In many respects, identifying the sources of cyber risk is a relatively straightforward task. Almost all Internet risks spring from one or more of three sources:
• variable reliability and application of technology;
• uncertainty surrounding legal and regulatory compliance issues;
• problematic behaviour of personnel in employing and operating Internet technologies.
These types of concern tend not to arise so critically in traditional business and professional environments where procedures are well established, codes and protocols govern business and professional conduct, and models and channels for providing goods and services are conventional.
Internet technologies are disruptive. They introduce new models for the provision of goods and services based on a global platform and in an environment where communications are instantaneous, paper records are subsumed in digital content, and speed, efficiency and cost-effectiveness are paramount.
In such a challenging environment, risks abound and are not always easy to identify. In fact, the risks are so numerous, it is virtually impossible to assemble a comprehensive catalogue of Internet risks, not least because they differ from organisation to organisation – and what may be a risk for one concern may present no problem to another.
The real challenge in addressing Internet risk lies in developing a strategy complemented by an appropriate framework for identifying, categorising and assessing it, and deploying responsibility and accountability for its containment and management.
The decision of an organisation to employ Internet technologies to achieve its goals, like any other strategy, is a decision for boards of directors, or partners in the case of a partnership. It is the task of boards and partners to set the strategy of an organisation.
Internet technologies and IT are now vital for the effective performance of any business or professional organisation. Without these technologies, organisations will almost certainly be unable to compete effectively in their respective markets and probably will be unable to survive.
Organisations rely on IT for:
• supporting supply and demand functions;
• streamlining business processes;
• developing and maintaining a global presence;
• supporting niche business and professional services;
• performing competitively in markets that involve instant and global communications;
• administering the operations of their personnel.
Given the critical importance of IT to any organisation, it is imperative that IT and Internet strategies are managed and administered competently and effectively. Internet and IT strategies that are misaligned with business goals and objectives, managed without forethought and planning, inadequately resourced with up-to-date IT, and assigned low priority at board level will almost certainly cause an organisation to underperform relative to its competitors, to the extent that eventually it will fail in its chosen marketplace.
Critical to the efficient management and successful implementation of the strategy of any organisation is the effective adoption of good governance principles. Essentially, governance is the control and regulation of an organisation, reflected in good order and competent management.
For the purposes of considering Internet risk in the context of governance principles, there are three areas of governance to be addressed: corporate governance, IT governance and project governance.
At either board or partnership level, corporate governance is defined by certain well-recognised categories of management conduct:
• clearly defined roles of line-management responsibility and accountability throughout the organisation;
• transparent decision making at all levels throughout the organisation;
• the taking into account of the interests of shareholders and other stakeholders, such as employees, suppliers, creditors and business referral sources;
• addressing risk issues confronting the organisation, including legal and regulatory compliance and information security.
The range and categories of Internet risk discussed in the previous chapters are quite clearly strategic risks. Even those risks that are categorised as arising in an operational context have significant strategic implications.
In the context of IT risks, failure to encrypt e-mail may result in breaches of confidential data, which may in turn affect the organisation’s reputation.
In the context of legal and compliance risks, failure to comply with the Data Protection Act 1998 (DPA) may result in the prosecution and conviction of an organisation and its employees.
In the context of operational risk, the circulation of obscene material on an employer’s e-mail system may also result in prosecution of an organisation and its employees.
Each of these three examples offers the potential for an organisation’s reputation to be significantly damaged in a global market.
Managing Internet risk, therefore, clearly involves making strategic decisions at board or partner level. In any organisation, the responsibility for identification, development and execution of a strategy lies with the Board or Partnership. It is at that level that the nature, scope and oversight of the implementation of a strategy are decided.
Internet risks can be highly complex. They frequently require an understanding and knowledge of complicated IT and obscure legal and regulatory provisions. The consequences for any mismanagement can be significant and may affect the very existence of the organisation.
The primary statutory framework governing corporate bodies is the Companies Act 2006, which consolidates and adds to previous legislation. Sections 171–177 govern directors’ duties and may be summarised as:
• acting within their powers;
• promoting the success of the company;
• exercising independent judgement;
• exercising reasonable care, skill and diligence;
• avoiding conflict of interest;
• declining benefits from third parties;
• declaring any interest in transactions and arrangements.
The primary non-statutory framework governing corporate bodies is the Combined Code on Corporate Governance 2008, which provides a framework within which directors are able to develop and improve an organisation’s performance by addressing the interests of shareholders and which refers to the governance criteria discussed earlier.
