
Security Governance

INFO & KNOWLEDGE

IT-Governance is derived from Corporate Governance, which means the control of all organisational and structural tasks. IT-Governance denotes the responsibility of Management for setting up and controlling organisational structures and processes so that IT helps to reach the economic targets and supports the business strategies. This comprises goal alignment as well as measuring and controlling the processes.

Considering IT as a fundamental supporting process for the business processes, the importance of the confidentiality of certain information, as well as its integrity and availability, becomes clear to everyone. IT security targets are therefore an essential part of Corporate Governance, and they are covered by IT-Governance. Within the guidelines for IT-Governance you will find the IT security standards, often called Security Governance: the control of IT security, which is the core task of IT-Security-Management.


Standards and laws

The realisation of Security Governance can be guided by international standards and guidelines on the one hand, but national laws and regulations have to be considered on the other hand, because they also have a tremendous influence on the implementation of arrangements and countermeasures.

The most important standards are:


ISO 17799 / ISO 27002: Code of Practice for Information Security Management
ISO/IEC 15408: Security Techniques - Evaluation Criteria for IT Security / Common Criteria
ISO/IEC TR 13335: Information Technology - Guidelines for the Management of IT-Security
CobiT
IT-Grundschutzhandbuch: Bundesamt für Sicherheit in der Informationstechnik
ITIL - IT Infrastructure Library


Further standards and norms

Of course there are many more standards you will come across in this field: TickIT; NIST 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems; COSO Internal Control Integrated Framework; IFAC - International IT Guidelines; EnSEC - Enterprise Security Management; WebTrust; SysTrust; ITSEC - Information Technology Security Evaluation Criteria; and the Common Criteria for Information Technology Security Evaluation as the predecessor of ISO/IEC 15408.


LEGAL

Laws, ordinances and directives

Depending on the part of the world you are in, there may be further laws with an impact on IT Security Governance, such as KontraG, Basel II, the Bundesabgabenordnung (BAO), AktG, DSG, the Emittenten Compliance Verordnung, the Corporate Governance Codex, the Health Insurance Portability and Accountability Act, the OECD Principles of Corporate Governance, the Sarbanes Oxley Act from 2002, the Gramm Leach Bliley Act from 1999, the California Database Security Breach Information Act (SB 1386) or the Federal Information Security Management Act (FISMA).


Gramm Leach Bliley Act

Requires financial institutions to maintain a strict security policy that ensures the security and confidentiality of their customers' non-public personal data.


Health Insurance Portability and Accountability Act

HIPAA requires providers of health services to keep all health-related information confidential and secure.


Sarbanes Oxley Act

SOA demands increasingly rigorous duties to document and disclose internal information processing.


Copyright © 2004 CRYPTAS. All rights reserved.