
Conclusions

This paper has set out:

  • the methodology to measure the effectiveness of the control element of an ICS

  • a methodology to present risk options in the form of a story as an RTP, to improve communication between risk specialists and senior management.

Internal Control system

An ICS is a mandatory requirement to meet the obligations of Corporate Governance and of legislation throughout the world, which requires Directors and Senior Managers to maintain effective control of the organisation and to demonstrate positively their involvement in its control.

The ICS can have a material impact on the ability of an organisation to meet its objectives. The paper shows that an ICS can inhibit an organisation from meeting its objectives as well as assist it. Almost certainly all organisations will need to be able to react promptly to unexpected events.

ICS Metrics

We propose two sets of metrics for use in determining the effectiveness of an ISMS within an organisation. The first set of metrics is independent of external factors and is therefore a true measure of the effectiveness of the organisation's procedures and management system.

Operational effectiveness is determined solely by measuring the time parameters.

These metrics are time dependent: the time to detect an event and the time then taken to rectify its consequences. We anticipate that analysis against these metrics will be by class of event. This led us to see clearly the view, expressed on empirical evidence, that prompt detection of potential events is the best solution, and that the optimum position is a procedure constructed so that any errors made are automatically detected (for example, the old-fashioned double-entry bookkeeping system). These metrics are useful in designing an appropriate ICS and in verifying that the implementation accords with the design.

The second set concerns costs and impact penalties and is useful in deciding whether the ICS is cost effective.

Classes of ICS

We knew that all business operations incur a cost. We divided the cost into four categories:

  • Cost of doing business

  • Cost of having an ICS

  • Impact penalty from a control failure, which will materialise if the event is not detected within the time window in which rectification is possible

  • Cost of rectification following the manifestation of an event.

We postulate seven classes of controls with differing properties.  These range from a procedure to immediately detect an event and stop the event impacting the organisation (clearly an optimum position) to a catastrophe situation when the event may cause a business failure.

This categorisation enables people to consider the nature of ICS procedures necessary to address identified events in order to optimise the cost effectiveness of the control procedures.  It must always be remembered that some events will be outside the control of the organisation, therefore prevention is not an option and the ICS procedures are forced to address rectification only (if this is possible at all).
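The two metric sets and the four cost categories above can be carried through as a small model. The following is an added worked example, not code from the paper or from Gamma; the event records, the two control designs (A detects promptly at a higher control cost, B is cheap and slow), the cost of doing business and every figure are constructed for illustration. It computes the time parameters per class of event independently of cost, then sums the four cost categories for each design to decide which control design is the more cost effective over the same population of events.

```python
"""Worked model of the two ICS metric sets and the four cost categories.

Constructed example: event records, control designs and all figures are
invented for illustration and are not taken from the paper.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ControlEvent:
    """One manifested event as seen through a particular control procedure."""
    event_class: str
    time_to_detect: int        # hours from occurrence to detection
    time_to_rectify: int       # hours from detection to rectification
    rectification_window: int  # hours within which rectification is still possible
    impact_penalty: int        # cost if the event is not detected within the window
    rectification_cost: int    # cost of rectifying an event caught in time


def penalty_materialises(ev: ControlEvent) -> bool:
    """The impact penalty falls due only if detection misses the window."""
    return ev.time_to_detect > ev.rectification_window


def event_cost(ev: ControlEvent) -> int:
    """Cost attributable to one event: penalty if missed, rectification cost if caught."""
    return ev.impact_penalty if penalty_materialises(ev) else ev.rectification_cost


def time_metrics_by_class(events):
    """First metric set: time parameters per class of event, independent of cost.

    Returns {class: (mean time to detect, mean time to rectify,
                     fraction of events detected inside the window)}.
    """
    by_class = {}
    for ev in events:
        by_class.setdefault(ev.event_class, []).append(ev)
    return {
        cls: (
            mean(e.time_to_detect for e in evs),
            mean(e.time_to_rectify for e in evs),
            sum(not penalty_materialises(e) for e in evs) / len(evs),
        )
        for cls, evs in by_class.items()
    }


def total_cost(events, business_cost: int, ics_cost: int) -> int:
    """Second metric set: the four cost categories summed for one control design."""
    return business_cost + ics_cost + sum(event_cost(ev) for ev in events)


def cheapest_design(designs, business_cost: int) -> str:
    """Name of the design with the lowest total cost over the same event population."""
    return min(designs, key=lambda n: total_cost(designs[n][0], business_cost, designs[n][1]))


# Constructed event records: the same underlying events seen through two designs.
# Each design is (events, cost of having this ICS).
DESIGN_A = ([
    ControlEvent("payment", 1, 2, 24, 1000, 20),
    ControlEvent("payment", 2, 3, 24, 1000, 20),
    ControlEvent("access", 30, 5, 48, 5000, 100),
    ControlEvent("access", 60, 5, 48, 5000, 100),   # missed the window
], 50)
DESIGN_B = ([
    ControlEvent("payment", 30, 2, 24, 1000, 20),   # missed the window
    ControlEvent("payment", 10, 3, 24, 1000, 20),
    ControlEvent("access", 72, 5, 48, 5000, 100),   # missed the window
    ControlEvent("access", 80, 5, 48, 5000, 100),   # missed the window
], 10)
DESIGNS = {"A": DESIGN_A, "B": DESIGN_B}
BUSINESS_COST = 1000  # constructed: cost of doing business, common to both designs

if __name__ == "__main__":
    for name, (events, ics_cost) in DESIGNS.items():
        print(name, time_metrics_by_class(events),
              "total cost:", total_cost(events, BUSINESS_COST, ics_cost))
    print("cheapest design:", cheapest_design(DESIGNS, BUSINESS_COST))
```

The time metrics are deliberately computed without reference to any cost figure, so they stay a measure of the procedure itself; the cost comparison then shows that the more expensive control (A) is still the cheaper design once the penalties B incurs from slow detection are counted.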

Risk Treatment Plans

The use of Risk Treatment Plans (RTPs), expressed as a story of what an organisation has put in place to address risk events (of its choosing) in relation to the possible impacts of those events, allows everyone from the Board downward to understand which risk management issues are addressed and how. The granularity of the RTPs is a matter that an organisation (or part of one) may choose to suit its needs. The story will always address the questions 'Suppose the control does not work? What do we do then?' This enables a thorough, systematic decomposition of the procedures in place (or proposed), so that people can confirm that the controls are just sufficient for the purpose.
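The "Suppose the control does not work?" decomposition can be recorded as a chain in which each control carries its answer. The following is an added example, not the paper's own RTP format or Gamma's code; the controls, wording and outcomes are constructed for illustration. It renders the chain as the story a Board reader would follow and, as the check a practitioner would want before signing off, lists any control whose question is still unanswered.

```python
"""Risk Treatment Plan as a chain of 'Suppose the control does not work?' answers.

Constructed example: the plan, control names and outcomes are invented for
illustration and are not the paper's own RTP or its notation.
"""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class Outcome:
    """Terminal answer: the residual position the organisation accepts."""
    description: str


@dataclass
class Control:
    """One control in the story, with the answer to 'what if it does not work?'."""
    name: str
    what_it_does: str
    if_it_fails: Optional[Union["Control", Outcome]] = None


def story(control: Control, depth: int = 0) -> List[str]:
    """Render the plan as narrative lines, one question per control."""
    pad = "  " * depth
    lines = [f"{pad}{control.name}: {control.what_it_does}"]
    nxt = control.if_it_fails
    if nxt is None:
        lines.append(f"{pad}  Suppose it does not work? (no answer recorded)")
    elif isinstance(nxt, Outcome):
        lines.append(f"{pad}  Suppose it does not work? {nxt.description}")
    else:
        lines.append(f"{pad}  Suppose it does not work? Then:")
        lines.extend(story(nxt, depth + 2))
    return lines


def open_questions(control: Control) -> List[str]:
    """Names of controls whose 'what if it fails' question has no answer yet."""
    gaps = []
    node = control
    while isinstance(node, Control):
        if node.if_it_fails is None:
            gaps.append(node.name)
        node = node.if_it_fails
    return gaps


# Constructed plan: three layered controls ending in an accepted residual position.
EXAMPLE_RTP = Control(
    "Dual authorisation", "Two officers approve any payment above the threshold",
    Control(
        "Daily reconciliation", "Payments are reconciled against approvals each evening",
        Control(
            "Insurance cover", "Losses above the retained amount are insured",
            Outcome("The retained loss is accepted as residual risk"))))

# Constructed plan that stops short: the question has not been answered.
INCOMPLETE_RTP = Control("Perimeter firewall", "Blocks unsolicited inbound connections")

if __name__ == "__main__":
    print("\n".join(story(EXAMPLE_RTP)))
    print("open questions:", open_questions(EXAMPLE_RTP))
    print("\n".join(story(INCOMPLETE_RTP)))
    print("open questions:", open_questions(INCOMPLETE_RTP))
```

A plan whose `open_questions` list is empty ends every chain in an explicit residual position, which is what "just sufficient for the purpose" asks the reader to confirm.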

Applicability

We believe that this methodology is applicable to all risk situations, whether these be the risks of doing business, information security, quality, environmental, or legislative/regulatory compliance.

We trust that this paper will make a substantial contribution to the ongoing debate on how Information Security (or Assurance) can be achieved by organisations in the future.

Acknowledgments

We would like to record our thanks to the very many people, all over the world, who have over the years taught us about Information Security and Internal Control structures. 

In particular in respect of this paper we would record our thanks to

Matthew Pemble of RBS

Richard Hackworth of HSBC

David Spinks of EDS

Harvey Mattinson of the UK Cabinet Office

Michael Nash of Gamma Secure Systems

Leslie McCartney of Reuters

Ted Humphries of Xisec

Marc Kekicheff of Visa International

Regina Brewer of Konami (Europe)

We trust that our contribution will be seen as our thanks to them for the training they have given us.

Copyright © Gamma Secure Systems Limited 2004

Page last updated: 18 March, 2004