Companies listed on the Alternative Investment Market (AIM) in the UK are subject to Corporate Governance Guidelines for AIM Companies 2007, published by the Quoted Companies Alliance and designed to help organisations develop frameworks that accommodate corporate governance principles.
The principles of IT governance are a subset of corporate governance principles. They introduce a framework of leadership, structure, business processes, standards and compliance requirements designed to ensure that an IT strategy supports, and remains aligned with, an organisation’s objectives.
IT governance frameworks are supported by various tools in the form of methodologies, standards and compliance legislation. It is often mistakenly believed that these ‘supports’ are IT governance. They are not. They are the tools by, and with, which IT governance principles are implemented.
IT governance is a framework that defines the management infrastructure, organisational procedures and compliance requirements, including lines of responsibility, accountability and transparency, and decision-making processes at the various levels of the organisation, all of which operate in the context of IT achieving an organisation’s business objectives.
Although IT governance may be implemented at operational level, its substance, direction and oversight are a matter for the Board or Partners. Directing strategy is a Board or Partnership function, and ensuring that an IT strategy remains aligned with organisational goals is likewise a strategic issue.
Why should an organisation adopt IT governance principles? There are a number of important reasons:
• the need to support corporate governance principles;
• the need for a management framework to protect confidential data;
• the need for a framework to manage IT risk – of which the range and categories of Internet risk are typical examples;
• the need to develop a competitive edge by effective execution of the Board’s or Partners’ strategy.
Alan Calder¹ suggests that designing an IT governance framework involves eight key decision areas:
1 IT governance principles and decision-making hierarchy.
2 An information strategy derived from the business strategy.
3 IT risk management in the context of the organisation’s overall risk management framework.
4 Software applications – how business applications are developed, authorised, acquired and managed.
5 Information and communications technology (ICT) architecture (integration and standardisation) to meet the requirements of the information and applications strategy.
6 ICT infrastructure/technology – how IT services are specified, developed, authorised, acquired and managed – what services should be outsourced, why and to whom.
7 ICT investment and project governance – given the IT strategy, which IT initiatives (including outsourcing initiatives) should be implemented and how they should be managed.
8 Information compliance and security – the criteria for securing information and achieving legal/regulatory compliance.
In the case of a company, Calder suggests that the governance structure should comprise:
• a board steering committee comprising key board members and executives, including the chief executive officer, the chief finance officer and the chief compliance officer – and the functions of which would be oversight of the organisation’s whole IT operations, with project governance (of which Internet risk management is a typical example) singled out as a particularly important area for board oversight and monitoring;
• an executive committee comprising appropriate business managers, including a chief information officer to ensure cost-effective implementation of the Board’s strategy – and the functions of which would be to exercise powers of delegation to appropriate levels;
• a technology committee comprising IT personnel and business managers with appropriate theoretical and practical skills.
Various views are advanced for the formation and composition of a governance framework. Much depends on the nature of the organisation’s IT infrastructure and function, current IT projects and the availability of suitable personnel. A single model framework is unlikely to be sufficiently comprehensive to suit all organisations.
Some general principles that emerge as issues to be addressed within IT governance frameworks include:
• IT and business strategies;
• risk and compliance strategies;
• implementation and performance strategies;
• monitoring, reporting and auditing processes;
• value delivery;
• resource allocation.
The frameworks generally advocated for implementation consist of:
• a board of directors (or partners) to identify, set and drive the strategy;
• a management board to ensure implementation and compliance;
• a technology board to bring expertise where required;
• an operational board to address implementation;
• a project team to progress and manage projects;
• a programme management team to manage the organisation’s portfolio of current IT projects.
These frameworks can be applied equally to partnerships. Most medium-sized and large partnerships in many ways now resemble large corporate bodies and delegate the operational direction of strategic partnership decisions to partnership committees.
Partnerships of any size usually assign specific management functions to specific partners and it is common for there to be a managing partner, a risk partner and a finance partner although, curiously, ‘information security’ partners are rare.
Nonetheless, with thought and planning, there is no reason why the IT governance issues and framework composition described above cannot be implemented by partnerships, with the support of consultancy expertise where required.
The management of Internet risk is a vital project to which the principles of IT governance should be applied. The risks identified in the previous chapters permeate through the IT, legal and compliance, and operational functions of every organisation. Effective management of these risks is vital to the survival of most organisations, if not commercially then certainly professionally.
Various reasons are commonly advanced for the failure of IT projects. They are:
• uncoordinated and misaligned processes;
• poor relationships between personnel and teams managing and implementing the project;
• inadequate skills and experience;
• inadequate resources.
Just as some organisations, particularly professional bodies, show little enthusiasm for IT, so IT governance principles are frequently misunderstood.
