Information security. It’s your responsibility.

Ensuring compliance with the growing body of legislation relating to corporate governance is a daunting task. Your statutory duties are now more demanding than ever before.

Sarbanes-Oxley, The Companies Bill, Basel II, the EU Data Protection Directive – the amount of corporate governance legislation grows every year.

Effective corporate governance demands the implementation of effective security controls over information and information systems. Without effective information security controls you cannot hope to manage IT risk and ensure compliance with laws and regulations relating to information processing and storage.

Information security controls:

  • can protect returns on investment in IT by protecting IT assets and managing their use;
  • will reduce the risk of reputational loss or damage;
  • can help you to meet your company’s legal and regulatory requirements;
  • are vital elements of effective risk assessment and risk management processes.

Security governance is about achieving two key objectives.

The first is ensuring compliance with the legislation and regulations that apply to your company; the second is being able to demonstrate effective information security in every area of your business. We’re not talking nirvana – these objectives can be achieved by a variety of means. For example:

  • devising an information risk management strategy (which would integrate seamlessly within the company’s overall risk management strategy);
  • implementing pragmatic and realistic security policies, standards and procedures which guide the company, its employees and business partners on how to process and store information securely;
  • having effective and usable regulatory compliance management tools and reporting mechanisms to make sure that senior management can report confidently that the right information security controls for your company are in place and working.

Deloitte’s UK security team have helped clients in industries and countries across the globe to implement world class security governance solutions.

Information risk management

Effective risk management is one of the cornerstones of corporate governance. At Deloitte we also understand that information risk management should be handled in line with your broader corporate risk profile.

We can help you to develop an effective programme to identify, monitor and manage risks within your information systems. We can help you to establish risk assessment processes that are appropriate for your business – and also provide a joined-up approach with your information security controls.

Security policies and standards

Full compliance with a heavyweight security standard is not for everyone. But it is a powerful way to demonstrate your company’s information security governance to shareholders and clients.

The Deloitte security team have helped companies across the world to implement standards and frameworks such as ITIL, BS 7799/ISO 17799 and CobiT. We understand how these can best add value to your organisation.

Most importantly, we understand how compliance with information security standards should fit within the broader remit of technology assurance and overall corporate governance.

Regulatory compliance

Full compliance with legislation and regulation is a time-consuming overhead which can be worrying and confusing.

What aspects of the EU Data Protection Directive are relevant to your business? How can you ensure your treatment of data complies with the Data Protection Act that implements it in the UK?

Have your security controls been implemented in line with the Computer Misuse Act?

Does the New Basel Capital Accord have implications for the way your business deals with information risk?

Deloitte can help you understand exactly what rules apply to your business, and how best to approach compliance.

Why Deloitte?

Deloitte is a name known and trusted by key stakeholders, including Boards, Audit Committees and, ultimately, the markets. We are the most diverse Professional Services & Consultancy firm, thereby maintaining access to a wealth of experience that is not available to our direct competitors.

What we provide is technology assurance. We cannot guarantee that your infrastructure will never fail or be compromised. But we can ensure that:

  • information risks are effectively managed;
  • information security is handled in line with internationally accepted standards of best practice; and
  • your organisation’s security policies and controls comply with all relevant laws and regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.