Information Security Governance

13 02 2012

by John Mroz

Gartner conducted a survey of information security governance at key companies. Their findings are summarized in the table below; taken together, they show a relatively weak governance process for information security in most companies.

The Gartner findings are very surprising based on my experiences at GM. Our Vice President and CIO, Terry Kline, has published an article on our corporate intranet site entitled “Everyone Should be a Little Paranoid”. In the article, Terry describes how information is one of the company’s most important assets and how all employees need to take steps to protect that information.[1] GM has implemented an outbound email control: any message addressed to external parties is held, and the user is given an additional prompt in which they must individually select the external addresses that should receive the message. In a separate prompt, the user must confirm whether each attachment included in the message actually needs to be sent. Only after the user has answered both prompts is the message released outside the GM firewall.

The GM results in comparison to the Gartner survey include:

Gartner result: Thirty-six percent of the respondents indicated that the most senior person responsible for information security reports outside of the IT organization.
GM experience: The most senior person responsible for information security reports to the VP and CIO.

Gartner result: About half of the respondents indicated that they receive sponsorship and support for their information security programs from leadership outside of the IT organization. However, only 18% of respondents indicated that business unit managers constitute the primary membership of their governance bodies.
GM experience: GM management is very involved in security issues. Our President was recently brought into a security issue and made the decision to implement a more stringent security practice than had been in place.

Gartner result: Only 22% of the respondents indicated that the business units are involved in developing the policies that will affect their business.
GM experience: GM business leadership is actively involved in security policies.

Gartner result: More than 30% of respondent organizations don’t have an information security charter or don’t know whether such a document exists.
GM experience: Not only does GM have a security charter, it also has a lengthy information security policies and practices document.

Gartner result: Only 69% of respondent organizations have a formal process in place to integrate information security requirements analysis and design into the application development process.
GM experience: The GM system development process includes “non-functional” requirements as part of the design process, and security is one of them.

Gartner result: Only 55% of respondent organizations have quarterly targets for their information security programs.
GM experience: GM IT leadership has performance goals covering audit, SOX and security objectives, but those goals are measured semi-annually, not quarterly.

Gartner result: While 71% of respondent organizations have outsourced some IT services, only 55% of the respondents regularly audit their external providers against accepted standards, such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standards and COBIT.[2]
GM experience: GM is a heavily outsourced organization; we use external IT providers and exchange data on a regular basis with key suppliers.

GM is certainly not perfect, and has had a number of challenges in the past few years. Because of our size, and the extent to which we interact globally with a large number of suppliers, we have to have policies and practices that govern our data.

As an additional example, GM was a late adopter of wireless internet connections, especially at public sites such as airports and coffee shops, due to security concerns. This policy was initially not popular among employees, but business executives agreed with IT leadership to delay adoption of these technologies until a secure solution was in place. GM enabled wireless access at public internet cafes about 2 years ago, but that access is secured: the GM wireless card is configured to encrypt the data, and all access from public Wi-Fi sites must go through the GM VPN, so traffic is never exposed to the untrusted network. The GM approach still runs contrary to common practice, as a recent study conducted by the Wi-Fi Alliance and Wakefield Research shows. The researchers found that users know what measures they should take to protect themselves on public hotspots, yet only 18 percent of users who connect to public hotspots are using VPN software.[3]

In conclusion, information security governance is very much in place at GM. While other organizations may view security as optional, or may not provide the necessary sponsorship to ensure the effectiveness of security policies, GM leadership plays a very active role in keeping GM information secure.


[2] Survey Analysis: Information Security Governance, Gartner, May 31, 2011, Tom Scholtz

[3] SC Magazine, “Don’t let Wi-Fi hotspots get the best of you”, Swen Baumann, February 6, 2012
