Information Governance and IT Law - Risk and Compliance Evaluation

Introduction

The UK is committed to an ambitious vision in which electronic networks will create an Information Society and Knowledge Economy. Information and Communication Technologies (ICT) hold the potential to revitalise UK business, to spur economic growth and competitiveness, to revolutionise working practices and living environments, and to transform government services and our democratic process. With the froth from the dotcom bubble out of the way, UK businesses are getting down to the serious task of harnessing ICT to make them more competitive.
However, it is clear that electronic networks will only be exploited if trust and confidence can be assured. Today, cyber-crime and information security incidents are deterring consumers and imposing costs on businesses. Tomorrow, as organisations become more dependent upon networks, insecurity will be a business-critical issue.

• The UK has an ambitious agenda to become a leader in the Knowledge Economy and to use ICT to transform public life
• Trust and confidence in information networks is vital to the achievement of this vision
• A clear national agenda has been articulated in Protecting the Digital Society
• The private sector should be capable of managing its own information risks via good corporate governance
• Corporate boards are increasingly aware of the importance of Information Assurance
• This awareness is not yet being translated into effective controls
• Boards need clear incentives and effective tools to enable them to realise the potential of the Knowledge Economy

I. Justify, based on the ideas of corporate and information governance and BS 7799 Part 1, the three key areas that a company should be concerned with in developing their Information Security Management System (ISMS), giving relevant examples based on the case study to illustrate your analysis.

There are numerous guidelines and standards relating to Information Assurance and security.
These range from the high level Guidelines on Information Security produced in 2002 in revised form by the Organisation for Economic Co-operation and Development (OECD), through risk assessment systems such as the Carnegie Mellon University (CMU)/Software Engineering Institute (SEI)'s OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), to the joint initiative by the National Security Agency (NSA) and National Institute of Standards and Technology (NIST) to promulgate minimum technical standards for system configuration.
What Boards require is a management standard that enables them to implement Turnbull in relation to information risk. The most prevalent such standard today is British Standard 7799 Code of Practice for Information Security Management, (Part I of which became International Standard 17799). Since the company’s servers and the Storage Area Network (SAN) for the UK operation are contained in two mirrored data centres, the three key areas that our company should be concerned with in developing their Information Security Management System (ISMS) are: 1.
BS 7799 is a comprehensive work of reference and is intended to facilitate the identification of a wide range of IA controls, which most IT environments in the industrial and commercial sectors will need. The Code contains a detailed set of controls that will satisfy the IA requirements of most IT environments across all functional domains, and a specification (BS 7799 Part II) against which compliance may be assessed. It also has a certification scheme linked to it, so that organisations can obtain independent confirmation that their information security management systems comply with the standard.