, professionals in the legal, audit, insurance and investment sectors as well as to regulators and public policy makers concerned with promoting information assurance and modernising corporate governance. iii ACKNOWLEDGMENTS These recommendations are the result of an extensive research and consultation process undertaken by IAAC since July 2001. On behalf of IAAC, RAND Europe analysts undertook a comprehensive review of the state of the art in corporate governance and information risk management. This was supplemented with expert and stakeholder discussions at a seminar hosted by the Institute of Chartered Accountants in July 2001, an expert meeting with risk management specialists in January 2002; wider industry discussions at IAAC’s January 2002 Symposium. During the summer of 2002, IAAC issued a consultation paper to a wide audience in the UK and abroad including internal auditors, insurers, risk managers and technologists drawn from a wide cross section of the public and private sectors. This consultation was supplemented by a pilot survey focused upon IAAC members to provide in-depth information about corporate perceptions and practices. The results of this work were discussed with cross-sector representatives at IAAC’s 3rd Annual Symposium in October 2002.1 The findings of this paper owe a great deal to the advice provided in oral and written form from dozens of participants in this research process. Particular thanks are due to the following individuals and institutions who provided detailed written comments on the paper: David Brewer; Bruno Brunskill; Daniel Dresner on behalf of National Computing Centre members; Neil Fisher; Richard Hackworth; Willie List; Angela Robinson; Andrea Shellard & Jiwan Shourie, on behalf of the Institute of Internal Auditors. Andrew Daly provided valuable comments on drafts of the paper. Any errors of fact or interpretation are of course the responsibility of the authors. 1 All related reports and workshop/conference materials are available at: www.iaac.org.uk iv ... - tailieumienphi.vn