nach oben

Journal of Management and Governance

Erschienen in:

08.09.2016

Information security governance: pending legal responsibilities of non-executive boards

verfasst von: Laura Georg

Erschienen in: Journal of Management and Governance | Ausgabe 4/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The study shows that a structural conflict of interest in non-executive boards exists due to missing corporate governance structures and a lack of awareness for legal issues with regard to information security risks. Non-executive boards receive information on strategic security threats as a part of their oversight function to fulfill investor interest in transparency. At the same time, they act as representatives of company stakeholders and have an interest to counteract to information security risks based on the stakeholder’s risk disposition. If not properly structured by corporate governance rules, these different interests may lead to regulatory aberrations on non-executive board level. The study analyses a Deutsche Telekom AG case where non-executive board members, employees, and journalists fell victim to a spying scandal subject to the German telecommunications secrecy law in 2005–2006. The analysis demonstrates how the handling of information security on non-executive board level bears governance risks as well as legal risks that are insufficiently addressed in corporate governance research. The paper contributes to avoid a reproduction of events in the future, by suggesting the principle of a segregation of duties on non-executive boards as well as providing an overview of relevant legislative requirements that clarify tasks of non-executive board members with regard to information security. The study therefore helps protecting corporations and their stakeholders from similar consequences of missing corporate security governance.

Nächster Artikel Corporate ethics: evidence from Islamic banks

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Health and Safety regulations are not included, since security research acknowledges a clear difference.

Aguilar, L. A. (2014). Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Cyber Risks and the Boardroom Conference, New York Stock Exchange. http://www.sec.gov/News/Speech/Detail/Speech/1370542057946. Accessed 15 July 2015.

Ahrens, T., Filatotchev, I., & Thomsen, S. (2011). The research frontier in corporate governance. Journal of Management and Governance,. doi:10.1007/s10997-009-9115-8.

Aktiengesetz (AktG). 1965, revised last 2015, BGBI. I S. 1089.

Bailey, P. (2013). Boardroom strategic decision-making style: Understanding the antecedents. Corporate Governance: An International Review, 21(2), 131–146.CrossRef

BDO. (2014). 2014 BDO Board Survey. https://www.bdo.com/getattachment/84604876-6221-4873-bfea-ca984ff65702/attachment.aspx.

Bundesdatenschutzgesetz (BDSG). (1990, revised 2009), BGBI. I, 2254.

Bundestag. (2015). Gesetz zur Erhöhung der Sicherheit informationstechnischer System (IT-Sicherheitsgesetz), Bundesanzeiger.

Christiansen, C. A., & Westervelt, R. (2015). Security in the 3rd platform: Marching toward proactive defense. IDC Research, 6.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2014). Enterprise risk management—Integrated framework. New York: AICPA.

Crombie, N. (2011). A discourse analysis of corporate governance texts. University of Canterbury, http://www.academia.edu/7207626/2011_-_Crombie_-_A_Discourse_Analysis_of_Corporate_Governance_Texts. Accessed 13 Aug 2015.

Däubler-Gmelin, H., Merzhäuser, M., Rothbauer, H., Baum, G., Reiter, J., & Methner, O. (2011). Bericht der Anwälte. 51.

Department of Defense. (2011). DoD Strategy. Supra note 14, at 10–11.

Di Pietra, R., Grambovas, C. A., Raonic, I., & Riccaboni, A. (2008). The effects of board size and ‘busy’ directors on the market value of Italian companies. Journal of Management and Governance, 12(1), 73–91.CrossRef

European Commission. (2013). Proposal for Directive to secure a high common level of network and information security across the Union. COM 48.

European Council. (2012). Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

European Union. (2006). 8th Company Law Directive, Directive 2006/43/EC.

Garg, A., Curtis, J., & Halper, H. (2003). Quantifying the financial impact of IT security breaches. Information Management and Computer Security, 2(11), 74–83.CrossRef

Georg, L. (2007). The function of corporate security within large organization: The interrelationship between Information security and business strategy. https://archive-ouverte.unige.ch/files/downloads/461/unige_461_thesis.pdf. Accessed 25 Sept 2015.

Gurevitch, M., & Levy, M. R. (Eds.). (1985). Mass communication review yearbook. Beverly Hills: Sage.

Hathaway, O. A., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., et al. (2012). The law of cyber-attack. California Law Review, 100(4), 817–886.

Hilb, M. (2011). Redesigning corporate governance: Lessons learnt from the global financial crisis. Journal of Management and Governance, 15(4), 533–538.CrossRef

Hilgartner, S., & Bosk, C. L. (1988). The rise and fall of social problems: A public arena model. American Journal of Sociology, 94(7), 53–78.CrossRef

Huse, M., Hoskisson, R., Zattoni, A., & Viganò, R. (2011). New perspectives on board research: Changing the research agenda. Journal of Management and Governance, 15(1), 5–28.CrossRef

International Organization for Standardization. (2013). ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements, Geneva.

