The Oversight Function
Oversight is the critical governance function provided
by top management relating to information protection and it is
fundamental to proper operation of a protection program. It is the job
of oversight to assure that proper duties to protect are put in place,
that the management measures the effectiveness of the protection program
in fulfilling those duties, and that management adapts the protection
program to meet those duties.
- Laws: Laws and regulations define the legally mandated duties to protect associated with jurisdictions. All laws of all jurisdictions in which an enterprise operates have to be considered in order to make prudent determinations as to duty to protect.
- Owners: The owners are the ones hurt by bad management decisions, and they need to assure that their investment is not lost by electing proper boards of directors. For public companies there are regulatory assurances to support the public owners so that they don't have to get involved in the details of selections in order to reasonably protect their investments, but this lack of direct control by owners is often reflected in the frauds we see in the world. Owners of privately held firms are directly responsible for the disposition of their assets and for proper protection, and they directly suffer from poor decisions in this regard.
- Board: The board of directors is legally and morally responsible to assure that the CEO and other officers are doing their jobs, and it has the ability to define additional duties to protect in keeping with its responsibilities. The board also has oversight responsibility to act on behalf of the shareholders to assure that shareholder value is protected.
- Auditors: Auditors are tasked with providing independent and objective feedback to the shareholders, board of directors, CEO, and others on the effectiveness of the protection program in fulfilling the duties to protect within the risk tolerance parameters set by management.
- CEO: The CEO is responsible for day-to-day control over the enterprise and, as part and parcel of this responsibility, for protecting shareholder value, for identifying the duties to protect, for assuring that those duties are carried out, and for measuring the performance of those duties to allow adequate control to improve situations that warrant improvement and keep costs as low as possible without undertaking inappropriate levels of risk.
- Managers: Managers make and carry out decisions that may turn into duties if they become a reasonable expectation of others. For example, a manager who decides to escort workers to their cars at night potentially creates a duty to do so.
In concert, these elements comprise the oversight function of enterprise information protection.