C RISTO Y LA I GLESIA EN EL S ACRIFICIO EUCARÍSTICO

The content web analysis identified nine areas that related to the formal component.

a) IS/IT Security Vision

The IS/IT Security Vision is the most prioritised element of the Formal Component in the IS/IT security governance model as it indicates the intentions of the board and senior management in achieving and maintaining the confidentiality, integrity and availability of IS/IT assets and business data within companies. The analysis of 210 sets of annual reports revealed that only six companies provided information on the security vision of their IS/IT; four statements were from Group A and two were from Group B. No information was found in the smaller capitalisation group annual reports with regard to the IS/IT Security Vision. Only the larger and medium capitalisation companies provided information in regard to the IS/IT Security Vision.

The IS/IT security governance model suggests that the functionality of IS/IT with regard to confidentiality, integrity and availability could be compromised without effective directives and monitoring by the board and senior management through excellent supervision roles.

Trade-offs between the IT investment and its risk management strategy is greatly needed for achieving the IS/IT Security Vision of IS/IT security governance model. As disclosed by a large capitalisation company,

“The Board of Directors understand the necessity to leverage and optimise IT investments and resources for the best interest of the Group and to safeguard it’s IT resources, intellectual property management and information (P. 82, Company A50)”.

To establish the IS/IT Security Vision, the corporation needs to identify the IT areas, business processes and business data that need to be secured. The board and senior management should be able to identify the most important IS/IT issues that are aligned with business goals. For example, one larger

capitalisation company disclosed the strategic focus for Internet banking, the critical resources that need to be protected and security requirements including security controls and counter-measures.

“Our strategic focus for Internet banking is to make the online channel a key channel for our customers. Improvement was made on key operational areas to ensure accessibility of Internet banking to our customers. Security features were increased such as the implementation of two-factor authentication to offer further protection to our customers. In carrying out these efforts, we are encouraged by the 19 per cent growth in our Internet banking subscriber base as well as the heightened level of transactions over Company A1 Online and our self-service machines during the financial year under review.”(P. 42, Company A1)

From the disclosed information of Company A1, the key operational areas of Internet banking and customer data were recognised as the critical risk areas. When linking these data to the IS/IT security governance model, after the corporation has identified the potential risk areas, the management needs to formulate effective strategies how to achieve IS/IT Security Vision, for instance, create a security plan for mitigating the risks involving security controls and resource planning.

A clear IS/IT security vision in place helps organisations manage the security risks through effective strategies and better IS/IT security governance practices. For example, Company A9 had a clear IS/IT security vision, where the organisation had aligned the security requirements with technological resources and business goals.

“The Company A9 Group continues to undertake initiatives to maintain 100% systems availability and robust system performance for the Group’s computer systems, peripherals and network infrastructure and to enhance security features on all its computer platforms and network infrastructure to ensure secured data protection and uninterrupted transmission. Precautionary measures are regularly reviewed and enhanced to ensure customers’ interests are protected at all times for all online products and services (P. 94, A9)”.

In the IS/IT security governance model, after knowing to what extent IS/IT can support business operations by the internal employees, the board and senior management should be able to define IS/IT Security Vision. The following statement suggests that Company A6, a larger capitalisation company, had an IS/IT Security Vision.

“These initiatives contribute towards a systematic methodology to ensure the confidentiality, integrity, availability and non-repudiation of information and Information Systems against current or any potential threats prevalent in the evolving and changing internet world. This enables the Group to retain its customer trust and maintain high rates of utilisation for the Group’s products and services (p. 127, Company A6)”.

Clearly, the IS/IT Security Vision of Company A6 was concerned with security of the company’s products and services.

b) IS/IT Security Management Strategy

The IS/IT Security Management Strategy is purposely developed in order to achieve the goals of the IS/IT Security Vision. As noted in the IS/IT Security Governance Model, the strategy addresses

how to achieve the vision, for example, by putting the IS/IT security structures in place, setting up IS/IT committees, creating a security plan, setting up a programme of security training and education, setting up and including IS/IT security within the corporate risk management and corporate internal controls agenda, setting up a framework for evaluating, monitoring and auditing the IS/IT security processes.

Each proposed strategy varies according to the nature of the business, culture and environment. The analysis revealed six IS/IT Security Management Strategies. The strategies include IS/IT Security Risk Management, IS/IT Security Internal Controls, Organisational Structure of IS/IT security, Education and Training relating to IS/IT security and IS/IT Security Audit.

i) Risk Management

Only three larger capitalisation companies disclosed IS/IT security risk management information in their statements.

In regard to the IS/IT security governance model, a poor IS/IT Security Governance practice such as an unclear IS/IT Security Vision, misalignment between business goals and security controls requirements, less effective management strategies or policies, could contribute to many possibilities such as business losses and bad reputation. For example, one statement disclosed and discussed security risks and the possible impact.

“The Group’s businesses may be vulnerable to security breaches to key systems, assets and facilities resulting from acts of vandalism, sabotage or terrorism. Potential disruptions to operational systems or destruction of facilities from such security breaches and attacks, could adversely affect the Group’s reputation, its businesses, or financial results (P. 27, Company A11).