Johnsten, L., & Shearing, C. (2003). Governing security: Explorations in policing and justice (pp. 281–297). New York: Routhledge.

Kowalski, S. (1994). Do computer security models model computer crime. Stockholm: Royal Institute of Technology.

Lippert, R. K., Walby, K., & Steckle, R. (2013). Multiplicities of corporate security: Identifying emerging types, trends and issues. Security Journal, 26, 206–221.CrossRef

Lok, J. (2010). Institutional logics as identity projects. Academy of Management Journal, 53(6), 1305–1335.CrossRef

Martin, J. (1973). Security, accuracy, and privacy in computer systems. New Jersey: Englewood Cliffs: Prentice-Hall.

McAfee. (2014). Net Losses: Estimating the Global Cost of Cybercrime. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf. Accessed on 17 May 2015.

McCarthy, J. (1995). Memorandum to P. M. Morse Proposing Time Sharing, Stanford University. http://www-formal.stanford.edu/jmc/history/timesharing-memo/timesharing-memo.html. Accessed on 29 Sept 2015.

Melde- und Analysestelle Informationssicherung (MELANI). (2011). Informationssicherung: Lage in der Schweiz und international. Halbjahresbericht 2010/II, 45.

Monetary Authority of Singapore. (2013a). Guidelines on Risk Management Practices—Board and Senior Management. http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/Board%20and%20Senior%20Mgmt_1%20Apr%25MAS.

Monetary Authority of Singapore. (2013b). Technology Risk Management Guidelines. http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM%20Guidelines%20%2021%20June%25Tsu:.

Monetary Authority of Singapore, Instructions on Incident Notification and Reporting to MAS. http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspx. Accessed on 12 June 2015.

Neidhardt, F. (1994). Öffentlichkeit, öffentliche Meinung, soziale Bewegungen. Kölner Zeitschrift für Soziologie und Sozial-Psychologie, 34, 7–41.

Petrick, J. A., & Scherer, R. F. (2003). The Enron scandal and the neglect of management integrity capacity. American Journal of Business, 18(1), 37–50.CrossRef

PriceWaterhouseCoopers. (2015). Leading in extraordinary times, The 2015 US CEO Survey, in CEOs’ words. 1–30.

Rainer, R. K., Marshall, T. E., Knapp, K. J., & Montgomery, G. H. (2007). Do information security professionals and business managers view information security issues differently? Information Systems Security, 16, 100–108.CrossRef

Sarbanes-Oxley-Act (SOX). (2002). Public Law No. 107–204. Washington, DC: GPO.

Schwarz, D., Ferrillo, P., & Gotshal, W. (2014). Cyber Security and Cyber Governance: Federal Regulation and Oversight—Today and Tomorrow. Harvard Law School Forum on Corporate Governance and Financial Regulation, September 10.

Shleifer, A., & Vishny, R. W. (1997). A survey of corporate governance. The Journal of Finance, 52(2), 737–783.CrossRef

Siponen, M. T. (2001). An analysis of the recent IS security development approaches: Descriptive and prescriptive implications. In G. Dhillon (Eds.), Information security management: Global challenges in the New Millennium (pp. 101–123). Idea Group Publication, Hershey

Telekommunikationsgesetz (TKG). (2004). BGBI. I S. 1190.

Tzu, S. (1994). The art of war. Barnes & Noble.

Turnbull Report. (1999). Internal control: Guidance for directors on the combines code, Institute of Chartered Accountants in England and Wales.

Yatim, P. (2010). Board structures and the establishment of a risk management committee by Malaysian listed firms. Journal of Management and Governance, 14(1), 17–36.CrossRef

Zajac, E. J., & Westphal, J. D. (2004). The social construction of market value: Institutionalization and learning perspectives on stock market reactions. American Sociological Review, 69(3), 433–457.CrossRef

Zaman, M. (2001). Turnbull, generating undue expectations of the corporate governance role of audit committees. Managerial Auditing Journal, 16(1), 5–9.CrossRef

Titel: Information security governance: pending legal responsibilities of non-executive boards
verfasst von: Laura Georg
Publikationsdatum: 08.09.2016
Verlag: Springer US
Erschienen in: Journal of Management and Governance / Ausgabe 4/2017
Print ISSN: 1385-3457
Elektronische ISSN: 1572-963X
DOI: https://doi.org/10.1007/s10997-016-9358-0

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2017

Does director capital influence board turnover after an incident of fraud? Evidence from Italian listed companies

External audit and goodwill write-off

Dual class shares, board of directors’ effectiveness and firm’s market value: an empirical study

Corporate governance effectiveness along the entrepreneurial process of a family firm: the role of private equity

Performance information use in public administration: an exploratory study of determinants and effects

Corporate ethics: evidence from Islamic banks

Premium Partner