Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process, by Charles Cresson Wood
WELL-KNOWN AUTHOR: Charles Cresson Wood is best known for his book entitled Information Security Policies Made Easy, which provides already-written policies, and which is now in its 12th edition (used by 70% of Fortune 500 Companies). Also relevant to the book described on this web site is Charles’ book entitled Information Security Roles & Responsibilities Made Easy, which contains already-written job descriptions, mission statements, committee charters, and the like, and which is now in its second edition. Charles has published over 375 articles in the information security and privacy area. He has also published several other books in this same field, such as Effective Information Security Management.
IN-DEPTH RESEARCH: Charles has been speaking, researching, writing and consulting about roles and responsibilities in the information security and privacy field for a long time, and this paragraph provides a few samples of his work. In 1979, he was a member of the team, working at SRI International (formerly Stanford Research Institute), that produced the first manual for the investigation and prosecution of computer crime, which was published by the U.S. Department of Justice. In 1995, he published an article in Computers & Security entitled “Shifting Information Systems Security Responsibility from User Organizations to Vendor/Publisher Organizations.” In 2006, he published an article entitled “Compliance with the Industry-Specific Standard of Due Care,” in the Computer Security Alert. In 2016, he published an article in the Journal of Legislation entitled “Solving the Information Security & Privacy Crisis by Expanding the Scope of Top Management Personal Liability.” In 2017, he wrote (along with coauthors William S. Rogers, Jr. and Ralph Spencer Poore) an article in the ISSA Journal entitled “A Simple Appeal to Common Sense: Why the Current Legal & Regulatory Regime for Information Security & Privacy Doesn’t Work -- and Cannot Be Made to Work.” In 2018, he wrote (along with coauthors William S. Rogers, Jr., and Ralph Spencer Poore) an article in The SciTech Lawyer (published by the American Bar Association) entitled “Why It’s Now Time for an Internationally-Harmonized Legal Regime for Information Security and Privacy.” In 2022, he wrote an article in the ISSA Journal entitled "The Rules Have Now Been Clarified -- the Minimum Legal Duties for Directors & Officers are Both Established and Readily Determined."
EXTENSIVE EXPERIENCE: Charles has been working in the information security and privacy field, as a technical consultant, a management consultant, and more recently also an independent attorney, for over 40 years. He has done information security and privacy work with over 125 organizations, many of them Fortune 500 companies. He has also done this same type of work for several federal government agencies and held a “top secret” clearance. Charles was a key member of a team that developed a new type of risk assessment for one of the branches of the US military, and he also worked as a management consultant specializing in information security and privacy at Stanford Research Institute (now SRI International).
OFFICIAL DESIGNATIONS: Charles holds a Doctor of Jurisprudence (JD) degree from St. Francis School of Law (magna cum laude). He is also currently a licensed attorney in the states of California and Washington. He has a Master of Business Administration (MBA) degree with a major in financial information systems, as well as a Bachelor of Science in Economics (BSE) degree with a major in accounting, both from the Wharton School of Business at the University of Pennsylvania. He additionally holds a Master of Science in Engineering (MSE) degree, with a major in computer science, from the Moore School of Engineering at the University of Pennsylvania (birthplace of the world’s first general-purpose electronic computer, which was called the ENIAC). While Charles has passed the California Certified Public Accountant (CPA) examination, he is neither certified as a CPA, nor does he hold himself out as a CPA. In contrast, Charles has been designated, and is currently certified, as Certified in the Governance of Enterprise Information Technology (CGEIT), a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Certified Information Privacy Professional (CIPP/US). He is also the recipient of the Lifetime Achievement Award from the Computer Security Institute for his “sincere dedication to the computer security profession.”
