An introduction to information security

by The Open University


3.2.3. Regulation and codes of conduct

Chapter 1 of the Set Book presents a case for effective information security based largely upon perceived threats and legal obligations. Chapter 2 introduces further imperatives, which govern specific types of organisation in the UK.

Activity 6

Read Chapter 2 of the Set Book.

(a) Identify the imperatives that are relevant to each of the following types of organisation:

Note: The supply chain for an organisation is the set of other organisations involved in that organisation's creation of a product or service.

(b) Describe how the Turnbull Report affects your organisation.

Guidance

  1. The ‘Orange Book’ referred to in the Set Book is more properly known as Management of Risk – A Strategic Overview, published by HM Treasury in 2001. (Note: In the context of computer security, the term ‘Orange Book’ originally referred to the U.S. Department of Defense's 1985 publication Trusted Computer System Evaluation Criteria, issued through the National Computer Security Center, but it has since been appropriated as a shorthand for similar documents.)

  2. Recall that an imperative is a pressure that forces you to act. Thus, for example, an imperative for the UK Government in this context is that it must comply with the Turnbull Report, adapted in the form of the Orange Book.

  3. Chapter 2 of the Set Book describes the impact of the Turnbull Report on for-profit organisations in some detail, while simply mentioning that it applies to not-for-profit organisations. If you work in the not-for-profit sector, you may wish to consult colleagues within your organisation to help you to answer (b).

Discussion

(a) We identified the following imperatives. The page references in the table are to the Set Book.

Type of organisation                                          Imperative
publicly listed company (plc)                                 Combined Code and Turnbull Report (pp. 19–21)
organisation in supply-chain relation with a plc              Indirect pressure of Combined Code and Turnbull Report (pp. 21–22)
UK Government (HMG)                                           Turnbull adapted as Orange Book (p. 22)
non-governmental organisation (NGO)                           Turnbull adapted as Orange Book (p. 22)
non-departmental public body (NDPB)                           Turnbull adapted as Orange Book (p. 22)
organisation in supply-chain relation with HMG, NGO or NDPB   Indirect pressure of Orange Book (p. 22)

The extent to which supply-chain organisations are required to comply with the Combined Code, Turnbull Report or Orange Book is currently unclear. However, the more clearly an organisation can demonstrate compliance with these imperatives, the fewer barriers there are to its participation in a supply chain.

(b) The Open University receives funding from the Government via the Higher Education Funding Council for England (HEFCE). Following Turnbull, HEFCE published guidance on internal control and risk management for university governing bodies and senior managers.

Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial – ShareAlike licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).