Governance of Enterprise Security: CyLab 2012 Report How ... - RSA
I. Introduction<br />
PURPOSE OF THE GOVERNANCE SURVEY<br />
CyLab’s first biennial Governance of Enterprise Security Survey (Governance Survey) was conducted in 2008, and the second in 2010. The surveys have been consistent and designed to determine:<br />
• Whether the claims of IT professionals that their boards and senior management were not paying attention to the security of their organizations’ data and information technology (IT) systems were valid<br />
• The degree to which boards of directors and officers (D&Os) were actually managing privacy and cybersecurity risks<br />
• The board and organizational structure for such governance<br />
• The degree to which companies were following best practices for privacy and security.<br />
The results of the 2008 and 2010 Governance Surveys confirmed that:<br />
• Boards and executives were not exercising adequate oversight of the privacy and security of their systems and data<br />
• Most companies did not have privacy and security executives<br />
• Most organizations were not engaging in key privacy and security activities that would help protect the organization from risk.<br />
The CyLab 2010 and 2012 Governance Surveys asked similar questions to determine whether governance over digital assets has improved. The 2012 report measures the progress made and identifies areas where boards and senior executives need to improve their oversight, and compares, where possible, the results from 2008 and 2010.<br />
BACKGROUND: DUTY OF BOARDS & DIRECTORS<br />
The governance responsibilities of D&Os have been in the spotlight since 2002 with the fall of Enron and Arthur Andersen and the enactment of Sarbanes-Oxley. The economic collapse in 2008-09 drew even more attention to board and executive responsibility for the management of risk. In addition, (1) natural disasters that have disrupted operations, (2) headlines that have resulted from data breaches, and (3) the loss of confidential and proprietary information from sophisticated cyber attacks have caused D&Os to wonder if their operations and data are secure and if corporate response plans are adequate.<br />
The dependency of all organizations upon information systems and global networks has extended governance responsibilities to the use of IT. What is IT governance? The IT Governance Institute (ITGI) states that:<br />
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. 2<br />
Carnegie Mellon CyLab<br />