
The formal component comprised nine areas: ‘IS/IT security vision’, ‘IS/IT security management strategy’, ‘risk management’, ‘IS/IT security internal controls’, ‘organisational structure of IS/IT’, ‘education and training relating to IS/IT security’, ‘audit’, ‘IS/IT security policy’ and ‘IS/IT security standards’.

In the IS/IT security vision area, only six companies (of 210) disclosed information on their IS/IT security vision; the majority of those that did were from Group A. Three issues were highlighted under the IS/IT security vision: first, the trade-off between the IT management strategy and the risk management strategy; second, the alignment needed between business needs, security requirements and business goals; and third, that identifying critical business activities may lead to the management of critical risks.

The goal of the IS/IT security management strategy was to establish ways of achieving the IS/IT security vision. In the web analysis results five strategies were reported: ‘risk management’, ‘IS/IT security internal controls’, ‘organisational structure of IS/IT’, ‘education and training relating to IS/IT security’ and ‘audit’.

Risk Management

Three companies, all from Group A, presented data relating to IS/IT security risk management. Four issues were highlighted: first, the importance of risk management in preventing potential business losses and reputational damage; second, the need for the education and awareness programme to be conducted continuously within the risk management programme; third, the development of an IT risk framework; and fourth, the technological resources and security procedures considered in the risk management plan and covered by audit.

IS/IT security internal controls

IS/IT security internal control formed part of the IS/IT security management strategy in the IS/IT security governance model. Only two companies disclosed information relating to IS/IT security internal controls on their websites. The issue raised was how internal controls were applied in the risk management process.

Organisational structure of IS/IT security

The organisational structure referred to any specific security role relating to IS/IT security. Three companies released this information on the web. Surprisingly, two of the companies that revealed a specific IS/IT security role were from Group B. All the specific roles were assigned to a group rather than to an individual.

Education and Training relating to IS/IT security

The educational aspect was also part of the IS/IT security management strategy within the formal component. Nine companies revealed information on education and training relating to IS/IT security, the majority of them from Group A. Two training-related issues were raised: first, whether the board of directors and senior management had attended training relating to IS/IT security; and second, the development of an IS/IT security training programme within the organisation.

Audit

In the IS/IT security governance model, the audit process was one example of an IS/IT security management strategy. In the website analysis, the goal was to examine whether audit was conducted within the IS/IT processes. The analysis revealed that five companies had included IT within their audit process. The areas of IT covered by audit were IT projects, the various application systems in production, data centres and network security, overall IT management, compliance with the security policy and the maturity level of information security.

IS/IT security policy

The IS/IT security policy is a communication tool which connects the IS/IT security vision with the IS/IT security management strategy. Nine companies made their IS/IT security policy public, with a balanced representation from Group A and Group B. Several policies relating to IS/IT areas and IS/IT security controls were found in the website analysis. These covered the IT network, IT application control, IT desktops, PDAs, e-mail, internet, intranet, purchasing, licensing and usage of corporate software, hardware, business continuity facilities, management of information, data security and operational controls related to information security. The goal of the IS/IT security policy was to maintain confidentiality, integrity and availability; these security elements can be extended to authenticity and reliability.

IS/IT security standards

IS/IT security standards, an independent document in the model, were of two types, internal and external. An internal standard is written by the company itself, while an external standard is developed and written by an external body (local or international). As reported in the website analysis, seven companies showed what type of standards they used. All of the information reported concerned external standards; no information was disclosed on internal standards. The external standards highlighted were the international standard ISO 27001 and NSS Certification, a technology certification in compliance with security standards. The most popular standard used was ISO 27001.

Technical component

In the IS/IT security governance model, the technical component had two layers: first, technological areas and second, IS/IT security procedures. The technological areas comprised two inner layers, IT Infrastructure and Business Data/Information, and Business Information Systems. The IS/IT security procedures were concerned with security countermeasures and controls, and were determined by the technological areas. Interestingly, 14 companies made information relating to technological areas and IS/IT security procedures public on their websites. Four issues emerged from the website analysis: first, the adoption of new infrastructure; second, the upgrading of IT infrastructure; third, the improvement of information architecture; and fourth, the adoption of new business models.

Business Information Systems

Business information systems were technological solutions based on business requirements. Their purpose was to integrate departments and functional areas in order to meet those requirements. Two examples emerged from the website analysis: Internet Protocol Virtual Private Networks (IP VPN) and Corporate Geographical Information Systems (GIS).

IS/IT Security Procedures

IS/IT security procedures supported the IT infrastructure, business data and business information systems. The adoption of security procedures was based on the level of risk accepted. Two kinds of IS/IT security procedure were highlighted: first, security countermeasures (Cryptographic Coprocessor and Zip Specialty Processor, encryption/decryption, firewalling and intrusion prevention); and second, security controls (security monitoring, analysis and threat mitigation capabilities).

The web disclosures yielded little evidence of the involvement and role of individuals. They do show that some companies appear to be deeply involved in IS/IT security matters. However, failure to disclose information on a website does not mean that a company, and hence its board and senior managers, is not involved in IS/IT security.