The IS/IT security management strategy, which is one of the formal elements of the IS/IT security governance model, suggests that all types of business risks including IS/IT security risks are the responsibility and accountability of the board and senior management. Therefore, a proper structure is vital, corporate committees like the Risk Management Committee are responsible for incorporating and overseeing IS/IT security risks. There are many strategies that can be placed engaging IS/IT security risks. For example, as disclosed by a larger capitalisation company, the Risk Management Team of Company A4 had conducted a security workshop to help employees in identifying and mitigating risks in order to improve and maintain the IS/IT security level.

“Two additional workshops were carried out by the risk management team to enhance awareness of risk management in addition to the regular risk management induction programmes for new staff. There was also a workshop on ”Business Information Security” to highlight various risks associated with information security (p. 99, Company A4)”.

As identified in the IS/IT security governance model, in Chapter 4, continuous risk identification, assessment and mitigation over the IS/IT security risks should be carried out by employees as part of fulfilling IS/IT security responsibilities. To provide a comprehensive view of IS/IT risks surrounding the organisation, establishing a framework relating to IS/IT risk was one of the IS/IT security management strategies in the IS/IT security governance model:

“In 2008, an IT Risk Framework was developed and is continually maintained to ensure that risks are correctly identified and the necessary remedial actions are in place (P. 127, Company A6)”.

The risk management over the technological resources and IS/IT security procedure may be covered in the audit plan. For example the following risk areas were covered in the Audit Plan of Company A2.

1. Quality of assets 2. Operational controls 3. Financial controls 4. Customer satisfaction

5. Compliance with laws and regulations 6. Lending practices

7. Management efficiency 8. Information technology

9. Data centres and network security

(P. 48, Company A2)

ii) IS/IT Security internal controls

In the IS/IT Security Governance Model, IS/IT security internal controls are part of IS/IT Security Risk Management. Internal control is a mechanism to ensure intended goals are achieved within the risk management process. The analysis revealed that only two companies disclosed IS/IT security internal controls information. For example, the following statement discloses how the IS/IT security internal controls may be integrated into the risk management process.

“There are documented procedures in place that cover management accounting, financial reporting, procurement, information systems security, compliance and other risk management issues. The objective of the policies and procedures is to ensure that internal control principles or mechanisms are embedded in operations. This enables the Group to respond quickly to evolving risks and immediately report on any significant control failure (P. 82, Company A50)” .

iii) Organisational structure of IS/IT security

The analysis then proceeded to examine if there are any existing specific job roles relating to IS/IT security. Only 3 companies presented specific information of IS/IT security roles.

The existing established organisational structure with reference to the IS/IT security role was evidenced in two reports. The first was from Group A in the “Finance” industry sector;

“Operational Control and Information Technology Security” (P. 117, Company A6)

and second was from Group B in the “Trading/Services” industry sector;

“Management Team: (IT Security)” (P. 41, Company B101).

The existence of an organisational structure for IS/IT security unit/group within the two companies suggests that the boards and senior managements had clear IS/IT Security Visions in securing its IS/IT infrastructure and business data.

The analysis revealed that in one company the development of an IS/IT security role took place after the re-organisation of the IT department. This can be seen in the re-organisation process of the IT Department of one medium capitalisation company in five areas including ‘security’ which were stated as follows:

“Re-organisation of IT Department, IT department was re-organised taking the following attributes into consideration Focus, Specialisation, Functional Fit, Business-Aligned, Security and Career Centric (p. 42, Company B2)”

The board and senior management of Company B2 had shown that the protection of its IT infrastructure and business data is prioritised at governance level through the organisational structure of IS/IT security. The IS/IT security governance model suggests that the existing/potential organisational structure for IS/IT security would enhance the integration of expertise from different disciplines or departments in achieving effective operation of IS/IT and maintaining security over IS/IT.

iv) Education and Training relating to IS/IT security

Nine companies disclosed information on training attended by the board and senior management.

Six top capitalisation and three medium capitalisation companies disclosed information relating to training with regard to IS/IT security. For example,

“Importance of IT Security was attended by the board of directors (P. 70, CA8)”

“the boards and members of the Audit Committee in Company A21 attended training in “Importance of IT Security (p. 26 & 31, Company A21)”

and

“Directors’ Training: Importance of IT Security (P. 20, Company B18)”.

Apart from seeking disclosures on IS/IT security training attended by the Board and Senior Managers, information was sought about whether the corporation prepared, organised and held their own IS/IT security training for their internal employees. Only three companies disclosed information in this respect.

A workshop is identified as part of the education and training elements relating to IS/IT security. One larger company disclosed details on IS/IT security workshops conducted by the Risk Management Team for raising awareness on how to manage the risks. The statement relating to the workshop has already been presented in an earlier sub-section, Risk Management. The statement relating to workshop is represented as follows.

“Two additional workshops were carried out by the risk management team to enhance awareness of risk management in addition to the regular risk management induction programmes for new staff. There was also a workshop on ”Business Information Security” to highlight various risks associated with information security (p. 99, Company A4)”.

