January 2009 Governance IT Compliance Framework
A general introduction to Governance, Risk and Compliance in the context of the Governance IT compliant eMail Archiving Service

What is governance, risk
The benefits of compli-
GRC in the context of

A Governance, Risk and Compliance framework for electronic

While the need for governance has always existed, corporate governance and particularly risk management has been given centre stage as a consequence of a number of high profile business collapses such as Enron, Arthur Andersen and WorldCom. Tightening economic prospects, both at a national and international level, will only raise the bar for good governance for companies of all sizes, both in respect to customers and shareholders.

As a result, there is greater pressure from investors, stakeholders and the public for further transparency of financial reporting and internal controls, together with the broadening of directors' responsibilities to safeguard their interests in terms of ensuring that financial controls and systems are robust and defensible.

It is becoming common knowledge that national legislation and international standards such as Sarbanes-Oxley, Basel II, and requirements of the FSA in the financial sector, have made directors liable if they fail to ensure that accountable risk management frameworks are established and maintained in their organizations.

Furthermore, there is the question of how this should be addressed in a world where electronic communication is the de facto form of communication, knows no borders, is easily accessible and where few – if any – controls are practiced.

This document looks at the critical role of how standards - such as ISO 27001 - can help form part of an organization's risk and compliance framework, to help towards providing and managing the operational risk profile of the organization and thereby contributing to an overall structure of corporate governance.

Corporate governance has taken centre stage in the management forum, and consequently it has become a marketing factor for many organizations facing prospective clients and business partners.

What is less understood is what is meant in practical terms by a risk management framework and how this relates to companies of all sizes.

21% of employee e-mail subpoenaed by courts & regulators.
13% of companies have battled lawsuits triggered by employee e-mail.
65% of companies lack e-mail retention policies.
94% of companies fail to retain & archive IM.
46% of companies offer employees NO e-mail
50% of workplace IM users send/receive risky content including gossip, confidential info, porn.
Source: 2004 Workplace E-Mail and IM Survey from Association

Governance, Risk and Compliance as a service

Organizations wishing to manage information security and risk need to implement an information security management system (ISMS), which is exactly why we chose the ISO 27001 framework.

The ISMS should include risk assessment, risk management, audit compliance and a management framework to ensure that true business benefits are realized from implementing ISO 27001, and the infrastructure to ensure its maintenance going forward.

The central design point for our ISMS services has therefore been to ameliorate the arduous task of defining a comprehensive and certifiable set of policies and procedures, and to hard-wire these into a combined hardware, software and services offering.

Implementing the Governance IT services offering is therefore simply a matter of setting the baseline of company users. Cont. Pg. 2.
ISO 27001—The Governance IT Compliance Backbone

The primary goal of ISO 27001 within a corporate governance context is, via asset identification, valuation, business impact assessment and risk assessment, to develop an intimate knowledge of the business activity under examination.

Without this risk identification and risk assessment there is a danger of being ill-informed and of undiscovered risk 'blind spots'.

ISO 27001 is far broader than just IT: it encompasses an entire business function and its supporting back office processes. It spans and affects every part of the organization (and those of trusted third parties) and can add to or subtract from an organization's bottom line.

It can improve the way an entire department is operated and provide reassurance to senior managers, internal customers and external clients; put simply, it provides the assurance to stakeholders or shareholders that controls mandated under an organization's contractual, legislative and regulatory requirements are met.

ISO 27001 is the new "benchmark" for Information Security Management. It requires an organization to establish a risk management framework that enables it to manage, review and improve the overall health of information security and risk under one management system, or "information security management system" (ISMS).

Whatever your business requirement to demonstrate and manage information security and corporate governance, it all originates from one simple principle - good and effective risk management.

It is for these reasons that the Governance IT Archiving services are based on and deliver on the promises of the ISO 27001 standard.

"companies only do what is absolutely necessary and hope that the rest will not fall apart"
Van Hauser of The Hacker's Choice - Heard on BBC World

What are the Information Security Imperatives

• An improved understanding of the information and other assets, and of business processes themselves, across the organisation
• Real tangible evidence of cost reduction through better risk management and reduction of impact caused by exploitation of threats
• Better cost/benefit analysis to ensure return on investment when taking decisions on going forward with business initiatives
• An easier process of monitoring effectiveness of the ISMS (e.g. less labour intensive, for example if using tools), which also provides a means of self check
• Reduction of security incidents and better understanding of their root causes
• Greater staff security awareness, motivating staff to support when senior management set security and risk management targets
• Proactive measuring tools that can prevent problems arising at a later date (e.g. network bottlenecks, disk clutter, development of poor human practices)
• Tangible evidence to auditors, and assurance to senior management, that you are in control

Governance, Risk and Compliance as a service—continued

An ISO 27001 certified ISMS based solution will provide an important foundation for any overall certification process the company chooses to implement.

The Governance IT certified policies and processes tell existing and potential customers, as well as regulators, that you have defined and put in place effective information security processes, thereby helping to create a trusting relationship.

A pre-tailored ISO 27001 certification will cost a fraction of a full audit and demonstrates the existence of a best-practice based information security infrastructure.

The certification process also helps the organization focus on continuously improving its information security processes.

ISO 27001 can be easily mapped to and contribute towards an ITIL environment and a COBIT effective IT control framework, thus providing transparency of services and greater management.

ISO 27001 is also an effective response to information risks identified in any COSO-type enterprise risk management framework.

