Information Security: A Corporate Governance Issue

  • E. Kritzinger von Solms
  • L. A. M. Strous
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 124)


Information is a valuable resource for any organisation today and is critical to its success. The corporate board is responsible for the success of the organisation; therefore the board is also responsible for information security in the organisation. This paper addresses two questions: whether the current reference documents on corporate governance pay sufficient attention to information security, and whether reference documents on security management and baseline controls sufficiently recognise their relationship with internal control systems and the governance framework, and specifically pay attention to the responsibilities of the corporate board with respect to information security.

Key words

information security management, internal control, corporate governance, IT governance



Copyright information

© IFIP International Federation for Information Processing 2003

Authors and Affiliations

  • E. Kritzinger von Solms (1)
  • L. A. M. Strous (2)
  1. Department of Computer Science and Information Systems, University of South Africa, Pretoria, South Africa
  2. Payment Systems Policy Department, De Nederlandsche Bank NV, Amsterdam, The Netherlands