Third Party Reviews of Corporate Directors' & Officers' Legal Duties
“Considering that Charles wrote the great resource Information Security Policies Made Easy, it should come as no surprise that he has created yet another masterpiece with this book [Corporate Directors’ & Officers’ Legal Duties] … If you’re responsible, in any way, for information security and privacy compliance, especially if you serve as a corporate director or officer, get this book!” – Kevin Beaver, CISSP, Information Security Consultant, Principle Logic, and Author of “Hacking for Dummies,” plus 11 other information security books
“For those who need to show that their firm takes information security and privacy seriously, and demonstrate that to stakeholders, in Corporate Directors' & Officers' Legal Duties for Information Security and Privacy, Charles Cresson Wood has written another invaluable reference.” – Ben Rothke, CDPSE, CRISC, SMSP, CGEIT, CISA, CISM, CISSP, Senior Information Security Manager, Tapad, and author of the books entitled “Network Security: The Complete Reference,” and "Computer Security: 20 Things Every Employee Should Know"
“Corporate Directors' & Officers' Legal Duties for Information Security and Privacy is a treasure trove of valuable information to help an organization understand who is responsible for cybersecurity. Specifically, so much of the area of cyber protections and controls is focused on technical individuals and technical competency. This is not a bad thing, but technical individuals are not responsible for the information security program of an organization. Directors & Officers must understand their responsibilities when it comes to cybersecurity [and cyberprivacy], and these volumes amazingly map the legal requirements to the leadership responsible for carrying out information security and privacy in an organization.” – Shane D. Stailey, PhD, DCS-IA, MSM-ISS, MS CIS, Senior Industrial Control Systems Cybersecurity Professional, Training Opportunities and Strategy Lead, Infrastructure Assurance & Analysis Division, National & Homeland Security, Idaho National Laboratory
“A valuable resource!” – Deb Radcliff, Cybersecurity Analyst, Speaker, and Investigative Journalist, and author of the book "Breaking Backbones: Information is Power"
Related Third Party Reviews
Some reviews of Charles’ book entitled Information Security Policies Made Easy follow:
“A complete kit of proven best practices that any organization can use and customize to make policies that meet their exact needs. Don't write policies without it.” – Jay Heiser, Columnist, Information Security Magazine
“Charles Cresson Wood, CISSP, CISA, CISM, is a distinguished contributor to our field; in addition to extensive consulting in a wide range of industries, publication of hundreds of professional articles and five books, and service as a professional editor, he has also contributed expert commentary to the public news media.” – Michael Kabay, PhD, CISSP-ISSMP
Legal Services Available
Charles, and the attorneys on his team, are available to perform the Duties Audit™ compliance audit services described in the new book featured on this web site. He and his team are also available to supervise other attorneys who perform this same Duties Audit process. Charles also prepares and delivers custom training and awareness materials tailored to the needs of a particular company’s Directors & Officers. For example, he can prepare and deliver a custom one-hour presentation to the Board of Directors, detailing the relevant laws and regulations that they must comply with in the information security and privacy domain. He additionally assists firms in creating new, and upgrading existing, corporate governance systems, as well as GRC (Governance, Risk and Compliance) systems that integrate information security and privacy metrics.
Directors & Officers must, these days, be personally involved in information security and privacy. One article describing a survey done by The Conference Board indicated that cybersecurity is the biggest external business worry of CEOs, now ranking ahead of competition and economic conditions. See Erik Sherman, U.S. CEOs More Worried About Cybersecurity than a Possible Recession, Fortune, January 17, 2019. Similarly, a 2014 survey indicated that cybersecurity is the number one issue keeping Directors & Officers awake at night. See John E. Black, Jr., Awake at Night: Cyber Breaches and the New Risk to Directors & Officers, IMRI.com, October 2014.
Legal Services Disclaimer
Charles is licensed to provide legal services in California and Washington, and arrangements can most often be made to allow him—or other members of his legal team—to practice on a temporary basis in other states as well. Even when such arrangements cannot be made, it is possible for Charles, or another attorney member of his team, to provide services in another state, so long as a licensed attorney from that other state is involved on the project as a supervisor. The nature of the work and the specific state where the client is incorporated, and where the services would be rendered, would all need to be considered. Charles, or other attorneys on his team, would be pleased to perform complimentary research on this point, and make this licensing determination, without any obligation or cost to a prospective client.
This web site provides general educational and awareness-raising information and is not intended to constitute, or be interpreted as, legal advice. The information on this web site is also not guaranteed to be up-to-date, and subsequent developments may render it outdated. The information on this web site is not intended to replace, and in fact cannot replace, the advice and counsel rendered by a licensed attorney who responds to the reader’s unique situation. Viewing this web site, responding via email, placing a phone call, or otherwise communicating with Charles, or any of his staff, does not establish an attorney-client relationship. Such a relationship is established only by a negotiated legal services contract.
Neither the publisher, the author of this book, nor the Lawyer Auditor performing a Duties Audit, makes any pledge, promise, guarantee, or warranty, and none offers any insurance policy or other transfer of risk associated with the legal and/or regulatory obligations facing the auditee firm (as well as its Directors & Officers) in the information security and privacy area, or for that matter, in any other area.