20 Questions Directors Should Ask about Information Technology Security

“The CICA’s Information Technology Advisory Committee developed this booklet to guide Boards of Directors in evaluating information technology (IT) security issues. It should also be of use to other bodies responsible for governance — in particular audit committees and strategic bodies such as IT steering committees, risk management committees, and CEO/CFO controls certification committees. Directors are expected to satisfy themselves that risks potentially jeopardizing the integrity of information, the availability of information and operational systems, the confidentiality of sensitive data, and compliance with regulatory bodies, are identified and reduced or eliminated. This booklet provides questions for Boards to ask senior management as well as the context needed to ask the questions and assess responses. In this document, IT Security (Security) is defined as the protection of data captured, processed, transmitted, reported and stored electronically. IT Security also covers the protection of related components such as application systems, system software, networks and hardware, as well as the supporting people, policies, procedures, processes and organization.” (Read the CICA publication 20 Questions Directors Should Ask about Information Technology Security.)