The management of Internet risk is subject to project failure in just the same way as any other IT project and the implementation of an IT governance framework should be a priority. However, a governance framework is unlikely to succeed without appropriate tools – standards and methodologies – to support its implementation.
Certain standards and methodologies have been developed to address the need for a systematic and methodical approach to developing an IT governance framework and the application of IT governance principles. In the context of Internet risk, they establish principles by which an organisation develops, implements, manages, controls, monitors, audits and reviews an Internet risk project.
COBIT (Control Objectives for Information and related Technology) is a standard for best practice and is essentially an IT governance control framework to maximise investment in IT and provide controls.
COBIT’s fundamental premise is that the framework helps to ensure that IT strategies and projects remain aligned with business requirements. It helps to achieve this by suggesting management controls and resources and combining them into an identifiable model for application to strategies and projects. Further details of this methodology can be found at www.isaca.org/cobit.
BS ISO/IEC 38500:2008
An IT governance framework, such as that described above, can be complemented by adoption of BS ISO/IEC 38500:2008, the international standard for corporate governance of information technology. Note that ISO/IEC 38500 is a guidance standard setting out principles for directors; it is not a management-system standard against which an organisation can be certified.
The standard offers guidance to directors of organisations on the most effective use of IT and is designed to give confidence to stakeholders of all descriptions in an organisation’s application of corporate governance principles in IT.
One of the key benefits is the ability to manage risk more effectively because the standard provides a framework within which to help directors and senior management to address legal and ethical responsibilities.
The standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organisation. These processes could be controlled by IT specialists within the organisation or external service providers, or by business units within the organisation.
The purpose of this standard is to promote effective, efficient and acceptable use of IT in all organisations by:
• assuring stakeholders that, if the standard is followed, they can have confidence in the organisation’s corporate governance of IT;
• informing and guiding directors in governing the use of IT in their organisation;
• providing a basis for objective evaluation of the corporate governance of IT.
The standard provides guidance to senior managers; members of groups monitoring the resources within the organisation; external business or technical specialists, such as legal or accounting specialists; retail associations or professional bodies; vendors of hardware, software, communications and other IT products; internal and external service providers (including consultants); and IT auditors.² The standard identifies six principles:
• Responsibility: individuals and groups within the organisation understand and accept their responsibilities for IT;
• Strategy: the organisation’s business strategy takes account of the current and future capabilities of IT;
• Acquisition: IT is acquired for valid reasons on the basis of appropriate and ongoing analysis;
• Performance: IT is fit for purpose in supporting the organisation;
• Conformance: IT complies with all mandatory legislation and regulations;
• Human behaviour: IT policies and practices respect the needs of the people involved.
How might the six principles contained in the standard be applied to managing Internet risk? It must be remembered that the governance role of the Board or Partners is to set the strategy, establish and oversee lines of responsibility and accountability, ensure transparency, have regard to stakeholder interests and adopt an appropriate risk management strategy to include compliance and information security. Below are suggested some general applications for each principle.
Responsibility: the Board or Partners must recognise the importance of Internet technologies in providing the organisation’s services and that managing the risks associated with Internet technologies is an essential element of this responsibility.
Strategy: the Board or Partners determine and set the organisation’s Internet strategy in terms of the IT to be employed, the resources to be made available for its implementation and the resources in terms of finance and personnel to be directed at implementing a risk management strategy.
Acquisition: the Board or Partners must base their decisions on a clear analysis of the advantages and disadvantages, together with the risks and associated costs.
In this context, the Board and Partners should consider, for example:
• the business case, including the risks of using Internet technologies for providing services;
• the operational case, including the risks of using Internet technologies;
• the IT implications and the need to devote additional IT resources to manage Internet risks;
• the financial implications of an Internet risk management strategy, particularly the cost of deploying new IT and possibly recruiting new personnel.
Performance: the Board or Partners must decide how the use of Internet technologies and the management of risks associated with them will provide the required services and, at the same time, satisfy the needs of shareholders and stakeholders. Examples of particular considerations might be:
• the suitability of the organisation’s existing Internet technology for the provision of its present and future services;
• the skills and capabilities of the organisation’s current personnel for maintaining and improving service levels;
• the need for, and the cost of, additional resources for developing and maintaining an Internet technology risk management strategy;
• the extent to which the development and implementation of such a strategy will impact on the overall performance of the organisation;
• the need for a management structure or framework dedicated to the management of Internet risk and compliance.
Conformance: the Board or Partners must assess the implications of using Internet technologies for the provision of services in the context of legal and regulatory compliance.
For example, the Board or Partners should examine:
• the implications of compliance with the DPA;
• the implications of compliance with the provisions governing employee use of e-mail and accessing the World Wide Web in the workplace;
• the implications of complying with industry, trade or professional codes of practice.
It is the responsibility of the Board or Partners to establish the full extent of the organisation’s exposure to liability for non-compliance. The Board or Partners should, therefore, promulgate policies and procedures addressing compliance issues among all personnel at all levels.
Human behaviour: it is widely recognised that in the context of information security, the great majority of incidents (some commentators have suggested as many as 70%) arise from human error. It is the responsibility of the Board or Partners to ensure that personnel are trained to understand their responsibilities.
This is a key principle of corporate governance which begins with the Board’s or Partners’ responsibility to establish clearly defined lines of accountability and responsibility throughout the organisation.
The Board or Partners should promulgate suitable policies and procedures to be observed, for instance, in respect of the use of e-mail, the handling of confidential data, or engaging in social networking sites.
COSO
COSO (www.coso.org), the Committee of Sponsoring Organizations of the Treadway Commission, was created in 1985 by a number of influential finance, auditing and accounting organisations with the objectives of identifying the key causes of fraudulent financial reporting and making recommendations for its prevention through internal controls. The COSO framework is set out in the report Internal Control – Integrated Framework (1992).
Internal controls are measures introduced by a board of directors or partnership designed to provide confidence in an organisation’s operations, financial reporting and legal and regulatory compliance.
Internal controls are described simply as processes (not documents) that provide reasonable assurance that the organisation’s projects are aligned with its business goals.
COSO has become closely linked with Section 404 of the Sarbanes–Oxley Act 2002, which requires management to assess and report annually on the effectiveness of the organisation’s internal control over financial reporting and to disclose any material weaknesses identified; the COSO framework is the one most commonly used as the basis for that assessment.
It is important to understand that certification and implementation of methodologies are not IT governance, although they may be evidence of this. IT governance is the framework of leadership, organisational infrastructure and business processes. Standards and methodologies are tools employed in implementing an IT governance framework.
The principles of corporate governance are extended by the concept of IT governance and its various tools and methodologies which establish a framework for the implementation of any IT strategies introduced by the Directors or Partners.
The management of Internet risk is a project in the same way that any other activity of an organisation is a project. More precisely, the management of Internet risk is a series of connected projects.
For instance, the implementation of organisation-wide encryption of e-mail, perhaps internally, and externally with preferred clients or strategic allies, is a project. Development of a website through which financial transactions can be concluded is another project. A third project might be organisation-wide deployment of a business continuity and disaster recovery plan.
Internet risk management involves a series of individual projects which may or may not be related. However, if Internet risk is to be managed effectively, the series of projects undertaken by an organisation should amount to a co-ordinated, organised and logical set of projects. This is often referred to as programme portfolio management.
It is difficult to find a comprehensive, universally accepted definition of the word ‘project’. Essentially, a project is a task to which are usually attached specific time limits and objectives and which is usually performed by a team with the appropriate skills for achieving its objectives.
In the case of Internet risk, whatever the nature of the individual project, there will almost certainly be:
• time criticality;
• the need for a team;
• the need for skills, for example in the areas of IT and legal and compliance issues.
Like corporate governance and IT governance, project governance is a framework for the delivery and achievement of a project’s objectives through application of the governance principles of transparency, responsibility, accountability, compliance and risk management.
Implementation involves securing and managing the required resources, adapting to change, and monitoring and auditing performance. In the governance hierarchy, project governance sits below corporate governance, alongside IT governance, and above project management.
The objectives of a project governance framework are to:
• keep the project aligned with the strategic objectives of the organisation for its duration;
• continually audit the resources consumed against their cost;
• deploy resources, so that the project provides maximum value and benefit to the organisation;
• provide a formal and structured approach to risk management;
• apply recognised best practice project management methodologies.
Project governance features are based on the same principles as corporate governance and IT governance: responsibility, accountability and transparency, and in many respects project governance features mirror them.
The key features of a project governance framework are:
• leadership and commitment from the Board or Partners;
• a clear management, executive, operational and administrative committee structure for approval, monitoring and audit processes, including if necessary a specific risk management committee;
• within the committee infrastructure, the assignment of clear line-management responsibility and accountability at all levels with defined timescales and goals;
• within, above and below the committee infrastructure, the establishment of clear communication channels;
• specified objectives communicated to all stakeholders, including customers and clients;
• defined project procedures and processes aligned with measurable business objectives and IT infrastructures designed for realising a return on investment;
• adoption of recognised project management methodologies;
• dedication of adequate and relevant resources;
• provision for independent monitoring and reporting.
Because the potential for project failure is so significant, every project should possess certain characteristics such as:
• effective sponsorship;
• clear objectives;
• skilled and competent team members;
• recognised methodologies;
• lines of responsibility and accountability;
• awareness of stakeholder interest;
• analysis of the organisation’s existing portfolio of projects.
Project governance methodology is the process of applying governance principles to the management of a project in order to maximise the chance of the project fulfilling its business objective. Methodologies support project governance; they are not, in themselves, a governance framework. They are aids to implementing project governance principles.
PRINCE2
The most widely applied project methodology is PRINCE2 (PRojects IN Controlled Environments, www.prince2.com). The most recent version of the PRINCE2 manual was published in June 2009.³ It is a process-based method used widely by the UK government and provides best-practice guidance on project management.
It introduces seven themes of project management: the business case, organisation, quality, plans, risk, change and progress.
The seven processes that support these themes are starting up a project, directing a project, initiating a project, controlling a stage, managing product delivery, managing a stage boundary and closing a project.
The methodology addresses the importance of the business environment and identifies and considers the essential roles required for managing a project, supported by process-based checklists.
PRINCE2 can be adopted for all types of project, large or small, although a small project may not justify adoption of each aspect, in which event the organisation can implement only the relevant features of the methodology.
BS 6079:2002
BS 6079⁴ is the current British Standard on project management. Its Part 1, BS 6079-1:2002, is a guide to project management that provides guidance for various personnel on the techniques of planning, managing and implementing projects; it is a guide rather than a certification scheme. Work has begun on an international standard, ISO 21500.
PPM
PPM is the integrated management of a portfolio of projects designed to deliver strategic business benefit.
PPM organises projects so as to enable an organisation to ensure it adopts a mix of projects which is consistent with business objectives. This ensures the organisation’s overall project strategy and selection is tailored to its needs and remains aligned with corporate obligations.
The benefits of PPM are significant. Effective PPM offers flexibility in terms of an organisation’s response to market forces. A wider range of solutions becomes available and can be more appropriately assessed. PPM enables an organisation to weigh up and compare issues such as risk, cost, investment and commitment of resources, and to prioritise them appropriately across a range of selected projects.
PPM is organised and conducted by a programme management office (PMO), which provides guidance in respect of, for instance, the suitability of projects for inclusion in a portfolio, risk profiles, availability of personnel and resources.
An organisation embarking on a comprehensive Internet risk management project should consider the introduction of a PPM process in order to maintain control of the varied, sometimes complex, and sometimes interconnected mix of risks to which Internet technologies give rise.
Val IT 2.0
Val IT 2.0 is a governance framework and is concerned with the management of an organisation’s portfolio of investment in projects so as to ensure an adequate return on investment for the organisation.
In essence, the principles of Val IT 2.0 address the need to manage investments in IT in a prescribed way, defining them in categories, tracking their performance, ensuring that stakeholder interests are recognised and assigning lines of accountability during the life of the investment.
In the case of Internet risk, an example of a useful application of this methodology might be the introduction of an e-mail encryption strategy. Although the technology is well established, end-to-end encryption of e-mail is still not widely adopted in practice. An organisation might employ the methodology to decide whether or not embarking on such a course would provide an adequate return on investment in the long run.
Val IT is explained in a series of white papers published by the IT Governance Institute (www.itgi.org), which set out the various management practices to be adopted in the areas of value governance, portfolio management and investment management. Ultimately, the Board of Directors or Partners are responsible and accountable to stakeholders in the organisation to ensure that business investments and resources deliver adequate business value.
A key component for the effective and successful application of corporate, IT and project governance principles is a methodical and comprehensive assessment and management of risk. No matter how conscientiously governance principles are applied, unless the Board or Partners conduct an analysis of the risks attendant upon an Internet technology strategy, there is not only considerable scope for strategic and operational project failure but, worse, the potential for civil or even criminal proceedings.
A key development in the management of Internet risk is the code of practice, BS 31100:2008, for risk management, which provides recommendations for the framework, process and implementation of a risk management strategy.
The principles of risk assessment are addressed in the next chapter and principles for the management of Internet risk are addressed in Chapter 7.
1 IT Governance Guidelines for Directors, Calder A, IT Governance (2005).
2 Permission to reproduce from the BSI website is granted by BSI (see footnote on page 155).
3 See, for instance, Managing and Successfully Directing Projects with PRINCE2™, Murray A, Outperform, © TSO 2009, © PRINCE2 2009, Overview Brochure.
4 Permission to reproduce from the BSI website is granted by BSI (see footnote on page 155).