Technology studied from the board's perspective - Update - Information Security Oversight - Brief Article
Internal Auditor, Feb, 2002 by Joanne Hodges
A recent survey of corporate directors and board advisors suggests that corporations rely heavily on the Internet for several important business functions. The "Information Security Oversight" study, conducted by the National Association of Corporate Directors and sponsored by KPMG's Audit Committee Institute in cooperation with The IIA, The Critical Infrastructure Assurance Office, and the U.S. Department of Commerce, included 250 corporate directors and 66 board advisors. Those polled indicated that 92 percent of their company employees use Internet technology for e-mail, 72 percent use it for research, 69 percent for corporate procurement, 62 percent for corporate sales, and 52 percent for corporate banking.
The survey results suggest that extensive use of Internet technology has led many boards to consider information security an important priority. Two-thirds of respondents regard information security as an integral part of the organization's risk management program, and almost 75 percent said that their organization has a formal information security policy -- one-half of which were formulated or approved by the board. However, only 25 percent of those polled said information security is raised as a board issue on an annual basis. In addition, one-fifth of the respondents believe information security is unrelated to risk. Another 70 percent of board members said they delegate oversight of information security to audit committees.
Representing companies ranging in size from a two-person shop to a 325,000-employee Fortune-500 retailer, respondents also confirmed that their companies had suffered many security breaches over the past year. Nearly half reported that some information security infringement directly affected Internet use. One-fifth said that their organization has suffered from a computer virus. Other problems, listed in descending order of frequency, include e-mail or Web-site intrusion, loss of software or data, and/or hacking. Less than one percent reported a denial-of-service attack or theft of proprietary product.
Given organizations' heavy use of the Internet and other information technologies, their vulnerability to attack, and the associated high cost, researchers recommend four essential board practices and related actions. Following these recommendations, they say, will help directors ensure that key company information -- and the systems and networks that store, manipulate, and transmit it -- are secure:
1. Place information security on the board's agenda.
2. Identify information security leaders, hold them accountable, and ensure support for them.
3. Ensure the effectiveness of the corporation's information security policy through review and approval.
4. Assign information security to a key committee.
For information on ordering the complete study, which includes details on implementing best practices, visit the NACD Web site at www.nacdonline.org.


