Information security governance: Due care

Most modern corporate governance guidelines, and also some country laws, make the Board and specifically the CEO responsible for the well-being of the organization. These parties must ensure that critical company assets are identified and that these assets are protected against possible risks that may negatively influence the organization. Information can certainly be regarded as a critical business asset in most organizations today. Therefore, due care needs to be applied in the protection of information resources. Failure to do so can lead to a legal charge of negligence. As best practices can be argued as a very effective approach to apply due care, this paper proposes a self-evaluation exercise (based on best practices) for boards of companies to be used to determine whether due care has indeed been applied.