Information Security Governance Framework
ISGovernance Metrics
Recommended ISGovernance Metrics for Board approval, verification and validation per the Information Security Governance Framework include an enterprise-wide set of interdependent quantitative and qualitative risk tolerance factors defined in Basel's Advanced Management Approach for Operational Risks involving identity theft, privacy and information security. The minimum risk tolerance factors requiring Board approval include Operational Losses (profit and loss statement) and Operational Risks (unfunded liabilities impacting capital). Two derivative metrics arising from quantifying Operational Risks, per GLBA 501(b), GLBA 521 and GLBA 523, include measuring compliance with (1) IT Governance through well-established IT audits and IT Ratings established by the FFIEC and (2) IP Governance on safeguarding trademarks and trade secrets from corporate identity theft risks. The ISGovernance Metrics are summarized in the ISGovernance Scorecard, a monthly/quarterly Board Report. The Metrics and Scorecard are described in the IS Governance Framework.
IP Governance risks are the root source of corporate identity theft attacks that use infringing domain names within fraudulent web sites, email spam, sub-domain name risks and phishing sites to deceive and defraud consumers contrary to an extensive set of federal regulations listed in Matrixes D and D1 of the Information Security Governance Framework. Research from open-source databases by the IP Governance Task Force reveals that financial firms are failing to safeguard their brands and related domain names from fraudulent corporate identity theft uses, thus enabling federal crimes against consumers and bank IT networks. Financial firms, on average, own less than 7% of the universe of confusingly similar domain names for their brands. Failure to comply with the fundamental parts of GLBA 501(b), GLBA 521 and GLBA 523 in turn creates a chain reaction of related federal crimes that include deceptive privacy and security statements under GLBA 503 and the FTC Act plus false disclosures under FDICIA Section 112 on safeguarding material assets, enterprise risk management requirements and compliance with federal and state regulations. See Matrixes D, D1 and D2 of the IS Governance Framework for a review of relevant regulations, enforcement cases and a Scenario Analysis that describes converging forces in the Spring/Summer of 2007.
Paradigm/Compliance Model: Intellectual Property owners have a fiduciary and regulatory obligation, especially in this digital age, to safeguard their intellectual property or digital assets from cyber attacks that are used in downstream federal crimes against their IT networks and online consumers. IP owners increasing their ownership levels of confusingly similar domain names used in fake web sites, email spam and phishing sites decrease (1) their supply for future cyber attacks, (2) the rate of future attacks on IT Networks and Consumers, (3) related operational losses for the bank and its consumers, (4) demands on law enforcement, and (5) reputation and operational risks, thus leading to renewed consumer confidence and usage of internet channels for a positive ROI. Complying with information security regulations leads to operating efficiencies and a competitive advantage, but it depends fully on Boards of Directors taking leadership, setting Board-approved risk tolerance metrics for compliance and providing relevant resources to achieve these objectives as outlined in Basel II. Presented below is the IP Risk Tolerance model, Matrix B2, that outlines a scale of compliance, Operational Risks, Operational Losses, ownership levels of confusingly similar domains and remediation budgets for approval by a Board of Directors.
Two derivative metrics arising from quantifying Operational Risks, per GLBA 501(b), GLBA 521 and GLBA 523, include measuring compliance with (1) IT Governance through well-established IT audits and IT Ratings established by the FFIEC and (2) IP Governance on safeguarding trademarks and trade secrets from corporate identity theft risks. A failure to comply with either IT Governance or IP Governance triggers a chain reaction of non-compliance with GLBA 503 on posting accurate privacy and security statements and with the FTC Act on deceptive and misleading statements, all confirmed by historical enforcement cases per Matrix D3 of the Information Security Governance Framework. Links are provided below to: