Those who serve on public company boards are busy people. Often, they are on the move from place to place, tackling different priorities. To reach them by physical mail on a timely basis is a challenge, which becomes even more serious when many documents supporting the upcoming meeting agenda are dispatched within days of the crucial board meetings.
Consider this scenario: You are sending an overnight package to a hotel in Boston, the next stop on the board member’s itinerary. The package just misses the board member, who had to leave the hotel early for a previously unscheduled meeting. Now, the package is sitting at the hotel, with confidential contents in it, such as data regarding an acquisition target, unreleased quarterly financial statements and a draft of the next earnings release. Not only should it not fall into the wrong hands, but the right hands must also receive it in a timely manner to prepare for the upcoming meeting.
To support the company board for its anytime-anywhere information needs, document management, information communication and information security are critical. The documents, both current and archived, must be accessible to the board member. The communication between the company and its board members must be secure while in transit, and the receiver must be authenticated. In addition, the board member should be able to access, on a timely basis, not just the recently sent documents, but perhaps many others relevant to the upcoming issues.
Board Portal—The Concept
As an alternative to the legacy of shipping overnight packages to the board, an electronic depository of documents, typically called a board portal, can be created to provide directors timely retrieval of documents almost anywhere. This is where documents relevant to the board and its committees are stored in electronic form. According to one estimate, about one out of five companies used board portals in 2006.[1]
The concept of a portal to manage and share documents in a secured manner can be used in a variety of contexts. For example, a portal can support a project team across geographical locations. The attractiveness of creating a portal for board members comes from the need for the members to access sensitive information from just about anywhere and at any time in a secured manner. Once an electronic repository is created, there really is no limit on the type or number of documents stored in the portal for board member access. In fact, it would be cost-effective to provide as complete and current a portfolio of documents as the company management could post as and when available. Documents on the portal can be managed (i.e., post a new document, change a version of an existing document, archive dated documents) by a single point of authority, such as the board secretary or corporate counsel.
Benefits of a state-of-the-art board portal include greater responsiveness of directors (especially between in-person meetings), global access, information management and dissemination through controlled processes, a centralized document repository, confidentiality and privacy, risk mitigation, and reduced printing costs.[2]
A company may opt to create its own board portal or use a board portal service. However, the former option may not be viable for companies that do not have the necessary expertise to design and implement such a portal. A more cost-effective solution for many would be to have a service provider design, install and maintain a portal for the company. In such cases, it is the service provider’s responsibility to secure the portal, provide appropriate protocols for access authorization, ensure secure communication, and define and protect the boundaries of the portal. Almost all control and security concerns are identical whether a company chooses to design its own portal or finds a service provider to do so. (Unless otherwise noted, the remainder of the article refers to board portals offered by service providers.)
Figure 1 presents an illustrative list of providers of board portals (this list is not necessarily exhaustive).
Whether designed internally or outsourced, it is helpful to view the portal in two categories. First, the portal, like any other infrastructure, should have built-in features, including user authorization and credentialing, encryption, boundary management, secure electronic communication, and audit trails and logs. Depending on the board’s needs, the portal may require future modification. Second, someone within the company should be designated to manage the content and provide access to authorized users. Thus, content management is an ongoing activity within the company and, in fact, those who designed and implemented the portal should not have access to the production documents in the company’s portal.
The typical features of a board portal are listed in figure 2. The portal works as a depository of documents, some relevant for upcoming meetings (e.g., minutes, drafts of resolutions) and others for reference when necessary (e.g., director’s manual). The repository provides archives of various documents related to the industry and the company coverage in the media and by industry analysts (e.g., Forrester reports). The portal provides for electronic communication among members of the board and management and the board and its committees. Moreover, the portal supports processes that are relevant to board functions for effective and efficient conduct of its duties. For example, annual board and committee evaluation questionnaires can be filled out onsite and routine resolutions can be voted ahead of the meeting.[3] Finally, having a centralized repository allows for consistent and proper document management. For example, version controls can be implemented and backup and recovery of documents can be facilitated. A disciplined approach to document management can be adopted, for example, for purge, archive and retention requirements, which are often affected by laws and regulations, and the board’s decision timelines. In this manner, there is only one final version of each document, which provides the basis for evaluating the current status of meetings, board decisions and action items.
Benefits and Risks of Board Portals
While there are considerable benefits from having a board portal, there are significant risks as well. Given the sensitivity and confidentiality of data, security concerns of board portals demand considerable attention at the planning stage and, subsequently, during its use. The following sections discuss relevant control and security concerns and related protection measures to ensure that board portals are secure.
Control and Security Objectives
Benefits of having a board portal are obvious: online real-time access to information, reduction in use of paper, ease of access to documents, and reduced concern for loss of physical documents in transit or from the hands of directors. These potential improvements in board communication and decision effectiveness also bring certain risks, including potential compromise of access privileges, theft of confidential information and unavailability of the portal for some reason. These risks can, and should, be addressed before signing up with a vendor or launching a home-grown board portal.
The control and security objectives of an electronic board portal include confidentiality, integrity and availability. Specifically, the cost of leakage of information stored at a board portal is very high; the board cannot afford to have an early release of financial performance to those who break into the portal. This, and similar leaks (due-diligence data on a target acquisition, for example), could have a material effect on the company stock price and its image. Keeping portal documents under wraps while still sharing them with authorized users is a serious concern. The nature and sensitivity of content in a board portal suggest that even the most rigorous measures for confidentiality are likely to be cost-effective in this case.
Integrity of documents within the portal is critical. To preserve integrity, all sources of origination and modification of documents should be controlled and their privileges should be well defined. The good news is that the number of users of a portal is usually small, and a gatekeeper can be appointed for watching the flow from document origination to modification and, subsequently, to archival.
Finally, without availability of the portal to its authorized users, the board activities would come to a grinding halt. They would then have to resort to e-mailing or physically mailing documents in unsecured environments. To avoid this, data and system availability concerns should be addressed by the service provider.
Control and Security Measures
An electronic board portal should have a well-insulated boundary, protected by a firewall. Ideally, nothing else should exist on the server that hosts the portal. Only authorized users should be able to access the portal. Given the nature and sensitivity of portal documents, credentials for access authorization should involve at least a two-factor authentication based on: what you know (a strong password) and what you have (e.g., a token or a keyfob).
Each board member’s access to portal documents should be subject to role-based privileges. For example, only directors serving on the compensation committee are allowed access to future executive compensation plans. Management should have access for limited purposes, such as confirming whether a particular document or presentation has been posted on the portal and viewing the schedules and agendas of the board and its committees. Certain executives may not be granted access to some of the confidential documents or data. For example, the vice president of human resources may not be allowed access to documents related to a prospective acquisition target. Similarly, a division manager posting actual and budgeted figures for his/her division has no need to learn about other board matters, such as a share repurchase program currently under consideration or an ongoing litigation. Finally, all postings to the portal should ideally be controlled by one administrator, such as the corporate secretary or corporate counsel.
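The following is an added example, not code from the article or from any portal vendor, showing how the role-based model described above can be enforced in a small deny-by-default access layer: a document is readable only by holders of one of its listed roles, vendor and implementer accounts are barred from content regardless of any other grant, posting is reserved to a single administrator role, and every decision (allowed or denied) is written to an audit trail. All role names, user names and document titles are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # hypothetical role names, e.g. "director", "compensation_committee"


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    read_roles: frozenset  # holding any one of these roles grants read access


# Roles that never see content, whatever else they hold: the service provider's
# staff and the people who built the portal.
CONTENT_BARRED = frozenset({"vendor", "implementer"})
# The single posting authority (the article suggests the corporate secretary or counsel).
POSTING_ROLE = "corporate_secretary"


class Portal:
    def __init__(self):
        self.documents = {}
        self.audit_log = []  # every decision, allowed or denied, is recorded here

    def _record(self, actor, action, doc_id, allowed):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "doc": doc_id, "allowed": allowed,
        })

    def can_read(self, user, doc):
        # Deny by default: a barred role wins over any grant, and the user
        # must hold at least one of the document's read roles.
        if user.roles & CONTENT_BARRED:
            return False
        return bool(user.roles & doc.read_roles)

    def read(self, user, doc_id):
        doc = self.documents.get(doc_id)
        allowed = doc is not None and self.can_read(user, doc)
        self._record(user.name, "read", doc_id, allowed)
        if not allowed:
            raise PermissionError(f"{user.name} may not read {doc_id}")
        return doc

    def post(self, user, doc):
        allowed = POSTING_ROLE in user.roles and not (user.roles & CONTENT_BARRED)
        self._record(user.name, "post", doc.doc_id, allowed)
        if not allowed:
            raise PermissionError(f"{user.name} may not post documents")
        self.documents[doc.doc_id] = doc
        return doc.doc_id


def attempt_read(portal, user, doc_id):
    """True if the read is allowed, False if denied (the denial is still logged)."""
    try:
        portal.read(user, doc_id)
        return True
    except PermissionError:
        return False


def build_demo_portal():
    """Constructed sample data: the corporate secretary posts three documents."""
    secretary = User("secretary", frozenset({"corporate_secretary", "management"}))
    portal = Portal()
    portal.post(secretary, Document("D1", "Agenda for June meeting",
                                    frozenset({"director", "management"})))
    portal.post(secretary, Document("D2", "Draft executive compensation plan",
                                    frozenset({"compensation_committee"})))
    portal.post(secretary, Document("D3", "Due diligence on acquisition target",
                                    frozenset({"director"})))
    return portal, secretary
```

Because the barred-role check runs before any grant is consulted, a vendor technician who is accidentally also given a director role still cannot read content, which is the separation the article asks for between those who run the portal and those who use it.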
In addition to sound access control measures, it is essential that all users of the portal be properly authenticated. At least a two-factor authentication system must be used; single-factor authentication with a password alone is not sufficient in light of the sensitivity of the data stored on the portal. Digital signatures supported by a public key infrastructure and public key certificates should be strongly considered, if not mandated. Given the limited number of users involved in document management and retrieval, this can be accomplished cost-effectively.
If the portal services are vendor-supplied, the vendor should have no access whatsoever to any of the portal content. The vendor’s role should be limited to troubleshooting and maintenance of the portal infrastructure and communication. The vendor site should provide for secure boundary controls to avoid compromises between portals of different clients. Company A’s portal should be secured so that its documents are completely safe from unauthorized access by Company B on the same vendor-supplied portal infrastructure.
Access to the portal should be in a network state that is secure, such as a virtual private network (VPN). For each network communication, proper user authentication must occur. Additionally, the authentication of all resources that are a part of the portal infrastructure must also occur.
Session controls should be in place; session ID must be logged and periodic reauthentication of the user should occur using a dynamic session key provided by authentication devices such as a keyfob.
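As an added illustration of the session control and keyfob-based reauthentication described above (this is example code, not from the article or any vendor product), the block below implements an HOTP event-based one-time code (RFC 4226, the counter-based scheme used by many hardware tokens) and a portal session that records its session ID, refuses access once the reauthentication interval has elapsed, accepts a fresh keyfob code within a small look-ahead window, and advances the server counter so the same code cannot be replayed. The user name, secret and interval are constructed; the secret is the RFC 4226 test key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PortalSession:
    def __init__(self, user: str, token_secret: bytes, reauth_interval_s: int, now: float):
        self.session_id = secrets.token_hex(16)   # logged with every event
        self.user = user
        self._token_secret = token_secret           # shared with the user's keyfob
        self._counter = 0                            # server-side HOTP counter
        self.reauth_interval_s = reauth_interval_s
        self.last_auth = now
        self.events = []  # audit trail: (time, session id, user, event); codes are never logged

    def _log(self, event: str, now: float) -> None:
        self.events.append((now, self.session_id, self.user, event))

    def may_access(self, now: float) -> bool:
        """Allow the request only while the last authentication is fresh enough."""
        fresh = now - self.last_auth < self.reauth_interval_s
        self._log("access" if fresh else "reauth_required", now)
        return fresh

    def reauthenticate(self, code: str, now: float, look_ahead: int = 3) -> bool:
        """Verify a keyfob code; on success consume the counter so the code cannot be reused."""
        for c in range(self._counter, self._counter + look_ahead + 1):
            if hmac.compare_digest(hotp(self._token_secret, c), code):
                self._counter = c + 1
                self.last_auth = now
                self._log("reauth_ok", now)
                return True
        self._log("reauth_failed", now)
        return False


# Constructed demo: RFC 4226 test secret, 10-minute reauthentication interval.
DEMO_SECRET = b"12345678901234567890"
DEMO_INTERVAL_S = 600
```

The look-ahead window tolerates a few button presses on the fob that never reached the server; keeping it small limits how many codes are valid at once. A time-based variant (TOTP, RFC 6238) replaces the counter with the current 30-second step and would use the same `hotp` routine.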
Content within the portal should be encrypted. Select content may require asymmetric encryption, whereas most content can be encrypted using a strong symmetric cipher, such as the Rijndael (AES) or 3DES algorithm.
Documents and their versions must also be subject to controls. Version controls over documents, to track date, time and author of document changes, should be maintained. To delete obsolete items that are no longer necessary, a remote, automated purge function that uses rule-based criteria is recommended. Equally important, such a practice must be extended to the remotely stored data, for example, on a board member’s personal computer or handheld device. However, almost all litigation requires that all documents related to it be retained. Consequently, at the onset of litigation, all automated deletion procedures must be blocked to preserve litigation-related evidence for e-discovery.
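The rule-based purge with a litigation-hold override described in the preceding paragraph, written as an added example (not the article's or any product's code): retention limits per document category decide what is old enough to delete, a hold on a legal matter blocks deletion of every document tagged with that matter regardless of age, documents with no rule are retained by default, and the resulting purge list is applied to every copy holder, including board members' remote devices. The categories, retention periods, matter tag and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PortalDoc:
    doc_id: str
    category: str
    posted: date
    matters: frozenset = frozenset()  # legal matters the document relates to (constructed tags)


# Constructed retention rules: days a document of each category is kept after posting.
RETENTION_DAYS = {"agenda": 365, "draft_resolution": 90, "analyst_report": 730}


class RetentionEngine:
    def __init__(self, rules):
        self.rules = rules
        self.holds = set()  # matters currently under litigation hold
        self.log = []       # each run: (date, purged ids, kept ids with reasons)

    def place_hold(self, matter: str) -> None:
        self.holds.add(matter)

    def release_hold(self, matter: str) -> None:
        self.holds.discard(matter)

    def plan_purge(self, docs, today: date):
        """Decide per document whether the automated purge may delete it today."""
        purge, keep = [], {}
        for d in docs:
            limit = self.rules.get(d.category)
            if d.matters & self.holds:
                keep[d.doc_id] = "litigation hold"   # a hold blocks deletion, rule or no rule
            elif limit is None:
                keep[d.doc_id] = "no rule, retained by default"
            elif today - d.posted > timedelta(days=limit):
                purge.append(d.doc_id)
            else:
                keep[d.doc_id] = "within retention period"
        self.log.append((today, tuple(purge), dict(keep)))
        return purge, keep

    @staticmethod
    def apply(purge_ids, stores):
        """Remove purged ids from every copy holder: the central store and remote devices."""
        removed = {}
        for name, ids in stores.items():
            hit = ids & set(purge_ids)
            ids -= hit
            removed[name] = sorted(hit)
        return removed


def demo_docs():
    """Constructed sample documents."""
    return [
        PortalDoc("A1", "agenda", date(2022, 1, 10)),
        PortalDoc("R1", "draft_resolution", date(2024, 5, 1)),
        PortalDoc("S1", "analyst_report", date(2021, 3, 1), frozenset({"M-2024-01"})),
        PortalDoc("M1", "directors_manual", date(2019, 1, 1)),
    ]
```

The hold check is evaluated first so that a newly placed hold takes effect on the very next purge run; the run log records why each document was kept, which is the evidence an auditor or e-discovery reviewer will ask for.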
To provide ongoing assurance that there are no compromises and that vulnerabilities are identified and addressed to secure the portal, information systems (IS) auditors must audit the company’s board portal periodically. Several specific steps might be considered in such an audit:
- Review access rights and roles granted to various users.
- Review log analysis to assess the effectiveness of the portal monitoring activities.
- Conduct penetration testing of the portal to assess, and address weaknesses in, existing boundary protection mechanisms, firewall configuration and access controls.
- Evaluate whether access logs are periodically reviewed by the site administrator.
- Determine if any follow-up actions took place for detected exceptions or compromises.
- Determine if failed login attempts have been periodically analyzed by the site administrator and appropriate follow-up actions have been taken.
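Two of the audit steps above (log analysis and review of failed login attempts) lend themselves to a small, repeatable check. The block below is an added example, not from the article or any portal product, that parses portal authentication log lines in a constructed format, flags a burst of failed logins for one user within a time window, and flags a successful login that follows a run of failures (a pattern worth a follow-up action). The log format, user names, addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> LOGIN_OK|LOGIN_FAILED user=<name> src=<ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped, not guessed at."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def analyze(lines, window=timedelta(minutes=10), burst=5, pre_success=3):
    """Return findings an auditor should follow up on."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    findings = []
    for e in events:
        fails = recent[e["user"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]  # expire old failures
        if e["event"] == "LOGIN_FAILED":
            fails.append(e["ts"])
            if len(fails) == burst:  # report once when the threshold is first reached
                findings.append({"type": "failure_burst", "user": e["user"],
                                 "src": e["src"], "count": burst, "at": e["ts"]})
        else:
            if len(fails) >= pre_success:
                findings.append({"type": "success_after_failures", "user": e["user"],
                                 "src": e["src"], "count": len(fails), "at": e["ts"]})
            fails.clear()  # a successful login resets the failure run
    return findings


# Constructed sample log: a run of failures for "bob" followed by a success,
# one ordinary mistyped password for "alice", and one malformed line.
SAMPLE_LOG = """
2024-05-06T08:00:00Z LOGIN_FAILED user=bob src=198.51.100.7
2024-05-06T08:00:20Z LOGIN_FAILED user=bob src=198.51.100.7
2024-05-06T08:00:40Z LOGIN_FAILED user=bob src=198.51.100.7
2024-05-06T08:01:00Z LOGIN_FAILED user=bob src=198.51.100.7
2024-05-06T08:01:20Z LOGIN_FAILED user=bob src=198.51.100.7
2024-05-06T08:01:40Z LOGIN_FAILED user=bob src=198.51.100.7
2024-05-06T08:02:00Z LOGIN_OK user=bob src=198.51.100.7
2024-05-06T08:05:00Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-06T08:05:30Z LOGIN_OK user=alice src=203.0.113.5
this line is not a login record
2024-05-06T08:30:00Z LOGIN_FAILED user=carol src=203.0.113.9
""".strip().splitlines()
```

Run `analyze(SAMPLE_LOG)` on the constructed log and two findings come back for "bob": the burst itself and the success that followed it; "alice" and "carol" produce none. The same routine can be pointed at a real export once `LINE` is adjusted to the portal's actual log format.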
In the event that the company plans to use a vendor-provided board portal service, a copy of an opinion on portal security, such as a Statement on Auditing Standards (SAS) 70 report, should be obtained from an independent third party.
There is little doubt that having a board portal can be a blessing for a company. Such a portal is likely rated higher on its effectiveness across all the attributes compared to the legacy alternative of next-day air packages. However, having taken the decision to implement a portal, the entity must take time to systematically implement the decision, regardless of whether it is created internally or outsourced.
[1] Badal, Jaclyne; “Goodbye Briefing Books,” The Wall Street Journal, http://www.infostreet.com/press/news/Wall_Street_Journal_10_23_06.pdf
[2] BoardVantage, www.BoardVantage.com, 2007
[3] Wilson Sonsini Goodrich & Rosati, “Board Consents and Section 16 Reports Move Online: A Legal Review of Web-based Technology Supporting Effective Corporate Governance for Board of Directors,” 6 December 2005
Arvind Godbole, CISA, CA
is chief information security officer and chief financial officer of Synel Inc. He is a member of ISACA and can be reached at firstname.lastname@example.org.
Vasant Raval, CISA
is professor of accounting and information systems at Creighton University. He has coauthored two books on information systems and published many articles on information systems and information security. He currently serves on the board of directors of Syntel Inc. He is a member of ISACA and can be reached at email@example.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.