Another company showed that a proactive strategy like an IS/IT security forum was seen to be important in the corporation’s risk management programme. The forum is an interactive method to acquire information from employees about IS/IT security issues in the organisation.

“The Group maintains a strong knowledge of and continues to refine its mitigation strategies against Information Technology threats by participating in specific forums on Information Security and industry dialogues such as the Internet Banking Task Force. These initiatives contribute towards a systematic methodology to ensure the confidentiality, integrity, availability and non-repudiation of information and Information Systems against current or any potential threats prevalent in the evolving and changing internet world (p. 127, Company A6)”.

The other example of training that was disclosed by a corporation is presented below:

“Throughout the year, the Company had conducted various training and development courses for the benefit of its staff for their career development and to provide better customer service and provide quality customer service. Among the trainings and courses held were Quality Management System and Information Security Management System training (p. 7, Company B11)”.

n the IS/IT security governance model in Chapter 4 providing continuous education and training relating to IS/IT security is a critical strategy for the development of employee values and organisational values. Few companies disclosed details of training relating to IS/IT security.

v) Audit

The audit differs with internal controls to some extent. The audit uses the detection approach, while internal controls are a mechanism based on the prevention approach. The audit acts as a check and balance to evaluate the effectiveness of processes after implementation.

The auditing process is identified as part of the IS/IT Security Management Strategy in the IS/IT Security Governance Model. In this context, the Audit strategy helps management to evaluate the effectiveness of IS/IT security processes in many areas including IS/IT Security policies and IS/IT Security procedures implementation. In the context of IS/IT security governance, the IS/IT Security procedures are concerned with the application of security controls and security solutions. The management may use the audit results, such as deficiencies in IS/IT security procedures implementation, to determine the risks that are relevant to IS/IT assets and business data as set forth in the IS/IT Security Vision.

The annual reports were examined to discover whether companies included IS/IT security in the audit process. Only 5 companies disclosed details of audit scope in relation to IS/IT security. The determined areas for auditing within companies were varied.

As disclosed by two companies, the audit included the IS/IT Security procedures.

 “The internal auditors also participate in risk management and IT projects to provide assurance of good governance and application of security controls (p. 20, Company B2)”

lending practices and information technology, including the various application systems in production, data centres, and network security (p. 162 Company A2T)”

Apart from the IS/IT security procedures implementation, compliance on IS/IT security processes was part of audit areas covered.

 “General IT Controls Review at Company A14, the audit scope includes review of overall IT management, delivery and support of service providers, access control management and compliance to Security Policy (p. 80, Company A14)”

 “A process audit was conducted by a consultant to determine the compliance and maturity level of Information Security in Company B4 (p. 62, Company B4)”.

c) IS/IT Security Policy

IS/IT Security Policy is a higher level statement designed to maintain secure IS/IT assets and business data. While the IS/IT Security Management Strategy addresses how to achieve the IS/IT Security Vision, the policy document is developed as a platform for linking the IS/IT security management strategy with the board’s IS/IT Security Vision.

Information was sought about the disclosure of information on IS/IT Security Policies. Nine companies provided information; five from the top capitalisation companies and another four from the middle capitalisation companies. The following are examples of disclosed statements of IS/IT Security Policies.

Top capitalisation companies

“Company A13 has in place an IT Governance policy based on current Information Technology (IT) issues identified internally and raised by the Internal and External Auditors. It consists of six core policies, namely, IT Security Policy, IT Network Policy, IT Application Control Policy, IT Desktops, PDA, Email, Internet and Intranet Policy, Purchasing, Licensing and Usage of Corporate Software Policy and Business Continuity Facility Policy. (p. 116, Company A13)”.

Medium capitalisation:

“The Corporate Information Security Policy (CISP), which was developed and communicated to all staff, covers the management of information, data security and provides guidelines on the acceptable use of Company B4 IT resources. The CISP also provides basic guidance on operational controls related to information security at Company B4 Group of Companies. (p. 62, Company B4)”,

“The Group also formulated and implemented the ICT Policy and Guidelines to ensure proper protection of ICT resources, data integrity and security. The ICT Policy and guidelines were approved by the Board and enforced in April 2008 (p. 63, Company B3)”

“IT Policies and Procedures. There is also an IT Policy which incorporates the Corporate Policy on the usage of Personal Computer Software and Corporate Policy on the usage of E-mail and Internet. This is in addition to the IT Asset Hardware & Software Policy and the Security Implementation for the Antivirus Level Protection. These policies are established to achieve and maintain confidentiality,

integrity, availability, authenticity and reliability of information and information processing.(p. 70- 71, Company B101)”.

There were various security areas covered in the IS/IT security policies as disclosed in the companies’ reports. The ultimate goal of IS/IT security policy was to achieve and maintain confidentiality, integrity and availability of the IS/IT assets and business data, regardless of company size.

Interestingly, the IS/IT security definition has been extended to authenticity and reliability of IS/IT assets and business data, as identified by a larger capitalisation company.

“IT policies and procedures are in place to achieve and maintain confidentiality, integrity, availability, authenticity and reliability of information or information processing facilities ...There are documented