This snapshot taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Cabinet Office


Information Assurance Governance Framework

Background

Corporate Governance

In recent years there has been an increasing emphasis on corporate governance: those processes and procedures which ensure an appropriate level of responsibility and accountability in the direction of the organisation.

The Sarbanes–Oxley Act in the US and the Turnbull report in the UK both reflect this increasing concern.

At the heart of governance is the proper management of risk. Key points underpinning corporate governance are that:

The framework is concerned with managing risks to information within an overall structure of corporate governance, i.e. the process of IA Governance.

Definition: IA Governance – ensuring stakeholder confidence that Information Systems risk is managed pragmatically, appropriately, and in a cost-effective manner.

IA governance is therefore an integral element of corporate governance, in two senses. Firstly, it protects records maintained by the organisation in order to support the notion of accountability. Secondly, since in most cases an organisation will be crucially dependent on its information assets, the protection of those assets is part of good business practice and a demonstration of a responsible approach.

The independent view on IA and the importance of information risk management can be seen, for example, in the work of the Information Assurance Advisory Council (IAAC) and the Information Security Forum (ISF).

Key Principles

All Central Government departments are required by the Cabinet Secretary to manage the risks to their key information systems by:

Information risk management secures information of UK national interest, assists with the development of electronic government and promotes confidence in those parts of government which form part of the CNI.

Whilst this principle has been expressed in terms of Central Government departments, the concept of alignment with an accepted standard and the ongoing monitoring of effectiveness are applicable across the wider public sector.

The Role of Standardisation

The international standard for information security management, ISO/IEC 17799, is a key element of the governance framework. It ties the Information Security Management System of an organisation to the internal business processes, and provides a statement of best practice for organisations managing information confidentiality, integrity and availability.

The standard is applicable not only to commercial systems but also across government, from Central Government departments to Local Authorities (LAs) and Non-Departmental Public Bodies (NDPBs).

The standard developed from British Standard 7799 (BS7799), and at the time of writing the relationship between the two is that:

The standardisation achieved through ISO/IEC 17799 supports the move to have policy that is accessible both to Central Government departments and also to the wider public sector.

Implementation of the ISO standard and the application of information risk management are vital for promoting public trust in government.
