A commonly held misconception in SA is that corporate governance applies only to the financial services sector, says Andy Dalrymple, security practice manager at Dimension Data.
Speaking at the Dimension Data Executive Forum on information security yesterday, Dalrymple pointed out that any company operating in the South African legal environment, regardless of its parentage, is subject to the requirements of good governance.
[VIDEO]"Should the company, or any of its stakeholders, suffer a loss where negligent non-compliance with legislation, or a breach of fiduciary duties, as described in King II, can be demonstrated, the consequences on companies and individual directors can be severe," he said.
Explaining the relationship between risk and ICT, he said corporate governance is relevant to IT professionals in that King II identifies IT as a critical component of modern business, while IT infrastructure, systems and processes are clearly identified as areas of risk to companies.
Information assets are essential to most companies` ability to transact in the ordinary course of business, and IT is often the custodian for both the firm`s reputation and its ability to generate revenue going forward, he noted.
"In addition, directors generally know very little about IT, and are thus highly reliant on their IT staff`s willingness to assess, report and mitigate risk with respect to information assets," Dalrymple said.
Risk posture
He said organisations could achieve a "compliant ICT risk posture" by utilising the tremendous body of literature and research available, and the number of published best practices, which contain information on practical common sense methodologies that can be deployed to mitigate risk, including BS 7799 (ISO 1-7799) and Cobit.
He also urged organisations to engage a reputable partner, with appropriate certifications and track record to advise and assist with the formulation of an appropriate response to challenges.
[VIDEO]Also speaking at the event, Ernst and Young information security specialist Karin H"one debated whether information security should be a board-level issue.
She concluded that in terms of risk management, based on the finding of the King report, the board is responsible for the total governance process, and management is accountable to the board.
"The board should set risk strategies as policy and communicate it to all employees," H"one said, adding that boards should make use of recognised risk mitigation models and conduct formal risk assessments at least annually.
"The board should also have a comprehensive system of control established to mitigate risks and disclose in the annual report what they have done with risk management."
H"one argued that senior management must develop an appreciation for the capabilities and limitations of information security.
"If senior management doesn`t believe in it, why should anyone else follow it? No factor is more influential than senior management in setting the tone that information security is important," she said.
* Yesterday`s Executive Forum was organised by Dimension Data and ITWeb.
Share