The Information Systems Audit and Control Association (www.isaca.org) has reported that a number of recently issued documents are the result of continuing efforts to define, assess, report on, and improve internal control.
What are the challenges to corporate good governance?

The United Kingdom has in many ways acted as a leading exponent of governance, risk and compliance within the European context. The Revised Turnbull Guidelines on Internal Control (Oct 2005) require UK listed companies and organizations to establish a security management framework, which is similar to the definition of an Information Security Management System (ISMS) defined within ISO/IEC 27001:2005 ("ISO 27001").

This Standard discusses and mandates risk assessment and risk management, and requires organizations to ensure they can demonstrate the relationship between controls implemented to mitigate or reduce risks, and how they must manage and accept risks.

This means that:
• The corporate governance framework should be developed with a view to its impact on overall economic performance, market integrity and the incentives it creates for market participants and the promotion of transparent and efficient markets
• The legal and regulatory requirements that affect corporate governance practices in a jurisdiction should be consistent with the rule of law, transparent and enforceable
• The division of responsibilities among different authorities in a jurisdiction should be clearly articulated and ensure that the public interest is served
• Supervisory, regulatory and enforcement authorities should have the authority, integrity and resources to fulfil their duties in a professional and objective manner.

Source: OECD Principles of Corporate Governance 2004

Governance Best Practices

According to findings by the IBM Data Governance Council, the top governance challenges today are:
• Inconsistent data governance, which can cause a disconnect between business goals and IT programs.
• Governance policies are not linked to reporting.
• Risks are not addressed from a [...] with common data [...] calculation processes.
• Metadata and business glossaries are not used to bridge semantic differences in global enterprises.
• Few technologies exist today to assess data asset values that link security, privacy and compliance.
• Controls and [...] deployed before long-[...]

In the general context of Compliance Frameworks

In the context of good governance it is important to recognize other existing supporting management frameworks that currently support corporate governance.

Control Objectives for Information and related Technology (COBIT) can be used at the highest level of IT governance, providing an overall control framework based on an IT process model that is intended to generically suit every organization.

COBIT adapted its definition of control from COSO, i.e. the policies, procedures, practices, and organizational structures should be designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.

There is also a need for detailed, standardized processes. Specific practices and standards, such as ITIL and ISO 27001, also cover specific areas that can be mapped to the COBIT framework, thus providing a hierarchy of guidance materials. In addition, each of the 34 IT processes and high-level control objectives can be specifically mapped to sections within ISO 27001. COBIT and ISO 27001 can work together as a framework for providing assurance.

COSO defines internal control as: a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations.

COSO emphasizes that the internal control system is a tool of, but not a substitute for, management and that controls should be built into, rather than built onto, operating activities. Although it defines internal control as a process, it recommends evaluating the effectiveness of internal control as at a point in time, similar to that now found in the clauses of ISO 27001 - see Clause 4.2.2, measuring the effectiveness of controls selected.

From this, you can see that COBIT, COSO and SAC allow greater alignment with other supporting standards (i.e. ISO 27001, ISO 9000, ISO 20000, ISO 18000) to help ensure any audit and compliance framework can potentially benefit from managing, and subsequently auditing, one management system.

The introduction of the Sarbanes-Oxley Act also places strict requirements on directors and financial officers to ensure their systems have acceptable controls in place when signing off on accounts (SOX only affects companies if they, or their subsidiaries, are listed on the USA stock market).

Accordingly, Sarbanes-Oxley, COBIT and COSO all provide a similar framework for organizations to meet regulatory requirements. By implementing control procedures using COSO directives and COBIT business and IT governance objectives, corporate governance can be satisfied.

Once these control procedures are functioning correctly, directors and corporate boards will be able to sign off financial reports as required under s302 and s404 of the Sarbanes-Oxley Act with the knowledge that they are in compliance.
DK 2300 København
Tel: +45 7026 0350

We deliver….. Good Governance

Governance IT A/S is a company founded with the goal of delivering a comprehensive and certified Information Management Security System (ISMS) specific to eMails and other eCommunications.

Our service is an IBM Express Advantage Solution which includes IBM hardware, software, content and education—all of which is supported by our service desk.

This is why we are able to deliver Governance, Risk and Compliance as a service.

The Governance IT services provide out of the box policies and procedures for the implementation of a comprehensive Information Management Security System (ISMS) based on the ISO 27001 standard.

If you would like to find out more about how we can help you manage your eMail and reduce risk in your organization, visit our website or contact us directly for a free trial and evaluation.

The Governance IT Compliance Framework

Industry and leading standards bodies, such as the ISACA, International Security Forum, International Standards Organisation and British Standards Institute, are all working to get a grip on the topic of eMail information security. Using existing management systems to achieve corporate governance and identifying synergies between COSO, COBIT, ISO 20000 (ITIL), ISO 9001, and ISO 27001 are rapidly becoming board room agenda items.

At Governance IT we have created a systematic and holistic framework for implementing an Information Security Management solution – especially targeted at mid-sized to large companies who are looking for good governance assurance but do not have the infrastructure or financial means to implement a traditional solution.

The Governance IT solution takes its starting point in the context of the issues facing all modern businesses in addressing the benefits and associated issues of eCommunications.

The Governance IT Governance, Risk and Compliance framework is built upon the best practices and management frameworks as defined by COSO, COBIT, ISO 20000 (ITIL), IBM Data Governance Model and ISO 27001.